On Tue, Mar 17, 2026 at 10:35:27AM +1000, David Gwynne wrote:
>On Sat, Mar 14, 2026 at 12:43:44PM +0100, Maurice Janssen wrote:
>> Hi,
>>
>> I have a router running 7.8 with an interface (igc1) with several tagged
>> VLANs:
>> # cat /etc/hostname.igc1
>> up
>> # cat /etc/hostname.vlan101
>> vnetid 101 parent igc1
>> inet 192.168.1.1 255.255.255.0
>> # cat /etc/hostname.vlan102
>> vnetid 102 parent igc1
>> inet 192.168.2.1 255.255.255.0
>>
>> igc1 is connected to a switch with the rest of my internal network.
>> This works as expected, filtering in pf on vlan101, etc.
>>
>> Now I would like to connect a second switch to this router, expanding the
>> network with the same VLANs to another room. Connecting to the first
>> switch is not preferred due to the routing of the physical cabling.
>>
>> If I understand correctly, this can be done by hooking up the cable to
>> igc2 and changing my configuration as follows:
>>
>> # cat /etc/hostname.igc1
>> up
>> # cat /etc/hostname.igc2
>> up
>> # cat /etc/hostname.vport0
>> up
>> # cat /etc/hostname.veb0
>> add igc1
>> add igc2
>> add vport0
>> link0
>> up
>> # cat /etc/hostname.vlan101
>> vnetid 101 parent vport0
>> inet 192.168.1.1 255.255.255.0
>> # cat /etc/hostname.vlan102
>> vnetid 102 parent vport0
>> inet 192.168.2.1 255.255.255.0
>>
>> Or do I need multiple vport interfaces, one for each VLAN?
>
>veb is vlan unaware in 7.8 and before. this means it only uses the mac
>addresses in the packet to figure out which port that packet should go
>to. technically, a "vlan" is supposed to be completely isolated from
>another one, so sharing the one veb instance with multiple vlans breaks
>this isolation because the mac address topology is shared between them.
>
>my advice previously was to create a veb per vlan, ie:
>
># cat /etc/hostname.igc1
>up
># cat /etc/hostname.vlan1011
>parent igc1 vnetid 101
>up
># cat /etc/hostname.vlan1021
>parent igc1 vnetid 102
>up
># cat /etc/hostname.igc2
>up
># cat /etc/hostname.vlan1012
>parent igc2 vnetid 101
>up
># cat /etc/hostname.vlan1022
>parent igc2 vnetid 102
>up
># cat /etc/hostname.vport101
>inet 192.168.1.1 255.255.255.0
>up
># cat /etc/hostname.vport102
>inet 192.168.2.1 255.255.255.0
>up
># cat /etc/hostname.veb101
>add vlan1011
>add vlan1012
>add vport101
>up
># cat /etc/hostname.veb102
>add vlan1021
>add vlan1022
>add vport102
>up
>
>this is obviously... a lot.
>
>> In pf nothing changes, filtering on the VLAN interfaces. Correct?
>>
>>
>> And after upgrading to 7.9 (with the new, VLAN aware veb), I understand that
>> this can (or must?) be changed into this:
>
>you can still configure vlan interfaces on top of vport interfaces. the
>config you had above should work if you add "tagged PORT 101,102" to
>igc1, igc2, and vport0, with the benefit that veb now knows to keep the
>mac addresses inside each vlan separate.
>
>however, the vlan interfaces are unnecessary and you can just use a vport
>to talk to each isolated lan on the veb. this is exactly what your
>config below implements, with some minor syntax issues.
>
>> # cat /etc/hostname.igc1
>> up
>> # cat /etc/hostname.igc2
>> up
>> # cat /etc/hostname.veb0
>> add igc1
>> -untagged igc1
>> +tagged igc1 101
>> +tagged igc1 102
>> add igc2
>> -untagged igc2
>> +tagged igc2 101
>> +tagged igc2 102
>> add vport0
>> untagged vport0 101
>> add vport1
>> untagged vport1 102
>> up
>> # cat /etc/hostname.vport0
>> inet 192.168.1.1 255.255.255.0
>> # cat /etc/hostname.vport1
>> inet 192.168.2.1 255.255.255.0
>>
>> and of course modifying pf.conf to use vport0 instead of vlan101 and
>> vport1 instead of vlan102
>>
>> Is this correct?
>
>you want "tagged" instead of "+tagged", and you need "up" in
>hostname.vport0 and vport1, but yes.
Thank you for your detailed response. For now, I've added a simple managed switch and will get started on the bridge setup after the 7.9 release.

Maurice
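As an added example (not from the thread or from OpenBSD itself): a small sh function that generates the pre-7.9 "one veb per VLAN" layout David describes, for any number of trunk ports and VLAN IDs, so each VLAN keeps its own MAC learning table. It follows the thread's naming (vlan<vnetid><port index>, vport<vnetid>, veb<vnetid>), writes into a directory you name rather than /etc, and the addresses and port names in the usage line are constructed sample values; addresses are written in the addr/prefixlen form ifconfig(8) accepts.

```shell
#!/bin/sh
# Added example, not from the thread: emit the per-VLAN veb layout for a
# VLAN-unaware (7.8 and earlier) veb: one veb and one vport per VLAN, so
# MAC address learning is never shared between VLANs.
# Files are written below OUTDIR, never directly to /etc.
#
# Naming follows the thread: vlan<vnetid><n> is <vnetid> on the n-th
# trunk port; vport<vnetid> and veb<vnetid> belong to that VLAN. Use
# vnetids of equal width (e.g. all three digits) so units cannot collide.
#
# usage: gen_per_vlan_veb OUTDIR "PORT ..." "VNETID[=ADDR/PREFIX] ..."
gen_per_vlan_veb() {
    outdir=$1 ports=$2 vlans=$3
    mkdir -p "$outdir"
    # the trunk ports themselves only need to be up
    for port in $ports; do
        printf 'up\n' > "$outdir/hostname.$port"
    done
    for spec in $vlans; do
        vid=${spec%%=*}
        addr=${spec#*=}
        [ "$addr" = "$spec" ] && addr=""   # router has no address here
        veb="$outdir/hostname.veb$vid"
        : > "$veb"
        n=0
        for port in $ports; do
            n=$((n + 1))
            # one vlan(4) child per trunk port, each joined to this VLAN's veb
            printf 'parent %s vnetid %s\nup\n' "$port" "$vid" \
                > "$outdir/hostname.vlan$vid$n"
            printf 'add vlan%s%s\n' "$vid" "$n" >> "$veb"
        done
        # the vport is the router's own leg into this VLAN; pf filters on it
        if [ -n "$addr" ]; then
            printf 'inet %s\nup\n' "$addr" > "$outdir/hostname.vport$vid"
        else
            printf 'up\n' > "$outdir/hostname.vport$vid"
        fi
        printf 'add vport%s\nup\n' "$vid" >> "$veb"
    done
}

# constructed sample: two trunk ports, the two VLANs from the thread
# gen_per_vlan_veb ./out "igc1 igc2" "101=192.168.1.1/24 102=192.168.2.1/24"
```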

