Linux Vlans over Bridge

I am trying to bridge a dot1q trunk and cannot seem to figure it out. I am able to connect to hosts on the trunk with my eth0.2 interface but when I bridge the interface with br0 and try to connect I get nothing. Am I missing something simple here?

auto lo
iface lo inet loopback

auto br0
iface br0 inet manual
    bridge_ports eth0
    bridge_stp off
    bridge_fd 9
    bridge_hello 2
    bridge_maxwait 0

auto br0.100
iface br0.100 inet static
    address 192.168.100.99
    netmask 255.255.255.0

auto eth0.2
iface eth0.2 inet static
    address 10.1.2.225
    netmask 255.255.255.0
    # network/broadcast corrected for 10.1.2.0/24 (the posted values were 10.1.2.1 and 10.2.1.255)
    network 10.1.2.0
    broadcast 10.1.2.255
    gateway 10.1.2.1
    mtu 1500

If an interface (eth0 in your case) is added to a bridge, by default its VLAN subinterfaces (eth0.2) will no longer get the incoming traffic — all packets will be passed to the bridge. Before Linux 2.6.37 VLAN subinterfaces could sometimes work depending on your hardware (if the hardware and driver supported RX VLAN acceleration (NETIF_F_HW_VLAN_RX), VLANs were handled before bridging, and VLAN subinterfaces worked); since 2.6.37 the behavior is the same for all cards and drivers.

There are several solutions with different drawbacks:

  1. Add VLAN subinterfaces to the bridge instead of the physical interface. But in this case all ports of the bridge will have access to all VLANs, which is probably not desired.

  2. Use ebtables to pass 802.1Q tagged traffic to VLAN subinterfaces:

    ebtables -t broute -A BROUTING -i eth0 -p 802_1Q -j DROP

    (In the BROUTING chain ACCEPT means “bridge”, and DROP means “route”, or actually “process according to ethertype”, which for the 802_1Q type means “pass to the appropriate VLAN subinterface”.)

    In this case the bridge will not get any tagged traffic, but there will be slightly more overhead due to ebtables processing.

  3. Reconfigure the network to make all traffic on the interface tagged and avoid the need to bridge the untagged traffic at all.


Once you add an interface to a bridge, you should use the bridge interface and sub-interfaces for getting untagged and VLAN tagged packets.

So, in your example, you need to replace eth0.2 with br0.2.

You would have only one bridge (br0), but using the bridge sub-interfaces (e.g. br0.2), you can get traffic from any VLAN you like.

To pass all information from eth0 to br0, just add eth0 to br0 and call it a day. It appears you've already done this.

You may also want to toggle the following:

sudo sysctl net.bridge.bridge-nf-filter-vlan-tagged=1

This is 1 on my Jaunty box, but 0 on Lucid. I had to make it 1 for my bridge / VLAN setup to work again.


There are a few things being mixed together here. Tagging generally takes place on the actual ethernet interface (i.e. eth0.2), while bridging doesn't usually require any kind of explicit tagging (although there are exceptions to this).

OK - I am going to assume that you want VLAN 2 and VLAN 100 to pass over ethernet 0.

1.) You want to create eth0.2 and eth0.100. Don't put an IP address on either (inet manual).

2.) Create br2 and br100 (for convenience) and assign the IPs you'd like to use in these VLANs (inet static).

3.) eth0.2 will be a bridge_port in br2. eth0.100 will be a bridge_port in br100.


To make a long story short: tag your interfaces, and then add bridges. So, for VLAN 100 to be usable in a bridged mode, you will need

eth0 -> eth0.100 ->br100

To add another tag:

eth0 -> eth0.100 -> br100
     -> eth0.101 -> br101

and so on.
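The per-VLAN bridge layout that the last two answers describe, written out as a complete /etc/network/interfaces for the question's two VLANs. This is an added example, not configuration from the original post; it assumes Debian/Ubuntu ifupdown with the vlan and bridge-utils packages, reuses the addresses from the question, and follows the answer's br2/br100 naming. Each bridge only ever carries frames of its own VLAN, so hosts behind br2 have no path into VLAN 100 through the bridge (the problem with the "VLAN subinterfaces on one bridge" option above).

```ini
# /etc/network/interfaces (added example; Debian/Ubuntu ifupdown, vlan + bridge-utils)

auto lo
iface lo inet loopback

# Physical trunk port: carries tagged frames only, no address, not a bridge member.
auto eth0
iface eth0 inet manual
    up ip link set dev eth0 up
    down ip link set dev eth0 down

# One VLAN subinterface per VLAN ID. No addresses here: they are pure bridge ports.
auto eth0.2
iface eth0.2 inet manual
    vlan-raw-device eth0

auto eth0.100
iface eth0.100 inet manual
    vlan-raw-device eth0

# One bridge per VLAN; the IP for each VLAN lives on its bridge, not on eth0.X.
auto br2
iface br2 inet static
    address 10.1.2.225
    netmask 255.255.255.0
    gateway 10.1.2.1
    bridge_ports eth0.2
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0

auto br100
iface br100 inet static
    address 192.168.100.99
    netmask 255.255.255.0
    bridge_ports eth0.100
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
```

After `ifup -a`, `brctl show` should list eth0.2 under br2 and eth0.100 under br100 only, and `cat /proc/net/vlan/config` should show both VLAN IDs bound to eth0.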