Bridge with VLANs

Hi guys,

I’m trying to bridge 3 ethernet interfaces (eth1, eth2 and eth3). I want to create 7 VLANs on the bridge (10, 11, 12, 13, 14, 15, 16), each VLAN with the address 192.168.(VLANID).1/24.

This is my base config for the bridge:

set interfaces bridge br0 address '192.168.1.1/24'
set interfaces bridge br0 description 'LAN'
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces bridge br0 member interface eth3
set interfaces bridge br0 stp
set interfaces bridge br0 vif 10 address '192.168.10.1/24'
set interfaces bridge br0 vif 11 address '192.168.11.1/24'
set interfaces bridge br0 vif 12 address '192.168.12.1/24'
set interfaces bridge br0 vif 13 address '192.168.13.1/24'
set interfaces bridge br0 vif 14 address '192.168.14.1/24'
set interfaces bridge br0 vif 15 address '192.168.15.1/24'
set interfaces bridge br0 vif 16 address '192.168.16.1/24'

I have 7 wireless APs which are connected to unmanaged switches that are connected to eth1, eth2 and eth3.

With this configuration, no APs get IPs from DHCP (192.168.1.X). If I disable VLAN awareness (enable-vlan) on the bridge, the APs are able to get IPs from DHCP correctly.

All I want is to spread the 7 VLANs across the 3 ethernet interfaces via the bridge.

Is there a configuration that I missed?

Thanks!

Could you share the VyOS version and DHCP config?

If they are unmanaged switches, how are you tagging the traffic?

When you enable VLAN awareness, VLAN parameters are not configured for the interface.

In this case, all interfaces do not have a default VLAN for communication, and the protocol data may be discarded.

Hi guys!

@jack9603301 Thanks for your info. I was thinking that every port would have VLAN 1 as native VLAN by default. I just added it to the config and it works now.

set interfaces bridge br0 address '192.168.1.1/24'
set interfaces bridge br0 description 'LAN'
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1 allowed-vlan '10-16'
set interfaces bridge br0 member interface eth1 native-vlan '1'
set interfaces bridge br0 member interface eth2 allowed-vlan '10-16'
set interfaces bridge br0 member interface eth2 native-vlan '1'
set interfaces bridge br0 member interface eth3 allowed-vlan '10-16'
set interfaces bridge br0 member interface eth3 native-vlan '1'
set interfaces bridge br0 stp
set interfaces bridge br0 vif 10 address '192.168.10.1/24'
set interfaces bridge br0 vif 10 description 'VLAN10'
set interfaces bridge br0 vif 11 address '192.168.11.1/24'
set interfaces bridge br0 vif 11 description 'VLAN11'
set interfaces bridge br0 vif 12 address '192.168.12.1/24'
set interfaces bridge br0 vif 12 description 'VLAN12'
set interfaces bridge br0 vif 13 address '192.168.13.1/24'
set interfaces bridge br0 vif 13 description 'VLAN13'
set interfaces bridge br0 vif 14 address '192.168.14.1/24'
set interfaces bridge br0 vif 14 description 'VLAN14'
set interfaces bridge br0 vif 15 address '192.168.15.1/24'
set interfaces bridge br0 vif 15 description 'VLAN15'
set interfaces bridge br0 vif 16 address '192.168.16.1/24'
set interfaces bridge br0 vif 16 description 'VLAN16'

@pirateghost

VLANs can be tagged on the SSID in the AP.

@n.fort I use the latest version of VyOS.

I have another question. There is no option to set a firewall on the bridge VLANs. I can set a firewall on the bridge itself, but does this firewall apply to the VLANs too?

Thanks!

Firewall rules should be independent of whether a VLAN is passed or not.

Well, the firewall option is only available on bridge interfaces and not on bridge vif 10. How can I set a firewall on the bridge VLANs if the option is not available?

Thanks!

Well, I don’t know if you want to configure a firewall on the VLAN sub-interface. Same question.

I have the LAN_IN firewall that blocks all traffic from one subnet to another subnet.

set firewall name LAN_IN default-action 'accept'
set firewall name LAN_IN rule 10 action 'drop'
set firewall name LAN_IN rule 10 destination address '192.168.0.0/16'
set firewall name LAN_IN rule 10 source address '192.168.0.0/16'

If I want to apply the LAN_IN firewall to every VLAN subnet, how can I do that? If I apply this firewall to the ethernet interfaces or the bridge interface, will the VLAN subnets inherit this firewall?

Setting the firewall on the bridge directly, it seems that the VLANs inherit the firewall from the bridge. Seems to work.

Thanks!

The VLAN-aware bridge of VyOS does not provide VLAN 1 by default (except that the bridge parent interface is always VLAN 1), so any VLAN parameters must be set manually. When the vif option is missing or the VLAN setting of the member interface is missing, it cannot work. Packets that do not belong to a VLAN within the configured range will be discarded by default.

I know that some other devices may pass VLAN 1 through by default, but on VyOS, VLAN 1 cannot communicate by default. Therefore, once the VLAN-aware bridge is turned on, its VLAN parameters must be set manually.

I can confirm that the previous configuration was wrong. It forgot to configure the required VLAN parameters for the VLAN-aware bridge. In this case, the bridge will discard all data.
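As an added illustration of the rule described above (not code from the thread or from VyOS), the following checker parses a list of VyOS `set interfaces bridge` commands and reports member interfaces of a VLAN-aware bridge that lack a native-vlan or whose allowed-vlan does not cover every configured vif. The two sample configs are constructed from the thread's broken and fixed configurations; the function names and output strings are the example's own.

```python
from collections import defaultdict

# Constructed sample: the original (failing) config, reduced to a few lines.
BROKEN_CFG = """
set interfaces bridge br0 address '192.168.1.1/24'
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces bridge br0 vif 10 address '192.168.10.1/24'
set interfaces bridge br0 vif 11 address '192.168.11.1/24'
"""
# The fix from the thread: VLAN parameters on every member port.
FIXED_CFG = BROKEN_CFG + """
set interfaces bridge br0 member interface eth1 allowed-vlan '10-16'
set interfaces bridge br0 member interface eth1 native-vlan '1'
set interfaces bridge br0 member interface eth2 allowed-vlan '10-16'
set interfaces bridge br0 member interface eth2 native-vlan '1'
"""

def expand_vlan_spec(spec):
    """Expand a VyOS VLAN spec such as '10-16' or '20' into a set of ints."""
    lo, _, hi = spec.strip("'\"").partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def check_bridge_vlans(config_text):
    """Return a list of VLAN-parameter problems for VLAN-aware bridges."""
    vlan_aware, vifs = set(), defaultdict(set)
    allowed, native = {}, {}
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:3] != ["set", "interfaces", "bridge"] or len(parts) < 5:
            continue
        br, rest = parts[3], parts[4:]
        if rest[0] == "enable-vlan":
            vlan_aware.add(br)
        elif rest[0] == "vif":
            vifs[br].add(int(rest[1]))
        elif rest[:2] == ["member", "interface"]:
            key = (br, rest[2])
            allowed.setdefault(key, set())
            if rest[3:4] == ["allowed-vlan"]:
                allowed[key] |= expand_vlan_spec(rest[4])
            elif rest[3:4] == ["native-vlan"]:
                native[key] = int(rest[4].strip("'\""))
    problems = []
    for (br, port), ok in allowed.items():
        if br not in vlan_aware:
            continue  # a non-VLAN-aware bridge forwards everything
        if (br, port) not in native:
            problems.append(f"{br}/{port}: no native-vlan, untagged frames are dropped")
        missing = sorted(vifs[br] - ok)
        if missing:
            problems.append(f"{br}/{port}: vif {missing} not covered by allowed-vlan")
    return problems
```

Running `check_bridge_vlans(BROKEN_CFG)` reports both member ports; the fixed config yields an empty list.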

@pirateghost
Most unmanaged switches will only look at MAC addresses, and will pass and ignore the VLAN tag present in the packet.
Also, most unmanaged switches can handle the increased packet size.

Obviously, VyOS supports VLAN-aware bridges, but the configuration was wrong, causing the bridge to discard all packets.

Why is VyOS unable to apply firewall rules onto bridge sub-interfaces?
iptables can, and so should VyOS.


You can submit a feature request.