On Sat, Mar 14, 2026 at 12:43:44PM +0100, Maurice Janssen wrote:
> Hi,
>
> I have a router running 7.8 with an interface (igc1) with several tagged
> VLANs:
> # cat /etc/hostname.igc1
> up
> # cat /etc/hostname.vlan101
> vnetid 101 parent igc1
> inet 192.168.1.1 255.255.255.0
> # cat /etc/hostname.vlan102
> vnetid 102 parent igc1
> inet 192.168.2.1 255.255.255.0
>
> igc1 is connected to a switch with the rest of my internal network.
> This works as expected, filtering in pf on vlan101, etc.
>
> Now I would like to connect a second switch to this router, expanding the
> network with the same VLANs to another room. Connecting to the first
> switch is not preferred due to the routing of the physical cabling.
>
> If I understand correctly, this can be done by hooking up the cable to
> igc2 and changing my configuration as follows:
>
> # cat /etc/hostname.igc1
> up
> # cat /etc/hostname.igc2
> up
> # cat /etc/hostname.vport0
> up
> # cat /etc/hostname.veb0
> add igc1
> add igc2
> add vport0
> link0
> up
> # cat /etc/hostname.vlan101
> vnetid 101 parent vport0
> inet 192.168.1.1 255.255.255.0
> # cat /etc/hostname.vlan102
> vnetid 102 parent vport0
> inet 192.168.2.1 255.255.255.0
>
> Or do I need multiple vport interfaces, one for each VLAN?
veb is vlan unaware in 7.8 and before. this means it only uses the mac addresses in the packet to figure out which port that packet should go to. technically, a "vlan" is supposed to be completely isolated from another one, so sharing the one veb instance with multiple vlans breaks this isolation because the mac address topology is shared between them.

my advice previously was to create a veb per vlan, i.e.:

# cat /etc/hostname.igc1
up
# cat /etc/hostname.vlan1011
parent igc1
vnetid 101
up
# cat /etc/hostname.vlan1021
parent igc1
vnetid 102
up
# cat /etc/hostname.igc2
up
# cat /etc/hostname.vlan1012
parent igc2
vnetid 101
up
# cat /etc/hostname.vlan1022
parent igc2
vnetid 102
up
# cat /etc/hostname.vport101
inet 192.168.1.1 255.255.255.0
up
# cat /etc/hostname.vport102
inet 192.168.2.1 255.255.255.0
up
# cat /etc/hostname.veb101
add vlan1011
add vlan1012
add vport101
up
# cat /etc/hostname.veb102
add vlan1021
add vlan1022
add vport102
up

this is obviously... a lot.

> In pf nothing changes, filtering on the VLAN interfaces. Correct?
>
>
> And after upgrading to 7.9 (with the new, VLAN aware veb), I understand that
> this can (or must?) be changed into this:

you can still configure vlan interfaces on top of vport interfaces. the config you had above should work if you add "tagged PORT 101,102" to igc1, igc2, and vport0, with the benefit that veb now knows to keep the mac addresses inside each vlan separate.

however, the vlan interfaces are unnecessary and you can just use a vport to talk to each isolated lan on the veb. this is exactly what your config below implements, with some minor syntax issues.
> # cat /etc/hostname.igc1
> up
> # cat /etc/hostname.igc2
> up
> # cat /etc/hostname.veb0
> add igc1
> -untagged igc1
> +tagged igc1 101
> +tagged igc1 102
> add igc2
> -untagged igc2
> +tagged igc2 101
> +tagged igc2 102
> add vport0
> untagged vport0 101
> add vport1
> untagged vport1 102
> up
> # cat /etc/hostname.vport0
> inet 192.168.1.1 255.255.255.0
> # cat /etc/hostname.vport1
> inet 192.168.2.1 255.255.255.0
>
> and of course modifying pf.conf to use vport0 instead of vlan101 and
> vport1 instead of vlan102
>
> Is this correct?

you want "tagged" instead of "+tagged", and you need "up" in hostname.vport0 and vport1, but yes.

>
> Thanks in advance,
> Maurice
>
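As an added example (not from the thread or from OpenBSD itself), a small POSIX sh lint for the VLAN-aware veb layout discussed above. It assumes the hostname.* files live in a directory passed as its argument (so a draft can be checked before it lands in /etc) and flags the two slips named in the reply, a leading +/- on tagged/untagged lines and a hostname.vport file without "up", plus a port that is tagged/untagged but never added to the veb.

```shell
#!/bin/sh
# Added example: lint hostname.veb* / hostname.vport* files in DIR for the
# syntax slips discussed in the thread. Prints one line per problem and
# returns the number of problems found (0 means the layout looks fine).
# Usage: check_hostname_dir DIR

check_hostname_dir() {
    dir=$1
    problems=0
    for veb in "$dir"/hostname.veb*; do
        [ -f "$veb" ] || continue
        # "+tagged igc1 101" / "-untagged igc1" are not valid lines;
        # the keywords are "tagged" and "untagged" without a sign.
        bad=$(grep -c -E '^[[:space:]]*[+-](tagged|untagged)' "$veb" || true)
        if [ "$bad" -gt 0 ]; then
            echo "$veb: $bad line(s) use +tagged/-untagged; drop the sign"
            problems=$((problems + bad))
        fi
        # every port named in a tagged/untagged line must also be added
        # to the veb with "add PORT", as in the config above.
        for port in $(awk '$1=="tagged"||$1=="untagged"{print $2}' "$veb" | sort -u); do
            if ! grep -q -E "^[[:space:]]*add[[:space:]]+$port([[:space:]]|\$)" "$veb"; then
                echo "$veb: $port is tagged/untagged but never added to the veb"
                problems=$((problems + 1))
            fi
        done
    done
    for vp in "$dir"/hostname.vport*; do
        [ -f "$vp" ] || continue
        # a vport file with only an inet line leaves the interface down;
        # it needs an "up" line of its own.
        if ! grep -q -E '^[[:space:]]*up([[:space:]]|$)' "$vp"; then
            echo "$vp: missing \"up\""
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```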

