Solved vlan - traffic flow

Hi guys, long time no see. I hope you're doing fine.

I recently set up my network to use vlan, it seems to work properly but I am not confident I understand enough to be sure it's actually working as expected.

- The router's lan interface (igc1) is connected directly to my machine (bge0), no switch is involved
- Both have matching vlan configuration (using vlan 20 - 10.9.20.0/24 network for the example)
- igc1 address is: 192.168.0.9
- My machine address is 192.168.0.1 with 192.168.0.9 as default gateway
- net.inet.ip.forwarding=0
- The bridge used for the VMs connection contains the vlan 20 interface bge0.20
- VMs are configured with a default route of 10.9.20.9 - which is associated with the igc1.20 interface on the router.

1. The major thing I don't understand here is: how are the packets from the 10.9.20.0/24 network correctly routed without address translation or my machine acting as a gateway? I did not configure bge0 and igc1 at first but it didn't work until I did. I am missing something here.

2. tcpdump ... vlan 20 shows traffic on both bge0 and igc1, but not on the vlan interfaces themselves; I didn't expect that. I suppose this is the expected behavior. The packet is only tagged when leaving the interface and the tag is removed when the packet is read back on the receiving interface.

It's been a long journey since then, but I do need some more help - any pointer is welcome. Thank you.
 
how are the packet from the 10.9.20.0/24 network correctly routed without address translation or my machine acting as a gateway?
Depends on where they came from. The host itself is directly connected to both 10.9.20.0/24 (bge0.20) and 192.168.0.0/24 (bge0) networks. So anything you do on the host that would connect to some other host on any of those networks can be accessed directly, no "routing" (besides the implied directly accessible ones) involved.

But everything else is probably routed by your LAN router (that's what it's supposed to do), it too is directly connected to both 192.168.0.0/24 and 10.9.20.0/24 and I'm assuming forwarding is enabled there; it's a router, is it not?

tcpdump ... vlan 20 shows traffic on both bge0 and igc1,
Yes, but there are two types of traffic on both bge0 and igc1, tagged (VLAN ID 20; to/from 10.9.20.0/24) and untagged (to/from 192.168.0.0/24 traffic). The traffic on bge0.20 and igc1.20 is untagged, so if you're specifically looking for vlan tagged traffic there you're not going to see anything.
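The tagged/untagged distinction above is visible in the frame bytes themselves: a frame on the parent (bge0, igc1) carries a 4-byte 802.1Q tag after the source MAC, while the vlan child (bge0.20, igc1.20) hands up the same frame with that tag removed, which is why `tcpdump ... vlan 20` matches on the parent and not on the child. The following Python is an added example, not code from this thread or from FreeBSD; the MAC addresses and payload are constructed sample values, and `matches_tcpdump_vlan` only mimics the `vlan <id>` filter on a single frame.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame as the parent interface sees it.

    Returns dst, src, the VLAN ID (None when untagged), the real EtherType
    and the payload that follows the header (and tag, if present).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF  # low 12 bits: VLAN ID; upper 4 bits: PCP/DEI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype,
            "payload": frame[offset:]}


def strip_tag(frame: bytes) -> bytes:
    """What a vlan child (e.g. bge0.20) delivers: the frame minus its 4-byte tag."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int) -> bytes:
    """What the parent transmits on behalf of the child: tag inserted after src MAC."""
    if not 0 < vid < 4095:
        raise ValueError("VLAN ID must be 1..4094")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame is already tagged")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def matches_tcpdump_vlan(frame: bytes, vid: int) -> bool:
    """Mimic the 'vlan <id>' capture filter: true only if a tag with that ID is present."""
    return parse_frame(frame)["vid"] == vid


# Constructed sample frames (MACs and payload are made up for the example)
MAC_VM = bytes.fromhex("0a0000000001")
MAC_GW = bytes.fromhex("0a0000000002")
ETHERTYPE_IPV4 = 0x0800
PAYLOAD = b"\x45\x00" + b"\x00" * 18  # placeholder bytes standing in for an IPv4 header
UNTAGGED = MAC_GW + MAC_VM + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD
TAGGED_20 = add_tag(UNTAGGED, 20)  # what bge0/igc1 carry for the 10.9.20.0/24 traffic

if __name__ == "__main__":
    on_parent = parse_frame(TAGGED_20)
    on_child = parse_frame(strip_tag(TAGGED_20))
    print("parent sees vid", on_parent["vid"], "ethertype", hex(on_parent["ethertype"]))
    print("child sees vid", on_child["vid"], "ethertype", hex(on_child["ethertype"]))
    print("'vlan 20' matches on parent:", matches_tcpdump_vlan(TAGGED_20, 20))
    print("'vlan 20' matches on child:", matches_tcpdump_vlan(strip_tag(TAGGED_20), 20))
```

Running it shows the parent frame carrying VID 20 with the original EtherType 0x0800 behind the tag, and the stripped frame being byte-identical to the untagged original, so a capture filter that keys on the tag has nothing to match on the child interface.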
 
Thanks, I'm getting there, ... maybe.

it's a router is it not
Yes it is.

So anything you do on the host that would connect to some other host on any of those networks can be accessed directly, no "routing" (besides the implied directly accessible ones) involved
I've just tried to ping the world with success from a VM (vlan 20) without bge0 being configured and without a default route for the host. So it works as expected.

--
Damn... My packet filter was blocking the traffic! I had first tried to put the host behind a vlan too and tested from there but I didn't allow the traffic to pass. I think I forgot to put a nat rule for the network. Oops!

Turns out I ~understood things correctly. I misconfigured my packet filter, did some poor testing and got confused. It works as expected now. Traffic flows through the vlan without bge0 or igc1 being configured with an ip address.

Thank you SirDice
 