Created attachment 204677 [details]
tcpdump -nvi ix0

If it's not already clear, the packets are coming from a "ping 192.168.221.2" in the VM.  192.168.221.2 is an external machine on vlan 221 (also FreeBSD).

Interestingly, also, two DHCP servers are on the network... one on the HOST and one on an external host.  The on-the-host DHCP server is bound to ix0.221 and manages to talk to the VM.  The external DHCP server cannot respond to the VM (ie: the VM fails to get an IP if the local DHCP server is not running).

Comment 3 Rodney W. Grimes 2019-05-29 03:33:36 UTC

Tagging kevans@ into this as he just made a fix to bridge that had to do with bpf missing some packets as they traverse the bridge so he might have a clue as to if that effects this or not.  Ie, it may be that bpf is not seeing all things it should be seeing.

I have also had issues in the past with getting the HOST to see vlans when I am doing the bhyve/vm, tap, bridge, em0 with vlan trunking turned on.  My vm's can talk to real boxes on the em0 network just fine, and the host can talk to boxes on the em0 network just fine, but my vm's can not talk to my host.

Comment 4 Kyle Evans 2019-05-29 13:33:25 UTC

(In reply to Rodney W. Grimes from comment #3)

There seems to be something else going on here- ix0.221 should've showed the inbound traffic (with or without my fixes) since that gets tapped in ether_input_internal before entering the bridge at all. The general flow here *should* look like:

external -> ix0:ether_input_internal -> ix0:ether_demux -> vlan_input -> ix0.221:ether_input_internal -> bridge2:bridge_input -> tap0:ether_demux

You've observed the traffic getting tapped at the second step above, then there's a disconnect somewhere after that.

Comment 5 Eugene Grosbein 2019-05-29 14:12:21 UTC

If you add and interface like ix0.221 to a bridge, you cannot leave IP addresses on ix0.221. Move them to the bridge0 and it should just work.

Comment 6 Rodney W. Grimes 2019-05-29 14:15:45 UTC

(In reply to Eugene Grosbein from comment #5)
How does one specify the vlan 221 on bridgeX for that IP address, and what happens when I have 4 vlans with different IP addresses, do I stick them all on bridgeX?

(In reply to Rodney W. Grimes from comment #6)

What you're saying is "what if I have 3 ethernet cards, with different addresses all plugged into the same switch" ... in effect.  I suppose there's nothing stopping the bridge interface from having the 3 aliases.  Thinking about differences, you still have 3 IP addresses on the same MAC (in the vlan case, not the three ethernet cards case).

If this is indeed the problem (I'm testing now) ... this needs some explicit documentation somewhere.  This might be the second time I've come around to this "documentation bug" ... but from a different direction.  The first time was that the bridge straight up needed the IP not the vlan ... but without a VM to think about.

Hrm.  This is a case with different ethernets being different.  Host also has an re0.  In rc.conf, I s1,$/ix0/re0/ and rebooted.  With re0, dhcpd (locally) doesn't give an IP to the VM where it did on ix0.

Comment 9 Eugene Grosbein 2019-05-29 14:29:26 UTC

(In reply to Rodney W. Grimes from comment #6)

Our if_bridge does not support tagged frames currently, so you'd need bridge-per-vlan, so each bridge deals with frames already stripped.

(In reply to dgilbert from comment #8)

OK.  My last comment sounded far-out on a limb, even to me.  But I re-verified it.  with isc-dhcpd and dhcpd_ifaces = either "ix0.221" or "re0.221" ... and ix0.221 or re0.221 added to brige2,

The VM gets and IP from the DHCP server with ix0 and not with re0.

(In reply to dgilbert from comment #10)

I tried to reproduce this bug, but with no luck. Could you please provide additional information mentioned below?

1. What is the device id of your ix interface?
2. Does log from dmesg contain anything unusual?
3. Could you provide VM's configuration parameters?

ix0@pci0:7:0:0: class=0x020000 card=0x00008086 chip=0x15638086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller 10G X550T'
    class      = network
    subclass   = ethernet

ix0: <Intel(R) PRO/10GbE PCI-Express Network Driver> mem 0xd0000000-0xd01fffff,0xd0200000-0xd0203fff irq 40 at device 0.0 on pci7
ix0: using 2048 tx descriptors and 2048 rx descriptors
ix0: msix_init qsets capped at 64
ix0: pxm cpus: 8 queue msgs: 63 admincnt: 1
ix0: using 8 rx queues 8 tx queues
ix0: Using MSIX interrupts with 9 vectors
ix0: allocated for 8 queues
ix0: allocated for 8 rx queues
ix0: Ethernet address: a0:36:9f:17:ba:10
ix0: PCI Express Bus: Speed 5.0GT/s Width x4
ix0: netmap queues/slots: TX 8/2048, RX 8/2048
ix0: link state changed to UP
ix0: link state changed to DOWN
ix0.1: link state changed to DOWN
bridge1: can't disable some capabilities on ix0.1: 0x400
ix0: promiscuous mode enabled
ix0.1: promiscuous mode enabled
bridge2: can't disable some capabilities on ix0.221: 0x400
ix0.221: promiscuous mode enabled
ix0: link state changed to UP
ix0.221: link state changed to UP
ix0.1: link state changed to UP

[1:13:313]root@run:~> cat /vms/FreeNAS/FreeNAS.conf
loader="bhyveload"
cpu=2
memory=8G
network0_type="virtio-net"
network0_switch="lan221"
disk0_type="virtio-blk"
disk0_name="disk0"
disk0_dev="sparse-zvol"
uuid="b2fdb1cd-b6d5-4ac0-a167-f216b52e0701"
network0_mac="58:9c:fc:01:d4:67"
disk1_name="disk1"
disk1_type="virtio-blk"
disk1_dev="sparse-zvol"
disk2_name="disk2"
disk2_type="virtio-blk"
disk2_dev="sparse-zvol"
disk3_name="disk3"
disk3_type="virtio-blk"
disk3_dev="sparse-zvol"

... so far I have only completed running "vm install FreeNAS" on this VM.

It doesn't explain the _different_ behaviour between ix0 and re0, but there is one bug I managed to nail myself.

I _had_ ix0 (or re0) attached to bridge0 (picking up untagged vlan 1 --- which this switch refuses to tag).  Then I had a few other vlans plus vlan 221 (the one we're discussing).  Certainly, I have had lots of BSD machines useing the raw ethernet to pick up the management vlan untagged --- but I don't believe I've had a bridge there before.

For now, I will use re0 to pick up the untagged vlan (sigh... feels like an engineering waste), but I do understand the complexity here.  In a netgraph-like case, you can specify the ethertypes that are taken and left and whatnot --- ifconfig doesn't allow us to express this.

I would very much like to be in a discussion of layer 2 semantics, should one occur.  Terminology is drastically overloaded and the number of useful combinations is high ... leaving a more flexible solution a clear winner.

What I'm saying is that the ability to pick off an untagged vlan 1 on the raw port is very useful with modern gear.  I realize this means having a way to specify picking off ethertypes (at least for v4 and v6) and that potential confusion is high ... so accurate abstraction is key.

Anyways... far beyond the status of this bug.  re0 and ix0 behave differently in this corner case, but you may need to add re0 and/or ix0 to a bridge to replicate it.

(In reply to dgilbert from comment #13)
I really never understood the need for and hence the presence of untagged frames on a switch trunk port. But it's in the standard so for now we are stuck with it. If your switch is of Cisco brand, here's what we do:

switchport trunk native vlan 1001

1001 is a VLAN that is never used in our entire data centre, so everything that matters is properly tagged.

Kind regards,
Patrick

(In reply to punkt.de Hosting Team from comment #14)

[ on configuring my switch to avoid the problem ]

That's fine on a Cisco.  But for the dozens of other brands, not-so-much.  In this case, it's a ubiquity (or unifi ?) ... and aggressively positioned switch as part of an ecosystem of WiFi and WISP gear.

AFAICT, changing the access vlan removes communication with the management lan alltogether.  As I said, so far I'm using another ethernet card to talk to this.

It's not an uncommon setup, I believe.  FreeBSD should be that swiss army knife that just works in all situations, not the OS that prays to one particular god of configuration or the other.

Comment 16 Mark Linimon 2024-10-04 14:31:17 UTC

^Triage: clear stale flags.