If I understand your message correctly, you have the port on the
switch tagged for vlan 30. This means that all packets you send to
that port need to be tagged for vlan30.
I have a vlan for internal (2), dmz (5), and isp(3). The line from my
ISP is plugged into an untagged port on the switch, which is set up
for the isp vlan(3) and the router has a tagged pseudo interface
(vlan3) for the isp connection. This allow routing to all networks
over a single interface.
I use an em interface on my router but I connect the em interface to a
trunk port (accepts packets tagged for vlans 2, 3, and 5, and discards
all other packets); I then have a series of vlan pseudo-devices on top
of em, where each vlan device specifies a tag. Note that em0 does not
get an ip address.
# cat /etc/hostname.em0
up media autoselect
# cat /etc/hostname.vlan2
inet 10.107.208.1 255.255.255.0 NONE vlan 2 vlandev em0
inet6 alias 2001:xxx::2::10 64 vlan 2 vlandev em0
# cat /etc/hostname.vlan3
dhcp vlan 3 vlandev em0
# cat /etc/hostname.vlan5
inet 10.180.16.1 255.255.255.0 NONE vlan 5 vlandev em0
inet6 alias 2001:xxx::5::10 64 vlan 5 vlandev em0
vlan3 is from my ISP and they provision an IP using dhcp.
My ifconfig looks like this:
# ifconfig -a
lo0: flags=8049 mtu 33152
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
gem0: flags=8863 mtu 1500
lladdr 00:03:ba:04:b2:1d
priority: 0
media: Ethernet autoselect (none)
status: no carrier
inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
em0: flags=8843 mtu 1500
lladdr 00:02:b3:ed:68:89
priority: 0
media: Ethernet autoselect (1000baseT
full-duplex,master,rxpause,txpause)
status: active
inet6 fe80::202:b3ff:feed:6889%em0 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
priority: 0
vlan2: flags=8843 mtu 1500
lladdr 00:02:b3:ed:68:89
priority: 0
vlan: 2 priority: 0 parent interface: em0
groups: vlan
inet6 fe80::202:b3ff:feed:6889%vlan2 prefixlen 64 scopeid 0x5
inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
inet6 2001:xxx::2::10 prefixlen 64
vlan3: flags=8843 mtu 1500
lladdr 00:02:b3:ed:68:89
priority: 0
vlan: 3 priority: 0 parent interface: em0
groups: vlan egress
inet6 fe80::202:b3ff:feed:6889%vlan3 prefixlen 64 scopeid 0x6
inet x.x.x.x netmask 0xf800 broadcast 255.255.255.255
vlan5: flags=8843 mtu 1500
lladdr 00:02:b3:ed:68:89
priority: 0
vlan: 5 priority: 0 parent interface: em0
groups: vlan
inet6 fe80::202:b3ff:feed:6889%vlan5 prefixlen 64 scopeid 0x7
inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
inet6 2001:xxx::5::10 prefixlen 64
gif0: flags=8051 mtu 1280
priority: 0
groups: gif egress
physical address inet x.x.x.x --> y.y.y.y
inet6 fe80::203:baff:fe04:b21d%gif0 -> prefixlen 64 scopeid 0x8
inet6 2001:xxx:x:xxx::2 -> 2001:xxx:x:xxx::1 prefixlen 128
pflog0: flags=141 mtu 33152
priority: 0
groups: pflog
I used to use a trunk device between the physical interfaces and vlan
devices as well, but I moved to 1gb instead of 4x100mb interfaces.
Axton Grams
On Thu, May 13, 2010 at 6:52 AM, Marcus Larsson wrote:
>
> Hello!
>
> I have a server acting as a router and firewall running 4.6-stable
> from Apr 24 with an Intel quad port NIC.
>
> In short I have problems with traffic going to or from the
> server itself via a vlan interface. It works fine via em0 which
> is the uplink to the ISP and doesn't use any vlan and also
> traffic passing through the server is ok.
>
> It doesn't matter whether PF is enabled or disabled, the problem
> still appears.
>
> em0 at pci5 dev 0 function 0 "Intel PRO/1000 QP (82576)" rev 0x01: apic 0
int 11 (irq 5), address 00:1b:21:63:74:d8
> em1 at pci5 dev 0 function 1 "Intel PRO/1000 QP (82576)" rev 0x01: apic 0
int 12 (irq 10), address 00:1b:21:63:74:d9
>
> # cat /etc/hostname.em0
> inet X.X.X.X 255.255.255.252 NONE
>
> # cat /etc/hostname.em1
> up
> # cat /etc/hostname.vlan30
> inet 10.46.196.1 255.255.255.0 NONE vlan 30 vlandev em1
>
> em1 is connected to a port in a switch, vlan 30 is tagged on
> that port, the switch has IP 10.46.196.8
>
> I can ping 10.46.196.8 but I cannot ssh to it, the ssh attempt
> hangs at: debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP and then I
> get a connection closed.
>
> I thought this was MTU related somehow because pings work with
> small packets, actually ping -s 1472 10.46.196.8 works but
> anything larger than that doesnt.
>
> MTU for vlan30 and em1 is 1500 and I guess 1472 makes sense
> since 1500 - 20(ip) - 8(icmp) = 1472.
>
> I really have no clue what's going on here and any help would be
> very much appreciated.
>
> Regards
>
> /marcus
