
I have had my own private server on the Internet for years. At the moment it is running Linux 4.9.337. It serves as my router, as my WiFi access point and for many more things.

On the machine I have 3 NICs called internet, lan0 and lan1. I also have a WiFi card called wlan0 and a VPN bridge called vpn0.

All the interfaces are on a bridge called lan. lan has a static IP.

bridge name     bridge id               STP enabled     interfaces
lan             8000.000acd16687b       no              lan0
                                                        lan1
                                                        vpn0
                                                        wlan0

This setup works fine.

The time has come to modify my setup. I am planning to use an external WiFi access point. To still be able to sniff the WiFi traffic, I want to use a managed switch to send the WiFi traffic via VLAN id 2 into lan0, making the external WiFi access point behave like an internal WiFi card.

Now I try to add that VLAN functionality into the bridge.

This is the setup of the bridge:

#!/bin/bash

bridgename=lan
bridgemac=00:0a:cd:16:68:7b
bridgeip=10.10.13.1/24
bridgevlanfiltering=0
bridgeforwarddelay=200
bridgemulticastsnooping=0
bridgeports="lan0 lan1 wlan0 vpn0"

# create the bridge with its options on one (continued) command line
ip link add name ${bridgename} address ${bridgemac} up type bridge \
    vlan_filtering ${bridgevlanfiltering} \
    forward_delay ${bridgeforwarddelay} \
    mcast_snooping ${bridgemulticastsnooping}

ip addr add dev lan ${bridgeip}

# enslave every port to the bridge
for interface in ${bridgeports}; do
    ip link set dev ${interface} up master ${bridgename}
done

# adding the VLAN id 2 interface into the bridge

ip link add dev wlan1 link lan0 address 00:0a:cd:16:68:7d up type vlan id 2
ip link set dev wlan1 master ${bridgename}

At this point the bridge looks like this:

bridge name     bridge id               STP enabled     interfaces
lan             8000.000acd16687b       no              lan0
                                                        lan1
                                                        vpn0
                                                        wlan0
                                                        wlan1

This mostly works as before, but the WiFi access point is now cut off and does not work. I have no clue what is wrong with the setup regarding the VLAN.

I read this question/answer. Still lost...

I wonder if anyone can help me get the VLAN part of this working?



Although I don't see how VLAN (alone) could help you in achieving your goal, I'm writing this answer as a general guide for you (and a study note for myself).

The assumption in this answer is that lan0 (which is enslaved to a bridge) is connected to a "trunk port" of a switch (i.e., traffic from multiple VLANs would be seen on lan0), and that traffic from VLAN 1 is untagged (i.e., VLAN 1 is the "native VLAN").

AFAICT, packet capturing is done before vlan_filtering is applied. Therefore, regardless of its value, or which VLAN(s) lan0 has been associated with (as seen in the output of bridge vlan), you should still be able to see the tagged frames if you tcpdump at lan0, as long as the desired traffic is forwarded to the link lan0 is attached to (by the respective switch).

If you have vlan_filtering disabled (i.e., 0), the tagged frames would be flooded out of all the other bridge ports if they are e.g. broadcast frames. If the traffic is "mirrored traffic", the flooding would probably occur for all of it as well, even for unicast frames, since the bridge is not going to learn that any port should be used for the particular destination, for obvious reasons. Therefore, you would likely want to enable vlan_filtering:

ip link add lan type bridge vlan_filtering 1
ip link set lan0 master lan

(To change the value of an existing bridge, replace add with set and keep type bridge.)

If you for some reason want to capture frames (from VLAN 2) that are "802.1Q de-encapsulated" (i.e., with the tag removed), you can add an 802.1Q virtual interface on the bridge itself (i.e., with the bridge interface as the link):

ip link add lan_vl2 link lan type vlan id 2

(While it may be possible to just additionally associate the bridge interface (lan) with VLAN 2 with (egress) untagged, in that case you can't capture just the traffic from VLAN 2, I suppose.)

To allow the tagged frames to "get into" the bridge from lan0 with vlan_filtering enabled:

bridge vlan add dev lan0 vid 2

And to allow the frames to be forwarded out of lan_vl2 (untagged) via the bridge interface (lan):

bridge vlan add dev lan vid 2 self

Instead of adding an 802.1Q virtual interface on the bridge, you may also consider creating a veth pair and making one end of it a port/slave of lan:

ip link add lan_vl2 type veth peer lan_vl2_p
ip link set lan_vl2_p master lan

In this case, the port should be associated with VLAN 2 with the pvid and untagged attributes (and be disassociated from VLAN 1):

bridge vlan add dev lan_vl2_p vid 2 pvid untagged
bridge vlan del dev lan_vl2_p vid 1

Basically this makes the port an "access port" of VLAN 2, and you do NOT need to add an 802.1Q virtual interface on the other end (lan_vl2) either.

And you do NOT need to associate the bridge interface (lan) to VLAN 2 in this case.

Tom Yan
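The following script is added here as an example; it is not part of the question or of Tom Yan's answer. It puts the answer's veth access-port recipe (enable vlan_filtering, admit VID 2 tagged on lan0, enslave one veth end as an untagged PVID member of VID 2 and drop it from VID 1) into one function, and adds the check a practitioner would want afterwards: a small parser for the text of `bridge vlan show` that confirms the trunk and the access port carry exactly the membership the recipe needs. The interface names, the VLAN id and the two `bridge vlan show` samples are assumptions/constructed from the thread; applying the recipe needs root, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the question or Tom Yan's answer: the answer's
# veth "access port" recipe as a script, plus a check that reads the text of
# `bridge vlan show` and confirms the membership the recipe requires.
# Interface names and the VLAN id are assumptions taken from the thread;
# override them via the environment. Applying needs root (CAP_NET_ADMIN);
# DRY_RUN=1 only prints the commands.

BRIDGE=${BRIDGE:-lan}              # the existing bridge
TRUNK=${TRUNK:-lan0}               # port connected to the switch's trunk port
VID=${VID:-2}                      # VLAN carrying the WiFi traffic
CAP=${CAP:-lan_vl2}                # veth end you tcpdump on
CAP_PEER=${CAP_PEER:-lan_vl2_p}    # veth end enslaved to the bridge
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_vlan_capture: make the bridge VLAN-aware, admit VID tagged on the
# trunk, and hand it out untagged on a dedicated access port
setup_vlan_capture() {
    # with vlan_filtering off, tagged frames are flooded to every port
    run ip link set "$BRIDGE" type bridge vlan_filtering 1
    # trunk keeps VID 1 as its untagged PVID; VID is admitted tagged
    run bridge vlan add dev "$TRUNK" vid "$VID"
    run ip link add "$CAP" type veth peer name "$CAP_PEER"
    run ip link set "$CAP_PEER" master "$BRIDGE" up
    run ip link set "$CAP" up
    # access port of VID: untagged egress, VID as ingress PVID, no VID 1
    run bridge vlan add dev "$CAP_PEER" vid "$VID" pvid untagged
    run bridge vlan del dev "$CAP_PEER" vid 1
}

# port_vids: normalise `bridge vlan show` text from stdin into one
# "port vid flags" line per membership; continuation lines (a bare vid, as
# both the old tab-separated and the newer column layout print them)
# inherit the port of the line above
port_vids() {
    awk '
        $1 == "port" { next }
        $1 ~ /^[0-9]+$/ { vid = $1; first = 2 }
        $1 !~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { port = $1; vid = $2; first = 3 }
        $1 !~ /^[0-9]+$/ && $2 !~ /^[0-9]+$/ { next }
        {
            flags = ""
            for (i = first; i <= NF; i++) flags = flags (i > first ? " " : "") $i
            print port, vid, flags
        }'
}

# vlan_membership TEXT PORT VID: print the flags of PORT's membership in
# VID (empty if it is a plain tagged member); exit 1 if PORT is not a member
vlan_membership() {
    printf '%s\n' "$1" | port_vids |
        awk -v p="$2" -v v="$3" '
            $1 == p && $2 == v { found = 1; $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }
            END { exit !found }'
}

# check_capture_port TEXT: succeed only when TRUNK carries VID tagged and
# CAP_PEER is an untagged PVID member of VID and not a member of VID 1
check_capture_port() {
    trunk_flags=$(vlan_membership "$1" "$TRUNK" "$VID") || return 1
    case " $trunk_flags " in *" Untagged "*) return 1 ;; esac
    peer_flags=$(vlan_membership "$1" "$CAP_PEER" "$VID") || return 1
    case " $peer_flags " in *" PVID "*" Untagged "*) ;; *) return 1 ;; esac
    if vlan_membership "$1" "$CAP_PEER" 1 >/dev/null; then return 1; fi
    return 0
}

# Constructed sample of `bridge vlan show` after the recipe has been applied
SAMPLE_OK='port              vlan-id
lan0              1 PVID Egress Untagged
                  2
lan1              1 PVID Egress Untagged
lan_vl2_p         2 PVID Egress Untagged
lan               1 PVID Egress Untagged'

# Constructed sample where the "bridge vlan del ... vid 1" step was skipped
SAMPLE_BAD='port              vlan-id
lan0              1 PVID Egress Untagged
                  2
lan_vl2_p         1 PVID Egress Untagged
                  2 Egress Untagged'

case "${1:-}" in
    apply) setup_vlan_capture ;;
    check) check_capture_port "$(bridge vlan show)" && echo "VLAN $VID access port $CAP_PEER looks right" ;;
esac
```

Run it as `sh vlan_capture.sh apply` as root (or with `DRY_RUN=1` first to review the command list), then `sh vlan_capture.sh check`. The check reads the membership back from the kernel rather than trusting that the commands ran, so it also catches the case the answer's last steps guard against: an access port that is still associated with VLAN 1 after being added to VLAN 2.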