Subject: Re: vlan(4), native vlan/vlan1, OpenBSD v.s. NetBSD behavior
To: Manuel Bouyer <firstname.lastname@example.org>
From: Brian A. Seklecki <email@example.com>
Date: 12/16/2005 01:19:43
> Are you sure it's not tagged ? Don't you see them also on vlan1 ?
> Some fxp devices support hardware 802.1q, and in this case tcpdump
> doesn't show you the vlan tag for packets received.
Yes; incoming is only seen on the physical. tcpdump(8) show no tag.
Outbound is seen in tcpdump(8) on both the logical (w/o) and physical
(with the tag).
Essentially the answer is: Don't use VLAN1 to isolate insecure devices.
Each vendor has different uses for it.
More insightful discussion at:
http://marc.theaimsgroup.com/?t=113459493000002&r=1&w=2 from tech@
> > [...]
> > So it seems that NetBSD has some "magic code"(r) to deal with the native
> > VLAN, because most admins assume that a VLAN router can see a VLAN1
> > interface on a trunk regardless if the packets are tagged or not.
> Packets received from an interface are passed to the IP stack, and
> the IP stack won't check the interface the packet came from, unless
> you set net.inet.ip.checkinterface to 1 (weak host model vs strong
> host model - both have pros and cons). So you could receive the packet from
> any interface (physical, or another vlan), it would be processed,
> it's not something magic with vlan1.
> OpenBSD may have a different default for net.inet.ip.checkinterface (if
> it's possible to choose at all the behavior on openbsd)