Subject: Re: vlan(4), native vlan/vlan1, OpenBSD v.s. NetBSD behavior
To: Manuel Bouyer <>
From: Brian A. Seklecki <>
List: tech-net
Date: 12/16/2005 01:19:43
> Are you sure it's not tagged ? Don't you see them also on vlan1 ?
> Some fxp devices support hardware 802.1q, and in this case tcpdump
> doesn't show you the vlan tag for packets received.

Yes; incoming is only seen on the physical.  tcpdump(8) show no tag. 
Outbound is seen in tcpdump(8) on both the logical (w/o) and physical
(with the tag).

Essentially the answer is: Don't use VLAN1 to isolate insecure devices. 
Each vendor has different uses for it.

More insightful discussion at: from tech@

Thx everyone.


> > [...]
> > So it seems that NetBSD has some "magic code"(r) to deal with the native 
> > VLAN, because most admins assume that a VLAN router can see a VLAN1 
> > interface on a trunk regardless if the packets are tagged or not.
> Packets received from an interface are passed to the IP stack, and
> the IP stack won't check the interface the packet came from, unless
> you set net.inet.ip.checkinterface to 1 (weak host model vs strong
> host model - both have pros and cons). So you could receive the packet from
> any interface (physical, or another vlan), it would be processed,
> it's not something magic with vlan1.
> OpenBSD may have a different default for net.inet.ip.checkinterface (if
> it's possible to choose at all the behavior on openbsd)