Configure VLANs on FreeBSD

If you have a switch, access point or other piece of network hardware that supports 802.1q VLAN tagging, and you'd like your FreeBSD system to recognize the tagged traffic, the configuration is straightforward. I'll use examples from my network to illustrate. My goal in this case, which I may write about in a separate post, was to create two segmented wifi networks: one for my main network and one for guests to connect to. I wanted the guest network to have access to the internet, but not to any of my other systems on the network.

I have a wireless access point that supports multiple SSIDs, and each SSID can be tagged as a VLAN.  Let’s say my two SSIDs are “Main” and “Guest.”  My access point is configured to tag everything on Main with VLAN ID 101, and everything on Guest with VLAN ID 102.  All the systems on Main will be on the 10.1.1.0/24 subnet and everything on Guest will be on the 10.1.2.0/24 subnet.

This access point is connected to the main switch on the network, which the FreeBSD box is also connected to. It's not a managed switch, but it does support oversized frames, which is required because 802.1q tagging adds data to the packet header and makes tagged packets larger than the standard size. One of my older hubs ended up dropping the tagged packets silently.

All of the configuration is in /etc/rc.conf.

The first thing to do is to list the VLANs that will be on the lan0 adapter:

vlans_lan0="101 102"

This will cause FreeBSD to create new "virtual" network adapters called lan0.101 and lan0.102. These function much like any other network card; you can use ifconfig on them.

Then, configure the actual addresses for the new virtual adapters:

ifconfig_lan0_101="inet 10.1.1.1/24"
ifconfig_lan0_102="inet 10.1.2.1/24"

Now reboot your system or run /etc/rc.d/netif restart, and you should see something like this in your ifconfig output:

lan0.101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1b:b9:8b:ca:33
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::210:b5ff:fe0d:9c75%lan0.101 prefixlen 64 scopeid 0x5
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
        vlan: 101 parent interface: lan0
lan0.102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1b:b9:8b:ca:33
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
        inet6 fe80::210:b5ff:fe0d:9c75%lan0.102 prefixlen 64 scopeid 0x6
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
        vlan: 102 parent interface: lan0

At this point, any incoming packets tagged with VLAN 101 or 102 will be recognized; note that the output clearly shows the VLAN tag and the physical parent adapter for each virtual interface. You may still need to set up routing and firewall rules for these subnets.
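As an added example (not code from the original post), here is a small POSIX shell script that builds the rc.conf lines above from a list of VLAN id/address pairs, rejecting ids outside the 802.1q range, and then checks ifconfig output to confirm that each lan0.<id> interface carries the expected tag and parent and is active. lan0 and the VLAN ids and addresses come from the post; the function names and the trimmed sample output are my own.

```shell
#!/bin/sh
# Added example, not from the post: emit rc.conf lines for 802.1q VLANs on one
# parent NIC, then confirm the child interfaces in ifconfig output. lan0 and the
# ids/addresses come from the post; function names and the sample are my own.

# Print rc.conf lines for PARENT from ID=ADDR/PREFIX args; ids outside the usable
# 802.1q range 1-4094 are rejected before anything is emitted.
vlan_rc_conf() {
    parent=$1; shift
    ids=""; lines=""
    for entry in "$@"; do
        id=${entry%%=*}; addr=${entry#*=}
        case $id in ''|*[!0-9]*) echo "bad VLAN id: $id" >&2; return 1 ;; esac
        if [ "$id" -lt 1 ] || [ "$id" -gt 4094 ]; then
            echo "VLAN id out of range: $id" >&2; return 1
        fi
        ids="$ids${ids:+ }$id"
        lines="$lines$(printf '\nifconfig_%s_%s="inet %s"' "$parent" "$id" "$addr")"
    done
    printf 'vlans_%s="%s"%s\n' "$parent" "$ids" "$lines"
}

# Read ifconfig output on stdin; succeed only if PARENT.ID is present, carries tag
# ID on PARENT (old and newer "vlan:" line layouts both handled), and is active.
vlan_verify() {
    awk -v parent="$1" -v id="$2" '
        $1 == parent "." id ":" { inblk = 1; next }  # header of the wanted interface
        /^[^ \t]/               { inblk = 0 }        # header of another interface
        inblk && $1 == "vlan:" && $2 == id && $NF == parent { tagged = 1 }
        inblk && /status: active/ { up = 1 }
        END { exit !(tagged && up) }'
}

# Constructed sample, trimmed from the post's output; lan0.102 is deliberately
# shown without carrier so the check's failure path is exercised.
SAMPLE_IFCONFIG='lan0.101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        status: active
        vlan: 101 parent interface: lan0
lan0.102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
        status: no carrier
        vlan: 102 parent interface: lan0'

vlan_rc_conf lan0 101=10.1.1.1/24 102=10.1.2.1/24
for id in 101 102; do   # on a live system: ifconfig | vlan_verify lan0 "$id"
    printf '%s\n' "$SAMPLE_IFCONFIG" | vlan_verify lan0 "$id" && echo "lan0.$id ok" || echo "lan0.$id NOT ok" >&2
done
```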
