
I've been banging my head against this for too long and would really appreciate a second opinion/sanity check:

LAN Interface eth1 is bridged together with OpenVPN tap0 on br0 (192.168.2.1). I would like to add subif eth1.100 to (bridged) eth1 for a guest VLAN that will provide Internet access only for a subset of LAN boxes (192.168.22.0/24).

Looks like this is not as straightforward as I thought, because any tagged traffic will apparently end up on the bridge via the host interface. Following suggestions from this thread

Linux Vlans over Bridge

I tried a 'dual-bridge' setup with eth1->eth.0->br0 and eth1->eth.100->br1, which stopped traffic cold on my existing br0 setup.

Second best option with 'ebtables -t broute -A BROUTING -i eth1 -p 802_1Q -j DROP' and eth1.100 only (no additional bridge) yields pretty much the same behavior as eth1.100 w/o the BROUTING table entry: I can ping the subif from localhost, but pings from clients within the VLAN return with a 50% loss rate and 'Destination host unreachable'.

All this on Debian 9.1, vlan v. 1.9-3.2, and bridge-utils v. 1.5-13.

Edited to provide some more detail: apparently, VLAN traffic hits the bridge, and I get "martian source 192.168.22.1 from 192.168.22.100 on dev br0" for pings from client 192.168.22.100 to eth1.100 (192.168.22.1). As I understand the above ebtables command, 'drop' in the broute table means 'route frame instead of bridge'. So is this happening here? If so, why would those packets be considered 'martian'?

Output of 'brctl show':

bridge Name | bridge id | STP enabled | Interfaces
br0 | 8000.a0b3cce4c5a9 | no | eth1+tap0

Output of 'ifconfig eth1':

flags=4163 mtu 1500
ether a0:b3:cc:e4:c5:a9 txqueuelen 1000 (Ethernet)

Output of 'ifconfig eth1.100':

flags=4163 mtu 1500
inet 192.168.22.1 netmask 255.255.255.0 broadcast 192.168.22.255
ether a0:b3:cc:e4:c5:a9 txqueuelen 1000 (Ethernet)

Output of 'ifconfig br0':

flags=4163 mtu 1500
inet 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
ether a0:b3:cc:e4:c5:a9 txqueuelen 1000 (Ethernet)

iptables:

iptables -A INPUT -i eth1.100 -j ACCEPT
iptables -A OUTPUT -o eth1.100 -j ACCEPT

iptables -A FORWARD -i eth1.100 -o $EXTERNAL_INTERFACE -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o eth1.100 -j ACCEPT

canut
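One way to set up the 'dual-bridge' arrangement the post mentions, written as an added example rather than the poster's own (untested) configuration: untagged LAN traffic keeps flowing eth1 -> br0 as before, while tagged VLAN 100 frames are taken off eth1 by eth1.100 and enslaved to a second bridge br1, which carries the guest address 192.168.22.1/24 itself (an address on a bridge port is ignored once the port is enslaved, so it goes on br1, not on eth1.100). The FORWARD rules block guest <-> LAN traffic explicitly and allow only guest -> uplink plus replies, which is the "Internet access only" policy from the post. The interface names, the default uplink name `eth0` and the `plan`/`apply` modes are assumptions of this script; the parent NIC and guest subnet come from the post.

```shell
#!/bin/sh
# Added example, not the poster's configuration: guest VLAN 100 on its own
# bridge br1, kept apart from the untagged LAN bridge br0 (eth1 + tap0).
# Assumed names: parent NIC eth1, guest bridge br1, LAN bridge br0, uplink
# taken from $EXTERNAL_INTERFACE (default "eth0" is a placeholder).
# Usage:  sh guest-vlan.sh plan     # print the commands only
#         sudo sh guest-vlan.sh apply  # run them (needs root)

PARENT="${PARENT:-eth1}"
VID="${VID:-100}"
GUEST_BR="${GUEST_BR:-br1}"
LAN_BR="${LAN_BR:-br0}"
GUEST_ADDR="${GUEST_ADDR:-192.168.22.1/24}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"   # placeholder uplink name

# Emit the commands, one per line, so they can be reviewed before they run.
guest_vlan_commands() {
    vlan_if="${PARENT}.${VID}"
    cat <<EOF
ip link add link ${PARENT} name ${vlan_if} type vlan id ${VID}
ip link add name ${GUEST_BR} type bridge
ip link set ${vlan_if} master ${GUEST_BR}
ip addr add ${GUEST_ADDR} dev ${GUEST_BR}
ip link set ${vlan_if} up
ip link set ${GUEST_BR} up
iptables -A FORWARD -i ${GUEST_BR} -o ${LAN_BR} -j DROP
iptables -A FORWARD -i ${LAN_BR} -o ${GUEST_BR} -j DROP
iptables -A FORWARD -i ${GUEST_BR} -o ${EXTERNAL_INTERFACE} -j ACCEPT
iptables -A FORWARD -i ${EXTERNAL_INTERFACE} -o ${GUEST_BR} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run each planned command, echoing it first; stops at the first failure.
guest_vlan_apply() {
    guest_vlan_commands | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Nothing happens unless a mode is given, so sourcing the file is harmless.
case "${1:-}" in
    plan)  guest_vlan_commands ;;
    apply) guest_vlan_apply ;;
esac
```

Run `plan` first and compare the output with `brctl show` / `ip -d link show eth1.100` afterwards: the VLAN device should report `master br1`, and br0 should still list only eth1 and tap0. The two DROP rules are deliberately placed before the ACCEPTs so that guest-to-LAN traffic is refused even if a later, broader ACCEPT is added.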