From: Isaac Meerleo <spritskillshot@gmail.com>
Subject: veb(4) link1 breaks vport(4) connectivity to igc(4) ports
To: tech@openbsd.org
Date: Mon, 16 Mar 2026 19:51:40 -0400

I am trying to create a sort of managed switch out of my OpenBSD box.
Effectively, my goal is to assign each IP to a NIC:

# Management
         mang_if = "vport0"
         mang_ip = "x.x.x.26"
# Home Network
         home_if = "igc0"
         home_ip = "x.x.x.27"
# Personal
         fugu_if = "igc1"
         fugu_ip = "x.x.x.28"
# Production
         prod_if = "igc2"
         prod_ip = "x.x.x.29"
# Buddy
         andy_if = "igc3"
         andy_ip = "x.x.x.30"

I did this with pf and veb(4). It works... sort of. With pf
running my ruleset and `ifconfig veb0 link1`, all the downlink
networks can reach the internet and are having a great time. But
when I ping or ssh to x.x.x.26 I get nothing. In fact, the
OpenBSD box doesn't have internet at all. Even if I `set skip on
lo` and `pass all`, ssh and ping to .26 fail. But if I
`ifconfig veb0 -link1`, all of a sudden I can touch interne
(even with the below pf.conf set). Is this a bug? Also, is there
a better approach?


edge# cat /etc/hostname.veb0
description "WAN Bridge"
add em0   # WAN
add igc0  # Home Network
add igc1  # Personal
add igc2  # Production
add igc3  # Buddy's Network
add vport0 # Host Management
link1
up

edge# cat /etc/pf.conf
# Home Network
         home_if = "igc0"
         home_ip = "x.x.x.27"
# Fugu Farm
         fugu_if = "igc1"
         fugu_ip = "x.x.x.28"
# Production
         prod_if = "igc2"
         prod_ip = "x.x.x.29"
# Andrew
         andy_if = "igc3"
         andy_ip = "x.x.x.30"


### Options
set skip on { lo vport0 }
set limit table-entries 1000000


# Normalize and de-fragment
match in all scrub (no-df random-id max-mss 1440)


### Meat and Potatos
block log all

# Allow Traffic on WAN Uplink
pass on em0

# Connect host stack to bridge
pass on vport0

pass  in on $home_if from $home_ip
pass out on $home_if to   $home_ip

pass  in on $fugu_if from $fugu_ip
pass out on $fugu_if to   $fugu_ip

pass  in on $prod_if from $prod_ip
pass out on $prod_if to   $prod_ip

pass  in on $andy_if from $andy_ip
pass out on $andy_if to   $andy_ip


edge# ls /etc/hostname.{em0,igc*} # All just contain "up"
/etc/hostname.em0       /etc/hostname.igc1      /etc/hostname.igc3
/etc/hostname.igc0      /etc/hostname.igc2

edge# cat /etc/hostname.vport0
inet x.x.x.26 255.255.255.0
up