I was running 1.4 epa2 (1.4-rolling-202404220305) on an APU4, with a LAN bridge configured for 2 of the LAN ethernet ports (eth1 and eth2) plus a USB-ethernet connection to a Raspberry Pi "ethernet gadget" (eth4).
I upgraded to VyOS Stream 1.5-2025-Q2 ("add system image...") and accepted the defaults to all the questions. When I rebooted into 1.5 Q2, I saw my client PC had no IPv4 address. I bounced the PC's ethernet interface a couple of times, no change. I consoled into the router (via a serial cable) and entered these lines:
set firewall global-options apply-to-bridged-traffic accept-invalid ethernet-type arp
set firewall global-options apply-to-bridged-traffic accept-invalid ethernet-type dhcp
And my PC immediately received an IPv4 address.
Here are what I think are the relevant parts of the 1.4 config, indicating the LAN bridge and the interface definitions.
interfaces {
bridge br0 {
address "192.168.1.1/24"
address "fd01:redacted::1/64"
description "Bridge LAN"
enable-vlan
ipv6 {
address {
autoconf
}
}
member {
interface eth1 {
allowed-vlan "10"
allowed-vlan "50"
native-vlan "1"
}
interface eth2 {
native-vlan "1"
}
interface eth4 {
native-vlan "1"
}
}
vif 10 {
address "192.168.10.1/24"
address "fd10:redacted::1/64"
description "VLAN10"
ipv6 {
address {
autoconf
}
}
}
vif 50 {
address "192.168.50.1/24"
address "fd50:redacted::1/64"
description "VLAN50"
ipv6 {
address {
autoconf
}
}
}
}
ethernet eth0 {
address "dhcp"
address "dhcpv6"
description "OUTSIDE"
dhcpv6-options {
duid "00:01:00:01:2d:f1:17:redacted"
no-release
pd 0 {
interface br0 {
address "1"
sla-id "1"
}
interface br0.10 {
address "1"
sla-id "2"
}
interface br0.50 {
address "1"
sla-id "5"
}
interface eth3 {
address "1"
sla-id "3"
}
length "56"
}
rapid-commit
}
hw-id "redacted"
ipv6 {
address {
autoconf
}
}
offload {
gro
gso
sg
tso
}
redirect "ifb0"
}
ethernet eth1 {
hw-id "redacted"
offload {
gro
gso
sg
tso
}
}
ethernet eth2 {
hw-id "redacted"
offload {
gro
gso
sg
tso
}
}
ethernet eth3 {
address "192.168.3.1/24"
address "fd03:redacted::1/64"
description "ETH3_LAN"
hw-id "redacted"
ipv6 {
address {
autoconf
}
}
offload {
gro
gso
sg
tso
}
}
ethernet eth4 {
hw-id "redacted"
}
input ifb0 {
}
loopback lo {
}
}

Here are the IPv4 DHCP server settings:
service {
dhcp-server {
shared-network-name ETH3_LAN {
authoritative
subnet 192.168.3.0/24 {
default-router "192.168.3.1"
domain-name "localdomain"
lease "86400"
name-server "1.1.1.1"
name-server "1.0.0.1"
ping-check
range 0 {
start "192.168.3.10"
stop "192.168.3.100"
}
}
}
shared-network-name LAN {
authoritative
subnet 192.168.1.0/24 {
default-router "192.168.1.1"
domain-name "localdomain"
lease "86400"
name-server "192.168.1.120"
ping-check
range 0 {
start "192.168.1.10"
stop "192.168.1.100"
}
}
}
shared-network-name VL10_LAN {
authoritative
subnet 192.168.10.0/24 {
default-router "192.168.10.1"
domain-name "localdomain"
lease "86400"
name-server "1.1.1.1"
name-server "1.0.0.1"
ping-check
range 0 {
start "192.168.10.10"
stop "192.168.10.100"
}
}
}
shared-network-name VL50_LAN {
authoritative
subnet 192.168.50.0/24 {
default-router "192.168.50.1"
domain-name "localdomain"
lease "86400"
name-server "9.9.9.9"
name-server "149.112.112.112"
ping-check
range 0 {
start "192.168.50.10"
stop "192.168.50.100"
}
}
}
}

And here are the firewall global options in 1.4 (prior to the migration):
global-options {
all-ping "enable"
broadcast-ping "disable"
ip-src-route "disable"
ipv6-receive-redirects "disable"
ipv6-src-route "disable"
log-martians "disable"
receive-redirects "disable"
send-redirects "disable"
source-validation "disable"
state-policy {
established {
action "accept"
}
invalid {
action "drop"
}
related {
action "accept"
}
}
syn-cookies "enable"
twa-hazards-protection "disable"
}

Here are the firewall global options in the 1.5 Stream installation after I manually applied the global-options commands (above):
firewall {
global-options {
all-ping "enable"
apply-to-bridged-traffic {
accept-invalid {
ethernet-type "dhcp"
ethernet-type "arp"
}
}
broadcast-ping "disable"
ip-src-route "disable"
ipv6-receive-redirects "disable"
ipv6-src-route "disable"
log-martians "disable"
receive-redirects "disable"
send-redirects "disable"
source-validation "disable"
state-policy {
established {
action "accept"
}
invalid {
action "drop"
}
related {
action "accept"
}
}
syn-cookies "enable"
twa-hazards-protection "disable"
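}

I only received an IPv4 address from the 1.5 Stream Q2 install after I applied those "global-options apply-to-bridged-traffic accept-invalid" config statements. (I actually performed the entire upgrade process twice to be sure of what I was seeing.) Note that the state-policy is identical in both versions (invalid is set to "drop" in each); the only difference after the fix is the accept-invalid exemption for ARP and DHCP on bridged traffic. That suggests 1.5 is applying the global invalid-drop policy to frames crossing br0, which 1.4 apparently did not do.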