Re: bridge with access on both interfaces

From: Bruce A. Mah (bmah_at_FreeBSD.org)
Date: 12/25/03

    Date: Thu, 25 Dec 2003 12:52:12 -0800
    To: Ian Smith <smithi@nimnet.asn.au>
    
    
    

    If memory serves me right, Ian Smith wrote:

    > In short, ifconfig appears unwilling to have two NICs covering the same
    > /24. Can this be set up? I'm also at a bit of a loss with the routing,
    > so inside packets to the bridge box (ie unbridged packets) are responded
    > to on the same interface, and outside unbridged packets go only to/from
    > the gw. Some tcpdumps on both in and outside interfaces suggest an ARP
    > response problem also, perhaps; no responses on the inside iface at all.

    Hi Ian--

    This may or may not be the source of your problem, but I've been
    procrastinating on writing this up for a couple months and this was
    the impetus that pushed me over the edge.

    In 4-STABLE, there's a bug that prevents ARP from working correctly on
    unnumbered bridge interfaces when bridging is enabled using the
    bridge.ko module. Basically, there are some checks in the ARP code
    that decide when to accept inbound ARP packets. These checks are a
    little different when the inbound interface is part of a bridge group.
    Some of these tests are conditional on the BRIDGE preprocessor symbol;
    this symbol gets defined if "options BRIDGE" is compiled into the
    kernel but not if you use the bridge.ko module. As a result, ARP
    packets on unnumbered interfaces get thrown away.

    The workaround for this problem is just to compile BRIDGE into the
    kernel. Manuel Kasper and I spent a few cycles working on this trying
    to make a m0n0wall box into a filtering bridge.

    For more specifics, see src/sys/netinet/if_ether.c (grep for BRIDGE in
    this file).

    Merry Christmas!

    Bruce.
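
A simplified model of the failure mode described in the message above, added here as an illustration; it is not code from if_ether.c, from the author of the message or from the FreeBSD project. The interface table, the function names and the assumed shape of the check (a bridge-aware test that accepts a target address configured on any interface) are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not FreeBSD source. addr == 0 means "unnumbered". */
struct iface { const char *name; uint32_t addr; };

static const struct iface ifs[] = {
    { "inside",  0 },            /* unnumbered bridge member */
    { "outside", 0xC0000201u },  /* 192.0.2.1, constructed sample address */
};
#define NIFS (sizeof(ifs) / sizeof(ifs[0]))

static int do_bridge = 1;        /* runtime switch: bridging is enabled */

/* Assumed shape of the check: the ARP target must be one of our addresses.
 * Normally it must be configured on the receiving interface; when
 * bridge_test is nonzero, an address on any interface is good enough. */
static bool accept_arp(size_t rcvif, uint32_t target, int bridge_test)
{
    for (size_t i = 0; i < NIFS; i++) {
        if (ifs[i].addr == 0 || ifs[i].addr != target)
            continue;
        if (bridge_test || i == rcvif)
            return true;
    }
    return false;                /* packet is thrown away */
}

/* Kernel built with "options BRIDGE": the relaxed test follows do_bridge. */
static bool accept_builtin(size_t rcvif, uint32_t target)
{
    return accept_arp(rcvif, target, do_bridge);
}

/* Kernel using bridge.ko: BRIDGE was undefined when the ARP code was
 * compiled, so the relaxed test is a constant 0 whatever do_bridge says. */
static bool accept_module(size_t rcvif, uint32_t target)
{
    return accept_arp(rcvif, target, 0);
}

int main(void)
{
    for (size_t i = 0; i < NIFS; i++)
        printf("%-8s builtin=%d module=%d\n", ifs[i].name,
               accept_builtin(i, 0xC0000201u), accept_module(i, 0xC0000201u));
    return 0;
}
```

In the model, only the ARP packet arriving on the unnumbered interface is treated differently by the two builds, which matches the symptom of no ARP responses on the inside interface.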
