5.4-stable, 802.1q vlans, ipfw, and bridging??

From: Viren Patel (virenp_at_mail.utexas.edu)
Date: 07/15/05

  • Next message: Nathanael M Van Vorst: "netgraph question"
    Date: Fri, 15 Jul 2005 11:13:56 -0500 (CDT)
    To: freebsd-net@freebsd.org
    
    

    Hello. I am trying to set up a bridging firewall between
    multiple 802.1q vlans. Vlans 1 and 2 are public and vlans
    3 and 4 are private. Vlans 1 and 3 are to be bridged, as
    are vlans 2 and 4. Router/switches are Cisco. My setup is
    as follows:

    Firewall:

    PC with Intel Pro/1000 MT dual-port server adapter

    Operating System:

    FreeBSD 5.4-stable

    Kernel config:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_FORWARD
    options IPDIVERT
    options IPSTEALTH
    options BRIDGE
    device vlan

    /etc/sysctl.conf:

    net.link.ether.bridge.enable=1
    net.link.ether.bridge.config=vlan1:1,vlan3:1,vlan2:2,vlan4:2
    net.link.ether.bridge.ipfw=1

    /etc/rc.conf:

    network_interfaces="em0 em1 lo0"
    ifconfig_em0="up promisc vlanhwtag"
    ifconfig_em1="up promisc vlanhwtag"

    cloned_interfaces="vlan1 vlan2 vlan3 vlan4"
    ifconfig_vlan1="vlan1 vlan 1 vlandev em0"
    ifconfig_vlan2="vlan2 vlan 2 vlandev em0"
    ifconfig_vlan3="vlan3 vlan 3 vlandev em1"
    ifconfig_vlan4="vlan4 vlan 4 vlandev em1"

    ipfirewall_enable="YES"
    ipfirewall_type="OPEN"
    ipfirewall_quiet="NO"
    ipfirewall_logging="YES"

    Vlans 1 and 2 are trunked to em0 and vlans 3 and 4 are
    trunked to em1.

    The firewall does not seem to be functioning correctly. A
    PC on private vlan is not able to connect out. In the open
    firewall configuration as above, I would expect all
    traffic to be passed from private to public vlans and
    vice-versa.

    Starting a steady ping on the private PC, then capturing
    vlan traffic on the firewall via tcpdump shows arp
    requests on the private vlan, and corresponding arp
    requests on the public vlan, but no arp replies.

    Sniffing the physical interfaces on the firewall shows the
    802.1q frames.

    Sniffing the public vlan via a third host, however, does not
    show any arp traffic at all. So it seems the vlan bridging
    is working on the firewall; however, the packets are not
    being put out on the parent interface of the public vlan.

    What am I doing wrong?

    Viren

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
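Added example, not part of the message above and not FreeBSD's own code: a POSIX sh check that takes a net.link.ether.bridge.config string in the iface:cluster form used in the post and the rc.conf vlan lines, and verifies that every bridged interface is actually defined with a vlandev and that each cluster spans more than one physical parent (two vlans bridged on the same trunk only loop the switch back to itself and never cross the firewall). The sample strings are copied from the post and embedded inline, plus a constructed broken variant; the script reads nothing from a live system and does not diagnose the missing ARP replies described above, it only catches configuration mistakes of this kind before they reach sysctl.conf.

```shell
#!/bin/sh
# Added example: sanity-check a FreeBSD 5.x net.link.ether.bridge.config string
# (iface:cluster pairs) against the rc.conf vlan definitions. The sample data
# below is copied from the post and constructed here; nothing is read from a
# live system, so this runs anywhere with a POSIX sh, sed and awk.

# Constructed sample: the poster's bridge clusters and rc.conf vlan lines.
BRIDGE_CONFIG='vlan1:1,vlan3:1,vlan2:2,vlan4:2'
RC_CONF='cloned_interfaces="vlan1 vlan2 vlan3 vlan4"
ifconfig_vlan1="vlan1 vlan 1 vlandev em0"
ifconfig_vlan2="vlan2 vlan 2 vlandev em0"
ifconfig_vlan3="vlan3 vlan 3 vlandev em1"
ifconfig_vlan4="vlan4 vlan 4 vlandev em1"'

# Constructed broken variant: cluster 1 bridges two vlans that both ride em0,
# and cluster 2 references vlan9, which rc.conf never defines.
BAD_BRIDGE_CONFIG='vlan1:1,vlan2:1,vlan9:2'

# parent_of IFNAME RC_CONF: print the vlandev parent of a vlan interface,
# or nothing if rc.conf has no ifconfig_<IFNAME> line with a vlandev.
parent_of() {
    printf '%s\n' "$2" |
        sed -n "s/^ifconfig_$1=\"[^\"]*vlandev \([a-z0-9]*\).*/\1/p"
}

# check_clusters BRIDGE_CONFIG RC_CONF
# Every member of a cluster must be a defined vlan interface, and the members
# must span at least two parents: a cluster whose members all hang off the same
# trunk just bridges the switch back to itself and never crosses the firewall.
# Prints one line per cluster; returns 0 only if every cluster passes.
check_clusters() {
    _cfg=$1 _rc=$2 _status=0
    for _c in $(printf '%s\n' "$_cfg" | tr ',' '\n' | cut -d: -f2 | sort -u); do
        _parents='' _problem=''
        for _m in $(printf '%s\n' "$_cfg" | tr ',' '\n' |
                    awk -F: -v c="$_c" '$2 == c { print $1 }'); do
            _p=$(parent_of "$_m" "$_rc")
            if [ -z "$_p" ]; then
                _problem="$_problem $_m:undefined"
            else
                _parents="$_parents $_p"
            fi
        done
        # Count distinct parents; awk prints a clean integer even when none.
        _nparents=$(printf '%s\n' $_parents | sort -u |
                    awk 'NF { n++ } END { print n + 0 }')
        if [ -n "$_problem" ]; then
            echo "cluster $_c: FAIL$_problem"; _status=1
        elif [ "$_nparents" -lt 2 ]; then
            echo "cluster $_c: FAIL members share one parent ($_parents )"; _status=1
        else
            echo "cluster $_c: OK parents$_parents"
        fi
    done
    return $_status
}

# The poster's own config passes: cluster 1 spans em0/em1, as does cluster 2.
check_clusters "$BRIDGE_CONFIG" "$RC_CONF"
```

Run it as-is to see the two OK lines for the posted config; call check_clusters with BAD_BRIDGE_CONFIG to see both failure modes reported. On a real box the two strings would come from sysctl.conf and rc.conf rather than being pasted in.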

