net.link.ether.bridge.config effeciency for more then 2 interfaces?

I'm trying to get a vlan based firewall working, but having a problem with ARP & DHCP not working well
(dhcp could be maybe not working well because of ARP)

The network is setup:
IP: xyz.zyx.xzy.0/24
[ISP router -> ISP Switch] -> firewall ->{vlans-tagged}->layer2 switch->other switches
(I don't have the authoritzation to put the firewall between the ISP router/switch unfortunatly)

I've configured a local layer2 managed switch to have all vlans as tagged on port 1, and then configured two ports per vlan.

In the firewall I have it configured as follows:
network cards:
fxp0 -> to the ISP switch (.14/28)
fxp1 -> unused at the moment
fxp2 -> receives the vlans
vlan3 vlan 3 vlandev fxp2; (IP:.17/28)
vlan4 vlan 4 vlandev fxp2; (IP:.33/27)
vlan5 vlan 5 vlandev fxp2; (IP:.65/26)
vlan7 vlan 7 vlandev fxp2; (IP.129/25)
vlan8 vlan 8 vlandev fxp2; (IP:10.1.0.0/16) (nat is arranged by PF to .13 on fxp0)

Having only gateway_enable="YES" in rc.conf, the traffic between vlans flows fine (until I put in IPFW restrictions that is), but from vlans to internet it doesn't (ping to router doesn't work). So I decided simply to bridge all the vlans together (if you have a possible solution around this, I'd appreciate it!). And that's where my problem begins.

For what could be best described as 'political' reasons, I want at all costs to avoid having the ISP router reconfigured (the ISP is ready to do it, people here aren't)
if I configure net.link.ether.bridge.config=fxp0,vlan7 for example, all is fine. Traffic flows normally. If I configure net.link.ether.bridge.config=fxp0,vlan3,vlan7 then I start having major problems with arp requests making it through. DHCP is as well seriously affected, leaving computers in a pretty bad situation. CPU usage in either case ranges from 2-4% (internet's only a SDSL link, so it's no trouble for the firewall)

I've put below a summary of the loaded ipfw rules. I sorta think my problem could be related to the bridging of arps, but I'm not unconvinced that the traffic shapping is affecting as well although the firewall rules don't change, only the bridge configuration to go from problematic to OK.

I thank you all for your time,
Andrew

ipfw.rules:
----------
1 allow ip from ...0/24 to ...0/24
100 count ip from any to any via fxp0
...
108 count ip from any to any via vlan8
201 - 205 allow tcp/udp ssh,dhcp,snmp and dns
300 - deny netbios traffic
401&402 - pipe 10/11 (bw 300kbps, mask src/dst 0x000000ff) // max speed per computer
410-420 allow some stuff like web/email to go to max speed
490&491 - pipe 30/31 (bw 1000kbps) // max speed for 'bulk' stuff like P2P, FTP...
492&493 - pipe 20/21 (bw 200kbps, mask src/dst 0x000000ff) // max bulk speed per computer
65535 - allow all





_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"

Relevant Pages