Multiple if_bridge devices
- From: Chris <eagletree@xxxxxxxxxx>
- Date: Tue, 29 Jan 2008 11:58:53 -0800
(I am reposting this. I posted to FreeBSD-Questions but
it appears OT for that list. I didn't come here first
because I felt it was too non-technical, but I'd appreciate
any insights)
I have 3 transparent firewalls on 3 T1s with a LAN behind each
supporting multiple servers.
Existing:
Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3
These firewalls are workstation class computers running
FreeBSD 6.2, if_bridge and ipfw. This has worked quite well
with the exception of hardware failures because of the
workstations hardware. I can afford one server-class blade
with 3 2-port NICs, but not three complete quality servers.
I would like to get to one firewall machine yet maintain the
isolation of the circuits and servers.
Target: 1 firewall, 4 nics, if_bridge (1 bridge) and ipfw
AllServers<->Switch<->FreeBSD Firewall<->T1 Router1
<->T1 Router2
<->T1 Router3
or
1 firewall 6 nics, if_bridge (3 bridges) and ipfw
Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1
Servers2<->Switch2<-> <->T1 Router2
Servers3<->Switch3<-> <->T1 Router3
Initially I designed the replacement using a single if_bridge
with a single LAN backbone as shown first here. After trying
to design the rules, I concluded that it was either illogical
or beyond my ipfw rule skills. Then it occurred to me to try
to run three if_bridge devices as shown in the second Target
One box, 6 NICs, 3 networks kept isolated for arp but
IP-managed in a single instance of ipfw.
I got as far as attempting this:
ifconfig bridge0 create
ifconfig bridge0 addm rl0 addm em0 up
ifconfig bridge1 create
ifconfig bridge1 addm vx0 up
It created the devices but obviously is not something I could
test to see if it actually worked as two discrete bridges. I've
no additional hardware, but before I buy anything, I thought
I could simply ask if if_bridge is meant to do this. I have
googled, checked man (if_bridge, ipfirewall, ipfw), and the
handbook, but I can't find anywhere that specifically says
if_bridge is designed to support multiple bridges on one
computer.
My questions are:
1. Is if_bridge designed to support more than one bridge
on a single machine by creating multiple bridge devices (only,
of course with multiple NICs on the second and tertiary
bridges)?
2. If so, does it retain complete isolation of the bridges (e.g.
for ARP) while allowing ipfw to examine all three simultaneously?
3. Should I be exploring a different FreeBSD route to
implement this.
Thank you,
Chris Pratt
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: Multiple if_bridge devices
- From: Andrew Thompson
- Re: Multiple if_bridge devices
- Prev by Date: Re: VLAN problems
- Next by Date: Re: kern/119548: [pf] [ath] [patch] PF Altq with ath hostap problem
- Previous by thread: tcp-md5 check for incomming connection
- Next by thread: Re: Multiple if_bridge devices
- Index(es):
Relevant Pages
|
