Re: Multiple if_bridge devices


On Jan 29, 2008, at 12:31 PM, Andrew Thompson wrote:

On Tue, Jan 29, 2008 at 11:58:53AM -0800, Chris wrote:
(I am reposting this. I posted to FreeBSD-Questions but
it appears OT for that list. I didn't come here first
because I felt it was too non-technical, but I'd appreciate
any insights)

I have 3 transparent firewalls on 3 T1s with a LAN behind each
supporting multiple servers.

Existing:
Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3

...
I got as far as attempting this:

ifconfig bridge0 create
ifconfig bridge0 addm rl0 addm em0 up
ifconfig bridge1 create
ifconfig bridge1 addm vx0 up

It created the devices but obviously is not something I could
test to see if it actually worked as two discrete bridges. I've
no additional hardware, but before I buy anything, I thought
I could simply ask if if_bridge is meant to do this. I have
googled, checked man (if_bridge, ipfirewall, ipfw), and the
handbook, but I can't find anywhere that specifically says
if_bridge is designed to support multiple bridges on one
computer.

My questions are:

1. Is if_bridge designed to support more than one bridge
on a single machine by creating multiple bridge devices (only,
of course with multiple NICs on the second and tertiary
bridges)?

Yes, the number of bridges are unlimited except by resources (memory).

2. If so, does it retain complete isolation of the bridges (e.g.
for ARP) while allowing ipfw to examine all three simultaneously?

The bridges are completly seperate. Note that you can only add a nic to
one bridge at a time, so you could have 6 nics, two per bridge.

3. Should I be exploring a different FreeBSD route to
implement this.

Maybe the private flag on interfaces could help you here? You can put
the three server networks on different nics (or vlans) and set the
private flag, this stops all traffic going between them. See the
bridging section of the Handbook for an example or my slides here
http://conference.nznog.org/presentations/20080125_01-01-bridge- seperation_andrew-thompson.pdf

Thank you very much. That gives me enough assurance to proceed
as it looks like either method would be safe for the routers. I missed
the significance of the private flag in the handbook first time. It
suggests a bridge0-only implementation would restrict the routers
from receiving each others arp if the 3 WAN interfaces had it set.
Thanks again.

_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Multiple if_bridge devices
    ... FreeBSD 6.2, if_bridge and ipfw. ... with 3 2-port NICs, but not three complete quality servers. ... I would like to get to one firewall machine yet maintain the ... test to see if it actually worked as two discrete bridges. ...
    (freebsd-net)
  • Re: Do I really need all these bridges?
    ... you don't tell us what the numerous NICs are used ... >> My computer is a Portable with built in Wireless NIC ... >> From what I can tell the Bridges being built by XP are ... >> overly complicating my network and interfering with my ...
    (microsoft.public.windowsxp.network_web)
  • Re: Multiple if_bridge devices
    ... supporting multiple servers. ... ifconfig bridge0 addm rl0 addm em0 up ... test to see if it actually worked as two discrete bridges. ... one bridge at a time, so you could have 6 nics, two per bridge. ...
    (freebsd-net)