Date: Thu, 16 Oct 2003 11:05:50 +0200
From: Mark Daniel Reidel <mark@removetomailme.reidel.info>
To: freebsd-net@freebsd.org
Subject: VLANs and bridging
Message-ID: <3F8E5F6E.4090105@removetomailme.reidel.info>
Hello,

I'm having a network-problem I cannot solve myself and am hoping you could point me in the right direction.

I'm currently hosting a lot of computers, all in the same subnet. Since there are administrative servers, hosting-servers, and so on, I want to limit access from one logical group to the other. However, the computers are at physically totally scattered locations, some in the same rack, some not. It's impossible for me to divide the network into subnets, keep that in mind.

My idea was to install several VLANs, each of them holding a group of computers, and connecting them via a filtering bridge. So my setup looks like this:

    +--------+   +--------+   +--------+
    | Switch |---| Switch |---| Switch |
    +--------+   +--------+   +--------+
        |            |            |
        |            |            |
     Computers   Computers   FreeBSD Machine
                                  |
                                  \-- Internet

The obvious drawback is that all the traffic between the VLANs would have to pass through this bridge, but most of the traffic will pass to the internet and back; the traffic between the VLANs is not that much but nevertheless important.

For testing, I used a FXP-card and did NOT connect the box to the internet, just to the switch. The switch was configured to give tagged packets to the BSD-machine and non-tagged to all other ports. I compiled the BRIDGE into the kernel and set up two VLANs to test:

    ifconfig fxp0 up
    ifconfig vlan1 create
    ifconfig vlan2 create
    ifconfig vlan1 vlan 1 vlandev fxp0
    ifconfig vlan2 vlan 2 vlandev fxp0

The next step was to set up a bridge between vlan1 and vlan2:

    sysctl net.link.ether.bridge=1
    sysctl net.link.ether.bridge_cfg=vlan1,vlan2

And then: nothing happens. It simply doesn't work. Using tcpdump shows me that there are ARP-packets trying to be sent and the bridge seems to be forwarding those, but I never get an answer-packet. There was no packet-filter active at this moment, so I assume there is a problem with bridging VLANs (since bridging fxp0 to rl0 works flawlessly).
My question now is: I've read in some mails that bridging between tagged VLANs is currently not working really well. So what am I to do? Is there a better solution (besides subnets and using a gateway)? Is there a way to make it work? I also read about netgraph bridging but as I understand, there's no way to make it filter packets.

Any suggestions or hints?

- Mark
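As an added illustration (not part of the mail above and not FreeBSD's bridge code), the following Python model shows what a filtering bridge joining two tagged VLANs on a single trunk NIC has to do: a frame arriving tagged for VLAN 1 must be re-tagged for VLAN 2 (and vice versa) before it is sent back out the same port, and a policy decides which frames cross. The VLAN IDs 1 and 2 come from the mail; the MAC/IP addresses, ARP payload and the policy itself are constructed for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6

def build_tagged_frame(dst, src, vid, ethertype, payload):
    """Build an 802.1Q-tagged Ethernet frame (priority 0, CFI 0, 12-bit VID)."""
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, vid & 0x0FFF, ethertype) + payload

def parse_tagged_frame(frame):
    """Return (dst, src, vid, ethertype, payload) for a tagged frame, None if untagged."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_VLAN:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return frame[:6], frame[6:12], tci & 0x0FFF, ethertype, frame[18:]

def arp_request(sender_mac, sender_ip, target_ip):
    """Constructed ARP 'who-has' payload (hw=Ethernet, proto=IPv4, opcode 1)."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)

def policy(in_vid, out_vid, ethertype, payload):
    """Constructed filter: ARP may cross both ways so hosts can resolve each other;
    IPv4 is accepted only when it enters from VLAN 1 (the 'admin' group). Being
    stateless, this also drops IPv4 replies coming back from VLAN 2, which is why a
    real filtering bridge is paired with a stateful packet filter."""
    if ethertype == ETHERTYPE_ARP:
        return True
    return ethertype == ETHERTYPE_IPV4 and in_vid == 1

def bridge_forward(frame, vlan_pair=(1, 2), allowed=policy):
    """Re-tag a frame from one VLAN of the pair for the other VLAN. Returns the
    outgoing frame, or None if the frame is untagged, belongs to a VLAN the bridge
    does not join, or is rejected by the policy."""
    parsed = parse_tagged_frame(frame)
    if parsed is None:
        return None
    dst, src, vid, ethertype, payload = parsed
    if vid not in vlan_pair:
        return None
    out_vid = vlan_pair[1] if vid == vlan_pair[0] else vlan_pair[0]
    if not allowed(vid, out_vid, ethertype, payload):
        return None
    return build_tagged_frame(dst, src, out_vid, ethertype, payload)

if __name__ == "__main__":
    # Constructed sample: a host in VLAN 1 asks who has 10.0.0.20, which lives in VLAN 2.
    mac = b"\x00\x11\x22\x33\x44\x55"
    req = arp_request(mac, bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20]))
    out = bridge_forward(build_tagged_frame(BROADCAST, mac, 1, ETHERTYPE_ARP, req))
    print("forwarded to VLAN", parse_tagged_frame(out)[2])  # prints 2
```

If tcpdump on the trunk shows the request leaving with the original tag rather than the peer VLAN's tag, the switch never delivers it to the other group, which matches the symptom of requests going out and no replies coming back.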