From owner-freebsd-isp@FreeBSD.ORG Wed Aug 30 11:11:39 2006
From: Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
To: freebsd-isp@freebsd.org
Date: Wed, 30 Aug 2006 13:11:35 +0200
Subject: Router Tweaked
Message-ID: <44F57267.2000202@ide.resurscentrum.se>
List-Id: Internet Services Providers

Hi.

I have a problem, or maybe I should see it as a challenge.

We offer broadband services and we buy the connection to our customers from another company with an infrastructure built on Cisco technology. Our customers are delivered to us on a unique VLAN per customer. In their core net they use a technology called QinQ - a bunch of VLANs with an extra VID to be able to scale the network more easily. For example, all customers from one DSLAM have their unique VID, but from that site and through the rest of the network they all belong to the same QinQ VID.

The downside to using this technology (QinQ) is that we lose some of the virtual functions of the VLANs. For example, the MAC tables are not separated any longer - we have one table for each QinQ VLAN and not one for each VLAN. This means that we as ISP cannot use if_bridge to bridge a bunch of VLANs together, because this will mess up the FDB in the Cisco switches - one MAC address will belong to more than one port in a switch in the same FDB. This wouldn't be a problem if they weren't using QinQ, because then each VLAN would have its own FDB in each switch.

My goal is to build a router based on *BSD (preferably FreeBSD) with a VLAN IF for each customer linked to a bridge, so that I could use one (1) IP per customer and not waste 3 IPs on net-, gateway- and broadcast addresses for each customer, as I would if I routed each customer in the normal fashion.

                                                               _____________________
                             ___________                      |                     |
  Customer1; VID 100---\    |           |                     |/em0.100--\          |
                        > QinQ VID 1----P1|CiscoSwitch|P2---VID 100,200----em0| FreeBSD |>-bridge0|
  Customer2; VID 200---/    |___________|                     |\em0.200--/          |
                                                              |_____________________|

The solution above is non-working out of the box because of the QinQ. One solution is to put an ARP proxy (net.link.ether.inet.proxyall ?) that would spoof all the IPs connected to the client IFs. Or maybe PF/IPFW have some magic I could use to redirect client-to-client traffic via loopback.

Of course Cisco has a solution to this (since they invented the "problem" :-)) based on an IP-less IF (for the customer), a local loopback IF acting as gateway, and ARP proxy for communication between customers.

I have put this out there before with no good results. Is there anyone out there with any good thoughts on this that may help me on the way?

Additionally, I want to be able to trace my customer's IP back to their VLAN if someone gives me a time and an IP address.

Any thoughts or hints are appreciated.

/Jon
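The last requirement in the post above, tracing an IP address back to a customer VLAN for a given point in time, is the part an operator can solve independently of how the bridging question is settled: the router only has to record when each address was bound to and released from a customer VLAN interface (em0.100, em0.200, ...), and the lookup becomes an interval search. The following is an added example written for this reply, not code from the original message or from FreeBSD. The log format it parses is a hypothetical one-line-per-event format ("<UTC timestamp> <vlan-if> <mac> <ip> bound|released"), and the sample log lines are constructed for the demonstration; the interface names follow the em0.<VID> convention from the diagram.

```python
"""Look up which customer VLAN held an IP address at a given time.

Assumed (hypothetical) log format, one event per line:
    <ISO-8601 UTC timestamp> <vlan-if> <mac> <ip> <bound|released>
All sample data below is constructed for this example.
"""
from datetime import datetime

# Constructed sample log: 10.0.0.10 is first bound on em0.100, released,
# and later re-used by a different customer on em0.300.
SAMPLE_LOG = """\
2006-08-30T09:00:00Z em0.100 00:11:22:33:44:55 10.0.0.10 bound
2006-08-30T09:05:00Z em0.200 00:11:22:33:44:66 10.0.0.11 bound
2006-08-30T10:30:00Z em0.100 00:11:22:33:44:55 10.0.0.10 released
2006-08-30T10:45:00Z em0.300 00:11:22:33:44:77 10.0.0.10 bound
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse the log's UTC timestamp into a naive datetime (all times are UTC)."""
    return datetime.strptime(text, TS_FORMAT)


def parse_log(text):
    """Return the events as (ts, vlan_if, mac, ip, state) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, vlan_if, mac, ip, state = line.split()
        if state not in ("bound", "released"):
            raise ValueError("unknown state %r in line %r" % (state, line))
        events.append((parse_ts(ts), vlan_if, mac, ip, state))
    events.sort(key=lambda e: e[0])
    return events


def build_intervals(events):
    """Fold bound/released events into half-open intervals per IP.

    Result: {ip: [(start, end_or_None, vlan_if, mac), ...]}.  An interval with
    end None is still active.  A second 'bound' for an IP that was never
    released closes the earlier binding at that time (assumption: the
    newest binding wins, which is what the switch FDB would also reflect).
    """
    active = {}
    intervals = {}
    for ts, vlan_if, mac, ip, state in events:
        if ip in active:
            start, prev_if, prev_mac = active.pop(ip)
            intervals.setdefault(ip, []).append((start, ts, prev_if, prev_mac))
        if state == "bound":
            active[ip] = (ts, vlan_if, mac)
    for ip, (start, vlan_if, mac) in active.items():
        intervals.setdefault(ip, []).append((start, None, vlan_if, mac))
    return intervals


def who_had(intervals, ip, when):
    """Return (vlan_if, mac) holding `ip` at datetime `when`, or None."""
    for start, end, vlan_if, mac in intervals.get(ip, []):
        if start <= when and (end is None or when < end):
            return vlan_if, mac
    return None


def lookup(log_text, ip, when_text):
    """Convenience wrapper: log text + IP + timestamp string -> (vlan_if, mac) or None."""
    return who_had(build_intervals(parse_log(log_text)), ip, parse_ts(when_text))


if __name__ == "__main__":
    for when in ("2006-08-30T09:30:00Z", "2006-08-30T10:35:00Z", "2006-08-30T11:00:00Z"):
        print(when, "10.0.0.10 ->", lookup(SAMPLE_LOG, "10.0.0.10", when))
```

The lookup deliberately treats the interval as half-open (bound at the start, not at the release instant), so an abuse report timestamped exactly at a release is attributed to nobody rather than to the wrong customer; whoever runs this for real will also want the release events to be written by the same process that removes the host route or bridge member, so the log and the forwarding state cannot drift apart.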