From: Chris
Date: Tue, 29 Jan 2008 11:58:53 -0800
To: freebsd-net@freebsd.org
Reply-To: snagit@cbpratt.prohosting.com
Subject: Multiple if_bridge devices
List-Id: Networking and TCP/IP with FreeBSD

(I am reposting this. I posted to FreeBSD-Questions but it appears OT for that list. I didn't come here first because I felt it was too non-technical, but I'd appreciate any insights.)

I have 3 transparent firewalls on 3 T1s with a LAN behind each supporting multiple servers.

Existing:

    Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
    Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
    Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3

These firewalls are workstation-class computers running FreeBSD 6.2, if_bridge and ipfw. This has worked quite well with the exception of hardware failures because of the workstation hardware. I can afford one server-class blade with 3 2-port NICs, but not three complete quality servers. I would like to get to one firewall machine yet maintain the isolation of the circuits and servers.

Target: 1 firewall, 4 NICs, if_bridge (1 bridge) and ipfw

    AllServers<->Switch<->FreeBSD Firewall<->T1 Router1
                                          <->T1 Router2
                                          <->T1 Router3

or 1 firewall, 6 NICs, if_bridge (3 bridges) and ipfw

    Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1
    Servers2<->Switch2<->                <->T1 Router2
    Servers3<->Switch3<->                <->T1 Router3

Initially I designed the replacement using a single if_bridge with a single LAN backbone as shown first here. After trying to design the rules, I concluded that it was either illogical or beyond my ipfw rule skills. Then it occurred to me to try to run three if_bridge devices as shown in the second Target: one box, 6 NICs, 3 networks kept isolated for ARP but IP-managed in a single instance of ipfw. I got as far as attempting this:

    ifconfig bridge0 create
    ifconfig bridge0 addm rl0 addm em0 up
    ifconfig bridge1 create
    ifconfig bridge1 addm vx0 up

It created the devices but obviously is not something I could test to see if it actually worked as two discrete bridges.

I've no additional hardware, but before I buy anything, I thought I could simply ask if if_bridge is meant to do this. I have googled, checked man (if_bridge, ipfirewall, ipfw), and the handbook, but I can't find anywhere that specifically says if_bridge is designed to support multiple bridges on one computer.

My questions are:

1. Is if_bridge designed to support more than one bridge on a single machine by creating multiple bridge devices (only, of course, with multiple NICs on the second and tertiary bridges)?
2. If so, does it retain complete isolation of the bridges (e.g. for ARP) while allowing ipfw to examine all three simultaneously?
3. Should I be exploring a different FreeBSD route to implement this?

Thank you,
Chris Pratt
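Editor's added example, not code from the post or from FreeBSD's own rc scripts: a script that lays out the second target (one box, six NICs, three separate if_bridge devices, one ipfw ruleset) as rc.conf lines and an ipfw rules file. if_bridge is a cloning interface, so every bridgeN made with "ifconfig bridgeN create" has its own member list and forwarding table; the script encodes that one-circuit-per-bridge mapping. The NIC names em0-em5, the documentation subnets used as server networks, the published services and the rule numbers are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Emits FreeBSD configuration for
# one transparent firewall carrying three isolated circuits, each on its own
# if_bridge(4) device, filtered by a single ipfw ruleset.
# NIC names, subnets and rule numbers below are assumptions for illustration.
#
#   <bridge>:<LAN-side NIC>:<T1-router-side NIC>:<server subnet behind it>
BRIDGES="bridge0:em0:em1:192.0.2.0/24 \
bridge1:em2:em3:198.51.100.0/24 \
bridge2:em4:em5:203.0.113.0/24"

# Split one BRIDGES entry into the shell variables br, lan, wan, net.
split_spec() {
    IFS=: read -r br lan wan net <<EOF
$1
EOF
}

# /etc/rc.conf lines: create the bridges at boot, one pair of NICs each.
# The members and the bridges carry no IP address, so the box stays an
# invisible layer-2 hop on every circuit, as the poster's current setup does.
gen_rc_conf() {
    names=""
    for spec in $BRIDGES; do
        split_spec "$spec"
        names="${names}${names:+ }${br}"
        echo "ifconfig_${lan}=\"up\""
        echo "ifconfig_${wan}=\"up\""
        echo "ifconfig_${br}=\"addm ${lan} addm ${wan} up\""
    done
    echo "cloned_interfaces=\"${names}\""
    echo "firewall_enable=\"YES\""
    echo "firewall_type=\"/etc/ipfw.rules\""
}

# /etc/ipfw.rules: one numbered block per circuit. Rules name the physical
# member NIC a packet was received on (recv em1 etc.), which is what keeps
# the three circuits apart inside one ruleset: anything on a circuit's two
# NICs that is not explicitly allowed is dropped by that circuit's deny rules.
gen_ipfw_rules() {
    echo "# Replies for every circuit are matched here against dynamic state"
    echo "add 100 check-state"
    i=0
    for spec in $BRIDGES; do
        split_spec "$spec"
        base=$(( (i + 1) * 1000 ))
        echo "# ${br}: servers ${net} behind ${lan}, T1 router on ${wan}"
        # Inbound from the T1: only the published services, stateful, so the
        # same packet is also accepted on its way out of the LAN-side NIC.
        echo "add $((base + 0)) allow tcp from any to ${net} 80,443 in recv ${wan} setup keep-state"
        echo "add $((base + 10)) allow icmp from any to ${net} icmptypes 8 in recv ${wan} keep-state"
        # Outbound from the servers: anything, stateful.
        echo "add $((base + 20)) allow ip from ${net} to any in recv ${lan} keep-state"
        # Everything else touching this circuit's NICs, including traffic
        # addressed to or from another circuit's subnet, is logged and dropped.
        echo "add $((base + 90)) deny log ip from any to any via ${lan}"
        echo "add $((base + 91)) deny log ip from any to any via ${wan}"
        i=$((i + 1))
    done
    echo "add 65000 deny log ip from any to any"
}

# Usage: sh bridges.sh rc   > /etc/rc.conf.bridges (merge into /etc/rc.conf)
#        sh bridges.sh ipfw > /etc/ipfw.rules
case "${1:-}" in
    rc)   gen_rc_conf ;;
    ipfw) gen_ipfw_rules ;;
esac
```

Two if_bridge(4) sysctls matter for the "examine all three with ipfw" part. net.link.bridge.pfil_member (default 1) runs the firewall on each member NIC, which is what the recv/via interface matches above rely on; net.link.bridge.pfil_bridge (default 1) additionally runs it on the bridgeN interface itself, and setting it to 0 in /etc/sysctl.conf avoids filtering every packet twice. net.link.bridge.pfil_onlyip (default 1) hands only IP packets to the firewall, so ARP is forwarded by each bridge without consulting ipfw, and it is forwarded only between that bridge's own members.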