Date: Tue, 31 Jul 2007 23:08:01 -0700
From: Julian Elischer <julian@elischer.org>
To: Brett Glass <brett@lariat.net>
Cc: net@freebsd.org
Subject: Re: Creating a "non-bridge"
Message-ID: <46B02341.9010803@elischer.org>
In-Reply-To: <200708010219.UAA24373@lariat.net>
References: <200708010219.UAA24373@lariat.net>
Brett Glass wrote:
> I'd like to create what might be called a "non-bridge" on a FreeBSD
> machine. I'd like to put two Ethernet interfaces on the machine which
> have the same IP address and subnet, and use those interfaces to
> communicate with clients. However, I do not want the clients on one
> interface to be able to send packets through to the clients on the
> other interface.

Possibly you could just bridge them together but use ipfw on the bridge
to enforce isolation. Or you could possibly make a netgraph version of that..

> Why would I want to do a thing like this? Well, as you probably know,
> wireless access points often have a "client isolation" option which
> allows the clients to talk to the AP (and the Internet) but not to
> one another. This is a good thing, because it prevents users of the
> wireless LAN from hacking one another; each of them can only see
> what's "upstream" of the access point.
>
> I have a situation where I need to put up more than one AP, on the
> same subnet, behind a FreeBSD machine which will be serving as an
> Internet gateway. I'd plug both APs into a switch and connect the
> switch to the FreeBSD machine, but if I did this, the access points'
> "client isolation" feature would not be sufficient to isolate all of
> the clients from one another. Each AP would isolate its OWN clients
> from one another, but would let each of them communicate with ALL of
> the clients on the other AP!
>
> My first idea of how to solve this problem is to set the FreeBSD
> machine up as a bridge, but then block all packets that try to go in
> one Ethernet interface and out the other. But will this work? Will
> the FreeBSD machine know which interface to use to communicate with
> each client, and only send packets for each one out of the
> appropriate interface? Also, is there a way to do this without
> putting the interfaces into promiscuous mode (which slows things down
> considerably)? After all, since the FreeBSD machine is acting as a
> gateway, it should really only look at packets that are addressed to
> it.

You can't really avoid the promiscuous mode part if you use bridging...
A specific netgraph configuration might be able to do it but it'd need
some work.

Another possibility is to use FreeBSD 4 and apply the vimage patches to
make 3 virtual machines. (Or 7.0 and use the current vimage patches that
Marko has brewing up in perforce.)

> --Brett Glass
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
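One concrete form of the "bridge them together but use ipfw on the bridge" suggestion, added here as an example and not part of the thread: an if_bridge(4) joining the two ports, with ipfw(8) layer-2 rules that drop frames received on one member and transmitted on the other, so each AP's clients reach the gateway and the upstream but never each other. Interface names (em0, em1), the gateway address and the rule numbers are assumed for illustration; the generator is kept separate from the apply step so the ruleset can be inspected before loading.

```shell
#!/bin/sh
# Added example (not from the thread): isolate two if_bridge members
# from each other with ipfw layer-2 rules on FreeBSD.
# em0/em1, 10.0.0.1 and the rule numbers are assumed values.

LAN_A=em0            # assumed: port wired to access point A
LAN_B=em1            # assumed: port wired to access point B
BRIDGE_ADDR=10.0.0.1 # assumed: gateway address shared by both ports

# Print the ipfw commands that isolate port $1 from port $2.
# "recv X xmit Y" matches only frames the bridge would forward from X
# to Y; frames delivered to the host itself have no xmit interface and
# therefore fall through to the allow rule.
gen_isolation_rules() {
    a=$1; b=$2
    cat <<EOF
add 100 deny log all from any to any recv $a xmit $b layer2
add 110 deny log all from any to any recv $b xmit $a layer2
add 200 allow all from any to any layer2
EOF
}

# Build the bridge and load the rules; run as root on the FreeBSD box.
# The bridge, not the member ports, carries the shared IP address, and
# the gateway's normal IP-layer ipfw rules go after rule 200.
apply_isolation() {
    sysctl net.link.bridge.ipfw=1 >/dev/null      # pass bridged frames to ipfw
    sysctl net.link.bridge.ipfw_arp=1 >/dev/null  # include ARP, so clients can't
                                                  # even learn each other's MACs
    ifconfig bridge0 create
    ifconfig bridge0 addm "$LAN_A" addm "$LAN_B" up
    ifconfig "$LAN_A" up
    ifconfig "$LAN_B" up
    ifconfig bridge0 inet "$BRIDGE_ADDR" netmask 255.255.255.0
    gen_isolation_rules "$LAN_A" "$LAN_B" | ipfw -q /dev/stdin
}

# Only touch the system when invoked as "sh isolate.sh apply";
# sourcing the file merely defines the functions.
if [ "$1" = "apply" ]; then
    apply_isolation
fi
```

Check the loaded set with `ipfw show` and watch the `log` counters on rules 100 and 110: any hits are cross-AP traffic that would otherwise have leaked between clients.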