From: Julian Elischer <julian@elischer.org>
Date: Tue, 31 Jul 2007 23:08:01 -0700
To: Brett Glass
Cc: net@freebsd.org
Subject: Re: Creating a "non-bridge"
Message-ID: <46B02341.9010803@elischer.org>
In-Reply-To: <200708010219.UAA24373@lariat.net>
References: <200708010219.UAA24373@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

Brett Glass wrote:
> I'd like to create what might be called a "non-bridge" on a FreeBSD
> machine. I'd like to put two Ethernet interfaces on the machine which
> have the same IP address and subnet, and use those interfaces to
> communicate with clients. However, I do not want the clients on one
> interface to be able to send packets through to the clients on the
> other interface.

Possibly you could just bridge them together but use ipfw on the bridge
to enforce isolation. Or you could possibly make a netgraph version of
that.

> Why would I want to do a thing like this? Well, as you probably know,
> wireless access points often have a "client isolation" option which
> allows the clients to talk to the AP (and the Internet) but not to
> one another. This is a good thing, because it prevents users of the
> wireless LAN from hacking one another; each of them can only see
> what's "upstream" of the access point.
>
> I have a situation where I need to put up more than one AP, on the
> same subnet, behind a FreeBSD machine which will be serving as an
> Internet gateway. I'd plug both APs into a switch and connect the
> switch to the FreeBSD machine, but if I did this, the access points'
> "client isolation" feature would not be sufficient to isolate all of
> the clients from one another. Each AP would isolate its OWN clients
> from one another, but would let each of them communicate with ALL of
> the clients on the other AP!
>
> My first idea of how to solve this problem is to set the FreeBSD
> machine up as a bridge, but then block all packets that try to go in
> one Ethernet interface and out the other. But will this work? Will
> the FreeBSD machine know which interface to use to communicate with
> each client, and only send packets for each one out of the
> appropriate interface? Also, is there a way to do this without
> putting the interfaces into promiscuous mode (which slows things down
> considerably)? After all, since the FreeBSD machine is acting as a
> gateway, it should really only look at packets that are addressed to
> it.

You can't really avoid the promiscuous mode part if you use bridging...
A specific netgraph configuration might be able to do it but it'd need
some work. Another possibility is to use FreeBSD 4 and apply the vimage
patches to make 3 virtual machines (or 7.0 and use the current vimage
patches that Marko has brewing up in Perforce).

> --Brett Glass
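The following is an added example of the first option Julian sketches (an if_bridge(4) bridge with ipfw(8) enforcing the isolation); it is not code from Julian, Brett or the FreeBSD project. It assumes a FreeBSD 6/7-era if_bridge(4) whose net.link.bridge.ipfw sysctl hands forwarded frames to ipfw once at layer 2 with "recv" set to the member the frame arrived on and "xmit" to the member it would leave on; check that against if_bridge(4) on the release you run. The interface names em0, em1 and bridge0, the address 192.0.2.1/24 and the rule numbers are placeholders. The script only prints the commands, so it can be reviewed (and tested) on any host before being piped into sh on the gateway.

```shell
#!/bin/sh
# Added example (not from the thread): the "non-bridge" Julian suggests, an
# if_bridge(4) with two client-facing members plus ipfw(8) layer-2 rules that
# refuse to forward frames between them. Interface names (em0, em1, bridge0),
# the gateway address and the rule numbers are assumptions. The functions only
# print the commands so they can be reviewed before being run on the gateway.
set -e

# Sysctls that hand bridged frames to ipfw at layer 2 (see if_bridge(4)).
# With net.link.bridge.ipfw=1 a forwarded frame is checked once, with "recv"
# being the member it arrived on and "xmit" the member it would leave on.
# net.link.bridge.ipfw_arp=1 extends this to ARP, so a client on one member
# cannot even resolve the address of a client on the other.
bridge_sysctls() {
    echo 'net.link.bridge.ipfw=1'
    echo 'net.link.bridge.ipfw_arp=1'
}

# Isolation rules for two client members. Host-originated frames and frames
# addressed to the gateway do not take the forwarding path, and with only
# these two members every forwarded frame is client-to-client, so dropping
# them gives exactly the requested behaviour: clients still reach the
# gateway (and, through it, the Internet) but nothing crosses from one AP's
# segment to the other's. Rule numbers are assumptions; keep them ahead of
# the existing layer-3 gateway ruleset, which is unchanged by this.
isolation_rules() {
    ifa=$1; ifb=$2
    echo "add 100 deny all from any to any layer2 recv $ifa xmit $ifb"
    echo "add 110 deny all from any to any layer2 recv $ifb xmit $ifa"
}

# Full command sequence. The sysctls and rules are loaded before the members
# are added so there is no window in which the bridge forwards unfiltered.
# The shared address goes on the bridge interface; the members carry none.
apply_commands() {
    ifa=$1; ifb=$2; br=$3; addr=$4
    echo "ifconfig $br create"
    bridge_sysctls | sed 's/^/sysctl /'
    isolation_rules "$ifa" "$ifb" | sed 's/^/ipfw /'
    echo "ifconfig $ifa up"
    echo "ifconfig $ifb up"
    echo "ifconfig $br addm $ifa addm $ifb up"
    echo "ifconfig $br inet $addr"
}

# Print the sequence for the assumed names; check it against your own
# interface names, then pipe it into sh on the gateway.
apply_commands em0 em1 bridge0 192.0.2.1/24
```

This does not remove the cost Julian points out: if_bridge puts its members into promiscuous mode, so the gateway still sees every frame on both segments and simply drops the ones that would cross between them. The layer-3 ruleset that makes the box a gateway is separate and untouched; the two deny rules only govern what the bridge forwards.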