Date: Wed, 30 Jan 2008 09:31:22 +1300
From: Andrew Thompson <thompsa@FreeBSD.org>
To: snagit@cbpratt.prohosting.com
Cc: freebsd-net@freebsd.org
Subject: Re: Multiple if_bridge devices
Message-ID: <20080129203122.GC40505@heff.fud.org.nz>
In-Reply-To: <3D322B10-E36E-4194-95DD-5242498F02FC@hughes.net>
References: <3D322B10-E36E-4194-95DD-5242498F02FC@hughes.net>
On Tue, Jan 29, 2008 at 11:58:53AM -0800, Chris wrote:
> (I am reposting this. I posted to FreeBSD-Questions but
> it appears OT for that list. I didn't come here first
> because I felt it was too non-technical, but I'd appreciate
> any insights)
>
> I have 3 transparent firewalls on 3 T1s with a LAN behind each
> supporting multiple servers.
>
> Existing:
> Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
> Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
> Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3
> ...
> I got as far as attempting this:
>
> ifconfig bridge0 create
> ifconfig bridge0 addm rl0 addm em0 up
> ifconfig bridge1 create
> ifconfig bridge1 addm vx0 up
>
> It created the devices but obviously is not something I could
> test to see if it actually worked as two discrete bridges. I've
> no additional hardware, but before I buy anything, I thought
> I could simply ask if if_bridge is meant to do this. I have
> googled, checked man (if_bridge, ipfirewall, ipfw), and the
> handbook, but I can't find anywhere that specifically says
> if_bridge is designed to support multiple bridges on one
> computer.
>
> My questions are:
>
> 1. Is if_bridge designed to support more than one bridge
> on a single machine by creating multiple bridge devices (only,
> of course with multiple NICs on the second and tertiary
> bridges)?

Yes, the number of bridges is unlimited except by resources (memory).

> 2. If so, does it retain complete isolation of the bridges (e.g.
> for ARP) while allowing ipfw to examine all three simultaneously?

The bridges are completely separate. Note that you can only add a nic
to one bridge at a time, so you could have 6 nics, two per bridge.

> 3. Should I be exploring a different FreeBSD route to
> implement this?

Maybe the private flag on interfaces could help you here? You can put
the three server networks on different nics (or vlans) and set the
private flag, this stops all traffic going between them.

See the bridging section of the Handbook for an example or my slides
here:

http://conference.nznog.org/presentations/20080125_01-01-bridge-seperation_andrew-thompson.pdf

cheers,
Andrew
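The two approaches discussed in this reply written out as a persistent rc.conf configuration, as an added example that is not part of the thread or of FreeBSD's own documentation; rl0, em0 and vx0 are the NICs named above, the other interface names and the single shared uplink in the alternative are assumptions.

```shell
# /etc/rc.conf fragment: three discrete bridges on one host (constructed
# example; rl0, em0 and vx0 come from the thread, the rest are placeholders).
# A NIC can be a member of only one bridge, so each bridge gets its own pair.
cloned_interfaces="bridge0 bridge1 bridge2"
ifconfig_bridge0="addm rl0 addm em0 up"   # Servers1 <-> Firewall <-> T1 Router1
ifconfig_bridge1="addm vx0 addm em1 up"   # Servers2 <-> Firewall <-> T1 Router2
ifconfig_bridge2="addm em2 addm em3 up"   # Servers3 <-> Firewall <-> T1 Router3
# Member NICs have to be brought up themselves, as in the Handbook example.
ifconfig_rl0="up"; ifconfig_em0="up"; ifconfig_vx0="up"
ifconfig_em1="up"; ifconfig_em2="up"; ifconfig_em3="up"

# Alternative from the reply: one bridge, the server-side ports marked
# private so they never forward to each other but still reach the
# non-private uplink port. Assumes the three server LANs share one uplink.
#cloned_interfaces="bridge0"
#ifconfig_bridge0="addm em0 addm rl0 addm vx0 addm em1 private rl0 private vx0 private em1 up"

# For ipfw to see frames crossing any of the bridges, set in /etc/sysctl.conf:
#   net.link.bridge.ipfw=1

# Constructed helper (not part of rc(8)): return 1 if any NIC appears in the
# addm list of more than one of the given bridges, since a NIC can only be
# in one bridge at a time and the duplicate addm would fail at boot.
bridge_members_unique() {
    for b in $1; do
        eval "spec=\$ifconfig_$b"
        prev=""
        for tok in $spec; do
            [ "$prev" = addm ] && echo "$tok"
            prev=$tok
        done
    done | sort | uniq -d | grep -q . && return 1
    return 0
}
bridge_members_unique "$cloned_interfaces"   # returns 0: no NIC is shared
```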