Date: Tue, 29 Jan 2008 13:31:47 -0800
From: Chris Pratt <eagletree@hughes.net>
To: freebsd-net@freebsd.org
Subject: Re: Multiple if_bridge devices
Message-ID: <3FA60D7D-8B56-4B7D-85AA-B66EFB5D29DA@hughes.net>
In-Reply-To: <20080129203122.GC40505@heff.fud.org.nz>
References: <3D322B10-E36E-4194-95DD-5242498F02FC@hughes.net> <20080129203122.GC40505@heff.fud.org.nz>
On Jan 29, 2008, at 12:31 PM, Andrew Thompson wrote:

> On Tue, Jan 29, 2008 at 11:58:53AM -0800, Chris wrote:
>> (I am reposting this. I posted to FreeBSD-Questions but
>> it appears OT for that list. I didn't come here first
>> because I felt it was too non-technical, but I'd appreciate
>> any insights)
>>
>> I have 3 transparent firewalls on 3 T1s with a LAN behind each
>> supporting multiple servers.
>>
>> Existing:
>> Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
>> Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
>> Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3
>>
> ...
>> I got as far as attempting this:
>>
>> ifconfig bridge0 create
>> ifconfig bridge0 addm rl0 addm em0 up
>> ifconfig bridge1 create
>> ifconfig bridge1 addm vx0 up
>>
>> It created the devices but obviously is not something I could
>> test to see if it actually worked as two discrete bridges. I've
>> no additional hardware, but before I buy anything, I thought
>> I could simply ask if if_bridge is meant to do this. I have
>> googled, checked man (if_bridge, ipfirewall, ipfw), and the
>> handbook, but I can't find anywhere that specifically says
>> if_bridge is designed to support multiple bridges on one
>> computer.
>>
>> My questions are:
>>
>> 1. Is if_bridge designed to support more than one bridge
>> on a single machine by creating multiple bridge devices (only,
>> of course, with multiple NICs on the second and tertiary
>> bridges)?
>
> Yes, the number of bridges is unlimited except by resources (memory).
>
>> 2. If so, does it retain complete isolation of the bridges (e.g.
>> for ARP) while allowing ipfw to examine all three simultaneously?
>
> The bridges are completely separate. Note that you can only add a
> nic to one bridge at a time, so you could have 6 nics, two per bridge.
>
>> 3. Should I be exploring a different FreeBSD route to
>> implement this?
>
> Maybe the private flag on interfaces could help you here? You can put
> the three server networks on different nics (or vlans) and set the
> private flag; this stops all traffic going between them. See the
> bridging section of the Handbook for an example or my slides here
> http://conference.nznog.org/presentations/20080125_01-01-bridge-seperation_andrew-thompson.pdf

Thank you very much. That gives me enough assurance to proceed as it looks like either method would be safe for the routers. I missed the significance of the private flag in the handbook the first time. It suggests a bridge0-only implementation would restrict the routers from receiving each other's ARP if the 3 WAN interfaces had it set.

Thanks again.
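As an added example (not code from the thread), this sh script emits the ifconfig(8) commands for the two layouts discussed, three discrete bridges or one bridge with the private flag, and checks the one-bridge-per-NIC rule Andrew states. The names rl0, em0 and vx0 are from the original post; fxp0, fxp1 and fxp2 are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. rl0/em0/vx0 come from the original
# post; fxp0-fxp2 are assumed NIC names standing in for the missing hardware.

# Layout A: three discrete bridges, each with its own LAN NIC and WAN NIC.
BRIDGES_A="bridge0:rl0,em0 bridge1:vx0,fxp0 bridge2:fxp1,fxp2"

# Layout B (Andrew's suggestion): one bridge0 holding all six NICs, with the
# private flag on the three server-side NICs so the LANs cannot reach each
# other. Caveat: private only blocks traffic between private ports; the three
# non-private WAN ports still bridge to one another and to every LAN, so this
# is not the full per-pair isolation of layout A.
BRIDGE_B_MEMBERS="rl0 em0 vx0 fxp0 fxp1 fxp2"
BRIDGE_B_PRIVATE="rl0 vx0 fxp1"

# Print the ifconfig commands for a "brN:nic,nic ..." list (layout A).
emit_discrete_bridges() {
    for spec in $1; do
        br=${spec%%:*}
        cmd="ifconfig $br"
        for m in $(printf '%s' "${spec#*:}" | tr ',' ' '); do
            cmd="$cmd addm $m"
        done
        printf 'ifconfig %s create\n%s up\n' "$br" "$cmd"
    done
}

# Print the ifconfig commands for one bridge0 with private members (layout B).
# $1 = all member NICs, $2 = the subset that must not forward to each other.
emit_private_bridge() {
    cmd="ifconfig bridge0"
    for m in $1; do cmd="$cmd addm $m"; done
    for p in $2; do cmd="$cmd private $p"; done
    printf 'ifconfig bridge0 create\n%s up\n' "$cmd"
}

# Succeed only if no NIC is listed under more than one bridge: if_bridge
# refuses to add an interface that already belongs to another bridge.
check_unique_members() {
    all=""
    for spec in $1; do
        all="$all $(printf '%s' "${spec#*:}" | tr ',' ' ')"
    done
    [ -z "$(printf '%s\n' $all | sort | uniq -d)" ]
}

check_unique_members "$BRIDGES_A" || { echo "NIC listed in two bridges" >&2; exit 1; }
emit_discrete_bridges "$BRIDGES_A"
echo
emit_private_bridge "$BRIDGE_B_MEMBERS" "$BRIDGE_B_PRIVATE"
```

Run it on the firewall to review the commands before applying them; the same `addm`/`private` words go into `ifconfig_bridgeN` lines in rc.conf(5) to make either layout persistent.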