From owner-freebsd-net@FreeBSD.ORG Tue Jan 29 21:40:26 2008
From: Chris Pratt <eagletree@hughes.net>
Date: Tue, 29 Jan 2008 13:31:47 -0800
To: freebsd-net@freebsd.org
Subject: Re: Multiple if_bridge devices
Message-Id: <3FA60D7D-8B56-4B7D-85AA-B66EFB5D29DA@hughes.net>
In-Reply-To: <20080129203122.GC40505@heff.fud.org.nz>
References: <3D322B10-E36E-4194-95DD-5242498F02FC@hughes.net> <20080129203122.GC40505@heff.fud.org.nz>
List-Id: Networking and TCP/IP with FreeBSD

On Jan 29, 2008, at 12:31 PM, Andrew Thompson wrote:

> On Tue, Jan 29, 2008 at 11:58:53AM -0800, Chris wrote:
>> (I am reposting this. I posted to FreeBSD-Questions but
>> it appears OT for that list. I didn't come here first
>> because I felt it was too non-technical, but I'd appreciate
>> any insights)
>>
>> I have 3 transparent firewalls on 3 T1s with a LAN behind each
>> supporting multiple servers.
>>
>> Existing:
>> Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
>> Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
>> Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3
>>
> ...
>> I got as far as attempting this:
>>
>> ifconfig bridge0 create
>> ifconfig bridge0 addm rl0 addm em0 up
>> ifconfig bridge1 create
>> ifconfig bridge1 addm vx0 up
>>
>> It created the devices but obviously is not something I could
>> test to see if it actually worked as two discrete bridges. I've
>> no additional hardware, but before I buy anything, I thought
>> I could simply ask if if_bridge is meant to do this. I have
>> googled, checked man (if_bridge, ipfirewall, ipfw), and the
>> handbook, but I can't find anywhere that specifically says
>> if_bridge is designed to support multiple bridges on one
>> computer.
>>
>> My questions are:
>>
>> 1. Is if_bridge designed to support more than one bridge
>> on a single machine by creating multiple bridge devices (only,
>> of course with multiple NICs on the second and tertiary
>> bridges)?
>
> Yes, the number of bridges is unlimited except by resources (memory).
>
>> 2. If so, does it retain complete isolation of the bridges (e.g.
>> for ARP) while allowing ipfw to examine all three simultaneously?
>
> The bridges are completely separate. Note that you can only add a
> NIC to one bridge at a time, so you could have 6 NICs, two per bridge.
>
>> 3. Should I be exploring a different FreeBSD route to
>> implement this.
>
> Maybe the private flag on interfaces could help you here? You can put
> the three server networks on different NICs (or VLANs) and set the
> private flag; this stops all traffic going between them. See the
> bridging section of the Handbook for an example or my slides here
> http://conference.nznog.org/presentations/20080125_01-01-bridge-seperation_andrew-thompson.pdf

Thank you very much. That gives me enough assurance to proceed as it
looks like either method would be safe for the routers. I missed the
significance of the private flag in the handbook first time. It suggests
a bridge0-only implementation would restrict the routers from receiving
each other's ARP if the 3 WAN interfaces had it set.

Thanks again.
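The two layouts discussed in the thread, written out as a dry-run shell script. This is an added example, not code from the thread or from FreeBSD. rl0, em0 and vx0 are the NICs named in the original post; em1, em2 and fxp0 are assumed names for the remaining ports. The semantics relied on are those documented in ifconfig(8) and if_bridge(4): a NIC can be a member of only one bridge, a member marked private never forwards to any other private member, and layer-2 ipfw filtering on a bridge is off until net.link.bridge.ipfw is set to 1. The security point the example makes explicit is that the private flag is all-or-nothing among private ports, not pairwise: marking only the three WAN ports private on a single bridge keeps the routers from seeing each other, but every server LAN can still reach every router and every other server LAN, and marking the LAN ports private too would also cut each LAN off from its own router. One bridge per T1 is what gives each LAN exactly one router.

```sh
#!/bin/sh
# Added example (not from the thread): the two if_bridge(4) layouts for
# three LAN/WAN pairs on one FreeBSD host.
# rl0, em0 and vx0 are the NICs named in the original post; em1, em2 and
# fxp0 are assumed names for the remaining ports.
# DRY_RUN=1 (default) prints the commands instead of executing them;
# DRY_RUN=0 runs them for real (root on a FreeBSD host required).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Layout A: one bridge per T1, read as "bridge lan_if wan_if" lines on stdin.
# A NIC can belong to only one bridge, so each LAN can reach only its own
# router and nothing else: pairwise isolation.
separate_bridges() {
    while read -r br lan wan; do
        [ -n "$br" ] || continue
        run ifconfig "$br" create
        run ifconfig "$br" addm "$lan" addm "$wan" up
    done
}

# Layout B: a single bridge with the WAN ports marked private, read as
# "lan_if wan_if" lines on stdin. ifconfig(8): a private member does not
# forward to any other private member, so the three routers never see each
# other's frames (ARP included). Caveat: the LAN ports are not private, so
# Servers1 can still reach Router2, Router3 and the other server LANs.
# Marking the LAN ports private as well would also cut LAN1 off from
# Router1, because the flag is all-or-nothing among private ports, not
# pairwise. Layout A is the one that isolates each LAN to its own router.
shared_bridge_private_wan() {
    br="$1"
    run ifconfig "$br" create
    while read -r lan wan; do
        [ -n "$lan" ] || continue
        run ifconfig "$br" addm "$lan"
        run ifconfig "$br" addm "$wan" private "$wan"
    done
    run ifconfig "$br" up
}

# if_bridge(4): ipfw does not see bridged frames until this sysctl is 1.
# net.link.bridge.pfil_member and pfil_bridge (same man page) choose whether
# the filter runs on the member NICs, the bridge interface, or both.
enable_ipfw_on_bridge() {
    run sysctl net.link.bridge.ipfw=1
}

echo "# layout A: three separate bridges"
separate_bridges <<'EOF'
bridge0 rl0 em0
bridge1 vx0 em1
bridge2 fxp0 em2
EOF

echo "# layout B: one bridge, private WAN ports"
shared_bridge_private_wan bridge0 <<'EOF'
rl0 em0
vx0 em1
fxp0 em2
EOF

enable_ipfw_on_bridge
```

Run it as-is to review the generated ifconfig(8) commands, then rerun with `DRY_RUN=0` as root on the FreeBSD firewall to apply one layout. Whichever layout is chosen, the commands must also go into /etc/rc.conf (cloned_interfaces and ifconfig_bridgeN lines) to survive a reboot.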