From owner-freebsd-questions@FreeBSD.ORG Mon Jul 5 18:36:23 2010
From: Nathan Vidican
Sender: nvidican@m2.vidican.com
To: Modulok
Cc: David Kelly, freebsd-questions@freebsd.org
Date: Mon, 5 Jul 2010 14:36:22 -0400
Subject: Re: VLANs is this right?
References: <20100705165746.GB10990@Grumpy.DynDNS.org>
List-Id: User questions
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Jul 5, 2010 at 1:30 PM, Modulok wrote:
> It was a simplified diagram of what I thought I needed. ( Which may or
> may not be what I actually need! )
>
> Basically, I want a port on the switch that I can plug un-trusted
> devices into. Systems which are known to be just crawling with
> malicious software. I need to provide them with an Internet
> connection, but otherwise want them separated from everybody else.
> Think DMZ isolation, but they're not providing any 'external'
> services. I was wondering if this could be done with tagging and
> address aliases, instead of buying a third network card for the BSD
> machine.
>
> If that makes any sense.
>
>
> On 7/5/10, David Kelly wrote:
> > On Mon, Jul 05, 2010 at 10:16:19AM -0600, Modulok wrote:
> >>
> >> Criteria:
> >> - HostA must never directly talk to HostB.
> >> - Both hostA and hostB have an Internet connection.
> >>
> >> What I have to work with:
> >> proCurve switch which supports VLANs.
> >> 2x Intel NICs in FreeBSD which support VLANs.
> >
> > Am thinking you are approaching it the wrong way.
> >
> > Not familiar with the specifics of a ProCurve switch but that's a high
> > end unit, not a Netgear. I would expect you could configure the switch
> > to disallow the MAC addresses from talking to each other of hostA and
> > hostB.
> >
> > Furthermore, it would be even easier to disallow hostB from within
> > hostA's firewall. And do the same at hostB.
> >
> > --
> > David Kelly N4HHE, dkelly@HiWAAY.net
> > ========================================================================
> > Whom computers would destroy, they must first drive mad.
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

I have almost the exact same setup as you're looking for currently running
on a FreeBSD box acting as a server/router for multiple VLANs as follows:

Internet
----------
FreeBSD (Sun Sparc SunFire v120 w/ Intel PCI 100BaseSX fibre card)
----------
Cisco Catalyst 2948G - configured with:
- 4 distinct VLANs, each with their own subnet
- 802.1q (dot1q) trunks between switches carrying specified VLANs
- 802.1q trunk between switch and FreeBSD box
-----------

Each subnet (VLAN) has its own gateway, which is the IP of the FreeBSD
machine. The key is that the switch must connect to the FreeBSD machine
using TRUNK, not access mode. I am not that familiar with the HP ProCurve
series but I'd imagine it's not that dissimilar from others I've worked
with.

The key on the FreeBSD machine is to use cloned interfaces for each
separate VLAN and assign that cloned vlan interface to 'transmit via' the
real interface. You will need the 'vlan' pseudo device compiled into your
kernel. The pertinent parts of my rc.conf are as follows for an example:

# rc.conf excerpt:
hostname="gw.xx.xx.com"
gateway_enable="YES"
# vlan400 and vlan700 added to this list: rc only creates the interfaces
# named in cloned_interfaces, and an ifconfig_vlanN line for an interface
# that is never created is silently ignored at boot
cloned_interfaces="vlan190 vlan100 vlan200 vlan300 vlan400 vlan700"
# the parent (trunk) interface carries tagged frames only and needs no address
ifconfig_em0="up"
# each VLAN: this box's address on that subnet, the 802.1q tag, and the parent NIC
ifconfig_vlan190="inet 69.16.x.x/26 vlan 190 vlandev em0"
ifconfig_vlan100="inet 10.10.1.1/26 vlan 100 vlandev em0"
ifconfig_vlan200="inet 10.10.2.254/24 vlan 200 vlandev em0"
ifconfig_vlan300="inet 10.10.3.254/24 vlan 300 vlandev em0"
ifconfig_vlan400="inet 10.10.4.254/24 vlan 400 vlandev em0"
ifconfig_vlan700="inet 10.10.7.254/25 vlan 700 vlandev em0"
# end of rc.conf excerpt

I then add a host (for example) as '10.10.1.11/26 on vlan 100' via a
different port on the switch; the ONLY way for that particular host to talk
to another beyond that vlan is to go through the FreeBSD box (which also
acts as a firewall, NAT, etc).

Hope this helps, but what you're trying to do is definitely possible. Not
all NIC card drivers support vlan tagging/trunks though, check documentation
as need be. In general all the Intel and most of the Broadcom cards do and
that's all I've really had any experience with. I've worked with Cisco,
Netgear, and Linksys units on the switch side for the vlan/trunk/access
ports.

--
Nathan Vidican
nathan@vidican.com
Happy FreeBSD user since 2.0 :)
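The two halves of the thread fit together: Nathan's rc.conf puts one cloned vlan interface per subnet on a single trunked NIC, and Modulok's requirement is that the untrusted VLAN gets Internet access and nothing else, which is enforced on the FreeBSD box because it is the only path between VLANs. The script below is an added example, not code from the post, the FreeBSD project or the HP/Cisco documentation. It assumes a parent trunk NIC em0, an uplink em1, pf as the firewall, and a VLAN table whose ids, addresses and trust levels are constructed for illustration. It generates the rc.conf VLAN section and the matching pf ruleset from one table (so the created and configured interface lists cannot drift apart), and includes a check that flags ifconfig_vlanN lines whose interface is missing from cloned_interfaces, the mismatch present in the excerpt as originally posted.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate a consistent
# rc.conf VLAN section and a pf ruleset that isolates untrusted VLANs.
# Assumptions: trunk NIC em0, uplink em1, pf as firewall, VLAN table below.

PARENT_IF="${PARENT_IF:-em0}"   # 802.1q trunk port facing the switch (assumed)
WAN_IF="${WAN_IF:-em1}"         # uplink to the Internet (assumed)

# VLAN table: "<802.1q id> <router address/prefix on that VLAN> <trusted|untrusted>"
# Constructed sample values; the router's address on each VLAN is that subnet's gateway.
VLAN_TABLE='100 10.10.1.1/26 trusted
200 10.10.2.254/24 trusted
300 10.10.3.254/24 untrusted'

# rc.conf: cloned_interfaces and the ifconfig_vlanN lines are derived from
# the same table, so every VLAN that is configured is also created at boot.
gen_rc_conf() {
    ids=$(printf '%s\n' "$VLAN_TABLE" | awk '{ printf "%svlan%s", (NR > 1 ? " " : ""), $1 }')
    printf 'gateway_enable="YES"\n'
    printf 'cloned_interfaces="%s"\n' "$ids"
    printf 'ifconfig_%s="up"\n' "$PARENT_IF"
    printf '%s\n' "$VLAN_TABLE" | while read -r id addr trust; do
        printf 'ifconfig_vlan%s="inet %s vlan %s vlandev %s"\n' \
            "$id" "$addr" "$id" "$PARENT_IF"
    done
}

# Consistency check for an existing rc.conf read on stdin: print every
# ifconfig_vlanN whose interface is not in cloned_interfaces (those lines
# are ignored at boot) and return 1 if any were found, 0 otherwise.
check_rc_conf() {
    awk '
        /^cloned_interfaces=/ {
            s = $0; sub(/^cloned_interfaces="?/, "", s); sub(/"$/, "", s)
            n = split(s, a, " "); for (i = 1; i <= n; i++) cloned[a[i]] = 1
        }
        /^ifconfig_vlan[0-9]+=/ {
            name = $0; sub(/^ifconfig_/, "", name); sub(/=.*/, "", name)
            if (!(name in cloned)) { print name; bad = 1 }
        }
        END { if (bad) exit 1 }
    '
}

# pf.conf: NAT for every VLAN, but hosts on an untrusted VLAN may only reach
# the Internet, never another VLAN subnet or this router's own addresses.
# Trusted VLANs are routed between each other normally.
gen_pf_conf() {
    nets=$(printf '%s\n' "$VLAN_TABLE" | awk '{ printf "%svlan%s:network", (NR > 1 ? ", " : ""), $1 }')
    printf 'ext_if = "%s"\n' "$WAN_IF"
    printf 'internal = "{ %s }"\n' "$nets"
    printf 'set skip on lo0\n'
    printf 'nat on $ext_if from $internal to any -> ($ext_if)\n'
    printf 'block log all\n'
    printf 'pass out all keep state\n'
    printf '%s\n' "$VLAN_TABLE" | while read -r id addr trust; do
        if [ "$trust" = untrusted ]; then
            # quick blocks win before the generic pass below is considered
            printf 'block in quick on vlan%s from any to $internal\n' "$id"
            printf 'block in quick on vlan%s from any to self\n' "$id"
        fi
        printf 'pass in on vlan%s from vlan%s:network to any keep state\n' "$id" "$id"
    done
}
```

Source the file and run `gen_rc_conf` or `gen_pf_conf` to see the generated text, or `check_rc_conf < /etc/rc.conf` to audit an existing configuration. If the router also serves DHCP or DNS to the untrusted VLAN, pass rules for those ports belong above the `to self` block. Syntax-check the generated ruleset with `pfctl -nf` before loading it.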