From: Steve Bertrand
Date: Mon, 05 Jul 2010 18:59:03 -0400
To: David Kelly
Cc: freebsd-questions@FreeBSD.org
Subject: Re: VLANs is this right?
Message-ID: <4C3263B7.9020705@ipv6canada.com>
In-Reply-To: <20100705165746.GB10990@Grumpy.DynDNS.org>

On 2010.07.05 12:57, David Kelly wrote:
> On Mon, Jul 05, 2010 at 10:16:19AM -0600, Modulok wrote:
>>
>> Criteria:
>> - HostA must never directly talk to HostB.
>> - Both hostA and hostB have an Internet connection.
>>
>> What I have to work with:
>> proCurve switch which supports VLANs.
>> 2x Intel NICs in FreeBSD which support VLANs.
>
> Am thinking you are approaching it the wrong way.

I wasn't going to, but I'd like to respond to your post.
In no way am I attempting to knock the fact that you tried to help; I'd just like to clarify a few things...

My personal belief is that the OP is approaching this in the best possible way.

> Not familiar with the specifics of a ProCurve switch but that's a high
> end unit, not a Netgear. I would expect you could configure the switch
> to disallow the MAC addresses from talking to each other of hostA and
> hostB.

I would expect a residential-grade NetGear to be configured in such a way, not a higher-end switch.

> Furthermore, it would be even easier to disallow hostB from within
> hostA's firewall. And do the same at hostB.

Easier if you have 2-10 machines that are not laptops and never get replaced. Your expectations are not scalable, nor do they provide a network-wide solution. If the OP's network grows to 200 vlans with 15k hosts, maintaining such a setup is nowhere near feasible. This is why the 'higher-end' gear allows such functions. By putting users (i.e. client systems, or even business functional units) into vlans, security policies can be enacted in one fell swoop (one ACL, aka firewall rule) within the device through which they access the other portions of the network.

Generally, MAC filtering is used to place a specific NIC into its proper vlan, or to deny it access to the network in general (based on an allowed-only list). Personally, I've never seen it used to filter host-host traffic before.

Also, using vlans limits the size of broadcast domains. Not too long ago, I consulted for a company that had ~4k machines within one IP subnet. They questioned why they should replace their unmanaged switches with managed ones in the course of my work, so I generated an example.

It is *trivial* in FBSD to trunk vlans, and firewall them off from one another (notes: I use Quagga to assign v4 addresses to my sub-ints, so the syntax may be off. However, FBSD 7.2 accepts this as valid.
Also, I do it a bit differently in production (one line), but I don't have access to the boxes I do it on, and I forget the exact syntax):

# ipfw add 100 deny all from any to any recv em5.10 xmit em5.11
# ipfw add 110 deny all from any to any recv em5.11 xmit em5.10

fwiw, depending on the switch, it may even be able to do some of this L3 functionality inherently.

Steve
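Added example, not from Steve's post and not his production one-liner: a POSIX shell generator for the pairwise recv/xmit deny rules above, generalised to any number of tagged sub-interfaces on one trunk port. It assumes the em5.N dot-naming the post uses, and it only prints the ifconfig/ipfw commands so the ruleset can be reviewed before being applied as root.

```shell
#!/bin/sh
# Constructed example: isolate every pair of 802.1Q sub-interfaces on a
# FreeBSD trunk port from each other with ipfw, leaving traffic that
# leaves via the upstream (Internet) interface untouched.
# "recv X xmit Y" matches only packets that arrived on X and are being
# forwarded out Y, so host-to-Internet traffic never hits these rules.

# Print the ifconfig commands that create the tagged sub-interfaces.
# Usage: vlan_ifaces <parent-if> <vlan-id>...
vlan_ifaces() {
    parent=$1; shift
    for id in "$@"; do
        printf 'ifconfig %s.%s create\n' "$parent" "$id"
    done
}

# Print one deny rule per ordered pair of sub-interfaces (n*(n-1) rules
# for n VLANs), numbered from <base> in steps of 10 as in the post.
# Usage: isolation_rules <parent-if> <base-rule-number> <vlan-id>...
isolation_rules() {
    parent=$1; num=$2; shift 2
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            printf 'ipfw add %d deny all from any to any recv %s.%s xmit %s.%s\n' \
                "$num" "$parent" "$a" "$parent" "$b"
            num=$((num + 10))
        done
    done
}

# Number of rules the generator emits; handy for a sanity check.
count_rules() { isolation_rules "$@" | wc -l | tr -d ' '; }

# Stand-alone run: two VLANs reproduce rules 100 and 110 from the post.
vlan_ifaces em5 10 11
isolation_rules em5 100 10 11
```

The rule count grows quadratically with the number of VLANs, which is the scalability point the post makes about per-host or per-MAC filtering versus one ACL on the device that routes between them.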