From owner-freebsd-net@FreeBSD.ORG Sun May 18 20:27:23 2008
Message-ID: <48309128.1020101@jcornwall.me.uk>
Date: Sun, 18 May 2008 21:27:20 +0100
From: "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
To: "H.fazaeli"
Cc: freebsd-net@freebsd.org
Subject: Re: if_bridge with two subnets
References: <4825EF8D.1050304@jcornwall.me.uk> <4826EB42.104@sepehrs.com> <48274E6D.9060704@jcornwall.me.uk> <48286052.6000507@sepehrs.com>
In-Reply-To: <48286052.6000507@sepehrs.com>
List-Id: Networking and TCP/IP with FreeBSD

H.fazaeli wrote:
> It does work. However, if I understand your setup correctly, the freebsd box
> has been set up to act as a bridge, not as a router (routing is enabled with
> sysctl net.inet.ip.forwarding=1). Bridging works when the forwarding is
> between the same subnets.
>
> For the freebsd box to route between subnets:
> - enable routing: sysctl net.inet.ip.forwarding=1
> - clients must use the freebsd box as gateway.
> - IP addresses must be removed from the bridge and assigned to
>   the member interfaces. (the bridge is no longer needed).
>
> You may have bridging & routing on the same box at the same time but
> note that a single packet coming into the system either goes through
> bridging _or_ routing code, but not both. The former case happens
> if the packet's destination MAC address is not that of the box. The
> latter case happens when the destination MAC address is that of the receiving
> interface.

Thank you very much for your explanation. I had misunderstood precisely how routing and bridging are done in FreeBSD, but it now makes sense.

> If you provide a network diagram along with your requirements,
> we can better discuss the matter.

I now have a working network configuration. For completeness I will explain how it's set up.

I have a small, publicly routable netblock to serve a larger LAN of machines. Thus some of the machines draw IPs from a non-routable private pool and are NAT'd to one of the public IPs. It looks like this:

  [Gateway]   XX.XX.XXX.22
      |
  [FreeBSD]   XX.XX.XXX.20-21
      |
  [L2 Switch]
      |
  PCs         XX.XX.XXX.17-19
              192.168.1.0/24

The gateway must have one of the public IPs to communicate with its upstream correctly. On the other side of the FreeBSD server the rest of those IPs are used. So a traditional gateway setup would not work here: it would imply that the FreeBSD server has two interfaces from two different subnets, rather than one split subnet. Perhaps a static route for the gateway would work, but it would be messy. So I bridge the two interfaces to join the public subnet.

Following your advice I have set the FreeBSD server as the network gateway - previously it was the .22 gateway - and now all of the LAN PCs can communicate without additional routing information.

Inter-subnet packets will bounce off the FreeBSD server, rather than staying inside the L2 switch, but that's OK.

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
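The configuration below is an added example of the setup Jay describes (one public subnet split across a bridge, the FreeBSD box acting as gateway for the LAN, and a private pool NAT'd to a public address). It is not Jay's own configuration, which the mail does not show. Assumptions: the two interfaces are em0 (towards the upstream gateway) and em1 (towards the L2 switch); the public block is written as the documentation range 203.0.113.16/28 in place of the redacted XX.XX.XXX addresses; the public and private addresses are placed on bridge0 rather than on the members, so that frames addressed to the box's own MAC are routed while everything else is bridged, as H.fazaeli explains above; and pf is used for the NAT, since the mail does not say which NAT was used.

```conf
# --- /etc/rc.conf (added example; em0/em1 and 203.0.113.16/28 are assumptions) ---
cloned_interfaces="bridge0"
ifconfig_em0="up"                       # side facing the upstream gateway (.22)
ifconfig_em1="up"                       # side facing the L2 switch and the PCs
# Bridge both sides so the public /28 spans them. The box's own addresses
# live on bridge0: a frame sent to bridge0's MAC enters the IP stack and is
# routed (and NAT'd); any other frame is switched between em0 and em1.
ifconfig_bridge0="inet 203.0.113.20/28 addm em0 addm em1 up"
ifconfig_bridge0_alias0="inet 203.0.113.21 netmask 255.255.255.255"   # NAT address
ifconfig_bridge0_alias1="inet 192.168.1.1 netmask 255.255.255.0"      # private pool
defaultrouter="203.0.113.22"            # the upstream gateway, still in the same /28
gateway_enable="YES"                    # sets net.inet.ip.forwarding=1 at boot
pf_enable="YES"
pf_rules="/etc/pf.conf"

# --- /etc/sysctl.conf ---
# Filter routed traffic once, on bridge0, rather than again on each member;
# otherwise "nat on bridge0" never matches packets pf already saw on em1.
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

# --- /etc/pf.conf ---
ext_if   = "bridge0"
priv_net = "192.168.1.0/24"
nat_ip   = "203.0.113.21"
# Translate the private pool to one public address. Only routed packets
# (destination MAC == bridge0's MAC) reach this rule; bridged frames between
# the public hosts and the gateway are not touched.
nat on $ext_if from $priv_net to !$priv_net -> $nat_ip
pass all
```

The LAN PCs in 192.168.1.0/24 use 192.168.1.1 as their default gateway; the public hosts .17-.19 and the upstream .22 use the FreeBSD box's 203.0.113.20, as Jay's final setup describes. With the addresses on bridge0 the public hosts still talk to .22 directly through the bridge, while traffic from the private pool is routed through the box and NAT'd to .21. If pf_enable is set but net.link.bridge.pfil_member is left at its default of 1, check with `pfctl -s state` that translations show bridge0 and not em1 as the interface.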