Date: Fri, 15 Jul 2005 11:13:56 -0500 (CDT)
From: "Viren Patel" <virenp@mail.utexas.edu>
To: freebsd-net@freebsd.org
Subject: 5.4-stable, 802.1q vlans, ipfw, and bridging??
Message-ID: <43646.146.6.178.5.1121444036.squirrel@mail.cm.utexas.edu>
Hello. I am trying to set up a bridging firewall between multiple 802.1q vlans. Vlans 1 and 2 are public and vlans 3 and 4 are private. Vlans 1 and 3 are to be bridged, as are vlans 2 and 4. Router/switches are Cisco. My setup is as follows:

Firewall: PC with Intel Pro/1000 MT dual-port server adapter
Operating System: FreeBSD 5.4-stable

Kernel config:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPDIVERT
options IPSTEALTH
options BRIDGE
device vlan

/etc/sysctl.conf:

net.link.ether.bridge.enable=1
net.link.ether.bridge.config=vlan1:1,vlan3:1,vlan2:2,vlan4:2
net.link.ether.bridge.ipfw=1

/etc/rc.conf:

network_interfaces="em0 em1 lo0"
ifconfig_em0="up promisc vlanhwtag"
ifconfig_em1="up promisc vlanhwtag"
cloned_interfaces="vlan1 vlan2 vlan3 vlan4"
ifconfig_vlan1="vlan1 vlan 1 vlandev em0"
ifconfig_vlan2="vlan2 vlan 2 vlandev em0"
ifconfig_vlan3="vlan3 vlan 3 vlandev em1"
ifconfig_vlan4="vlan4 vlan 4 vlandev em1"
ipfirewall_enable="YES"
ipfirewall_type="OPEN"
ipfirewall_quiet="NO"
ipfirewall_logging="YES"

Vlans 1 and 2 are trunked to em0 and vlans 3 and 4 are trunked to em1.

The firewall does not seem to be functioning correctly. A PC on a private vlan is not able to connect out. In the open firewall configuration as above, I would expect all traffic to be passed from private to public vlans and vice versa.

Starting a steady ping on the private PC, then capturing vlan traffic on the firewall via tcpdump, shows arp requests on the private vlan and corresponding arp requests on the public vlan, but no arp replies. Sniffing the physical interfaces on the firewall shows the 802.1q frames. Sniffing the public vlan via a third host, however, does not show any arp traffic at all. So it seems the vlan bridging is working on the firewall, but the packets are not being put out on the parent interface of the public vlan.

What am I doing wrong?

Viren
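As an added example (not the poster's code or anything from the FreeBSD project), here is a small Python checker that parses the net.link.ether.bridge.config cluster list and the ifconfig_vlanN lines quoted in the message and confirms that every bridge cluster joins exactly one VLAN on the public trunk with one on the private trunk, so that no cluster silently bridges public to public or private to private. The em0 = public / em1 = private assignment is taken from the post; the checker validates the intended segmentation layout and does not diagnose the ARP symptom described.

```python
"""Consistency check for a FreeBSD 5.x bridge-between-VLANs layout."""
import re

# Config text constructed from the message above (not the poster's live files).
SYSCTL_CONF = """net.link.ether.bridge.enable=1
net.link.ether.bridge.config=vlan1:1,vlan3:1,vlan2:2,vlan4:2
net.link.ether.bridge.ipfw=1
"""
RC_CONF = """cloned_interfaces="vlan1 vlan2 vlan3 vlan4"
ifconfig_vlan1="vlan1 vlan 1 vlandev em0"
ifconfig_vlan2="vlan2 vlan 2 vlandev em0"
ifconfig_vlan3="vlan3 vlan 3 vlandev em1"
ifconfig_vlan4="vlan4 vlan 4 vlandev em1"
"""
# Assumption from the post: public VLANs are trunked on em0, private on em1.
PUBLIC_TRUNK, PRIVATE_TRUNK = "em0", "em1"


def parse_bridge_clusters(sysctl_text):
    """Return {cluster_id: [ifname, ...]} from net.link.ether.bridge.config."""
    m = re.search(r"^net\.link\.ether\.bridge\.config=(\S+)", sysctl_text, re.M)
    clusters = {}
    for entry in m.group(1).split(","):
        ifname, cluster = entry.split(":")
        clusters.setdefault(int(cluster), []).append(ifname)
    return clusters


def parse_vlans(rc_text):
    """Return {vlan_if: (tag, parent)} from ifconfig_vlanN="... vlan T vlandev P"."""
    pat = re.compile(r'^ifconfig_(vlan\d+)="\S+ vlan (\d+) vlandev (\w+)"', re.M)
    return {name: (int(tag), parent) for name, tag, parent in pat.findall(rc_text)}


def check_segmentation(clusters, vlans):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    for cid, members in sorted(clusters.items()):
        if len(members) != 2:
            problems.append(f"cluster {cid}: expected 2 members, got {members}")
        for ifname in members:
            if ifname not in vlans:
                problems.append(f"cluster {cid}: {ifname} has no ifconfig_ line")
        parents = {vlans[i][1] for i in members if i in vlans}
        if parents != {PUBLIC_TRUNK, PRIVATE_TRUNK}:
            problems.append(f"cluster {cid}: trunks {sorted(parents)} do not pair public with private")
    for name, (tag, _) in vlans.items():
        if name != f"vlan{tag}":   # interface name must match its 802.1q tag
            problems.append(f"{name}: name does not match 802.1q tag {tag}")
    return problems
```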