Date: Fri, 02 Dec 2005 08:11:49 -0500
From: David Pierron <david@wombatsweb.com>
To: freebsd-pf@freebsd.org
Subject: FBSD6 if_bridge
Message-ID: <43904815.4070805@wombatsweb.com>
I have been trying for some time to get if_bridge working on a FreeBSD 6.0 machine. I must be missing something simple. I have Googled, I have previously posted here, I've IRC'd and I have tried 3 different installations on different hardware ... I have read and reread the man pages for if_bridge and associated docs, I believe I made the correct choices. I have posted my edits so that it may jump out at someone and I can proceed on my merry way into ruleset building ...

The configuration desired is a 3 NIC install ... 2 doing the bridge between the router and the network and the 3rd used for access I/O to the machine. When I am ready to try this new configuration, I pull the two CAT5 cables from the existing bridge (FBSD 4.11-p13 BRIDGE IPFW) and pop them into this new one. I see traffic being blocked using tcpdump -i pflog0 from machines within the network (fxp2), but nothing outside (fxp0 and fxp1). I see states being established and removed watching pftop but only for the internal network (fxp2). It appears the bridge is not working whatsoever ... any ideas for me to try?

I install from 6.0-RELEASE-i386-bootonly.iso using a Minimal install. Get base via FTP ::

pkg_add -r cvsup-without-gui
cvsup all source and ports

and recompile the kernel editing GENERIC with:

# Bridge support
device          if_bridge
# PF support
device          pf
device          pflog
device          pfsync
# ALTQ support
options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ
# for SMP machine
options         ALTQ_NOPCC
# other stuff
#options        IPSTEALTH
options         HZ=1000

config SMP ; cd ../compile/SMP ; make depend ; make ; make install
reboot

/etc/sysctl.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Enable bridge and allow each NIC (member) in/out filtering for PF
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
#
# Enable forwarding
#net.inet.ip.forwarding=1   # I have tried with this on as well but bridge should do forwarding
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

/etc/rc.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
defaultrouter="my.c.class.xxx"
hostname="foo.mydomain.org"
ifconfig_fxp2="inet my.c.class.xxx netmask 255.255.255.0"
#
# Create Bridge
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"
#
# Enable PF firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
#
# Enable PF logging
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
#
# Start Apache2 at startup
apache2_enable="YES"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

/etc/pf.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ext_if="fxp0"   # replace with actual external interface name i.e., dc0
int_if="fxp1"   # replace with actual internal interface name i.e., dc1
mgt_if="fxp2"   # replace with actual internal interface name i.e., dc2

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# localhost interface
pass quick on lo0 all

# Block everything and log it
block log on $mgt_if all
block log on $ext_if all
block log on $int_if all

# Internal interface
pass out on $mgt_if all keep state
pass in on $mgt_if proto tcp from any to $mgt_if port 80 keep state
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ifconfig output with cables unplugged from bridge:

fxp0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (none)
        status: no carrier
fxp1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (none)
        status: no carrier
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp2 prefixlen 64 scopeid 0x3
        inet my.c.class.xxx netmask 0xffffff00 broadcast my.c.class.255
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
pfsync0: flags=0<> mtu 2020
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
        ether xx:xx:xx:xx:xx:xx
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: fxp1 flags=3<LEARNING,DISCOVER>
        member: fxp0 flags=3<LEARNING,DISCOVER>
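Editor's note on the ifconfig output above: fxp0 and fxp1 show flags=8902, which is BROADCAST|PROMISC|SIMPLEX|MULTICAST without the UP bit (IFF_UP = 0x1) that fxp2 (8843) and bridge0 (8041) carry. The rc.conf line ifconfig_bridge0="addm fxp0 addm fxp1 up" brings up bridge0 itself, not its members, and an interface that is not UP receives no frames, so nothing reaches the bridge or pf on those two ports regardless of carrier. The following is an added example, not code from the original post or from FreeBSD: a POSIX sh checker that parses ifconfig(8) output, decodes the flags word, and lists bridge members that are down. The embedded sample is the redacted output quoted in the post (abridged, constructed so the script runs offline); the script and function names are my own.

```shell
#!/bin/sh
# bridgecheck.sh (added example, hypothetical name): report if_bridge members
# that are not UP, from ifconfig(8) output. Usage on the box:
#   ifconfig | sh bridgecheck.sh -
# Without "-" it runs against SAMPLE_IFCONFIG, which is the (redacted,
# abridged) ifconfig output quoted in the post.

SAMPLE_IFCONFIG='fxp0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (none)
        status: no carrier
fxp1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (none)
        status: no carrier
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet my.c.class.xxx netmask 0xffffff00 broadcast my.c.class.255
        ether xx:xx:xx:xx:xx:xx
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
        ether xx:xx:xx:xx:xx:xx
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: fxp1 flags=3<LEARNING,DISCOVER>
        member: fxp0 flags=3<LEARNING,DISCOVER>'

# iface_flags TEXT IFNAME: print the hex flags word of IFNAME ("8902" for
# "fxp0: flags=8902<...>"). Only top-level "name:" lines match, so the
# "member: fxpN flags=3<...>" lines under a bridge are never confused with it.
iface_flags() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        BEGIN { tag = ifn ":" }
        $1 == tag { sub(/^flags=/, "", $2); sub(/<.*/, "", $2); print $2; exit }'
}

# iface_is_up TEXT IFNAME: succeed if IFF_UP (bit 0x1) is set in the flags word.
# Returns 2 if the interface does not appear in TEXT at all.
iface_is_up() {
    iiu_flags=$(iface_flags "$1" "$2")
    [ -n "$iiu_flags" ] || return 2
    [ $(( 0x$iiu_flags & 1 )) -ne 0 ]
}

# bridge_members TEXT BRIDGE: print the member interface names, one per line.
# Lines belonging to BRIDGE are the indented ones following "BRIDGE:" until the
# next unindented interface header.
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        BEGIN { tag = br ":" }
        $1 == tag { inbr = 1; next }
        /^[a-z]/  { inbr = 0 }
        inbr && $1 == "member:" { print $2 }'
}

# down_members TEXT BRIDGE: print the names of members lacking IFF_UP.
down_members() {
    for dm_m in $(bridge_members "$1" "$2"); do
        iface_is_up "$1" "$dm_m" || echo "$dm_m"
    done
}

# check_bridge_members TEXT BRIDGE: print one status line per member and the
# rc.conf line that fixes a down one; return 1 if any member is down.
check_bridge_members() {
    cbm_rc=0
    for cbm_m in $(bridge_members "$1" "$2"); do
        if iface_is_up "$1" "$cbm_m"; then
            echo "$cbm_m: UP"
        else
            echo "$cbm_m: DOWN (no IFF_UP) -> add ifconfig_${cbm_m}=\"up\" to /etc/rc.conf"
            cbm_rc=1
        fi
    done
    return $cbm_rc
}

# Stand-alone run: "-" reads real ifconfig output from stdin, else use the sample.
if [ "${1:-}" = "-" ]; then
    IFCONFIG_TEXT=$(cat)
else
    IFCONFIG_TEXT=$SAMPLE_IFCONFIG
fi
check_bridge_members "$IFCONFIG_TEXT" bridge0 \
    || echo "bridge0: not every member is UP; no frames can be forwarded"
```

Against the posted output the script reports both members down and points at the standard fix, ifconfig_fxp0="up" and ifconfig_fxp1="up" next to the bridge lines in /etc/rc.conf. Note that this only gets frames as far as pf: the posted pf.conf has no pass rule on $ext_if or $int_if, so once the members are up the "block log" rules on those two interfaces will log and drop every bridged packet (which is at least the pflog0 activity the post was expecting to see). With pfil_member=1 and pfil_bridge=1 each packet is evaluated on the member interface and again on bridge0; the posted ruleset has no block on bridge0, so that pass falls through to pf's default, and what still needs adding is pass rules on the member interfaces for the traffic the bridge is meant to carry.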
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43904815.4070805>