Date: Fri, 18 Feb 2011 12:49:35 -0500
From: "kevin" <k@kevinkevin.com>
To: <freebsd-net@freebsd.org>
Subject: Bridging + VLANS + RSTP / MSTP
Message-ID: <000c01cbcf94$35e76e20$a1b64a60$@com>
Hello,

I have a fairly straightforward network in a colocated facility. I have a FreeBSD PF bridging firewall (2 interfaces bridged, 1 interface for access). The FreeBSD 8.0-RELEASE firewall provides inbound filtering through a Dell PowerConnect 5448 switch, divided into two VLANs. My network is best described by the following diagram:

    [ISP GW]
        |
    [------switch 1 [vlan1]------]
        |
    [FW1 BRIDGE]
        |
    [------switch 1 [vlan2]------]
        |
    [clients]

I have been playing around with the possibility of adding another FreeBSD bridging firewall to provide access from vlan1 > vlan2 for the clients. I originally posted on the freebsd-pf list, and the only viable solution would be to employ STP on the two FreeBSD servers' bridge ports on vlan1, and turn STP off for every other port. My switch also supports the MSTP and RSTP protocols.

Honestly I have little experience with this, but I was hoping to get some general insight as to how I could employ my switch and a redundant FreeBSD firewall for hardware failover. My current testing has shown little promise: both firewalls will go up, but traffic will only go to the first firewall. If I reboot that first firewall, no traffic will flow to the second bridging firewall.

Note that all IPs on my network (inside and out) are public IPs; there are no private IPs on my network.

Here is my rc.conf:

    defaultrouter="x.x.x.x"
    gateway_enable="YES"
    cloned_interfaces="bridge0"
    ifconfig_bridge0="up addm bge0 stp bge0 addm bge1 stp bge1"
    ifconfig_bge0="up"
    ifconfig_bge1="up"
    ifconfig_em0="inet y.y.y.y netmask 255.255.255.0"

    # PF Options
    pf_enable="YES"                 # Enable PF (load module if required)
    pf_rules="/etc/pf.conf"         # rules definition file for pf
    pf_flags=""                     # additional flags for pfctl startup
    pflog_enable="YES"              # start pflogd(8)
    pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
    pflog_flags=""                  # additional flags for pflogd startup

My pf.conf is really standard; I don't think there is really a point to posting it. Just a "block in all" and a series of "pass in" rules, nothing fancy.

Any help, ideas or insight is GREATLY appreciated. I have been tackling this for about a year (not actively, passively) and would LOVE to employ this properly. I see commercial firewalls like Juniper offer transparent bridging and failover hardware redundancy, so I'm pretty sure this would be possible with FreeBSD, but again my switching and networking experience is somewhat limited.

Thanks,
Kevin
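The first thing to establish on a pair of parallel bridging firewalls is what STP actually decided on each box: which member port it blocked, and how long a failover is allowed to take before you conclude it is broken. The script below is an added example, not part of Kevin's post and not FreeBSD's own tooling. It parses the member/role/state lines that `ifconfig bridge0` prints for an if_bridge(4) interface (the field layout is assumed to be the FreeBSD 8.x one; the sample output is constructed, with a hypothetical second firewall whose vlan2-side port bge1 has been put into discarding because the first firewall is root) and derives the 802.1D worst-case failover time from the bridge's own timers.

```shell
#!/bin/sh
# Added example (not from the original post, not FreeBSD's own code).
# Summarise the STP state of an if_bridge(4) from `ifconfig bridge0`
# output, list the member ports STP has blocked, and compute the legacy
# 802.1D worst-case failover time from the timers the bridge reports.
#
# ASSUMPTION: the field layout below is what FreeBSD 8.x ifconfig(8)
# prints for bridge members. On a live box feed the real output instead:
#     ifconfig bridge0 | bridge_port_states

# Constructed sample: a hypothetical second firewall while the first is
# root. STP has put bge1 (the vlan2 side) into discarding to break the
# loop switch-vlan1 -> FW1 -> switch-vlan2 -> FW2 -> switch-vlan1.
SAMPLE_BRIDGE_OUTPUT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 9e:1a:7b:2c:0f:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:1b:21:3c:4d:5e priority 32768 ifcost 20000 port 1
        member: bge1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role alternate state discarding
        member: bge0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state forwarding'

# bridge_port_states: read ifconfig output on stdin and print one line per
# member port: "<ifname> <stp|nostp> <role> <state>".
bridge_port_states() {
    awk '
        /^[ \t]*member: / {
            if (name != "") print name, stp, role, state
            name = $2
            stp = ($3 ~ /[<,]STP[,>]/) ? "stp" : "nostp"
            role = "-"; state = "-"
        }
        /^[ \t]*role / { role = $2; state = $4 }
        END { if (name != "") print name, stp, role, state }
    '
}

# bridge_blocked_ports: names of STP-enabled members that are not
# forwarding, i.e. the ports STP is holding shut to break the loop.
# Empty output is what you expect on the root bridge; on a second,
# parallel bridge you expect exactly one blocked port while both are up.
bridge_blocked_ports() {
    bridge_port_states | awk '$2 == "stp" && $4 != "forwarding" { print $1 }'
}

# bridge_stp_failover_bound: worst-case seconds for a legacy 802.1D STP
# reconvergence, from the timers the bridge prints. A non-root bridge
# gives up on a dead root only after maxage, then spends fwddelay in
# listening and fwddelay in learning before it forwards: maxage + 2*fwddelay.
# With the defaults shown (20 + 2*15) that is 50 s. RSTP converges faster,
# so treat this as the upper bound to wait before calling a failover broken.
bridge_stp_failover_bound() {
    awk '
        { for (i = 1; i < NF; i++) {
              if ($i == "fwddelay") fd = $(i + 1)
              if ($i == "maxage")   ma = $(i + 1)
          } }
        END { print ma + 2 * fd }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_BRIDGE_OUTPUT" | bridge_port_states
printf 'blocked: %s\n' "$(printf '%s\n' "$SAMPLE_BRIDGE_OUTPUT" | bridge_blocked_ports)"
printf 'stp worst-case failover: %ss\n' "$(printf '%s\n' "$SAMPLE_BRIDGE_OUTPUT" | bridge_stp_failover_bound)"
```

Run it against `ifconfig bridge0` on both firewalls while both are up: you want every member on one box forwarding and exactly one member on the other box discarding, and when you pull the first box, the discarding port should move to forwarding within the bound printed. If it does not, two ifconfig(8) bridge knobs are worth checking before anything else: `proto rstp` versus `proto stp` (they must agree on both boxes and with whatever the switch does with BPDUs), and `priority` on the bridge, where a lower value makes that firewall the root deterministically instead of leaving it to a MAC-address tiebreak.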
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000c01cbcf94$35e76e20$a1b64a60$>