From: "kevin"
To: freebsd-net@freebsd.org
Date: Fri, 18 Feb 2011 12:49:35 -0500
Subject: Bridging + VLANS + RSTP / MSTP
List-Id: Networking and TCP/IP with FreeBSD

Hello,

I have a fairly straightforward network in a colocated facility. I have a FreeBSD PF bridging firewall (2 interfaces bridged, 1 interface for access). The FreeBSD 8.0-RELEASE firewall provides inbound filtering through a Dell PowerConnect 5448 switch, divided into two VLANs.
My network is best described by the following diagram:

    [ISP GW]
        |
    [------switch 1 [vlan1]------]
        |
    [FW1 BRIDGE]
        |
    [------switch 1 [vlan2]------]
        |
    [clients]

I have been playing around with the possibility to add another FreeBSD bridging firewall to provide access from vlan1 > vlan2 for the clients. I originally posted on the freebsd-pf list, and the only viable solution would be to employ STP on the two FreeBSD servers' bridge ports on vlan1, and turn STP off for every other port. My switch also supports the MSTP and RSTP protocols. Honestly I have little experience with this, but I was hoping to get some general insight as to how I could employ my switch and a redundant FreeBSD firewall for hardware failover.

My current testing has shown little promise -- both firewalls will go up, but traffic will only go to the first firewall. If I reboot that first firewall, no traffic will flow to the second bridging firewall.

Note that all IPs on my network (inside and out) are public IPs; there are no private IPs on my network.

Here is my rc.conf:

    defaultrouter="x.x.x.x"
    gateway_enable="YES"

    # Transparent bridge: bge0 and bge1 are the two bridged interfaces,
    # both running STP; em0 is the management/access interface.
    cloned_interfaces="bridge0"
    ifconfig_bridge0="up addm bge0 stp bge0 addm bge1 stp bge1"
    ifconfig_bge0="up"
    ifconfig_bge1="up"
    ifconfig_em0="inet y.y.y.y netmask 255.255.255.0"

    # PF Options
    pf_enable="YES"                 # Enable PF (load module if required)
    pf_rules="/etc/pf.conf"         # rules definition file for pf
    pf_flags=""                     # additional flags for pfctl startup
    pflog_enable="YES"              # start pflogd(8)
    pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
    pflog_flags=""                  # additional flags for pflogd startup

My pf.conf is really standard; I don't think there is really a point to posting it. Just a "block in all" and a series of "pass in" rules, nothing fancy.

Any help or ideas or insight is GREATLY appreciated -- I have been tackling this for about a year (not actively, passively) and would LOVE to employ this properly.
I see commercial firewalls like Juniper offer transparent bridging and failover hardware redundancy, so I'm pretty sure this would be possible with FreeBSD, but again my switching and networking experience is somewhat limited.

Thanks,
Kevin
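The post's symptom (traffic reaching only one of two parallel bridging firewalls) is what STP is expected to produce on the standby box, so the first check is which role and state each bridge member port is in. The following is an added example, not part of Kevin's message or of FreeBSD: a POSIX sh/awk health check that parses ifconfig(8) bridge output and reports whether every member of the bridge is forwarding (a two-port transparent bridge passes traffic only when both members forward). The two ifconfig outputs embedded below are constructed samples in the shape FreeBSD prints for bridge0 with members bge0 and bge1.

```shell
# Constructed sample: the active firewall, both members forwarding.
SAMPLE_ACTIVE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:1e:c9:aa:bb:cc priority 4096 ifcost 20000 port 1
        member: bge1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: bge0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state forwarding'

# Constructed sample: the standby firewall, STP has blocked one member
# to break the loop, so this box is (correctly) not passing traffic.
SAMPLE_STANDBY='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: bge1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role alternate state discarding
        member: bge0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state forwarding'

# Read ifconfig bridge output on stdin; print "<member> <role> <state>"
# for each STP member port, in the order ifconfig lists them.
bridge_port_states() {
    awk '
        /^[[:space:]]*member:/ { m = $2 }
        m != "" && /role/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "role")  role  = $(i + 1)
                if ($i == "state") state = $(i + 1)
            }
            print m, role, state
            m = ""
        }'
}

# Succeed (exit 0) only when the bridge has members and all of them are
# forwarding, i.e. this firewall is the one actually carrying traffic.
bridge_is_passing() {
    bridge_port_states | awk '
        { n++; if ($3 == "forwarding") f++ }
        END { exit (n > 0 && f == n) ? 0 : 1 }'
}
```

On the firewall itself the same check runs against live output: `ifconfig bridge0 | bridge_port_states`, or `ifconfig bridge0 | bridge_is_passing` from cron to alert when the box that should be active is not.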