Date:      Wed, 22 Dec 2010 10:17:02 -0500
From:      Nathan Vidican <nathan@vidican.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Port based VLAN
Message-ID:  <AANLkTikJtjmqzAdKPRYe-GzN3NPnPZCBDiD9DS6tTCBW@mail.gmail.com>
In-Reply-To: <4D120895.2060002@infracaninophile.co.uk>
References:  <F1893052-E00F-49FC-9E8F-9591B834E1D0@internode.on.net> <4D120895.2060002@infracaninophile.co.uk>

On Wed, Dec 22, 2010 at 9:17 AM, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:

> On 22/12/2010 11:15, Indexer wrote:
> > Hi,
> >
> > I plan to make a FreeBSD based router sometime soon. I would like to be
> able to do port based vlanning on the router, so that a client computer that
> plugs into that socket is "dumb" to the vlans' existence.
> >
> > IE
> >
> > em0 - untagged
> > em1 - vlan 1
> > em2 - vlan 2
> >
> > Is what I want to achieve (as a simple example). This way I can use
> unmanaged switches on em2, and all clients behind that are to the router on
> vlan2.
> >
> > How does one go about this on FreeBSD?
> >
>
> In /etc/rc.conf:
>
> ifconfig_em1="up -vlanhwtag" # You may or may not want hwtag -- try both
> vlans_em1="vlan1"
> ifconfig_em2="up -vlanhwtag"
> vlans_em2="vlan2"
>
> create_args_vlan1="vlan 1"
> ipv4_addrs_vlan1="192.168.12.34/24"
>
> create_args_vlan2="vlan 2"
> ipv4_addrs_vlan2="192.168.56.78/24"
>
> The em0 i/f should be configured as usual.  This will create virtual
> interfaces vlan1 and vlan2 which you can apply firewall rules to etc.
>
>        Cheers,
>
>        Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>
>
I do this exact thing, where a single server port attaches to the switch as
a trunk and carries multiple VLANs which are in turn firewalled and routed
amongst one another. My rc.conf (the pertinent parts, anyway) looks like
this:

gateway_enable="YES"
cloned_interfaces="vlan1 vlan190 vlan100 vlan200 vlan300 vlan400"
ifconfig_em0="up"
ifconfig_vlan1="up"
ifconfig_vlan190="inet X.X.190.1/28 vlan 190 vlandev em0"
ifconfig_vlan100="inet 10.0.1.1/26 vlan 100 vlandev em0"
ifconfig_vlan200="inet 10.0.2.254/24 vlan 200 vlandev em0"
ifconfig_vlan300="inet 10.0.3.254/24 vlan 300 vlandev em0"
ifconfig_vlan400="inet 10.0.4.1/28 vlan 4 vlandev em0"
firewall_enable="YES"

Within my rc.firewall, the interfaces are vlan1, vlan190, vlan100, etc.; the
system sees each as if it were physically a different network card, and
I'm able to route/filter traffic as such. Note: I did have to add vlan
support in my kernel for this. I'm using an Intel 1000MT 1000BaseSX (fiber)
card connected to a Cisco Catalyst 2948, which in turn connects on the other
side as a trunked port.

-- 
Nathan Vidican
nathan@vidican.com



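A lint for the two rc.conf styles shown in this thread, added here as an example; it is not code from either poster. It parses rc.conf assignments, builds the VLAN plan (parent, tag, address) from both the vlans_<parent>/create_args_<vlan>/ipv4_addrs_<vlan> form and the cloned_interfaces/ifconfig_<vlan>="... vlan N vlandev P" form (plus the em0.100 naming), and flags what bites in practice: a VLAN interface with no parent or no tag, a tag outside 1..4094, VLAN 1 (the default/native VLAN on most switches, whose frames usually cross a trunk untagged), an interface whose name does not match its tag, the same tag used twice on one parent, a parent that is never brought up, mismatched quotes, and gateway_enable with no packet filter enabled. The sample rc.conf is constructed for the demonstration, loosely modelled on the configs above; the function names and message wording are mine.

```python
"""Lint the VLAN definitions in a FreeBSD rc.conf (added example, not code from the thread)."""
import re

_ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_rc_conf(text):
    """Return (conf, problems): {var: value} plus a list of syntax problems.

    Covers the one-assignment-per-line subset sh(1) sees in rc.conf:
    comments, double- or single-quoted values; a later assignment wins.
    """
    conf, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ASSIGN.match(line)
        if not m:
            problems.append('line %d: not a VAR=value assignment: %s' % (lineno, line))
            continue
        var, rest = m.group(1), m.group(2).strip()
        if rest[:1] in ('"', "'"):
            quote = rest[0]
            end = rest.find(quote, 1)
            if end == -1:                     # e.g. 'up -vlanhwtag"  (mixed quotes)
                problems.append('line %d: unterminated %s quote in %s' % (lineno, quote, var))
                value = rest[1:]
            else:
                value = rest[1:end]
        else:
            value = rest.split('#', 1)[0].strip()
        conf[var] = value
    return conf, problems


def _vlan_args(args):
    """Pull the 'vlan N' and 'vlandev P' parameters out of an ifconfig string."""
    tag = parent = None
    words = args.split()
    for i, word in enumerate(words[:-1]):
        if word == 'vlan':
            tag = words[i + 1]
        elif word == 'vlandev':
            parent = words[i + 1]
    return tag, parent


def vlan_plan(conf):
    """Map every VLAN interface named in conf to its parent, tag and address."""
    plan = {}

    def entry(name):
        return plan.setdefault(name, {'parent': None, 'tag': None, 'addr': None})

    for var, val in conf.items():                           # vlans_em1="vlan1 vlan2"
        if var.startswith('vlans_'):
            for name in val.split():
                entry(name)['parent'] = var[len('vlans_'):]
    for name in conf.get('cloned_interfaces', '').split():  # cloned_interfaces="vlan1 ..."
        if name.startswith('vlan') or '.' in name:
            entry(name)
    for name, e in plan.items():
        m = re.match(r'^(\w+)\.(\d+)$', name)       # em0.100 style: parent and tag from the name
        if m:
            e['parent'], e['tag'] = m.group(1), m.group(2)
        key = name.replace('.', '_')                # rc.conf spells em0.100 as ifconfig_em0_100
        for var in ('create_args_' + key, 'ifconfig_' + key):
            tag, parent = _vlan_args(conf.get(var, ''))
            e['tag'] = tag or e['tag']
            e['parent'] = parent or e['parent']
        e['addr'] = conf.get('ipv4_addrs_' + key)
        if e['addr'] is None:
            m = re.search(r'\binet\s+(\S+)', conf.get('ifconfig_' + key, ''))
            e['addr'] = m.group(1) if m else None
    return plan


def check_vlans(text):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings for an rc.conf text."""
    conf, problems = parse_rc_conf(text)
    findings = ['ERROR: ' + p for p in problems]
    seen = {}                                       # (parent, tag) -> first interface using it
    for name, e in vlan_plan(conf).items():
        parent, tag = e['parent'], e['tag']
        if parent is None:
            findings.append('ERROR: %s has no parent (vlandev or vlans_<parent>)' % name)
        elif 'ifconfig_' + parent.replace('.', '_') not in conf:
            findings.append('WARN: %s: parent %s has no ifconfig_%s line, so it is never brought up'
                            % (name, parent, parent))
        if tag is None:
            findings.append('ERROR: %s has no VLAN tag (vlan N)' % name)
            continue
        if not tag.isdigit() or not 1 <= int(tag) <= 4094:
            findings.append('ERROR: %s: tag %r is not in 1..4094' % (name, tag))
            continue
        if tag == '1':
            findings.append('WARN: %s uses VLAN 1, the default/native VLAN on most switches; '
                            'its frames usually cross a trunk untagged' % name)
        digits = re.search(r'(\d+)$', name)
        if digits and int(digits.group(1)) != int(tag):
            findings.append('WARN: %s carries tag %s, which does not match its name' % (name, tag))
        if (parent, tag) in seen:
            findings.append('ERROR: %s: tag %s on %s already used by %s'
                            % (name, tag, parent, seen[(parent, tag)]))
        else:
            seen[(parent, tag)] = name
    filters = ('firewall_enable', 'pf_enable', 'ipfilter_enable')
    if conf.get('gateway_enable', '').upper() == 'YES' and not any(
            conf.get(v, '').upper() == 'YES' for v in filters):
        findings.append('WARN: gateway_enable=YES but no packet filter is enabled; '
                        'VLANs will be routed unfiltered')
    return findings


# Constructed sample, loosely modelled on the configs in this thread; not a real host.
SAMPLE_RC_CONF = '''\
# constructed sample
gateway_enable="YES"
cloned_interfaces="vlan1 vlan190 vlan400"
ifconfig_em0="up"
ifconfig_vlan1="up"
ifconfig_vlan190="inet 203.0.113.1/28 vlan 190 vlandev em0"
ifconfig_vlan400="inet 10.0.4.1/28 vlan 4 vlandev em0"
ifconfig_em1='up -vlanhwtag"
vlans_em1="vlan2 vlan3"
create_args_vlan2="vlan 2"
ipv4_addrs_vlan2="192.168.12.34/24"
create_args_vlan3="vlan 2"
vlans_em2="vlan9"
create_args_vlan9="vlan 1"
firewall_enable="YES"
'''

if __name__ == '__main__':
    for finding in check_vlans(SAMPLE_RC_CONF):
        print(finding)
```

Run it against /etc/rc.conf before a reboot of a router like the ones above: an interface created by cloned_interfaces but never given a vlandev, or a tag that silently differs from the interface name, is exactly the kind of thing that leaves a VLAN unfiltered or unreachable until someone looks at the box.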