Date: Tue, 26 Apr 2005 09:56:25 +0200 (CEST)
From: Csaba Urban <ucsaba@freemail.hu>
To: freebsd-net@freebsd.org
Subject: VLAN Bridge with layer2 filtering
Message-ID: <freemail.20050326095625.5363@fm14.freemail.hu>
Hi,

I have a number of users on a VLAN-enabled switch, each user on his own VLAN. They have fixed IP addresses sharing the same IP subnet and gateway. I want to grant them access to the internet through a FreeBSD box which prevents them from communicating with each other in Layer 2 and which also prevents them from using another user's IP or MAC. I don't want to use static ARP, so it seems that the best solution is a VLAN-enabled filtering bridge: in each VLAN only one certain IP address is allowed.

I am pretty new to FreeBSD and have a couple of questions:

1. FreeBSD 5.3 and em() driver: I have a Supermicro P4SCi board with integrated Intel 82541 NICs. I see there are a lot of issues with the em driver when using VLANs and I couldn't figure out whether they are already solved. Maybe it would be better to use other NICs?

2. Bridge setup: since in FreeBSD I can't give the bridge an IP address, I think I have to create a VLAN that doesn't belong to any of the users, and this VLAN would have an IP; this will be the users' gateway address:

    ifconfig vlan0 inet 192.168.0.1 netmask 255.255.255.0

Other VLANs are bridged with vlan0:

    sysctl net.link.ether.bridge.config=vlan0,vlan1,vlan2,vlan3

Is it the right way of doing it?

3. MAC spoofing: if a user tries to use another user's MAC, then there will be two identical MACs on the bridge, in two separate VLANs. Can I have the bridge transmit packets to both destinations? If so, can I filter packets later, when leaving the interface, on whether they have the right VLAN-IP combination?

4. Filtering ARP: I can't simply block ARP. Is there a way in IPFW to look into ARP messages and filter out wrong VLAN-IP combinations?

5. Performance: there will be a number of VLANs here (200-300) with a 1Gbps link to the switch and 100Mbps to the internet. What performance can I expect with a 2.4GHz P4 proc and 512MB RAM?

+1: if I want to set up a DHCP relay agent, will it be able to determine in which VLAN the request came in?
I would really appreciate any help! thanks, csaba
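One way to express the per-VLAN "one IP, one MAC" pinning asked about in points 2 to 4, as an added example that is not part of the original post or of any FreeBSD documentation. It is a POSIX sh generator for an ipfw(8) layer-2 ruleset; the VLAN map, gateway MAC and rule numbers are constructed sample values. It assumes the FreeBSD 5.x bridge(4) with ipfw2, that bridged frames are handed to ipfw with sysctl net.link.ether.bridge.ipfw=1, and that they are checked once on the receiving interface (so every rule is an "in recv <vlan>" rule and no egress match is attempted). The rules pin the source MAC and source IP of each user VLAN and only let frames through that are addressed to the gateway MAC (or ARP broadcast), which is what keeps users from reaching each other at layer 2 even when one of them copies another user's MAC: the copied MAC is simply not the allowed one on the VLAN it is used on.

```shell
#!/bin/sh
# Added example (not from the original post): generate an ipfw(8) layer-2
# ruleset that pins each user VLAN to exactly one IP/MAC pair on ingress.
# Assumptions: FreeBSD 5.x bridge(4) + ipfw2, net.link.ether.bridge.ipfw=1,
# bridged frames checked once on the receiving interface, vlan0 carries the
# gateway address. All addresses and MACs below are constructed samples.

GW_IP=192.168.0.1
GW_MAC=00:0e:0c:aa:bb:cc          # the box's own MAC on vlan0 (constructed)
USER_NET=192.168.0.0/24
BASE_RULE=1000                    # first rule number used for the first VLAN
RULES_PER_VLAN=10                 # rule numbers reserved per VLAN (300 VLANs fit)

# Constructed mapping: "<vlan-if> <allowed IP> <allowed MAC>", one per line.
VLAN_MAP='
vlan1 192.168.0.10 00:11:22:33:44:01
vlan2 192.168.0.11 00:11:22:33:44:02
vlan3 192.168.0.12 00:11:22:33:44:03
'

# Accept only lowercase colon-separated 48-bit MACs, so a typo in the map
# cannot silently turn into an ipfw syntax error or an overly wide match.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the ipfw rules for one user VLAN.
# $1 = vlan interface, $2 = allowed IP, $3 = allowed MAC, $4 = first rule number
user_vlan_rules() {
    vif=$1; ip=$2; mac=$3; r=$4
    valid_mac "$mac" || { echo "bad MAC for $vif: $mac" >&2; return 1; }
    # IP frames from the user: source IP and source MAC must be the assigned
    # pair, and the frame must be addressed to the gateway MAC, so users never
    # talk to each other at layer 2 (the box routes or drops at layer 3).
    echo "add $r allow ip from $ip to $GW_IP MAC $GW_MAC $mac in recv $vif"
    echo "add $((r+1)) allow ip from $ip to not $USER_NET MAC $GW_MAC $mac in recv $vif"
    # ARP: broadcast requests and unicast replies to the gateway only. ipfw
    # cannot match the sender/target IP inside ARP, so only the MAC is pinned;
    # broadcast requests still reach the other VLANs via the bridge.
    echo "add $((r+2)) allow all from any to any mac-type arp MAC ff:ff:ff:ff:ff:ff $mac in recv $vif"
    echo "add $((r+3)) allow all from any to any mac-type arp MAC $GW_MAC $mac in recv $vif"
    # Anything else arriving on this VLAN (other MACs, IPs or ethertypes) is dropped.
    echo "add $((r+4)) deny all from any to any layer2 in recv $vif"
}

# Print the rules for every VLAN in the map, each in its own rule-number block.
generate_ruleset() {
    n=$BASE_RULE
    while read -r vif ip mac; do
        [ -n "$vif" ] || continue
        user_vlan_rules "$vif" "$ip" "$mac" "$n" || return 1
        n=$((n + RULES_PER_VLAN))
    done <<EOF
$VLAN_MAP
EOF
}

# Number of rule lines the map produces; a quick sanity check before loading
# a 300-VLAN map into the kernel.
ruleset_size() {
    generate_ruleset | wc -l | tr -d ' '
}

generate_ruleset
```

The script prints ipfw commands rather than executing them; saving the output to a file and loading it with `ipfw -q <file>` is the documented way to install a ruleset. The rules cover user-VLAN ingress only; rules for frames the box itself sends on vlan0 and the usual layer-3 rules still have to follow them, and question 4 is only partly answered by this: ipfw pins the Ethernet source MAC of ARP frames and where they may be addressed, but it does not parse the ARP payload, so a mismatched IP inside an ARP reply from the allowed MAC is not caught at layer 2.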