Date: Fri, 22 Apr 2005 18:15:04 +0200
From: Sten Daniel Sørsdal <lists@wm-access.no>
To: Urbán Csaba <ucsaba@freemail.hu>
Cc: freebsd-isp@freebsd.org
Subject: Re: IP unnumbered VLANs
Message-ID: <42692308.10303@wm-access.no>
In-Reply-To: <freemail.20050322142023.32596@fm4.freemail.hu>
References: <freemail.20050322142023.32596@fm4.freemail.hu>

> Did anybody try something like this - with success, of course :)

Yes, had success with FreeBSD 4.x, OpenBSD and RouterOS (Linux).

What you need to emphasize is a good bridge as routing gateway that has very good Layer2 filtering capabilities to filter traffic between VLANs but still bridge them all together into one bridge (so they can't access each other and not be able to spoof etc).

One of your immediate weaknesses will be if two users have the same MAC address, therefore I suggest an 802.1D compliant bridge (so no single customer can deny another customer's service by using the same MAC address but instead this results in duplication of packets).

Also one customer can steal another customer's address by sending creative ARP packets to the gateway, you might want to strengthen that with some custom code, unless it's already done.

Also if they want to communicate with each other I suggest you write a proxy ARP app instead of letting them talk to each other on L2.

-- 
Sten Daniel Sørsdal
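
The kind of gateway-side ARP check the message above says you might want to add, shown as an added example that is not part of the original e-mail and not FreeBSD code. It assumes each customer VLAN has a known set of assigned addresses; the binding table, function names, MAC and IP values are all constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Constructed binding table: customer VLAN id -> IPv4 addresses assigned to it.
BINDINGS = {101: {IPv4Address("192.0.2.10")}, 102: {IPv4Address("192.0.2.11")}}

def parse_tagged_arp(frame: bytes):
    """Return (vlan, eth_src, sender_mac, sender_ip) for an 802.1Q-tagged
    Ethernet/IPv4 ARP frame, or None for anything else (including short frames)."""
    if len(frame) < 46:          # 12 MAC bytes + 4 tag + 2 ethertype + 28 ARP
        return None
    tpid, tci, etype = struct.unpack_from("!HHH", frame, 12)
    if tpid != 0x8100 or etype != 0x0806:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack_from("!HHBBH", frame, 18)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac, sender_ip = frame[26:32], IPv4Address(frame[32:36])
    return tci & 0x0FFF, frame[6:12], sender_mac, sender_ip

def verdict(frame: bytes, bindings=BINDINGS) -> str:
    """Classify a frame seen on the bridge: 'accept', 'drop' or 'ignore'."""
    parsed = parse_tagged_arp(frame)
    if parsed is None:
        return "ignore"          # not tagged ARP; other filter rules apply
    vlan, eth_src, sender_mac, sender_ip = parsed
    if eth_src != sender_mac:
        return "drop"            # ARP payload disagrees with the L2 header
    if sender_ip not in bindings.get(vlan, set()):
        return "drop"            # address claimed from a VLAN it is not assigned to
    return "accept"

def build_frame(vlan: int, mac: bytes, ip: str, eth_src: bytes = None) -> bytes:
    """Build a constructed ARP request used as sample input for verdict()."""
    eth = b"\xff" * 6 + (eth_src or mac) + struct.pack("!HHH", 0x8100, vlan, 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + IPv4Address(ip).packed
    return eth + arp + b"\x00" * 6 + IPv4Address("192.0.2.1").packed
```

Because the decision is keyed on the VLAN tag rather than on the MAC address, two customers presenting the same MAC on different VLANs are both accepted for their own addresses, which matches the duplicate-MAC concern raised in the message.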
