From owner-freebsd-questions@FreeBSD.ORG Tue Jan 29 15:30:45 2008
From: Chris
Date: Tue, 29 Jan 2008 06:50:53 -0800
To: FreeBSD Questions
Subject: Multiple if_bridge devices
Message-Id: <81FC7A39-2BD6-4A37-B84E-77DAE43796E6@hughes.net>
Reply-To: snagit@cbpratt.prohosting.com
List-Id: User questions

Hi,

I have 3 transparent firewalls on 3 T1s with a LAN behind each supporting multiple servers.

Existing:

Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3

These firewalls are workstation-class computers running FreeBSD 6.2, if_bridge and ipfw. This has worked quite well with the exception of hardware failures because of the workstations' hardware. I can afford one server-class blade with 3 2-port NICs, but not three complete quality servers. I would like to get to one firewall machine yet maintain the isolation of the circuits and servers.

Target: 1 firewall, 4 NICs, if_bridge (1 bridge) and ipfw

AllServers<->Switch<->FreeBSD Firewall<->T1 Router1
                                      <->T1 Router2
                                      <->T1 Router3

or 1 firewall, 6 NICs, if_bridge (3 bridges) and ipfw

Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1
Servers2<->Switch2<->                <->T1 Router2
Servers3<->Switch3<->                <->T1 Router3

Initially I designed the replacement using a single if_bridge with a single LAN backbone as shown first here. After trying to design the rules, I concluded that it was either illogical or beyond my ipfw rule skills. Then it occurred to me to try to run three if_bridge devices as shown in the second Target box: one box, 6 NICs, 3 networks kept isolated for ARP but IP-managed in a single instance of ipfw.

I got as far as attempting this:

ifconfig bridge0 create
ifconfig bridge0 addm rl0 addm em0 up
ifconfig bridge1 create
ifconfig bridge1 addm vx0 up

It created the devices, but obviously this is not something I could test to see if it actually worked as two discrete bridges. I've no additional hardware, but before I buy anything, I thought I could simply ask if if_bridge is meant to do this.
I have googled, checked man (if_bridge, ipfirewall, ipfw), and the handbook, but I can't find anywhere that specifically says if_bridge is designed to support multiple bridges on one computer.

My questions are:

1. Is if_bridge designed to support more than one bridge on a single machine by creating multiple bridge devices (only, of course, with multiple NICs on the second and tertiary bridges)?

2. If so, does it retain complete isolation of the bridges (e.g. for ARP) while allowing ipfw to examine all three simultaneously?

3. Should I be exploring a different FreeBSD route to implement this?

Please let me know if this should actually go to the FreeBSD-Net list.

Thank you,
Chris Pratt
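As an added example (not code from the original post or from FreeBSD itself), the second target design written down as a small POSIX sh plan: it checks that no NIC is listed under two bridges, which is the one mistake that would silently merge the segments the design keeps apart, before emitting the ifconfig(8) commands and the equivalent /etc/rc.conf lines. rl0 and em0 are the names from the post; rl1, em1, rl2 and em2 are assumed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: the three-bridge, six-NIC
# target expressed as a plan that is checked before anything is applied.
# Each plan line is "<bridge> <LAN-side NIC> <T1-side NIC>". rl0 and em0
# are from the post; the other NIC names are assumed placeholders.
BRIDGE_PLAN='bridge0 rl0 em0
bridge1 rl1 em1
bridge2 rl2 em2'

# Isolation check: a NIC that appears under two bridges would join both
# segments at layer 2. Returns 0 when every NIC belongs to at most one bridge.
check_plan() {
    dups=$(printf '%s\n' "$1" | awk 'NF == 3 { print $2; print $3 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Emit the ifconfig(8) commands for the plan (what the post typed by hand).
plan_to_ifconfig() {
    printf '%s\n' "$1" | while read -r br lan wan; do
        [ -n "$br" ] || continue
        echo "ifconfig $br create"
        echo "ifconfig $br addm $lan addm $wan up"
    done
}

# Emit the matching /etc/rc.conf lines so the bridges come back at boot.
# Member NICs must be up but carry no address on a transparent bridge.
plan_to_rcconf() {
    brs=$(printf '%s\n' "$1" | awk 'NF == 3 { print $1 }' | tr '\n' ' ' | sed 's/ $//')
    echo "cloned_interfaces=\"$brs\""
    printf '%s\n' "$1" | while read -r br lan wan; do
        [ -n "$br" ] || continue
        echo "ifconfig_${lan}=\"up\""
        echo "ifconfig_${wan}=\"up\""
        echo "ifconfig_${br}=\"addm $lan addm $wan up\""
    done
}

# Dry run: print the plan instead of applying it.
if check_plan "$BRIDGE_PLAN"; then
    plan_to_ifconfig "$BRIDGE_PLAN"
    echo "# rc.conf equivalent:"
    plan_to_rcconf "$BRIDGE_PLAN"
else
    echo "plan error: a NIC is listed under more than one bridge" >&2
fi
```

For ipfw to see the bridged traffic at all, if_bridge(4) documents the sysctl net.link.bridge.ipfw, which is the knob to set on the firewall host once the bridges exist.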