From owner-freebsd-net@FreeBSD.ORG Thu Oct 16 02:05:54 2003
Message-ID: <3F8E5F6E.4090105@removetomailme.reidel.info>
Date: Thu, 16 Oct 2003 11:05:50 +0200
From: Mark Daniel Reidel (envelope-from mark@removetomailme.reidel.info)
To: freebsd-net@freebsd.org
Subject: VLANs and bridging
List-Id: Networking and TCP/IP with FreeBSD

Hello,

I'm having a network problem I cannot solve myself and am hoping you could point me in the right direction.

I'm currently hosting a lot of computers, all in the same subnet. Since there are administrative servers, hosting servers, and so on, I want to limit access from one logical group to the other. However, the computers are at physically totally scattered locations, some in the same rack, some not. It's impossible for me to divide the network into subnets, keep that in mind. My idea was to install several VLANs, each of them holding a group of computers, and connecting them via a filtering bridge.

So my setup looks like this:

      +--------+     +--------+     +--------+
      | Switch |-----| Switch |-----| Switch |
      +--------+     +--------+     +--------+
       | | | |        | | | |            |
       Computers      Computers     FreeBSD Machine
                                         |
                                         \-- Internet

The obvious drawback is that all the traffic between the VLANs would have to pass through this bridge, but most of the traffic will pass to the internet and back; the traffic between the VLANs is not that much but nevertheless important.

For testing, I used an FXP card and did NOT connect the box to the internet, just to the switch. The switch was configured to give tagged packets to the BSD machine and non-tagged to all other ports. I compiled the BRIDGE into the kernel and set up two VLANs to test:

    ifconfig fxp0 up
    ifconfig vlan1 create
    ifconfig vlan2 create
    ifconfig vlan1 vlan 1 vlandev fxp0
    ifconfig vlan2 vlan 2 vlandev fxp0

The next step was to set up a bridge between vlan1 and vlan2:

    sysctl net.link.ether.bridge=1
    sysctl net.link.ether.bridge_cfg=vlan1,vlan2

And then: nothing happens. It simply doesn't work. Using tcpdump shows me that there are ARP packets trying to be sent and the bridge seems to be forwarding those, but I never get an answer packet. There was no packet filter active at this moment, so I assume there is a problem with bridging VLANs (since bridging fxp0 to rl0 works flawlessly).

My question now is: I've read in some mails that bridging between tagged VLANs is currently not working really well. So what am I to do? Is there a better solution (besides subnets and using a gateway)? Is there a way to make it work? I also read about netgraph bridging but as I understand, there's no way to make it filter packets.

Any suggestions or hints?

- Mark
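Before blaming the bridge code, it is worth confirming that the state the commands above were meant to produce is actually present: both vlan interfaces exist with the right tag, their parent is UP, the bridge sysctl is enabled, and bridge_cfg names the intended members. The script below is an added example written for this page, not code from the mail or from FreeBSD; it parses ifconfig(8) and sysctl(8) text in the "vlan: N ... parent interface: X" and "name: value" formats and reports what is missing. The sample output it ships with is constructed, not captured from a real host, and the handling of an optional ":cluster" suffix on bridge_cfg members is an assumption about the bridge(4) syntax.

```shell
#!/bin/sh
# Added example: sanity-check the vlan + bridge(4) setup from the mail.
# Parses ifconfig(8)/sysctl(8) text; the samples below are constructed.

SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:02:b3:aa:bb:cc
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:02:b3:aa:bb:cc
	vlan: 1 parent interface: fxp0
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:02:b3:aa:bb:cc
	vlan: 2 parent interface: fxp0
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	ether 00:50:ba:dd:ee:ff'

SAMPLE_SYSCTL='net.link.ether.bridge: 1
net.link.ether.bridge_cfg: vlan1,vlan2'

# Print the "flags=..." header line of interface $2 from ifconfig text $1
# (prints nothing if the interface does not exist).
iface_line() {
    printf '%s\n' "$1" | awk -v ifn="$2:" '$1 == ifn { print; exit }'
}

# Succeed only if interface $2 exists and its flags carry UP.
iface_is_up() {
    case "$(iface_line "$1" "$2")" in
        *'flags='*'<UP'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "tag parent" for vlan interface $2; print nothing if it is not a vlan.
# Looks for the "interface:" field so that longer vlan lines are also handled.
vlan_info() {
    printf '%s\n' "$1" | awk -v ifn="$2:" '
        /^[a-z]/ { cur = $1 }
        cur == ifn && $1 == "vlan:" {
            for (i = 3; i <= NF; i++)
                if ($i == "interface:") { print $2, $(i + 1); exit }
        }'
}

# Report problems with the bridge configuration in sysctl text $2 against
# ifconfig text $1; print "ok" and return 0 if none, else return the count.
# Member names may carry an optional ":cluster" suffix (assumed syntax); it is
# stripped before the interface lookup.
bridge_check() {
    ifc=$1; sc=$2; problems=0; n=0
    enabled=$(printf '%s\n' "$sc" | awk '$1 == "net.link.ether.bridge:" { print $2 }')
    if [ "$enabled" != "1" ]; then
        echo "bridge disabled (net.link.ether.bridge=$enabled)"
        problems=$((problems + 1))
    fi
    cfg=$(printf '%s\n' "$sc" | awk '$1 == "net.link.ether.bridge_cfg:" { print $2 }')
    for m in $(printf '%s\n' "$cfg" | tr ',' ' '); do
        m=${m%%:*}; n=$((n + 1))
        if [ -z "$(iface_line "$ifc" "$m")" ]; then
            echo "member $m does not exist"; problems=$((problems + 1)); continue
        fi
        if ! iface_is_up "$ifc" "$m"; then
            echo "member $m is not UP"; problems=$((problems + 1))
        fi
        info=$(vlan_info "$ifc" "$m")
        if [ -n "$info" ]; then
            parent=${info#* }
            if ! iface_is_up "$ifc" "$parent"; then
                echo "parent $parent of $m is not UP"; problems=$((problems + 1))
            fi
        fi
    done
    if [ "$n" -lt 2 ]; then
        echo "bridge needs at least two members, found $n"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo ok
    return "$problems"
}

# Stand-alone run against the constructed sample: prints "ok".
bridge_check "$SAMPLE_IFCONFIG" "$SAMPLE_SYSCTL"
```

On a real box, feed it `"$(ifconfig -a)"` and `"$(sysctl net.link.ether.bridge net.link.ether.bridge_cfg)"` instead of the samples. A clean "ok" narrows the problem down to forwarding behaviour (what tcpdump shows on each vlan interface versus the parent) rather than to a typo in the setup commands.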