From: Robert Watson <robert@fledge.watson.org>
Date: Wed, 24 Dec 2003 18:44:22 -0500 (EST)
To: Ian Smith
cc: freebsd-net@freebsd.org
Subject: Re: bridge with access on both interfaces

On Wed, 24 Dec 2003, Ian Smith wrote:

> What I can't get to is setting up both NICs for the same /24, using
> either one or two separate addresses. I'd hoped to get away with one
> IP, which some of the docs (and bridge.c, skimmed) led me to believe
> that any local IPs of this host, on whatever of the bridged interfaces,
> should provide unbridged local stack access - however if we need to have
> 'inside' and 'outside' IPs separately on each bridge interface, fine.
>
> In short, ifconfig appears unwilling to have two NICs covering the same
> /24. Can this be set up? I'm also at a bit of a loss with the routing,
> so inside packets to the bridge box (i.e. unbridged packets) are responded
> to on the same interface, and outside unbridged packets go only to/from
> the gw. Some tcpdumps on both in and outside interfaces suggest an ARP
> response problem also, perhaps; no responses on the inside iface at all.
>
> I'm unsure if that's too little initial detail or too much?

If you want to use IP while bridging, you'll typically want to configure IP
on one of the interfaces making up the bridge, and then simply "ifconfig up"
the remaining interfaces without explicitly configuring IP on them. If you
get ARP warnings, you can silence them using a sysctl (I can't remember if I
got them last time I did this, however).

At one point I rewrote bits of our bridge code to create virtual bridge
interfaces, the idea being that you'd configure IP on the virtual interface
rather than on one of the member interfaces. However, I never got around to
merging those changes -- my real goal was to allow sniffing of packets
to/from the host on any component interface, and BPF only picked up packets
from/to a specific interface (or leaked bridge packets for unknown target
addresses). I'm sure at some point, someone will get to reimplementing our
bridge code to take this approach, however.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
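As an added illustration of the setup Robert recommends (this fragment is not part of the original thread), here is an /etc/rc.conf excerpt showing the form Ian tried beside the form Robert describes. The interface names fxp0/fxp1, the 192.0.2.0/24 addresses and the gateway are assumed placeholders, and enabling the bridge itself through the bridge(4) sysctls of whichever release is in use is deliberately left out.

```shell
# /etc/rc.conf fragment (added example; interface names and addresses are placeholders)

# Attempted form: both bridge members carry an address in the same /24.
# This is the configuration ifconfig rejects, as reported in the thread.
#ifconfig_fxp0="inet 192.0.2.10 netmask 255.255.255.0"
#ifconfig_fxp1="inet 192.0.2.11 netmask 255.255.255.0"

# Recommended form: IP on exactly one member interface; the other member is
# only brought up so the bridge can forward through it. Frames addressed to
# the host's own MAC are handed to the local stack whichever member they
# arrive on, which is why a single address on one member is sufficient.
ifconfig_fxp0="inet 192.0.2.10 netmask 255.255.255.0"
ifconfig_fxp1="up"

# Unbridged traffic from the host to other networks leaves via the gateway
# on the same /24; the kernel does not need a second address to reach it.
defaultrouter="192.0.2.1"
```

With this layout the host has one routing entry for 192.0.2.0/24 bound to fxp0, so replies to hosts on either side of the bridge are sent through the stack once and then forwarded by the bridge as needed, rather than being routed between two interfaces that claim the same subnet.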