From owner-freebsd-questions@FreeBSD.ORG Wed Aug 13 20:53:25 2008
Date: Wed, 13 Aug 2008 13:53:24 -0700
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Mike Sweetser - Adhost
Cc: freebsd-questions@freebsd.org
Subject: Re: Transparent Bridge with VLAN Tagging - How?
Message-ID: <20080813205324.GC25990@hal.rescomp.berkeley.edu>
In-Reply-To: <17838240D9A5544AAA5FF95F8D5203160472C95E@ad-exh01.adhost.lan>
Organization: RSSP-IT, UC Berkeley
User-Agent: Mutt/1.5.16 (2007-06-09)

Mike Sweetser - Adhost wrote:
> Hello,
>
> I'm attempting to set up a transparent bridge in FreeBSD 7.0 to
> eventually act as a PF/Snort box, and it needs to be VLAN aware.
> However, I don't seem to be on the right track as far as setting it up.
>
> I have, for instance, VLAN 10 that it needs to be aware of, and this
> network segment is on VLAN 10 from a switch higher up. I have the
> current setup, but once it's running, I can't ping anything. bge0 is
> the outside interface, bge1 is inside:
>
> defaultrouter="192.168.1.1"
> gateway_enable="YES"
> cloned_interfaces="bridge0 vlan0 vlan1"
> ifconfig_vlan0="vlan 10 vlandev bge0"
> ifconfig_vlan1="vlan 10 vlandev bge1"
> ifconfig_bridge0="inet 192.168.1.10 netmask 255.255.0.0 addm bge0 addm bge1 addm vlan0 addm vlan1 up"
> ifconfig_bge0="up"
> ifconfig_bge1="up"
>
> What am I doing wrong?

I'm pretty sure you *don't* want to bridge the interfaces with their
parents (vlan0 shouldn't be bridged with bge0 -- if it even works, it
would cause tagged packets to be untagged and retransmitted out the
incoming interface (what cisco calls the native vlan) and vice versa).

I've only bridged vlan interfaces -- not their parents. E.g.:

cloned_interfaces="bridge0 vlan190 vlan590"
ifconfig_bge0="up"
ifconfig_vlan190="vlan 190 vlandev bge1"
ifconfig_vlan590="vlan 590 vlandev bge1"
ifconfig_bridge0="addm vlan190 addm vlan590"

If you want to bridge the parents, I think it would look like this
(YMMV):

cloned_interfaces="bridge0 vlan10"
ifconfig_bge0="up"
ifconfig_bge1="up"
ifconfig_bridge0="addm bge0 addm bge1"
ifconfig_vlan10="vlan 10 vlandev bridge0"

I don't know how well if_bridge(4) copes with vlan tags -- I know it
breaks if you bridge a vlan(4) with a gif(4). I also don't know if a
vlan interface will happily accept a bridge parent.
--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
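The reply's objection is that a vlan(4) interface and its vlandev parent should not both be members of one bridge, because the bridge would then forward the same frame both tagged and untagged. The following POSIX sh/awk check is an added example written for this page, not code from the thread or from FreeBSD: it scans rc.conf-style text for exactly that pairing. It assumes the `ifconfig_<vlanif>="vlan <tag> vlandev <parent>"` and `ifconfig_<bridge>="... addm <member> ..."` forms used in the thread; the two embedded rc.conf fragments are constructed for the demo and model the original poster's layout and the reply's vlan-only layout.

```shell
#!/bin/sh
# Added example (not from the thread): find a vlan(4) member that is bridged
# together with its own vlandev parent in rc.conf-style text read from stdin.
# Prints one finding per offending vlan interface; returns 1 if any were found.
check_bridge_conf() {
    awk '
        # ifconfig_<vlanif>="vlan <tag> vlandev <parent>"  -> remember the parent
        /^ifconfig_[A-Za-z0-9]+="?vlan [0-9]+ vlandev / {
            name = $0; sub(/^ifconfig_/, "", name); sub(/=.*/, "", name)
            p = $0; sub(/.*vlandev[ \t]+/, "", p); sub(/[ \t"].*/, "", p)
            parent[name] = p
        }
        # ifconfig_<bridge>="... addm <member> ..."  -> record every member
        /^ifconfig_[A-Za-z0-9]+="?.*addm / {
            br = $0; sub(/^ifconfig_/, "", br); sub(/=.*/, "", br)
            n = split($0, w, /[ \t"]+/)
            for (i = 1; i < n; i++)
                if (w[i] == "addm")
                    members[br, w[i + 1]] = 1
        }
        END {
            bad = 0
            for (key in members) {
                split(key, kv, SUBSEP); br = kv[1]; m = kv[2]
                # A vlan member whose parent is also a member of the same bridge
                if ((m in parent) && ((br, parent[m]) in members)) {
                    printf "%s: %s and its parent %s are both members\n", br, m, parent[m]
                    bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed rc.conf fragment modelled on the original poster's setup:
# each vlan is bridged next to the physical interface it hangs off.
bad_conf() {
cat <<'EOF'
cloned_interfaces="bridge0 vlan0 vlan1"
ifconfig_vlan0="vlan 10 vlandev bge0"
ifconfig_vlan1="vlan 10 vlandev bge1"
ifconfig_bridge0="inet 192.168.1.10 netmask 255.255.0.0 addm bge0 addm bge1 addm vlan0 addm vlan1 up"
ifconfig_bge0="up"
ifconfig_bge1="up"
EOF
}

# Constructed rc.conf fragment modelled on the reply: only the vlan
# interfaces are bridged, one per physical port, same tag on both sides.
good_conf() {
cat <<'EOF'
cloned_interfaces="bridge0 vlan10 vlan11"
ifconfig_bge0="up"
ifconfig_bge1="up"
ifconfig_vlan10="vlan 10 vlandev bge0"
ifconfig_vlan11="vlan 10 vlandev bge1"
ifconfig_bridge0="addm vlan10 addm vlan11 up"
EOF
}

# Usage on a live box:  check_bridge_conf < /etc/rc.conf
# Demo against the constructed fragments when run directly:
if [ "${1:-}" = "demo" ]; then
    echo "== poster's layout"; bad_conf | check_bridge_conf || echo "(findings above)"
    echo "== vlan-only layout"; good_conf | check_bridge_conf && echo "(clean)"
fi
```

The check is deliberately narrow: it only flags the parent-plus-vlan pairing the reply warns about. The reply's second variant (bridging bge0 and bge1, then hanging vlan10 off bridge0) passes, since there the vlan's parent is the bridge itself and not one of its members.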