From owner-freebsd-questions@FreeBSD.ORG Tue Jan 29 22:26:42 2008
From: Chris Pratt <eagletree@hughes.net>
Date: Tue, 29 Jan 2008 14:18:03 -0800
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Multiple if_bridge devices
In-Reply-To: <81FC7A39-2BD6-4A37-B84E-77DAE43796E6@hughes.net>
Message-Id: <0900307E-695D-4FFD-A38D-43DF00B081C9@hughes.net>

On Jan 29, 2008, at 6:50 AM, Chris wrote:

> Hi,
>
> I have 3 transparent firewalls on 3 T1s with a LAN behind each
> supporting multiple servers.
>
> Existing:
> Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
> Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
> Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3
>
> These firewalls are workstation-class computers running
> FreeBSD 6.2, if_bridge and ipfw. This has worked quite well
> with the exception of hardware failures because of the
> workstations' hardware. I can afford one server-class blade
> with 3 2-port NICs, but not three complete quality servers.
> I would like to get to one firewall machine yet maintain the
> isolation of the circuits and servers.
>
> Target: 1 firewall, 4 NICs, if_bridge (1 bridge) and ipfw
> AllServers<->Switch<->FreeBSD Firewall<->T1 Router1
>                                       <->T1 Router2
>                                       <->T1 Router3
> or
> 1 firewall, 6 NICs, if_bridge (3 bridges) and ipfw
> Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1
> Servers2<->Switch2<->                <->T1 Router2
> Servers3<->Switch3<->                <->T1 Router3
>
> Initially I designed the replacement using a single if_bridge
> with a single LAN backbone as shown first here. After trying
> to design the rules, I concluded that it was either illogical
> or beyond my ipfw rule skills. Then it occurred to me to try
> to run three if_bridge devices as shown in the second Target.
> One box, 6 NICs, 3 networks kept isolated for ARP but
> IP-managed in a single instance of ipfw.
>
> I got as far as attempting this:
>
>   ifconfig bridge0 create
>   ifconfig bridge0 addm rl0 addm em0 up
>   ifconfig bridge1 create
>   ifconfig bridge1 addm vx0 up
>
> It created the devices but obviously is not something I could
> test to see if it actually worked as two discrete bridges. I've
> no additional hardware, but before I buy anything, I thought
> I could simply ask if if_bridge is meant to do this. I have
> googled, checked man (if_bridge, ipfirewall, ipfw), and the
> handbook, but I can't find anywhere that specifically says
> if_bridge is designed to support multiple bridges on one
> computer.
>
> My questions are:
>
> 1. Is if_bridge designed to support more than one bridge
> on a single machine by creating multiple bridge devices (only,
> of course, with multiple NICs on the second and tertiary
> bridges)?
>
> 2. If so, does it retain complete isolation of the bridges (e.g.
> for ARP) while allowing ipfw to examine all three simultaneously?
>
> 3. Should I be exploring a different FreeBSD route to
> implement this?

The response to this message can be found on FreeBSD-Net. The
answer was affirmative on the use of multiple bridges on one
FreeBSD installation using if_bridge. The alternate suggestion
was to use a single bridge with the private flag on each
interface.

Pardon the extra intrusion, but I'd hate for someone to google
this and not find the answer. ... and sorry I posted to the
wrong list initially.

Chris

> Please let me know if this should actually go to the
> FreeBSD-Net List.
>
> Thank you,
> Chris Pratt
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
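The three-bridge layout from the second Target diagram, written out as an added example that is not part of the thread above: a POSIX sh script that builds one if_bridge per T1 circuit from a short spec, refuses a spec that lists one NIC under two bridges, and emits the equivalent /etc/rc.conf lines and the if_bridge(4) filtering sysctls so that one ipfw ruleset sees all three circuits. The interface names rl0, em0 and vx0 come from the post; em1, rl1 and em2 are assumed, as is the bridge-to-NIC pairing.

```shell
#!/bin/sh
# Added example (not from the original thread): build the second Target
# layout, one if_bridge per T1 circuit, from a small spec, and emit the
# matching rc.conf lines and if_bridge(4) sysctls.  Interface names rl0, em0
# and vx0 come from the post; em1, rl1 and em2 are assumed.
BRIDGE_SPEC="bridge0:rl0,em0 bridge1:vx0,em1 bridge2:rl1,em2"

# Refuse a spec in which one NIC is listed under two bridges: if_bridge will
# not add a port that already belongs to another bridge, and a shared port
# would merge two circuits' broadcast domains.
check_spec() {
    seen=" "
    for entry in $1; do
        members=${entry#*:}
        old_ifs=$IFS; IFS=,
        for m in $members; do
            case "$seen" in
                *" $m "*) IFS=$old_ifs; echo "duplicate member: $m" >&2; return 1 ;;
            esac
            seen="$seen$m "
        done
        IFS=$old_ifs
    done
    return 0
}

# One ifconfig command per line: create each bridge, then add its members.
bridge_cmds() {
    for entry in $1; do
        br=${entry%%:*}; members=${entry#*:}
        echo "ifconfig $br create"
        line="ifconfig $br"
        old_ifs=$IFS; IFS=,
        for m in $members; do line="$line addm $m"; done
        IFS=$old_ifs
        echo "$line up"
    done
}

# Equivalent /etc/rc.conf lines (cloned_interfaces plus ifconfig_bridgeN).
rc_conf_lines() {
    names=""; lines=""
    for entry in $1; do
        br=${entry%%:*}; members=${entry#*:}
        names="$names${names:+ }$br"
        cfg=""
        old_ifs=$IFS; IFS=,
        for m in $members; do cfg="$cfg${cfg:+ }addm $m"; done
        IFS=$old_ifs
        lines="$lines
ifconfig_$br=\"$cfg up\""
    done
    printf 'cloned_interfaces="%s"%s\n' "$names" "$lines"
}

# if_bridge(4) filtering knobs for a single ipfw ruleset across all bridges.
# pfil_member=1 runs ipfw on the incoming and outgoing member NICs, so rules
# can use "via rl0", "via em0" etc. to tell the circuits apart; pfil_bridge=0
# avoids an extra pass on the bridgeN interface itself.  net.link.bridge.ipfw
# enables layer-2 (non-IP, e.g. ARP) ipfw filtering; leave it 0 for IP-only.
bridge_sysctls() {
    cat <<'EOF'
sysctl net.link.bridge.pfil_member=1
sysctl net.link.bridge.pfil_bridge=0
sysctl net.link.bridge.ipfw=0
EOF
}

# Apply on a FreeBSD host; elsewhere just print what would run.
apply_bridges() {
    check_spec "$1" || return 1
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "# not FreeBSD: printing commands only" >&2
        bridge_cmds "$1"; bridge_sysctls
        return 0
    fi
    bridge_cmds "$1" | while read -r cmd; do $cmd || exit 1; done || return 1
    bridge_sysctls | while read -r cmd; do $cmd || exit 1; done || return 1
}

apply_bridges "$BRIDGE_SPEC"
```

After applying, `ifconfig bridge0` (and bridge1, bridge2) lists each bridge's member ports, which is the quickest check that the three circuits ended up on separate bridges. One caveat on the alternate suggestion in the reply: per if_bridge(4), the `private` flag stops a port from forwarding to other ports that are also private, but a private port still exchanges traffic with every non-private port on the same bridge, so a single bridge with the flag on every member forwards nothing at all, and a mix of private and non-private ports does not give three isolated LAN/router pairs; separate bridges do.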