Date: Tue, 29 Jan 2008 14:18:03 -0800
From: Chris Pratt <eagletree@hughes.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Multiple if_bridge devices
Message-ID: <0900307E-695D-4FFD-A38D-43DF00B081C9@hughes.net>
In-Reply-To: <81FC7A39-2BD6-4A37-B84E-77DAE43796E6@hughes.net>
References: <81FC7A39-2BD6-4A37-B84E-77DAE43796E6@hughes.net>
On Jan 29, 2008, at 6:50 AM, Chris wrote:

> Hi,
>
> I have 3 transparent firewalls on 3 T1s with a LAN behind each
> supporting multiple servers.
>
> Existing:
> Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
> Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
> Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3
>
> These firewalls are workstation class computers running
> FreeBSD 6.2, if_bridge and ipfw. This has worked quite well
> with the exception of hardware failures because of the
> workstation hardware. I can afford one server-class blade
> with 3 2-port NICs, but not three complete quality servers.
> I would like to get to one firewall machine yet maintain the
> isolation of the circuits and servers.
>
> Target: 1 firewall, 4 nics, if_bridge (1 bridge) and ipfw
> AllServers<->Switch<->FreeBSD Firewall<->T1 Router1
>                                       <->T1 Router2
>                                       <->T1 Router3
> or
> 1 firewall, 6 nics, if_bridge (3 bridges) and ipfw
> Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1
> Servers2<->Switch2<->                 <->T1 Router2
> Servers3<->Switch3<->                 <->T1 Router3
>
> Initially I designed the replacement using a single if_bridge
> with a single LAN backbone as shown first here. After trying
> to design the rules, I concluded that it was either illogical
> or beyond my ipfw rule skills. Then it occurred to me to try
> to run three if_bridge devices as shown in the second Target:
> one box, 6 NICs, 3 networks kept isolated for ARP but
> IP-managed in a single instance of ipfw.
>
> I got as far as attempting this:
>
> ifconfig bridge0 create
> ifconfig bridge0 addm rl0 addm em0 up
> ifconfig bridge1 create
> ifconfig bridge1 addm vx0 up
>
> It created the devices but obviously is not something I could
> test to see if it actually worked as two discrete bridges. I've
> no additional hardware, but before I buy anything, I thought
> I could simply ask if if_bridge is meant to do this. I have
> googled, checked man (if_bridge, ipfirewall, ipfw), and the
> handbook, but I can't find anywhere that specifically says
> if_bridge is designed to support multiple bridges on one
> computer.
>
> My questions are:
>
> 1. Is if_bridge designed to support more than one bridge
> on a single machine by creating multiple bridge devices (only,
> of course, with multiple NICs on the second and tertiary
> bridges)?
>
> 2. If so, does it retain complete isolation of the bridges (e.g.
> for ARP) while allowing ipfw to examine all three simultaneously?
>
> 3. Should I be exploring a different FreeBSD route to
> implement this?

The response to this message can be found on FreeBSD-Net. The answer was affirmative on the use of multiple bridges on one FreeBSD installation using if_bridge. An alternate suggestion was to use a single bridge with the private flag on each interface. Pardon the extra intrusion, but I'd hate for someone to google this and not find the answer. ... and sorry I posted to the wrong list initially.

Chris

> Please let me know if this should actually go to the
> FreeBSD-Net List.
>
> Thank you,
> Chris Pratt
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
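The two layouts the thread settles on, as an added example that is neither the poster's nor the FreeBSD project's code: a dry-run sh script that emits the ifconfig, sysctl and ipfw commands for layout A (three if_bridge devices filtered by a single ipfw instance) and layout B (one bridge whose router ports carry the private flag). The NIC names em1, em2 and em3, the per-circuit ipfw rule numbering, and the choice of which ports get the private flag are my assumptions.

```shell
#!/bin/sh
# Added helper, not code from the thread: dry-runs the two layouts discussed.
# A) three if_bridge devices, one ipfw instance; B) one bridge with 'private' members.
# rl0/em0/vx0 are from the post; em1 em2 em3 are placeholders. DRY_RUN=1 (default)
# prints each command instead of executing it; set DRY_RUN=0 on the firewall itself.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Let pfil/ipfw inspect bridged IP traffic once, on the bridge interface rather
# than on every member, so rules can be scoped to a circuit with 'via bridgeN'.
bridge_sysctls() {
    run sysctl net.link.bridge.pfil_bridge=1
    run sysctl net.link.bridge.pfil_member=0
}

# Layout A: one bridge per T1 circuit; each argument is "lan_nic:router_nic".
# ARP and broadcasts stay inside their own bridge, yet one ruleset sees all three.
three_bridges() {
    i=0
    for pair in "$@"; do
        lan=${pair%%:*}; wan=${pair##*:}
        run ifconfig "bridge$i" create
        run ifconfig "bridge$i" addm "$lan" addm "$wan" up
        run ifconfig "$lan" up
        run ifconfig "$wan" up
        i=$((i + 1))
    done
}

# Per-circuit ipfw skeleton: rules 1000-1999 for bridge0, 2000-2999 for bridge1, ...
# Each block ends in a deny for that bridge; the circuit's allow rules go before it.
ipfw_skeleton() {
    n=$1; i=0
    while [ "$i" -lt "$n" ]; do
        base=$(( (i + 1) * 1000 ))
        run ipfw add "$base" count ip from any to any via "bridge$i"
        run ipfw add "$((base + 999))" deny ip from any to any via "bridge$i"
        i=$((i + 1))
    done
}
# Layout B (the freebsd-net alternative): one bridge with 'private' members. Two
# private ports never exchange frames, so marking the router ports private (my
# reading of which ports were meant) keeps the circuits apart while each sees the LAN.
one_bridge_private() {
    lan=$1; shift
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "$lan" up
    for wan in "$@"; do run ifconfig bridge0 addm "$wan" private "$wan"; done
}
bridge_sysctls; three_bridges rl0:em0 vx0:em1 em2:em3; ipfw_skeleton 3  # layout A dry run
```

Run it as-is to review the command plan; only after that, and with the real NIC names substituted, rerun it with DRY_RUN=0 on the firewall.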
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0900307E-695D-4FFD-A38D-43DF00B081C9>