Date:      Thu, 23 Mar 2006 21:27:25 +0100
From:      Andrew Seguin <asegu_fbsdnet@borgtech.ca>
To:        freebsd-net@freebsd.org
Subject:   net.link.ether.bridge.config efficiency for more than 2 interfaces?
Message-ID:  <442304AD.1010709@borgtech.ca>

I'm trying to get a VLAN-based firewall working, but I'm having a problem 
with ARP & DHCP not working well
(DHCP could maybe not be working well because of ARP).

The network is setup:
IP: xyz.zyx.xzy.0/24
[ISP router -> ISP Switch] -> firewall ->{vlans-tagged}->layer2 
switch->other switches
(I don't have the authorization to put the firewall between the ISP 
router/switch, unfortunately.)

I've configured a local layer2 managed switch to have all vlans as 
tagged on port 1, and then configured two ports per vlan.

In the firewall I have it configured as follows:
network cards:
    fxp0 -> to the ISP switch (.14/28)
    fxp1 -> unused at the moment
    fxp2 -> receives the vlans
       vlan3 vlan 3 vlandev fxp2; (IP:.17/28)
       vlan4 vlan 4 vlandev fxp2; (IP:.33/27)
       vlan5 vlan 5 vlandev fxp2; (IP:.65/26)
       vlan7 vlan 7 vlandev fxp2; (IP:.129/25)
       vlan8 vlan 8 vlandev fxp2; (IP:10.1.0.0/16)  (NAT is arranged by PF to .13 on fxp0)

Having only gateway_enable="YES" in rc.conf, the traffic between vlans 
flows fine (until I put in IPFW restrictions that is), but from vlans to 
internet it doesn't (ping to router doesn't work). So I decided simply 
to bridge all the vlans together (if you have a possible solution around 
this, I'd appreciate it!). And that's where my problem begins.

For what could be best described as 'political' reasons, I want at all 
costs to avoid having the ISP router reconfigured (the ISP is ready to 
do it, people here aren't).
If I configure net.link.ether.bridge.config=fxp0,vlan7 for example, all 
is fine. Traffic flows normally. If I configure 
net.link.ether.bridge.config=fxp0,vlan3,vlan7 then I start having major 
problems with arp requests making it through. DHCP is as well seriously 
affected, leaving computers in a pretty bad situation. CPU usage in 
either case ranges from 2-4% (the internet is only an SDSL link, so it's no 
trouble for the firewall).

I've put below a summary of the loaded ipfw rules. I sorta think my 
problem could be related to the bridging of ARPs, but I'm not 
unconvinced that the traffic shaping is affecting it as well, although the 
firewall rules don't change; only the bridge configuration changes to go from 
problematic to OK.

I thank you all for your time,
Andrew

ipfw.rules:
----------
1 allow ip from ...0/24 to ...0/24
100 count ip from any to any via fxp0
...
108 count ip from any to any via vlan8
201 - 205 allow tcp/udp ssh,dhcp,snmp and dns
300 - deny netbios traffic
401&402 - pipe 10/11 (bw 300kbps, mask src/dst 0x000000ff) // max speed per computer
410-420 allow some stuff like web/email to go to max speed
490&491 - pipe 30/31 (bw 1000kbps) // max speed for 'bulk' stuff like P2P, FTP...
492&493 - pipe 20/21 (bw 200kbps, mask src/dst 0x000000ff) // max bulk speed per computer
65535 - allow all