From owner-freebsd-net@FreeBSD.ORG Tue Apr 26 07:56:49 2005
From: Csaba Urban (envelope-from ucsaba@freemail.hu)
To: freebsd-net@freebsd.org
Date: Tue, 26 Apr 2005 09:56:25 +0200 (CEST)
Subject: VLAN Bridge with layer2 filtering

Hi,

I have a number of users on a VLAN-enabled switch, each user on his own VLAN. They have fixed IP addresses sharing the same IP subnet and gateway. I want to grant them access to the internet through a FreeBSD box which prevents them from communicating with each other in Layer 2 and which also prevents them from using another user's IP or MAC. I don't want to use static ARP, so it seems that the best solution is a VLAN-enabled filtering bridge: in each VLAN only one certain IP address is allowed.

I am pretty new to FreeBSD and have a couple of questions:

1. FreeBSD 5.3 and em() driver: I have a Supermicro P4SCi board with integrated Intel 82541 NICs. I see there are a lot of issues with the em driver when using VLANs and I couldn't figure out whether they are already solved. Maybe it would be better to use other NICs?

2. Bridge setup: since in FreeBSD I can't give the bridge an IP address, I think I have to create a VLAN that doesn't belong to any of the users, and this VLAN would have an IP; this will be the users' gateway address:

   ifconfig vlan0 inet 192.168.0.1 netmask 255.255.255.0

   Other VLANs are bridged with vlan0:

   sysctl net.link.ether.bridge.config=vlan0,vlan1,vlan2,vlan3

   Is it the right way of doing it?

3. MAC spoofing: if a user tries to use another user's MAC, then there will be two identical MACs on the bridge, in two separate VLANs. Can I have the bridge transmit packets to both destinations? If so, can I filter packets later, when leaving the interface, by whether they have the right VLAN-IP combination?

4. Filtering ARP: I can't simply block ARP. Is there a way in IPFW to look into ARP messages and filter out wrong VLAN-IP combinations?

5. Performance: there will be a number of VLANs here (200-300) with a 1Gbps link to the switch and 100Mbps to the internet. What performance can I expect with a 2.4GHz P4 proc and 512MB RAM?

+1: if I want to set up a DHCP relay agent, will it be able to determine in which VLAN the request came in?

I would really appreciate any help!

thanks,
csaba
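As an added illustration (not code from the original post, and not an ipfw configuration), the following Python models the policy questions 3 and 4 describe: each VLAN is bound to exactly one MAC/IP pair, and a frame is accepted only if the 802.1Q tag, the Ethernet source MAC, and the address the frame claims as its source (the IPv4 source address, or the ARP sender hardware/protocol address) all match that VLAN's binding. Frames on an unknown or missing VLAN are dropped. The bindings and frames are constructed sample data; the function names are this example's own.

```python
"""Per-VLAN (MAC, IP) binding check for 802.1Q-tagged Ethernet frames.

Added example: models the layer-2 filter policy discussed in the post.
Everything here (bindings, frames, function names) is constructed.
"""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed bindings: VLAN id -> (only allowed MAC, only allowed IP) on the shared subnet.
BINDINGS = {
    1: ("00:11:22:33:44:01", "192.168.0.11"),
    2: ("00:11:22:33:44:02", "192.168.0.12"),
}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Extract VLAN id, source MAC, ethertype and the source address the frame claims."""
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN id
        off = 18
    info = {"vlan": vlan, "src_mac": mac_str(src), "ethertype": etype,
            "claimed_mac": mac_str(src), "claimed_ip": None}
    payload = frame[off:]
    if etype == ETHERTYPE_IPV4 and len(payload) >= 20:
        info["claimed_ip"] = str(ipaddress.IPv4Address(payload[12:16]))
    elif etype == ETHERTYPE_ARP and len(payload) >= 28:
        # ARP layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        info["claimed_mac"] = mac_str(payload[8:14])
        info["claimed_ip"] = str(ipaddress.IPv4Address(payload[14:18]))
    return info


def verdict(frame: bytes, bindings=BINDINGS) -> str:
    """Decide whether the frame is consistent with the binding of the VLAN it arrived on."""
    info = parse_frame(frame)
    if info["vlan"] is None or info["vlan"] not in bindings:
        return "drop: untagged or unknown VLAN"
    mac, ip = bindings[info["vlan"]]
    if info["src_mac"] != mac or info["claimed_mac"] != mac:
        return f"drop: MAC {info['src_mac']}/{info['claimed_mac']} not bound to VLAN {info['vlan']}"
    if info["claimed_ip"] is not None and info["claimed_ip"] != ip:
        return f"drop: IP {info['claimed_ip']} not bound to VLAN {info['vlan']}"
    return "allow"


# --- constructed sample frames -------------------------------------------

def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(vlan, src_mac, etype, payload, dst_mac="ff:ff:ff:ff:ff:ff") -> bytes:
    hdr = _mac(dst_mac) + _mac(src_mac)
    if vlan is None:
        return hdr + struct.pack("!H", etype) + payload
    return hdr + struct.pack("!HHH", ETHERTYPE_VLAN, vlan, etype) + payload


def arp_payload(sha, spa, tpa, oper=1) -> bytes:
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, oper) + _mac(sha)
            + ipaddress.IPv4Address(spa).packed + b"\x00" * 6
            + ipaddress.IPv4Address(tpa).packed)


def ipv4_payload(src_ip, dst_ip) -> bytes:
    # Minimal 20-byte IPv4 header (checksum zeroed): enough for the source-address check.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)


def check_samples() -> list:
    samples = [
        # legitimate ARP request from VLAN 1's user for the gateway
        build_frame(1, "00:11:22:33:44:01", ETHERTYPE_ARP,
                    arp_payload("00:11:22:33:44:01", "192.168.0.11", "192.168.0.1")),
        # VLAN 2's user with the right MAC but VLAN 1's IP address
        build_frame(2, "00:11:22:33:44:02", ETHERTYPE_IPV4,
                    ipv4_payload("192.168.0.11", "192.168.0.1")),
        # VLAN 2 using VLAN 1's MAC and IP in an ARP reply
        build_frame(2, "00:11:22:33:44:01", ETHERTYPE_ARP,
                    arp_payload("00:11:22:33:44:01", "192.168.0.11", "192.168.0.1", oper=2)),
        # untagged frame: no VLAN, so no binding applies
        build_frame(None, "00:11:22:33:44:01", ETHERTYPE_IPV4,
                    ipv4_payload("192.168.0.11", "192.168.0.1")),
    ]
    return [verdict(f) for f in samples]


if __name__ == "__main__":
    for v in check_samples():
        print(v)
```

The point of parsing the ARP sender fields separately from the Ethernet source MAC is that a spoofed ARP reply can carry a legitimate Ethernet header and still poison other hosts' caches with a false sender address; a per-VLAN filter that only matches on the Ethernet header would miss it.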