bridge with access on both interfaces
Ian Smith
smithi at nimnet.asn.au
Tue Dec 23 11:41:21 PST 2003
On Tue, 23 Dec 2003, Michael W. Oliver wrote:
> On Wed, Dec 24, 2003 at 04:38:32AM +1100, Ian Smith wrote:
> [...]
>
> > In short, ifconfig appears unwilling to have two NICs covering the same
> > /24. Can this be set up? I'm also at a bit of a loss with the routing,
> > so inside packets to the bridge box (ie unbridged packets) are responded
> > to on the same interface, and outside unbridged packets go only to/from
> > the gw. Some tcpdumps on both in and outside interfaces suggest an ARP
> > response problem also, perhaps; no responses on the inside iface at all.
> You can't have two interfaces within the same IP subnet, with the same
> mask, on one box. What you can do is configure the primary interface
> with the /24 mask, and then configure the other interface with a /32
> mask. This is the same process that you would use to put two (or more)
> addresses from the same IP subnet on a single interface.
Ah, thank you. In that case, what we'd seem to need is the outside (gw)
interface as the /32 - since only the gw is outside here - and the /24
inside, since all the internal boxes need access to its servers. Will
try that out tomorrow (family / holiday plans permitting :)
> Regarding the other stuff, if a particular service is configured to
> listen on any interface (noted by the "*.*" under "Local Address" in a
> netstat listing), then it should be available via either interface of
> the bridge, assuming that the bridge is configured correctly (sysctl's
> and such).
Sounds good, and as I'd hoped initially. Webmin/apache/samba listen
where they're told to anyway, and IPFW will be moderating all that.
> What are your /etc/rc.conf settings with regards to the bridge
> configuration?
So far, only gateway_enable="NO" and basic IPFW setup ("open" till this
much goes, on a protected subnet currently so no worries there), 4.8-R
GENERIC kernel - brought the bridge up with kldload and sysctls, as per
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/
Specifically, in /etc/rc.local for now, pre invoking IPFW, just:
kldload bridge
sysctl net.link.ether.bridge_cfg=ed0,ed1
sysctl net.link.ether.bridge=1
tubi# kldstat
Id Refs Address    Size     Name
 1    7 0xc0100000 41b538   kernel
 2    1 0xc0d32000 6000     ipfw.ko
 3    1 0xc0d9c000 2000     green_saver.ko
 4    1 0xc0d9f000 15000    linux.ko
 5    1 0xc0dcd000 3000     streams.ko
 6    1 0xc0dd0000 11000    svr4.ko
 7    1 0xc0df3000 7000     bridge.ko
Of course I'll be building it a proper kernel after proving concept. I
see at 4.8 it's no longer necessary to use IPFIREWALL_DEFAULT_TO_ACCEPT
to pass ARP and other non-IP traffic (after reading many earlier docs!)
As mentioned, no problems seen with bridging; this session is doing a
round trip through ssh into a box behind the bridge, back to this gw;
rebooting the box hasn't even murdered ssh sessions bridged through it.
I can't see any problem with just having a /32 on the gw side, and will
swap the ifconfig over to bring up the /24 on the inside iface instead.
Thanks heaps, Mike,
Cheers, Ian
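The setup Ian says he will try next, written out as an added example (it is not code from the thread or from the FreeBSD filtering-bridges article it links). The interface names ed0 (gateway side) and ed1 (inside) and the kldload/sysctl sequence are taken from the rc.local snippet above; the 192.0.2.0/24 addresses, the DRY_RUN wrapper and the function names are assumptions made for the example. net.link.ether.bridge_ipfw=1 is added because on the 4.x bridge, packets that are merely forwarded between the two NICs are not passed to ipfw unless that sysctl is set.

```shell
#!/bin/sh
# Added example, not the poster's script: bring up a FreeBSD 4.x bridge with
# the addressing suggested in the thread - the /24 on the inside interface,
# a /32 on the gateway-facing one, so ifconfig accepts a second interface
# in the same subnet.
# Usage:  sh bridge-up.sh up              (run as root on FreeBSD 4.x)
#         DRY_RUN=1 sh bridge-up.sh up    (print the commands instead)

OUTSIDE_IF=${OUTSIDE_IF:-ed0}              # from the thread: faces the gw only
INSIDE_IF=${INSIDE_IF:-ed1}                # from the thread: faces the LAN /24
BOX_ADDR=${BOX_ADDR:-192.0.2.10}           # assumed: this box's /24 address
GW_SIDE_ADDR=${GW_SIDE_ADDR:-192.0.2.11}   # assumed: the /32 on the gw side
PREFIX=${PREFIX:-24}

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# prefix_to_mask N: print the dotted-quad netmask for a /N prefix (0..32).
prefix_to_mask() {
    n=$1
    [ "$n" -ge 0 ] && [ "$n" -le 32 ] || return 1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$n" -ge 8 ]; then
            octet=255
        elif [ "$n" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - n)) ))
        fi
        mask="$mask${mask:+.}$octet"
        n=$(( n - 8 ))
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# configure_bridge: the rc.local sequence from the thread, plus addressing.
configure_bridge() {
    # Only the inside interface carries the /24 route; the gw-facing
    # interface gets a host (/32) mask, as advised in the thread.
    run ifconfig "$INSIDE_IF" inet "$BOX_ADDR" netmask "$(prefix_to_mask "$PREFIX")"
    run ifconfig "$OUTSIDE_IF" inet "$GW_SIDE_ADDR" netmask "$(prefix_to_mask 32)"
    run kldload bridge
    run sysctl net.link.ether.bridge_cfg="$OUTSIDE_IF,$INSIDE_IF"
    run sysctl net.link.ether.bridge=1
    # Without this, bridged (pass-through) traffic never reaches ipfw.
    run sysctl net.link.ether.bridge_ipfw=1
}

case "${1:-}" in
    up) configure_bridge ;;
esac
```

With DRY_RUN=1 the script only prints the ifconfig/kldload/sysctl lines, which is a convenient way to eyeball the generated masks before running it on the bridge box; whether the /32 also satisfies the routing for unbridged packets to and from the gateway is the part Ian still has to confirm by testing.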