VLAN Bridge with layer2 filtering

Csaba Urban ucsaba at freemail.hu
Tue Apr 26 00:56:49 PDT 2005


Hi,

I have a number of users on a VLAN enabled switch - each user on his 
own VLAN. They have fixed IP addresses sharing the same IP subnet and 
gateway. 
I want to grant them access to the internet through a FreeBSD box 
which prevents them from communicating with each other in Layer2 
and which also prevents them from using other users' IP or MAC. I don't 
want to use static ARP so it seems that the best solution is a VLAN enabled 
filtering bridge - in each VLAN only one certain IP address is allowed.

I am pretty new to FreeBSD and have a couple of questions:

1. FreeBSD 5.3 and em() driver: I have a Supermicro P4SCi board with 
integrated Intel 82541 NICs. I see there are a lot of issues with the 
em driver when using VLANs and I couldn't figure out whether they 
are already solved. Maybe it would be better to use other NICs?

2. Bridge setup: since in FreeBSD I can't give the bridge an IP address I 
think I have to create a VLAN that doesn't belong to any of the users 
and this vlan would have an IP - this will be the users' gateway 
address: 

ifconfig vlan0 inet 192.168.0.1 netmask 255.255.255.0

Other vlans are bridged with vlan0:

sysctl net.link.ether.bridge.config=vlan0,vlan1,vlan2,vlan3

Is it the right way of doing it?

3. MAC spoofing: if a user tries to use another user's MAC then there 
will be two identical MACs on the bridge - in two separate VLANs. Can I 
have the bridge transmit packets to both destinations? If so, can I filter 
packets later - when leaving the interface - whether they have the right 
VLAN-IP combination?

4. Filtering ARP: I can't simply block ARP. Is there a way in IPFW to look 
into ARP messages and filter out wrong VLAN-IP combinations?


5. Performance: there will be a number of VLANs here (200-300) with a 
1Gbps link to the switch and 100Mbps to the internet. What 
performance can I expect with a 2.4GHz P4 proc and 512MB RAM?

+1: if I want to set up a DHCP relay agent, will it be able to determine in 
which VLAN the request came in?


I would really appreciate any help!

thanks,

csaba
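An added example, not from the original post or from FreeBSD's own documentation: a shell script that emits the bridge sysctls and an ipfw layer2 ruleset implementing the "in each VLAN only one certain IP address is allowed" policy by binding each user VLAN to its assigned IP and MAC. The VLAN/IP/MAC table is constructed, and the sysctl and ipfw keyword names follow FreeBSD 5.x bridge(4) and ipfw(8) as assumed here, so they should be checked against the installed man pages.

```shell
#!/bin/sh
# Constructed example, not from the original post: emit the sysctls and an
# ipfw layer2 ruleset that binds each user VLAN to exactly one IP/MAC pair.
# vlan0 is the gateway VLAN from the post; vlan1..vlan3 and the addresses
# below are made-up sample values. Sysctl and ipfw keyword names follow
# FreeBSD 5.x bridge(4)/ipfw(8) as assumed here; check them before use.

# One user per line: "<vlan interface> <allowed IP> <allowed MAC>"
USERS='vlan1 192.168.0.11 00:00:5e:00:53:01
vlan2 192.168.0.12 00:00:5e:00:53:02
vlan3 192.168.0.13 00:00:5e:00:53:03'

# Rules for one user VLAN, numbered from $1: only the assigned IP+MAC may
# send IP on this VLAN, ARP is pinned to the assigned MAC (ipfw matches the
# ARP ethertype, not the ARP payload), and anything else arriving on the
# VLAN is dropped and logged. 'layer2' restricts a rule to bridged frames,
# 'in recv <if>' to frames entering on that interface.
vlan_rules() {
    base=$1 ifn=$2 ip=$3 mac=$4
    echo "ipfw add $base allow ip from $ip to any MAC any $mac in recv $ifn layer2"
    echo "ipfw add $((base + 1)) allow layer2 mac-type arp MAC any $mac in recv $ifn"
    echo "ipfw add $((base + 2)) deny log all from any to any in recv $ifn layer2"
}

# Full ruleset: bridge configuration from the post, ipfw hooked into the
# bridge, then one block of rules per user VLAN (10 rule numbers apart).
generate_ruleset() {
    echo 'sysctl net.link.ether.bridge.enable=1'
    echo 'sysctl net.link.ether.bridge.config=vlan0,vlan1,vlan2,vlan3'
    echo 'sysctl net.link.ether.bridge.ipfw=1'
    echo 'sysctl net.link.ether.ipfw=1'
    n=100
    echo "$USERS" | while read -r ifn ip mac; do
        [ -n "$ifn" ] || continue
        vlan_rules "$n" "$ifn" "$ip" "$mac"
        n=$((n + 10))
    done
}

# Number of per-VLAN deny rules in the generated set (one per user VLAN).
count_vlan_blocks() {
    generate_ruleset | grep -c '^ipfw add [0-9]* deny '
}

generate_ruleset
```

Piping the output into sh applies it; the per-VLAN deny rule is what makes a frame with a foreign IP or MAC on a user VLAN visible in the ipfw log.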
