Creating a "non-bridge"

Julian Elischer julian at
Wed Aug 1 06:17:53 UTC 2007

Brett Glass wrote:
> I'd like to create what might be called a "non-bridge" on a FreeBSD
> machine. I'd like to put two Ethernet interfaces on the machine which
> have the same IP address and subnet, and use those interfaces to
> communicate with clients. However, I do not want the clients on one
> interface to be able to send packets through to the clients on the
> other interface.

Possibly you could just bridge them together but use
ipfw on the bridge to enforce isolation.
Or you could possibly make a netgraph version of that.

> Why would I want to do a thing like this? Well, as you probably know,
> wireless access points often have a "client isolation" option which
> allows the clients to talk to the AP (and the Internet) but not to
> one another. This is a good thing, because it prevents users of the
> wireless LAN from hacking one another; each of them can only see
> what's "upstream" of the access point.
>
> I have a situation where I need to put up more than one AP, on the
> same subnet, behind a FreeBSD machine which will be serving as an
> Internet gateway. I'd plug both APs into a switch and connect the
> switch to the FreeBSD machine, but if I did this, the access points'
> "client isolation" feature would not be sufficient to isolate all of
> the clients from one another. Each AP would isolate its OWN clients
> from one another, but would let each of them communicate with ALL of
> the clients on the other AP!
>
> My first idea of how to solve this problem is to set the FreeBSD
> machine up as a bridge, but then block all packets that try to go in
> one Ethernet interface and out the other. But will this work? Will
> the FreeBSD machine know which interface to use to communicate with
> each client, and only send packets for each one out of the
> appropriate interface? Also, is there a way to do this without
> putting the interfaces into promiscuous mode (which slows things down
> considerably)? After all, since the FreeBSD machine is acting as a
> gateway, it should really only look at packets that are addressed to
> it.

You can't really avoid the promiscuous-mode part if you use bridging...

A specific netgraph configuration might be able to do it, but it'd need some work.

Another possibility is to use FreeBSD 4 and apply the vimage patches
to make 3 virtual machines.

(Or 7.0 and use the current vimage patches that Marko has brewing up
in Perforce.)

> --Brett Glass
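Julian's first suggestion (bridge the two NICs and let ipfw on the bridge members enforce the isolation), worked through as an added example that is not part of the thread. Interface names em0/em1, bridge0 and the address 192.0.2.1/24 are placeholders, and the sysctl names are the ones documented in if_bridge(4) and should be checked against the release in use.

```shell
#!/bin/sh
# Added example, not from the thread: bridge two AP-facing NICs on FreeBSD
# and use ipfw on the bridge members so clients behind one NIC cannot reach
# clients behind the other, while both sides still reach the gateway.
# Assumed placeholder names: em0/em1 for the NICs, bridge0 for the bridge,
# 192.0.2.1/24 for the gateway address; override them via the environment.
AP_A=${AP_A:-em0}
AP_B=${AP_B:-em1}
BR=${BR:-bridge0}
GW=${GW:-192.0.2.1/24}

# Emit the commands instead of running them, so the set can be reviewed
# before it is applied (APPLY=1 below runs them through sh).
isolation_commands() {
    cat <<EOF
# The IP address lives on the bridge, not on the member interfaces.
ifconfig $BR create
ifconfig $BR addm $AP_A addm $AP_B up
ifconfig $BR inet $GW
ifconfig $AP_A up
ifconfig $AP_B up
# Run ipfw on the member interfaces rather than on $BR itself.
sysctl net.link.bridge.pfil_member=1
sysctl net.link.bridge.pfil_bridge=0
# Also hand non-IP frames (ARP) to ipfw as layer2 packets, so clients
# cannot even resolve each other (assumed sysctl names, see if_bridge(4)).
sysctl net.link.bridge.ipfw=1
sysctl net.link.bridge.ipfw_arp=1
# A forwarded frame is checked on its way out of the bridge, carrying the
# interface it arrived on (recv) and the one it leaves by (xmit). Replies
# generated by the gateway itself have no recv interface, so they pass.
ipfw add 100 deny all from any to any out recv $AP_A xmit $AP_B
ipfw add 110 deny all from any to any out recv $AP_B xmit $AP_A
ipfw add 65000 allow all from any to any
EOF
}

# Number of member-to-member deny rules in the generated set; a sanity
# check that both directions are covered (expected: 2).
deny_rule_count() {
    isolation_commands | grep -c '^ipfw add [0-9]* deny'
}

if [ "${APPLY:-0}" = "1" ]; then
    isolation_commands | grep -v '^#' | sh
else
    isolation_commands
fi
```

Clients on em0 and em1 still share one subnet and the gateway answers both sides from bridge0; only frames that enter on one member and would leave by the other are dropped.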
