Multiple if_bridge devices

Chris Pratt eagletree at hughes.net
Tue Jan 29 13:40:26 PST 2008


On Jan 29, 2008, at 12:31 PM, Andrew Thompson wrote:

> On Tue, Jan 29, 2008 at 11:58:53AM -0800, Chris wrote:
>> (I am reposting this. I posted to FreeBSD-Questions but
>> it appears OT for that list. I didn't come here first
>> because I felt it was too non-technical, but I'd appreciate
>> any insights)
>>
>> I have 3 transparent firewalls on 3 T1s with a LAN behind each
>> supporting multiple servers.
>>
>> Existing:
>> Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
>> Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
>> Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3
>>
> ...
>> I got as far as attempting this:
>>
>> ifconfig bridge0 create
>> ifconfig bridge0 addm rl0 addm em0 up
>> ifconfig bridge1 create
>> ifconfig bridge1 addm vx0 up
>>
>> It created the devices but obviously is not something I could
>> test to see if it actually worked as two discrete bridges. I've
>> no additional hardware, but before I buy anything, I thought
>> I could simply ask if if_bridge is meant to do this. I have
>> googled, checked man (if_bridge, ipfirewall, ipfw), and the
>> handbook, but I can't find anywhere that specifically says
>> if_bridge is designed to support multiple bridges on one
>> computer.
>>
>> My questions are:
>>
>> 1. Is if_bridge designed to support more than one bridge
>> on a single machine by creating multiple bridge devices (only,
>> of course with multiple NICs on the second and tertiary
>> bridges)?
>
> Yes, the number of bridges are unlimited except by resources (memory).
>
>> 2. If so, does it retain complete isolation of the bridges (e.g.
>> for ARP) while allowing ipfw to examine all three simultaneously?
>
> The bridges are completely separate. Note that you can only add a nic to
> one bridge at a time, so you could have 6 nics, two per bridge.
>
>> 3. Should I be exploring a different FreeBSD route to
>> implement this?
>
> Maybe the private flag on interfaces could help you here? You can put
> the three server networks on different nics (or vlans) and set the
> private flag, this stops all traffic going between them. See the
> bridging section of the Handbook for an example or my slides here
> http://conference.nznog.org/presentations/20080125_01-01-bridge-seperation_andrew-thompson.pdf

Thank you very much. That gives me enough assurance to proceed,
as it looks like either method would be safe for the routers. I missed
the significance of the private flag in the handbook the first time. It
suggests a bridge0-only implementation would restrict the routers
from receiving each other's ARP if the 3 WAN interfaces had it set.
Thanks again.
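The two layouts discussed in the thread (several independent bridge devices, or one bridge with the private flag on the interfaces that must not talk to each other) as an added example that is not part of the original post or of FreeBSD's own tooling. It turns a short plan into the ifconfig(8) lines and the matching rc.conf lines, and rejects a plan that lists one NIC in two bridges, which Andrew notes if_bridge does not allow. The function names and the plan format are hypothetical; the interface names rl0, em0 and vx0 are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: emit the ifconfig(8) commands (and the
# /etc/rc.conf lines that make them persistent) for one or more if_bridge
# devices, refusing any plan that places a NIC in more than one bridge.
# Function names and the plan format are hypothetical (assumptions).
#
# Plan format, one bridge per line:
#   <bridge> <member> [<member> ...]
# A member written "<nic>:private" is also given the private flag, so it
# cannot exchange frames with any other private member of that bridge.

# Strip the ":private" suffix from a member token.
nic_of() { printf '%s\n' "${1%:private}"; }

# Fail (status 1) if any NIC appears in more than one bridge line.
check_members() {
    dups=$(printf '%s\n' "$1" |
        awk '{ for (i = 2; i <= NF; i++) { sub(/:private$/, "", $i); print $i } }' |
        sort | uniq -d)
    [ -z "$dups" ] && return 0
    echo "plan rejected: NIC(s) listed in more than one bridge: $dups" >&2
    return 1
}

# Expand one plan line's members into "addm ... private ..." arguments.
member_args() {
    addm=""; priv=""
    for m in "$@"; do
        nic=$(nic_of "$m")
        addm="$addm addm $nic"
        case $m in *:private) priv="$priv private $nic" ;; esac
    done
    printf '%s\n' "${addm# }$priv"
}

# Print the ifconfig(8) commands for the plan, in the order the thread uses.
gen_bridge_cmds() {
    check_members "$1" || return 1
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        set -- $line
        br=$1; shift
        echo "ifconfig $br create"
        echo "ifconfig $br $(member_args "$@") up"
    done
}

# Print the equivalent /etc/rc.conf lines (cloned_interfaces + ifconfig_<br>).
gen_rc_conf() {
    check_members "$1" || return 1
    cloned=$(printf '%s\n' "$1" | awk 'NF { printf "%s%s", (n++ ? " " : ""), $1 }')
    echo "cloned_interfaces=\"$cloned\""
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        set -- $line
        br=$1; shift
        echo "ifconfig_$br=\"$(member_args "$@") up\""
    done
}

# Demo: the two-bridge layout from the thread (constructed plan).
THREAD_PLAN="bridge0 rl0 em0
bridge1 vx0"
gen_bridge_cmds "$THREAD_PLAN"
gen_rc_conf "$THREAD_PLAN"
```

A plan such as `bridge0 em0 rl0:private vx0:private` produces the single-bridge variant, with `private rl0 private vx0` appended so those two members cannot reach each other while both still reach em0; re-running the generator on a plan that names the same NIC under two bridges exits non-zero instead of emitting commands that ifconfig would reject halfway through.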



More information about the freebsd-net mailing list