VLANs is this right?

Nathan Vidican nathan at vidican.com
Mon Jul 5 18:36:23 UTC 2010


On Mon, Jul 5, 2010 at 1:30 PM, Modulok <modulok at gmail.com> wrote:

> It was a simplified diagram of what I thought I needed. ( Which may or
> may not be what I actually need! )
>
> Basically, I want a port on the switch that I can plug un-trusted
> devices into. Systems which are known to be just crawling with
> malicious software. I need to provide them with an Internet
> connection, but otherwise want them separated from everybody else.
> Think DMZ isolation, but they're not providing any 'external'
> services. I was wondering if this could be done with tagging and
> address aliases, instead of buying a third network card for the BSD
> machine.
>
> If that makes any sense.
>
>
> On 7/5/10, David Kelly <dkelly at hiwaay.net> wrote:
> > On Mon, Jul 05, 2010 at 10:16:19AM -0600, Modulok wrote:
> >>
> >> Criteria:
> >>     - HostA must never directly talk to HostB.
> >>     - Both hostA and hostB have an Internet connection.
> >>
> >> What I have to work with:
> >>     proCurve switch which supports VLANs.
> >>     2x Intel NICs in FreeBSD which support VLANs.
> >
> > Am thinking you are approaching it the wrong way.
> >
> > Not familiar with the specifics of a ProCurve switch but that's a high
> > end unit, not a Netgear. I would expect you could configure the switch
> > to disallow the MAC addresses from talking to each other of hostA and
> > hostB.
> >
> > Furthermore, it would be even easier to disallow hostB from within
> > hostA's firewall. And do the same at hostB.
> >
> > --
> > David Kelly N4HHE, dkelly at HiWAAY.net
> > ========================================================================
> > Whom computers would destroy, they must first drive mad.
> >
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>



I have almost the exact same setup as you're looking for currently running
on a FreeBSD box acting as a server/router for multiple VLANS as follows:

Internet
----------
    FreeBSD (Sun Sparc SunFire v120 w/ Intel PCI 100BaseSX fibre card)
    ----------
        Cisco Catalyst 2948G - configured with:
        - 4 distinct VLANS, each with their own subnet
        - 802.1q (dot1q) trunks between switches carrying specified VLANS
        - 802.1q trunk between switch and FreeBSD box
       -----------
       Each subnet (VLAN) has its own gateway, which is the IP of the
FreeBSD machine.

The key is that the switch must connect to the FreeBSD machine using TRUNK
mode, not access mode. I am not that familiar with the HP ProCurve series, but
I'd imagine it's not that dissimilar from others I've worked with. The key on
the FreeBSD machine is to use cloned interfaces for each separate VLAN and
assign that cloned vlan interface to 'transmit via' the real interface. You
will need the 'vlan' pseudo-device compiled into your kernel. The pertinent
parts of my rc.conf are as follows, for an example:

# rc.conf excerpt:
hostname="gw.xx.xx.com"
# Forward packets between the VLAN subnets (and to the Internet)
gateway_enable="YES"
# Every vlanN interface configured below must also be created here;
# an ifconfig_vlanN line for an interface that is never cloned is ignored at boot
cloned_interfaces="vlan190 vlan100 vlan200 vlan300 vlan400 vlan700"
# The physical NIC on the trunk port carries no untagged address of its own
ifconfig_em0="up"
# Each vlan interface: its gateway address, its 802.1q tag, and the parent (trunk) NIC
ifconfig_vlan190="inet 69.16.x.x/26 vlan 190 vlandev em0"
ifconfig_vlan100="inet 10.10.1.1/26 vlan 100 vlandev em0"
ifconfig_vlan200="inet 10.10.2.254/24 vlan 200 vlandev em0"
ifconfig_vlan300="inet 10.10.3.254/24 vlan 300 vlandev em0"
ifconfig_vlan400="inet 10.10.4.254/24 vlan 400 vlandev em0"
ifconfig_vlan700="inet 10.10.7.254/25 vlan 700 vlandev em0"
# end of rc.conf excerpt

I then add a host (for example) as '10.10.1.11/26 on vlan 100' via a
different port on the switch; the ONLY way for that particular host to talk
to another beyond that vlan is to go through the FreeBSD box (which also
acts as a firewall, NAT, etc).

Hope this helps, but what you're trying to do is definitely possible. Not all
NIC card drivers support vlan tagging/trunks though; check documentation as
need be. In general all the Intel and most of the Broadcom cards do, and
that's all I've really had any experience with. I've worked with Cisco,
Netgear, and Linksys units on the switch side for the vlan/trunk/access
ports.

-- 
Nathan Vidican
nathan at vidican.com
Happy FreeBSD user since 2.0 :)
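An added example, not code from Nathan's post or from the FreeBSD project, of the arrangement the original poster asked for: one VLAN on the trunk for untrusted hosts that gets NAT to the Internet and nothing else, next to a trusted VLAN it may not reach. The interface names (em0 on the trunk port, em1 toward the Internet), the VLAN IDs 100 and 900 and the 10.10.x.0/24 subnets are assumptions chosen for illustration. The script renders the rc.conf and pf.conf fragments for the FreeBSD gateway and includes a small check for the pitfall of an ifconfig_vlanN line whose interface is missing from cloned_interfaces (such an interface is never created, so its line is silently ignored).

```shell
#!/bin/sh
# Added example (not from the original post): an untrusted VLAN on an 802.1q
# trunk that may reach the Internet only.  Interface names, VLAN IDs and
# subnets are assumptions for illustration.
set -eu

TRUNK_IF="em0"              # NIC on the switch's trunk port (assumed)
WAN_IF="em1"                # NIC toward the Internet (assumed)
TRUSTED_VID=100;   TRUSTED_GW="10.10.1.1"                           # "everybody else"
UNTRUSTED_VID=900; UNTRUSTED_GW="10.10.9.1"; UNTRUSTED_NET="10.10.9.0/24"

# /etc/rc.conf additions.  Every vlanN that gets an ifconfig_vlanN line is
# also listed in cloned_interfaces, otherwise it is never created.
render_rc_conf() {
    cat <<EOF
gateway_enable="YES"
pf_enable="YES"
cloned_interfaces="vlan${TRUSTED_VID} vlan${UNTRUSTED_VID}"
ifconfig_${TRUNK_IF}="up"
ifconfig_vlan${TRUSTED_VID}="inet ${TRUSTED_GW}/24 vlan ${TRUSTED_VID} vlandev ${TRUNK_IF}"
ifconfig_vlan${UNTRUSTED_VID}="inet ${UNTRUSTED_GW}/24 vlan ${UNTRUSTED_VID} vlandev ${TRUNK_IF}"
EOF
}

# /etc/pf.conf: rules are "quick", so the first match wins, top to bottom.
render_pf_conf() {
    cat <<EOF
wan_if        = "${WAN_IF}"
untrusted_if  = "vlan${UNTRUSTED_VID}"
untrusted_net = "${UNTRUSTED_NET}"
untrusted_gw  = "${UNTRUSTED_GW}"
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Masquerade the untrusted segment behind the WAN address
nat on \$wan_if from \$untrusted_net to any -> (\$wan_if)

# Untrusted hosts may ask this box for DHCP and DNS, nothing else
pass in quick on \$untrusted_if inet proto udp from any to { 255.255.255.255, \$untrusted_gw } port 67
pass in quick on \$untrusted_if inet proto { tcp, udp } from \$untrusted_net to \$untrusted_gw port 53
# Anything else aimed at private space (other VLANs) or at this box is dropped and logged
block in log quick on \$untrusted_if from \$untrusted_net to <private>
block in log quick on \$untrusted_if from \$untrusted_net to self
# What remains is Internet-bound; state is kept, so replies get back in
pass in quick on \$untrusted_if from \$untrusted_net to any
# Packets with a source outside the untrusted subnet (spoofing) never pass
block in log quick on \$untrusted_if
# Nobody initiates connections into the untrusted VLAN
block out quick on \$untrusted_if
EOF
}

# Lint: an ifconfig_vlanN line whose vlanN is absent from cloned_interfaces is
# silently ignored at boot.  Reads rc.conf text on stdin, prints the offenders.
check_rc_conf() {
    conf=$(cat)
    cloned=$(printf '%s\n' "$conf" | sed -n 's/^cloned_interfaces="\(.*\)"$/\1/p')
    absent=""
    for vif in $(printf '%s\n' "$conf" | sed -n 's/^ifconfig_\(vlan[0-9][0-9]*\)=.*/\1/p'); do
        case " $cloned " in
            *" $vif "*) ;;
            *) absent="$absent $vif" ;;
        esac
    done
    printf '%s' "${absent# }"
}

bad=$(render_rc_conf | check_rc_conf)
[ -z "$bad" ] || { echo "rc.conf: $bad missing from cloned_interfaces" >&2; exit 1; }
echo "# ---- add to /etc/rc.conf ----"; render_rc_conf
echo "# ---- /etc/pf.conf ----";        render_pf_conf
```

On the switch side the trunk port toward em0 carries VLANs 100 and 900 tagged, and the port for the untrusted machine is an untagged access port in VLAN 900. Before loading the ruleset, `pfctl -nf /etc/pf.conf` parses it without applying it. To confirm the isolation from a host on VLAN 900, try to reach the trusted gateway 10.10.1.1: the attempt should fail and show up with `tcpdump -n -e -ttt -i pflog0` on the gateway, while an Internet address is still reachable.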

