IP unnumbered VLANs
Sten Daniel Sørsdal
lists at wm-access.no
Fri Apr 22 09:15:19 PDT 2005
>
> Did anybody try something like this - with success, of course :)
>
Yes, I had success with FreeBSD 4.x, OpenBSD and RouterOS (Linux).
What you need to emphasize is a good bridge as routing gateway that has
very good Layer 2 filtering capabilities to filter traffic between VLANs
but still bridges them all together into one bridge (so they can't access
each other and are not able to spoof, etc.).
One of your immediate weaknesses will be if two users have the same MAC
address; therefore I suggest an 802.1D-compliant bridge (so no single
customer can deny another customer's service by using the same MAC address,
but instead this results in duplication of packets).
Also, one customer can steal another customer's address by sending
creative ARP packets to the gateway; you might want to strengthen that
with some custom code, unless it's already done.
Also, if they want to communicate with each other, I suggest you write a
proxy ARP app instead of letting them talk to each other on L2.
--
Sten Daniel Sørsdal
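The two weaknesses named in the post (a customer claiming a neighbour's address with crafted ARP toward the gateway, and two customers sharing one MAC address) are the kind of thing the "custom code" on the gateway would have to catch. The following is an added example, not code from the post or from FreeBSD, OpenBSD or RouterOS: a small per-VLAN ARP inspector in Python. It assumes (the post does not say this) that every customer sits on its own 802.1Q VLAN, that the operator holds a static table of which IP/MAC pair belongs to which VLAN, and that there is some hook that sees frames before the gateway's ARP cache learns from them. The names ArpInspector, build_tagged_arp and parse_tagged_arp are hypothetical, and the sample frames are constructed inline using the IANA documentation MAC and IPv4 ranges.

```python
"""Per-VLAN ARP inspection in front of a bridging gateway.  Added example, not
code from the original post or from FreeBSD, OpenBSD or RouterOS.  Assumed (not
stated in the post): one 802.1Q VLAN per customer, a static operator table of
which IP/MAC pair lives on which VLAN, and a hook that sees frames before the
gateway's ARP cache learns from them."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETH_P_8021Q, ETH_P_ARP = 0x8100, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    vlan: int
    eth_src: bytes      # Ethernet source address
    op: int
    sender_mac: bytes   # ARP sender hardware address
    sender_ip: bytes    # ARP sender protocol address


def build_tagged_arp(vlan: int, eth_src: bytes, op: int, sender_mac: bytes,
                     sender_ip: bytes, target_ip: bytes) -> bytes:
    """Build a broadcast 802.1Q-tagged IPv4 ARP frame.  Used only to create the
    constructed sample traffic below; a deployment reads frames off the bridge."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!HHH", ETH_P_8021Q, vlan & 0xFFF, ETH_P_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp_hdr + sender_mac + sender_ip + b"\x00" * 6 + target_ip


def parse_tagged_arp(frame: bytes) -> ArpFrame | None:
    """Return the fields of a tagged IPv4 ARP frame, or None for anything else
    (untagged, non-ARP, unexpected address lengths, truncated)."""
    if len(frame) < 46:                        # 14 Ethernet + 4 tag + 28 ARP
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETH_P_8021Q or ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[18:26])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(tci & 0xFFF, frame[6:12], op, frame[26:32], frame[32:36])


class ArpInspector:
    """Decide whether an ARP frame may update the gateway's ARP cache.
    bindings maps vlan -> {sender_ip: sender_mac}; a frame is accepted only if
    its sender pair is bound on the ingress VLAN and the Ethernet source equals
    the ARP sender MAC.  Source MACs are also tracked per VLAN to surface two
    customers using one MAC address."""

    def __init__(self, bindings: dict[int, dict[bytes, bytes]]):
        self.bindings = bindings
        self.vlans_by_mac: dict[bytes, set[int]] = {}

    def inspect(self, frame: bytes) -> str:
        arp = parse_tagged_arp(frame)
        if arp is None:
            return "drop: not a tagged IPv4 ARP frame"
        self.vlans_by_mac.setdefault(arp.eth_src, set()).add(arp.vlan)
        if arp.op not in (ARP_REQUEST, ARP_REPLY):
            return "drop: unknown ARP opcode"
        if arp.eth_src != arp.sender_mac:
            return "drop: Ethernet source differs from ARP sender MAC"
        bound = self.bindings.get(arp.vlan, {}).get(arp.sender_ip)
        if bound is None:
            return "drop: sender IP not assigned on this VLAN"
        if bound != arp.sender_mac:
            return "drop: sender MAC does not match binding for this IP"
        return "accept"

    def duplicate_macs(self) -> dict[bytes, list[int]]:
        """Source MACs seen on more than one VLAN."""
        return {m: sorted(v) for m, v in self.vlans_by_mac.items() if len(v) > 1}


def demo() -> tuple[list[str], dict[bytes, list[int]]]:
    """Run constructed sample frames (documentation MAC and IPv4 ranges) through the inspector."""
    a_mac, a_ip = bytes.fromhex("00005e00530a"), IPv4Address("192.0.2.11").packed  # A, VLAN 10
    b_mac, b_ip = bytes.fromhex("00005e00530b"), IPv4Address("192.0.2.12").packed  # B, VLAN 20
    gw_ip = IPv4Address("192.0.2.1").packed
    insp = ArpInspector({10: {a_ip: a_mac}, 20: {b_ip: b_mac}})
    frames = [
        build_tagged_arp(10, a_mac, ARP_REQUEST, a_mac, a_ip, gw_ip),  # A asks for gateway
        build_tagged_arp(20, b_mac, ARP_REPLY, b_mac, a_ip, gw_ip),    # B claims A's IP
        build_tagged_arp(10, a_mac, ARP_REPLY, b_mac, a_ip, gw_ip),    # A forges ARP sender MAC
        build_tagged_arp(20, a_mac, ARP_REPLY, a_mac, b_ip, gw_ip),    # B clones A's MAC
    ]
    return [insp.inspect(f) for f in frames], insp.duplicate_macs()


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The binding check is what stops the "creative ARP packets" case: a sender pair that is not assigned on the ingress VLAN never reaches the gateway's cache, whatever the opcode. The MAC tracking only reports the duplicate-MAC case; whether to drop or merely alert on a MAC that shows up on two customer VLANs is an operator decision, and in a real deployment the binding table would come from the provisioning system rather than a literal.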