FBSD6 if_bridge

David Pierron david at wombatsweb.com
Fri Dec 2 13:11:52 GMT 2005


I have been trying for some time to get if_bridge working on a FreeBSD 
6.0 machine.  I must be missing something simple.

I have Googled, I have previously posted here, I've IRC'd and I have 
tried 3 different installations on different hardware ...
I have read and reread the man pages for if_bridge and associated docs, 
I believe I made the correct choices.
I have posted my edits so that it may jump out at someone and I can 
proceed on my merry way into ruleset building ...

The configuration desired is a 3 NIC install ... 2 doing the bridge 
between the router and the network and the 3rd used for access I/O to 
the machine.

When I am ready to try this new configuration, I pull the two CAT5 
cables from the existing bridge (FBSD 4.11-p13 BRIDGE IPFW) and pop them 
into this new one.

I see traffic being blocked using tcpdump -i pflog0 from machines within 
the network (fxp2), but nothing outside (fxp0 and fxp1).
I see states being established and removed watching pftop but only for 
the internal network (fxp2).

It appears the bridge is not working whatsoever ... any ideas for me 
to try?

I install from 6.0-RELEASE-i386-bootonly.iso using a Minimal install.
Get base via FTP :: pkg_add -r cvsup-without-gui

cvsup all source and ports and recompile the kernel editing GENERIC with:

# Bridge support
device if_bridge

# PF support
device pf
device pflog
device pfsync

# ALTQ support
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
# for SMP machine
options ALTQ_NOPCC

# other stuff
#options IPSTEALTH
options HZ=1000

config SMP ; cd ../compile/SMP ; make depend ; make ; make install
reboot

/etc/sysctl.conf:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Enable bridge and allow each NIC (member) in/out filtering for PF
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
#
# Enable forwarding
#net.inet.ip.forwarding=1
# I have tried with this on as well but bridge should do forwarding
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


/etc/rc.conf:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
defaultrouter="my.c.class.xxx"
hostname="foo.mydomain.org"
ifconfig_fxp2="inet my.c.class.xxx  netmask 255.255.255.0"
#
# Create Bridge
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"
#
# Enable PF firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
#
# Enable PF logging
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
#
# Start Apache2 at startup
apache2_enable="YES"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


/etc/pf.conf:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ext_if="fxp0"	# replace with actual external interface name i.e., dc0
int_if="fxp1"	# replace with actual internal interface name i.e., dc1
mgt_if="fxp2"	# replace with actual internal interface name i.e., dc2

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# localhost interface
pass  quick on lo0 all

# Block everything and log it
block log on $mgt_if all
block log on $ext_if all
block log on $int_if all

# Internal interface
pass  out on $mgt_if all keep state
pass  in  on $mgt_if proto tcp from any to $mgt_if port 80 keep state
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ifconfig output with cables unplugged from bridge:

fxp0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	ether xx:xx:xx:xx:xx:xx
	media: Ethernet autoselect (none)
	status: no carrier
fxp1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	ether xx:xx:xx:xx:xx:xx
	media: Ethernet autoselect (none)
	status: no carrier
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp2 prefixlen 64 scopeid 0x3 
	inet my.c.class.xxx netmask 0xffffff00 broadcast my.c.class.255
	ether xx:xx:xx:xx:xx:xx
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
pfsync0: flags=0<> mtu 2020
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
	inet 127.0.0.1 netmask 0xff000000 
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
	ether xx:xx:xx:xx:xx:xx
	priority 32768 hellotime 2 fwddelay 15 maxage 20
	member: fxp1 flags=3<LEARNING,DISCOVER>
	member: fxp0 flags=3<LEARNING,DISCOVER>
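The following POSIX sh script is an added example and is not part of the post above or of FreeBSD; it checks the two things a reviewer would verify first in a setup like this, given only ifconfig(8) output and a pf.conf: whether each bridge member interface is administratively UP, and whether a member that is covered by a block rule also has at least one pass rule (with net.link.bridge.pfil_member=1, pf filters on the member interfaces, so a member with only block rules drops all bridged traffic). The sample input is constructed from the ifconfig output and pf.conf in the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint an if_bridge + pf setup
# from ifconfig(8) output and a pf.conf. Sample input below is constructed
# from the post's own ifconfig output and pf.conf (tabs replaced by spaces).

IFCONFIG_OUT='fxp0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
fxp1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: fxp1 flags=3<LEARNING,DISCOVER>
        member: fxp0 flags=3<LEARNING,DISCOVER>'

PF_CONF='ext_if="fxp0"   # replace with actual external interface name i.e., dc0
int_if="fxp1"   # replace with actual internal interface name i.e., dc1
mgt_if="fxp2"   # replace with actual internal interface name i.e., dc2
scrub in all
pass  quick on lo0 all
block log on $mgt_if all
block log on $ext_if all
block log on $int_if all
pass  out on $mgt_if all keep state
pass  in  on $mgt_if proto tcp from any to $mgt_if port 80 keep state'

# bridge_members <ifconfig output>: print each "member:" interface name.
bridge_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" { print $2 }'
}

# iface_is_up <ifconfig output> <ifname>: succeed only if the interface's
# flags list contains the UP token (administrative state, not carrier).
iface_is_up() {
    printf '%s\n' "$1" | awk -v i="$2:" '
        $1 == i && $2 ~ /[<,]UP[,>]/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# pf_expand <pf.conf text>: strip comments and blank lines, record simple
# name="value" macros, and replace whole $name tokens with their values.
pf_expand() {
    printf '%s\n' "$1" | awk '
        { sub(/[ \t]*#.*/, "") }
        /^[ \t]*$/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"/ {
            eq = index($0, "=")
            val = substr($0, eq + 1); gsub(/"/, "", val)
            macro[substr($0, 1, eq - 1)] = val
            next
        }
        {
            for (f = 1; f <= NF; f++)
                if (substr($f, 1, 1) == "$" && (substr($f, 2) in macro))
                    $f = macro[substr($f, 2)]
            print
        }'
}

# pf_rule_count <expanded pf.conf> <pass|block> <ifname>: number of rules
# of that action that name the interface after "on".
pf_rule_count() {
    printf '%s\n' "$1" | awk -v act="$2" -v i="$3" '
        $1 == act {
            for (f = 2; f < NF; f++)
                if ($f == "on" && $(f + 1) == i) { n++; break }
        }
        END { print n + 0 }'
}

# check_bridge_pf <ifconfig output> <pf.conf text>: print one finding per
# problem found on each bridge member (nothing printed means no finding).
check_bridge_pf() {
    ifc="$1"
    expanded=$(pf_expand "$2")
    for m in $(bridge_members "$ifc"); do
        if ! iface_is_up "$ifc" "$m"; then
            printf 'member %s is not UP: it needs ifconfig_%s="up" (or ifconfig %s up)\n' "$m" "$m" "$m"
        fi
        if [ "$(pf_rule_count "$expanded" block "$m")" -gt 0 ] &&
           [ "$(pf_rule_count "$expanded" pass "$m")" -eq 0 ]; then
            printf 'member %s has block rules but no pass rule: with pfil_member=1 all bridged traffic on it is dropped\n' "$m"
        fi
    done
}

# Usage on the constructed sample: reports both problems for fxp0 and fxp1.
check_bridge_pf "$IFCONFIG_OUT" "$PF_CONF"
```

On a live machine the same functions can be fed `ifconfig` and `cat /etc/pf.conf` directly; the macro expansion only handles simple `name="value"` lines and exact `$name` tokens, which is enough for the rulesets quoted in this thread.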