Transparent Bridge with VLAN Tagging - How?

Christopher Cowart ccowart at rescomp.berkeley.edu
Wed Aug 13 20:53:25 UTC 2008


Mike Sweetser - Adhost wrote:
> Hello,
> 
> I'm attempting to set up a transparent bridge in FreeBSD 7.0 to
> eventually act as a PF/Snort box, and it needs to be VLAN aware.
> However, I don't seem to be on the right track as far as setting it up.
> 
> I have, for instance, VLAN 10 that it needs to be aware of, and this
> network segment is on VLAN 10 from a switch higher up.  I have the
> current setup, but once it's running, I can't ping anything.  bge0 is
> the outside interface, bge1 is inside:
> 
> defaultrouter="192.168.1.1"
> gateway_enable="YES"
> cloned_interfaces="bridge0 vlan0 vlan1"
> ifconfig_vlan0="vlan 10 vlandev bge0"
> ifconfig_vlan1="vlan 10 vlandev bge1"
> ifconfig_bridge0="inet 192.168.1.10 netmask 255.255.0.0 addm bge0 addm
> bge1 addm vlan0 addm vlan1 up"
> ifconfig_bge0="up"
> ifconfig_bge1="up"
> 
> What am I doing wrong?

I'm pretty sure you *don't* want to bridge the interfaces with their
parents (vlan0 shouldn't be bridged with bge0 -- if it even works, it
would cause tagged packets to be untagged and retransmitted out the
incoming interface (what Cisco calls the native vlan) and vice versa).

I've only bridged vlan interfaces -- not their parents. E.g.:
cloned_interfaces="bridge0 vlan190 vlan590"
ifconfig_bge0="up"
ifconfig_vlan190="vlan 190 vlandev bge1"
ifconfig_vlan590="vlan 590 vlandev bge1"
ifconfig_bridge0="addm vlan190 addm vlan590"

If you want to bridge the parents, I think it would look like this
(YMMV):
cloned_interfaces="bridge0 vlan10"
ifconfig_bge0="up"
ifconfig_bge1="up"
ifconfig_bridge0="addm bge0 addm bge1"
ifconfig_vlan10="vlan 10 vlandev bridge0"

I don't know how well if_bridge(4) copes with vlan tags -- I know it
breaks if you bridge a vlan(4) with a gif(4). I also don't know if a
vlan interface will happily accept a bridge parent.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
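
An added example, not part of the original post: a small Python check that reads rc.conf-style text and reports any bridge whose addm list contains both a vlan(4) interface and its vlandev parent, the arrangement the reply above warns against. The function names and the constructed sample (the fragment from the quoted question, with its wrapped line joined) are assumptions of this example, and it expects one assignment per line.

```python
import re
import shlex

# Constructed sample: the rc.conf fragment from the quoted question,
# with the wrapped ifconfig_bridge0 line joined onto one line.
SAMPLE_RC_CONF = '''\
cloned_interfaces="bridge0 vlan0 vlan1"
ifconfig_vlan0="vlan 10 vlandev bge0"
ifconfig_vlan1="vlan 10 vlandev bge1"
ifconfig_bridge0="inet 192.168.1.10 netmask 255.255.0.0 addm bge0 addm bge1 addm vlan0 addm vlan1 up"
ifconfig_bge0="up"
ifconfig_bge1="up"
'''

def parse_ifconfig(text):
    """Return {ifname: [argument tokens]} for every ifconfig_<ifname>= line."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'\s*ifconfig_(\w+)=(.*)$', line)
        if m:
            # shlex strips the sh quoting; the value is then split on whitespace.
            value = " ".join(shlex.split(m.group(2), comments=True))
            out[m.group(1)] = value.split()
    return out

def following(tokens, keyword):
    """Arguments that directly follow `keyword` in an ifconfig argument list."""
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == keyword]

def bridge_parent_conflicts(text):
    """List (bridge, vlan_if, parent) where a vlan and its vlandev share a bridge."""
    ifs = parse_ifconfig(text)
    parent_of = {}
    for name, toks in ifs.items():
        devs = following(toks, "vlandev")
        if devs:
            parent_of[name] = devs[0]
    conflicts = []
    for name, toks in ifs.items():
        members = set(following(toks, "addm"))
        for vlan_if, parent in sorted(parent_of.items()):
            if vlan_if in members and parent in members:
                conflicts.append((name, vlan_if, parent))
    return conflicts

if __name__ == "__main__":
    for bridge, vlan_if, parent in bridge_parent_conflicts(SAMPLE_RC_CONF):
        print(f"{bridge}: {vlan_if} is bridged with its parent {parent}")
```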