Multiple if_bridge devices

Chris eagletree at hughes.net
Tue Jan 29 07:30:45 PST 2008


Hi,

I have 3 transparent firewalls on 3 T1s with a LAN behind each
supporting multiple servers.

Existing:
Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1
Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2
Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3

These firewalls are workstation-class computers running
FreeBSD 6.2, if_bridge and ipfw. This has worked quite well
with the exception of hardware failures because of the
workstations' hardware. I can afford one server-class blade
with 3 2-port NICs, but not three complete quality servers.
I would like to get to one firewall machine yet maintain the
isolation of the circuits and servers.

Target: 1 firewall, 4 nics, if_bridge (1 bridge) and ipfw
AllServers<->Switch<->FreeBSD Firewall<->T1 Router1
                                                         <->T1 Router2
                                                         <->T1 Router3
or
      1 firewall 6 nics, if_bridge (3 bridges) and ipfw
Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1
Servers2<->Switch2<->                       <->T1 Router2
Servers3<->Switch3<->                       <->T1 Router3

Initially I designed the replacement using a single if_bridge
with a single LAN backbone as shown first here. After trying
to design the rules, I concluded that it was either illogical
or beyond my ipfw rule skills. Then it occurred to me to try
to run three if_bridge devices as shown in the second Target:
one box, 6 NICs, 3 networks kept isolated for ARP but
IP-managed in a single instance of ipfw.

I got as far as attempting this:

ifconfig bridge0 create
ifconfig bridge0 addm rl0 addm em0 up
ifconfig bridge1 create
ifconfig bridge1 addm vx0 up

It created the devices but obviously is not something I could
test to see if it actually worked as two discrete bridges. I've
no additional hardware, but before I buy anything, I thought
I could simply ask if if_bridge is meant to do this. I have
googled, checked man (if_bridge, ipfirewall, ipfw), and the
handbook, but I can't find anywhere that specifically says
if_bridge is designed to support multiple bridges on one
computer.

My questions are:

1. Is if_bridge designed to support more than one bridge
on a single machine by creating multiple bridge devices (only,
of course, with multiple NICs on the second and tertiary
bridges)?

2. If so, does it retain complete isolation of the bridges (e.g.
for ARP) while allowing ipfw to examine all three simultaneously?

3. Should I be exploring a different FreeBSD route to
implement this?

Please let me know if this should actually go to the
FreeBSD-Net List.

Thank you,
Chris Pratt
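An added example, not part of the original post and not FreeBSD's or the poster's own script: a POSIX sh script that builds the second Target (one box, six NICs, three if_bridge devices, one ipfw) and keeps the three circuits apart inside the single ruleset by matching every rule on a member interface. The NIC names (rl0/em0, rl1/em1, rl2/em2), the 10.0.N.0/24 server networks and the minimal web-server policy are assumptions for illustration. By default it prints the commands instead of executing them, so it can be reviewed before being run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not the poster's or FreeBSD's own script.  Builds the
# "1 firewall, 6 NICs, 3 bridges, 1 ipfw" layout: each if_bridge pairs one
# server-side NIC with one T1-side NIC, so a NIC belongs to exactly one
# bridge and ARP/broadcast frames never cross circuits.  The single ipfw
# instance keeps the circuits apart by naming a member NIC in every rule.
# NIC names, networks and the rule policy below are assumptions.
#
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_up BRIDGE INSIDE_IF OUTSIDE_IF: one bridge with exactly two members.
bridge_up() {
    run ifconfig "$1" create
    run ifconfig "$2" up
    run ifconfig "$3" up
    run ifconfig "$1" addm "$2" addm "$3" up
}

# circuit_rules BASE INSIDE_IF OUTSIDE_IF NET: ipfw rules for one circuit,
# numbered from BASE.  With net.link.bridge.pfil_member=1 a bridged packet
# passes ipfw twice, "in via" the member it arrived on and "out via" the
# member it leaves on, so a rule written for circuit 1's NICs can never
# match a packet travelling across circuit 2's NICs.
circuit_rules() {
    base=$1; inside=$2; outside=$3; net=$4
    # Servers to the Internet: accept on the inside NIC, pass out the T1 side.
    run ipfw add "$base"       allow ip  from "$net" to any in  via "$inside"
    run ipfw add $((base + 1)) allow ip  from "$net" to any out via "$outside"
    # Internet to servers: only new web connections and packets of
    # established TCP sessions are accepted from the T1 side.
    run ipfw add $((base + 2)) allow tcp from any to "$net" 80,443 in via "$outside" setup
    run ipfw add $((base + 3)) allow tcp from any to "$net" in via "$outside" established
    run ipfw add $((base + 4)) allow ip  from any to "$net" out via "$inside"
    # Anything else seen on this circuit's NICs, including a spoofed or
    # foreign source address arriving on the inside NIC, is dropped and logged.
    run ipfw add $((base + 8)) deny log ip from any to any via "$inside"
    run ipfw add $((base + 9)) deny log ip from any to any via "$outside"
}

configure_all() {
    # Filter on the member NICs only, not on the bridge pseudo-interfaces,
    # so each packet is examined once per hop and "via" is unambiguous.
    run sysctl net.link.bridge.pfil_member=1
    run sysctl net.link.bridge.pfil_bridge=0

    bridge_up bridge0 rl0 em0
    bridge_up bridge1 rl1 em1
    bridge_up bridge2 rl2 em2

    run ipfw -f flush
    circuit_rules 1000 rl0 em0 10.0.1.0/24
    circuit_rules 2000 rl1 em1 10.0.2.0/24
    circuit_rules 3000 rl2 em2 10.0.3.0/24
    run ipfw add 65000 deny log ip from any to any
}

configure_all
```

The policy is deliberately a skeleton (for instance, UDP replies such as DNS answers to the servers are not allowed through); the point is the shape of the ruleset: each circuit's rules name only that circuit's two NICs, and the per-circuit deny rules catch anything on those NICs the allow rules did not claim. To make the same layout persist across reboots the bridges can be declared in rc.conf with `cloned_interfaces="bridge0 bridge1 bridge2"` and `ifconfig_bridge0="addm rl0 addm em0 up"` (and likewise for bridge1 and bridge2), with the sysctls in sysctl.conf.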
