IPFW/Dummynet/Bridging with VLAN trunks?

Chris Cowart ccowart at rescomp.berkeley.edu
Tue Apr 21 18:47:43 UTC 2009


Howard Jones wrote:
> I'm trying to use Dummynet+IPFW and bridging to make a packet shaper
> that runs across multiple VLANs. So my intended setup is:
> 
> [users]->[Aggregate Switch]=>[FreeBSD]=>[Upstream Switch (with IP
> interfaces for each vlan)]->The World
> 
> where -> is a single VLAN, and => is a tagged dot1q trunk. The aim is to
> drop the FreeBSD box in the middle, in one trunked uplink, and cover all
> the VLANs downstream of that.
> 
> Should this work?
> 
> In practice, the bridging seems to work OK, but as soon as I add rules
> to match traffic passing through and apply it to pipes, everything
> stops. I can use tcpdump's vlan option to filter traffic on em0, em1 or
> bridge0 and it does show only traffic for that vlan, so tags are being
> preserved...
> 
> Ideally, I'd like to use the dot1q tag in ipfw rules directly, and avoid
> ip ranges, but I don't think that's possible. Is there some special
> incantation to make ipfw vlan-aware?
> 
> Has anyone else done this successfully?

This is how I do it:

ipfw add pipe 1 all from any to any in via vlan20
ipfw add pipe 2 all from any to any in via vlan40

But in my configuration, bridge0 has members vlan20 and vlan40. I would
create a separate bridge with vlan21 and vlan41.

I don't think ipfw can filter on dot1q tags yet, though. There was a lot
of layer 2 filtering capability in a patch floating around for
8-CURRENT, but I'm not sure of its status, nor whether dot1q filtering
was implemented.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
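The layout Chris describes, written out as an rc-style sh script. This is an added example, not code from the thread: one if_bridge per VLAN pair (bridge0 = vlan20+vlan40, bridge1 = vlan21+vlan41) with a dummynet pipe attached to the traffic entering each member, so every VLAN is shaped on its own. The trunk NIC names (em0 downstream, em1 upstream), the tag carried by each member, the pipe numbers and the bandwidths are all assumptions; with DRY=1 (the default) the script only prints the ifconfig/ipfw/sysctl commands so they can be reviewed before being run on a live bridge.

```shell
#!/bin/sh
# Added example (not from the thread): build one bridge per VLAN pair and
# shape each member's inbound traffic through its own dummynet pipe.
# Assumptions: FreeBSD with if_bridge(4), vlan(4) and dummynet(4) loaded,
# em0 facing the aggregate switch and em1 facing the upstream switch.
# DRY=1 prints the commands instead of executing them.

DOWN=${DOWN:-em0}   # trunk toward the aggregate switch (assumed name)
UP=${UP:-em1}       # trunk toward the upstream switch (assumed name)
DRY=${DRY:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mk_vlan NAME PARENT TAG: create a vlan(4) interface for TAG on trunk PARENT.
mk_vlan() {
    run ifconfig "$1" create vlan "$3" vlandev "$2"
    run ifconfig "$1" up
}

# shape_bridge BRIDGE DOWNIF UPIF PIPE_D PIPE_U BW_D BW_U
# Bridges DOWNIF and UPIF, then sends frames entering via DOWNIF (users'
# upload) through pipe PIPE_D and frames entering via UPIF (download)
# through pipe PIPE_U. Matching "in via <member>" relies on
# net.link.bridge.pfil_member=1 so ipfw sees traffic on the member
# interfaces rather than only on the bridge itself.
shape_bridge() {
    br=$1 d=$2 u=$3 pd=$4 pu=$5 bd=$6 bu=$7
    run ifconfig "$br" create
    run ifconfig "$br" addm "$d" addm "$u" up
    run ipfw pipe "$pd" config bw "$bd"
    run ipfw pipe "$pu" config bw "$bu"
    run ipfw add pipe "$pd" ip from any to any in via "$d"
    run ipfw add pipe "$pu" ip from any to any in via "$u"
}

# Filter on member interfaces, not on the bridge pseudo-interface.
run sysctl net.link.bridge.pfil_member=1
run sysctl net.link.bridge.pfil_bridge=0

# Assumed tag mapping: tag 20/21 on the downstream trunk, 40/41 upstream.
# If both trunks carry the same tag, pass the same TAG to both mk_vlan calls.
mk_vlan vlan20 "$DOWN" 20; mk_vlan vlan40 "$UP" 40
mk_vlan vlan21 "$DOWN" 21; mk_vlan vlan41 "$UP" 41
shape_bridge bridge0 vlan20 vlan40 1 2 10Mbit/s 50Mbit/s
shape_bridge bridge1 vlan21 vlan41 3 4 10Mbit/s 50Mbit/s
```

Each pipe is attached with `ipfw add pipe N ...` (the `add` keyword is what turns the line into a rule; `ipfw pipe N config` is the pipe definition). Because each bridge only ever carries one VLAN pair, the `in via` match on the member interface is enough to keep the VLANs apart without any IP-range matching.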