i386/177618: Bridge firewall with trunk ports and vlans
Jean Aumont
jaumont at mediagrif.com
Wed Apr 3 19:40:01 UTC 2013
>Number: 177618
>Category: i386
>Synopsis: Bridge firewall with trunk ports and vlans
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 03 19:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Jean Aumont
>Release: Version 8.2 (also 7.2)
>Organization:
Mediagrif
>Environment:
FreeBSD TestFW 8.2-Release FreeBSD 8.2-Release #0: Fri Mar 2 10.11:53 EST 2012
root@:/usr/obj/usr/src/sys/MDFKERNEL i386
>Description:
First, let's clarify that the kernel has been recompiled to support Pf, Carp and ALTQ, by adding the following options in the config file for the kernel compile:
device pf
device pflog
device pfsync
device carp
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
I do not believe that those options have an impact on the problem, but just to be clear, I wanted to mention it. The following can be replicated on FreeBSD 8.2 and 7.2.
Here is the problem.
I have 2 Cisco switches, both of them carrying 2 vlans: 10 and 50.
Those 2 switches are connected to my FreeBSD firewall with a dot1q trunk port that carries those 2 vlans.
One switch is connected to the bge0: interface and the other switch is connected to the xl0: interface.
I want to filter the traffic using FreeBSD as a bridge firewall without mixing vlan 10 and 50, and be able to control the spanning tree priority.
The configuration I used in /etc/rc.conf is as follows:
cloned_interfaces="vlan100 vlan101 vlan500 vlan501 bridge0 bridge1"
ifconfig_bridge0="fwddelay 12 \
maxage 16 \
priority 4096 \
addm vlan100 \
addm vlan101 \
stp vlan100 \
stp vlan101 \
-learn vlan100 \
-learn vlan101 \
up"
ifconfig_bridge1="fwddelay 12 \
maxage 16 \
priority 45056 \
addm vlan500 \
addm vlan501 \
stp vlan500 \
stp vlan501 \
-learn vlan500 \
-learn vlan501 \
up"
ifconfig_vlan100="vlan 10 vlandev bge0 up"
ifconfig_vlan101="vlan 10 vlandev xl0 up"
ifconfig_vlan500="vlan 50 vlandev bge0 up"
ifconfig_vlan501="vlan 50 vlandev xl0 up"
ifconfig_bge0="up"
ifconfig_xl0="up"
I tried to separate the traffic from vlan 10 and 50 on bridge 0 and 1 respectively by using intermediate vlans that are mapped to the trunk port.
For vlan 10, I used vlan100 from interface bge0: and used vlan101 from xl0:.
For vlan 50, I used vlan500 from interface bge0: and used vlan501 from xl0:.
The traffic is separated properly between vlan 10 and 50, and using tcpdump on the bridges I could confirm that.
The problem is that the bridge priority is not respected, even though the command "ifconfig bridge0" shows that the right value is set for the priority.
Using tcpdump on bridge0 or bridge1, you can see stp traffic passing through the bridge.
Also, both bridges do not acquire a bridge id; it is left at 00:00:00:00:00:00.
I also tried to create the bridge manually using shell commands; here are the results:
ifconfig bridge0 create
ifconfig bridge0 priority 4096
ifconfig bridge0 addm vlan100
ifconfig bridge0 addm vlam101
==> bridge0: error setting interface capability on vlan100
ifconfig bridge0 stp vlan100
==> ifconfig: unable to set bridge flags: invalid argunment
ifconfig bridge0 -learn vlan100
ifconfig bridge0 -learn vlan101
ifconfig bridge0 fwddelay 12
ifconfig bridge0 maxage 16
As you can see, there were some errors....
Am I using the right technique to accomplish what I want?
Thanks.
Jean Aumont
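As an added illustration (not part of Jean's report and not FreeBSD project code), the POSIX sh functions below parse `ifconfig bridgeN` output of the shape if_bridge(4) prints on FreeBSD 8.x and flag the two symptoms the report describes: a bridge id stuck at 00:00:00:00:00:00 and member ports whose flags lack STP (or still carry LEARNING after -learn). Both sample outputs are constructed, and the exact field layout is an assumption based on the usual ifconfig bridge display rather than text taken from the report.

```shell
#!/bin/sh
# Added example: sanity-check if_bridge STP state from `ifconfig bridgeN` output.
# The two samples are constructed to imitate the FreeBSD 8.x bridge display;
# the layout is an assumption, not copied from the report.

# Symptom case: priority is set, but the id is all zeros and no member runs STP.
SAMPLE_BAD='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0a:0b:0c:0d:00
        id 00:00:00:00:00:00 priority 4096 hellotime 2 fwddelay 12
        maxage 16 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 4096 ifcost 0 port 0
        member: vlan101 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 6 priority 128 path cost 55
        member: vlan100 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 5 priority 128 path cost 55'

# Healthy case: bridge id assigned, both members running STP, learning off.
SAMPLE_GOOD='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0a:0b:0c:0d:00
        id 00:1a:2b:3c:4d:5e priority 4096 hellotime 2 fwddelay 12
        maxage 16 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:1a:2b:3c:4d:5e priority 4096 ifcost 0 port 0
        member: vlan101 flags=146<DISCOVER,STP,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 55
        member: vlan100 flags=146<DISCOVER,STP,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 55'

# Print the bridge's own id (the "id" line, not the "root id" line).
bridge_id() {
    printf '%s\n' "$1" | awk '$1 == "id" { print $2; exit }'
}

# Print the configured bridge priority from the same "id" line.
bridge_priority() {
    printf '%s\n' "$1" | awk '$1 == "id" {
        for (i = 1; i <= NF; i++) if ($i == "priority") print $(i + 1); exit }'
}

# Print the name of every member port whose flags do not include STP.
members_without_stp() {
    printf '%s\n' "$1" | awk '$1 == "member:" && $3 !~ /[<,]STP[,>]/ { print $2 }'
}

# Print the name of every member port that still has LEARNING set.
members_still_learning() {
    printf '%s\n' "$1" | awk '$1 == "member:" && $3 ~ /[<,]LEARNING[,>]/ { print $2 }'
}

# Return 0 when STP looks active: non-zero bridge id and STP on every member.
stp_active() {
    [ "$(bridge_id "$1")" != "00:00:00:00:00:00" ] || return 1
    [ -z "$(members_without_stp "$1")" ] || return 1
    return 0
}

# Human-readable summary of one bridge's output.
report() {
    printf 'bridge id: %s (priority %s)\n' "$(bridge_id "$1")" "$(bridge_priority "$1")"
    for m in $(members_without_stp "$1"); do
        printf 'member %s: STP not enabled\n' "$m"
    done
    for m in $(members_still_learning "$1"); do
        printf 'member %s: still LEARNING\n' "$m"
    done
    if stp_active "$1"; then
        echo "STP state: OK"
    else
        echo "STP state: NOT running (the symptom described in the report)"
    fi
}

# On a live system this would be: report "$(ifconfig bridge0)"
report "$SAMPLE_BAD"
report "$SAMPLE_GOOD"
```

The check is read-only: it only inspects ifconfig output, so it can be run after applying the rc.conf configuration to confirm whether the bridge actually took on an id and whether each member port received the STP flag, which is the difference between a priority that is merely displayed and one that takes part in the spanning tree.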
>How-To-Repeat:
Just use the configuration from the description.
>Fix:
Do not know
>Release-Note:
>Audit-Trail:
>Unformatted: