Bridging + VLANS + RSTP / MSTP

kevin k at kevinkevin.com
Fri Feb 18 18:13:33 UTC 2011


Hello,

I have a fairly straightforward network in a colocated facility. I have a
FreeBSD PF bridging firewall (2 interfaces bridged, 1 interface for access).

The FreeBSD 8.0-RELEASE firewall provides inbound filtering through a Dell
PowerConnect 5448 switch, divided into two vlans.

My network is best described by the following diagram :

        [ISP GW]
            |
 [------switch 1 [vlan1]------]
            |
       [FW1 BRIDGE]
            |
 [------switch 1 [vlan2]------]
            |
        [clients]

I have been playing around with the possibility of adding another FreeBSD
bridging firewall to provide access from vlan1 > vlan2 for the clients. I
originally posted on the freebsd-pf list, and the only viable solution would
be to employ STP on the two FreeBSD servers' bridge ports on vlan1, and
turn STP off for every other port.

My switch also supports MSTP and RSTP protocols. Honestly I have little
experience with this, but I was hoping to get some general insight as to how
I could employ my switch and a redundant freebsd firewall for hardware
failovers.

My current testing has shown little promise -- both firewalls will go up, but
traffic will only go to the first firewall. If I reboot that first firewall,
no traffic will flow to the second bridging firewall. Note that all IPs on
my network (inside and out) are public IPs; there are no private IPs on my
network.


Here is my rc.conf :

defaultrouter="x.x.x.x"
gateway_enable="YES"
cloned_interfaces="bridge0"             # create the bridge interface at boot
# bge0 and bge1 are the bridged pair (vlan1 side / vlan2 side); STP enabled on both
ifconfig_bridge0="up addm bge0 stp bge0 addm bge1 stp bge1"
ifconfig_bge0="up"                      # bridge members carry no IP address
ifconfig_bge1="up"
ifconfig_em0="inet y.y.y.y netmask 255.255.255.0"   # management/access interface

# PF Options
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

My pf.conf is really standard, I don't think there is really a point to
posting it. Just a block in all and a series of pass in's. Nothing fancy.

Any help or ideas or insight is GREATLY appreciated -- I have been tackling
this for about a year (not actively, passively) and would LOVE to employ
this properly. I see commercial firewalls like Juniper offer transparent
bridging and failover hardware redundancies so I'm pretty sure this would be
possible with FreeBSD, but again my switching and networking experience is
somewhat limited.

Thanks,

Kevin
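When testing a failover like the one described in this post, the first thing to check is what STP role and state if_bridge(4) has assigned to each member on each firewall. The following script is an added example, not part of the original post or of FreeBSD: it parses the output of `ifconfig bridge0` and lists each member's role and state, and which members are not forwarding. The embedded sample output is constructed (MAC addresses, ids and the discarding state are placeholders), and it assumes the FreeBSD 8 ifconfig layout in which STP-enabled members print a `role ... state ...` line.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the STP role and
# state of each if_bridge(4) member from `ifconfig bridge0` output.
# On a live host: ifconfig bridge0 | bridge_member_states

# Constructed sample of the ifconfig output for a bridge running RSTP with
# two STP-enabled members; all addresses and ids are placeholders.
SAMPLE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: bge1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: bge0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state discarding'

# Read ifconfig output on stdin; print one line per STP member:
#   <ifname> <role> <state>
bridge_member_states() {
    awk '
        /^[[:space:]]*member:/ { member = $2 }
        member != "" && /role/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "role")  role  = $(i + 1)
                if ($i == "state") state = $(i + 1)
            }
            print member, role, state
            member = ""
        }'
}

# Print only the members STP is currently cutting (discarding, blocking,
# learning ...). When "no traffic reaches the second firewall", this shows
# which port on which box the spanning tree has blocked.
non_forwarding_members() {
    bridge_member_states | awk '$3 != "forwarding" { print $1 }'
}

printf '%s\n' "$SAMPLE" | bridge_member_states
printf 'not forwarding: %s\n' "$(printf '%s\n' "$SAMPLE" | non_forwarding_members)"
```

Run it on both firewalls: if the second bridge's vlan1 member sits in a non-forwarding state while the first box is down, the switch ports (not the FreeBSD bridges) are the next place to look, since the post notes STP is disabled on every other switch port.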