[Soekris] OpenBSD pf transparent bridge - hardware tricks
Art Arica3D
nikicart at gmail.com
Sun Feb 25 14:58:56 UTC 2007
This is great, exactly the type of solution I was hoping to find.
Ok, so here is how I am considering doing this:
Reference picture: http://www.soekris.com/Pictures/net4801_E7_Open_m.jpg
========== ASCII Art, use fixed width font ===================
[ lan1641, left, 4 ports ]        [ net4801, right, 3 ports ]
  p6     p5     p4     p3           p2     p1     p0
  **     !!     $$                  $$     !!     @@
  **     !!     $$$ crossover data $$$$    !!     @@
  **     !!                                !!     @@@ to server @@
  **     !!!!!!  crossover cable admin  !!!!!!
  **
  ***** incoming feed from ISP ******************************
This firewall would have 7 usable Ethernet ports. I am only using 6
for this project.
There is one single internet feed from the ISP, it goes into port p6
and is if_bridge tied to ports p5 and p4. Essentially making a 3 port
Ethernet hub with p6+p5+p4.
The admin interface crossover cable is connected from the virtual hub
on port p5 to the admin interface port p1.
The dirty data interface crossover cable is connected from the virtual
hub on port p4 to the dirty data interface on port p2.
A transparent bridge is created between interfaces p2 and p0 and pf
firewall software acts on the packets that go between the
protected_server on port p0 and the unfiltered internet on port p2.
This OpenBSD system has only 1 single IP address, assigned to
dedicated port p1 and is blocked by pf to only allow ssh access.
Interrupt Hell
==================
Assuming this works as I describe... am I likely to have horrible
performance? As a single incoming packet going from internet to
server must travel: in p6, out p4, in p2, out p0. I do not need full
100 megabit line speed, I would be happy to get 10 megabits of data
per second through this firewall.
Thank you.
On 2/25/07, soekris-tech-request at lists.soekris.com
<soekris-tech-request at lists.soekris.com> wrote:
> Date: Sat, 24 Feb 2007 17:19:40 -0500
> From: "Ryan McIntosh" <rmcintosh at nitemare.net>
> Subject: Re: [Soekris] OpenBSD pf transparent bridge - hardware tricks
> To: "'Luigi Rizzo'" <rizzo at icir.org>
> Cc: soekris-tech at lists.soekris.com
> Message-ID: <001701c75861$e08fa210$a1aee630$@net>
> Content-Type: text/plain; charset="us-ascii"
>
> As per the question of switching on the lan1641, under OBSD I don't know,
> but under FreeBSD you can easily bridge ports together with the if_bridge
> module. I assume OpenBSD has the same capabilities knowing that FreeBSD uses
> a lot of similar code. If that is a simple viable solution for you, go for
> it, otherwise there's some other options depending on what kind of hardware
> you're actually using in the setup.
>
> Ryan McIntosh
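A worked configuration for the wiring described in the post above, added here as an example; it is not part of the original thread and not taken from the Soekris or OpenBSD documentation. It assumes the net4801 ports p2/p1/p0 appear as sis2/sis1/sis0 and the lan1641 ports p6/p5/p4/p3 as sis6/sis5/sis4/sis3 (check dmesg on the actual box), the current OpenBSD hostname.if(5) and ifconfig(8) bridge syntax (releases before 4.7 used /etc/bridgename.bridge0 with brconfig(8) instead), and placeholder addresses from 192.0.2.0/24.

```conf
# --- interface and bridge layout (assumed sisN names; adjust after checking dmesg) ---

# /etc/hostname.sis6, /etc/hostname.sis5, /etc/hostname.sis4: hub members, no address
up

# /etc/hostname.bridge0: the 3-port "virtual hub" p6+p5+p4
add sis6
add sis5
add sis4
up

# /etc/hostname.sis2 and /etc/hostname.sis0: members of the filtering bridge, no address
up

# /etc/hostname.bridge1: the transparent bridge between dirty p2 and protected p0
add sis2
add sis0
up

# /etc/hostname.sis1: the only routed interface (placeholder address)
inet 192.0.2.10 255.255.255.0

# --- /etc/pf.conf ---
admin_if = "sis1"                    # p1: ssh only
ext_if   = "sis2"                    # p2: dirty side of the filtering bridge
int_if   = "sis0"                    # p0: protected_server side
hub_ifs  = "sis6 sis5 sis4"          # p6 p5 p4: the virtual hub, forwards blindly
server   = "192.0.2.80"              # placeholder: protected_server address
table <mgmt> { 192.0.2.0/24 }        # placeholder: where ssh to the firewall may come from

# A bridged packet is seen by pf on both member interfaces (in on one,
# out on the other). Skipping $int_if means every rule is written once,
# on the dirty side; the hub members carry no filtering at all.
set skip on { lo0 $hub_ifs $int_if }

block log all

# Management: ssh to the firewall's own address, from the management net only.
# The admin port hangs off the same hub as the ISP feed, so this source
# restriction is what keeps sshd off the open internet.
pass in on $admin_if proto tcp from <mgmt> to ($admin_if) port 22

# Transparent bridge, inbound from the internet to the protected server.
pass in on $ext_if proto tcp to $server port { 80 443 }
pass in on $ext_if proto icmp to $server icmp-type echoreq

# Transparent bridge, the server's own outbound connections.
pass out on $ext_if from $server
```

State is created on the first packet of each connection at $ext_if, and since pf states are floating by default the reply is matched whichever direction it crosses the bridge; the services allowed to the server (80/443 here) are placeholders to be replaced by whatever protected_server actually runs. Because p1 is reachable from the hub, the <mgmt> table is the only thing standing between the ISP feed and sshd, so it should be kept as narrow as the administrator's real source addresses allow.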