Brett Glass wrote:
> I'd like to create what might be called a "non-bridge" on a FreeBSD
> machine. I'd like to put two Ethernet interfaces on the machine which
> have the same IP address and subnet, and use those interfaces to
> communicate with clients. However, I do not want the clients on one
> interface to be able to send packets through to the clients on the
> other interface.

possibly you could just bridge them together but use
ipfw on the bridge to enforce isolation.
OR you could possibly make a netgraph version of that..

> Why would I want to do a thing like this? Well, as you probably know,
> wireless access points often have a "client isolation" option which
> allows the clients to talk to the AP (and the Internet) but not to
> one another. This is a good thing, because it prevents users of the
> wireless LAN from hacking one another; each of them can only see
> what's "upstream" of the access point.
>
> I have a situation where I need to put up more than one AP, on the
> same subnet, behind a FreeBSD machine which will be serving as an
> Internet gateway. I'd plug both APs into a switch and connect the
> switch to the FreeBSD machine, but if I did this, the access points'
> "client isolation" feature would not be sufficient to isolate all of
> the clients from one another. Each AP would isolate its OWN clients
> from one another, but would let each of them communicate with ALL of
> the clients on the other AP!
>
> My first idea of how to solve this problem is to set the FreeBSD
> machine up as a bridge, but then block all packets that try to go in
> one Ethernet interface and out the other. But will this work? Will
> the FreeBSD machine know which interface to use to communicate with
> each client, and only send packets for each one out of the
> appropriate interface? Also, is there a way to do this without
> putting the interfaces into promiscuous mode (which slows things down
> considerably)? After all, since the FreeBSD machine is acting as a
> gateway, it should really only look at packets that are addressed to
> it.

you can't really avoid the promiscuous mode part if you use bridging...
A specific netgraph configuration might be able to do it but it'd need some
work.

Another possibility is to use FreeBSD 4 and apply the vimage patches
to make 3 virtual machines.
(or 7.0 and use the current vimage patches that Marko has brewing up
in perforce)

> --Brett Glass
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
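The "bridge them together but use ipfw on the bridge to enforce isolation" suggestion above, written out as an added example (this is not code from the thread or from FreeBSD itself). It assumes the if_bridge(4) driver and the ipfw layer-2 hook of later FreeBSD releases (the `net.link.bridge.ipfw` and `net.link.bridge.ipfw_arp` sysctls), interface names em0/em1 and bridge0, and the gateway address 192.0.2.1/24; all of those names are assumptions. The two `deny ... recv X xmit Y` rules drop any frame the bridge would forward from one member to the other, while frames destined for the bridge itself (the gateway, and through it the Internet) are still delivered. Note that with if_bridge the IP address goes on bridge0, not on the two members, and the members are put into promiscuous mode by the bridge, as the reply says. By default the script only prints the ruleset; run it with `apply` to configure the machine.

```shell
#!/bin/sh
# Added example (not from the original thread): client isolation between
# two bridged Ethernet ports using ipfw layer-2 rules on FreeBSD.
# Assumed names: em0/em1 (AP-facing ports), bridge0, 192.0.2.1/24 (gateway).
INSIDE_A=${INSIDE_A:-em0}
INSIDE_B=${INSIDE_B:-em1}
BRIDGE=${BRIDGE:-bridge0}
GW_ADDR=${GW_ADDR:-192.0.2.1/24}

# Emit the ipfw ruleset for two bridge members as text, so it can be
# reviewed before it is loaded. "layer2" restricts a rule to frames seen
# by the bridge hook; "recv"/"xmit" name the ingress and egress members.
isolation_rules() {
    a=$1
    b=$2
    cat <<EOF
add 100 deny ip from any to any layer2 recv $a xmit $b
add 110 deny ip from any to any layer2 recv $b xmit $a
add 200 allow ip from any to any layer2
add 300 allow ip from any to any
EOF
}

# Count the rules that cross between the two members; both directions
# must be covered or one side can still reach the other.
cross_port_denies() {
    isolation_rules "$1" "$2" | grep -c "deny ip from any to any layer2 recv"
}

# Build the bridge, enable the ipfw layer-2 hook (and pass ARP through it
# so clients cannot even resolve each other), then load the rules.
apply_all() {
    sysctl net.link.bridge.ipfw=1
    sysctl net.link.bridge.ipfw_arp=1
    ifconfig "$BRIDGE" create
    ifconfig "$INSIDE_A" up
    ifconfig "$INSIDE_B" up
    ifconfig "$BRIDGE" addm "$INSIDE_A" addm "$INSIDE_B" up
    ifconfig "$BRIDGE" inet "$GW_ADDR"
    # Rule 300 stands in for the gateway's own IP-layer ruleset (NAT etc.),
    # which is outside the scope of this example.
    isolation_rules "$INSIDE_A" "$INSIDE_B" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of the rule is intended
        ipfw -q $rule
    done
}

case "${1:-dry-run}" in
    apply) apply_all ;;
    *)     isolation_rules "$INSIDE_A" "$INSIDE_B" ;;
esac
```

Rule 200 is needed because a bridged frame that matches no rule falls through to the default rule (65535), which denies unless the kernel was built to accept by default. Rule 100/110 ordering does not matter, but both directions are required: a single deny would still let replies from one port reach the other.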