Hi Ronald, thank you for your reply.
On Sun, Mar 23, 2025 at 08:21:21PM +0100, Ronald Klop wrote:
> I assume that in your setup igb0 is the host interface as well as bridge member.
That's correct.
> That makes the setup a bit hard to reason about. IMHO you now have a virtual setup
> which you wouldn't be able to replace with physical hardware. To mimic a physical
> setup you could add another epair interface to act as the host interface and
> leave igb0 as a bridge member only.
That's something I've not considered.
> igb0 ---+--- tap0 -- vmnet
>         |
>         +--- tap1 -- vmnet
>         |
>         +-- epair0a -- epair0b (this is where the host should listen on)
> And instead of putting the host IP address on igb0 you should put this
> on epair0b.
> By default the ipfw firewall will then see the IP traffic of epair0b, as all
> the other interfaces only pass ethernet traffic around.
> Something like this in /etc/rc.conf should do the trick.
> cloned_interfaces="bridge0 epair0 tap0 tap1"
> ifconfig_bridge0="addm igb0 addm epair0a addm tap0 addm tap1"
> ifconfig_igb0="up"
> ifconfig_epair0a="up"
> ifconfig_epair0b="SYNCDHCP" # or some other inet config
OK, I'll try that.
What I have tried, just for interest, in pf.conf (I know pf is unsuitable, but for an experiment): in /etc/rc.conf, there is
cloned_interfaces="bridge0 tap0 tap1"
ifconfig_bridge0="addm igb0 addm tap0 addm tap1"   # each member needs its own addm
in /etc/pf.conf, there's
int_if="igb0"
ext_if="igb1"
int_taps="{ tap0, tap1 }"
<snip>
set skip on lo0
set skip on $int_taps
set block-policy drop
<snip>
This gets weird effects like the VM on tap0 can't ping tap1, and so on.
I was wondering if something like "set skip on mac_address" would work
in the ipfw context, and what its syntax was for specific layer2
filtering.
--
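As an added illustration of the ipfw layer-2 syntax asked about above (my own example, not code from Ronald or the original poster), here is a firewall_script-style rule file for the epair0b layout described in the thread. Everything not in the thread is an assumption: the file name /etc/ipfw.rules, the two bhyve-style VM MAC addresses, the layer-3 policy on epair0b, and the reading of bridge(4)/if_bridge that a frame forwarded by the bridge reaches ipfw once, on the way out to the destination member, still carrying the member it came in on as its receive interface (which is what "recv tapN" tests). Confirm that last point on your own box with the rule counters from ipfw show before relying on it.

```shell
#!/bin/sh
# /etc/ipfw.rules: per-tap MAC pinning at layer 2, IP filtering on epair0b.
# Added example for the thread above, not from the thread itself.
# Hook it up in /etc/rc.conf with
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"
# rc.d/ipfw then runs it as "/bin/sh /etc/ipfw.rules ${firewall_type}".

IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}
VM0_MAC="58:9c:fc:00:00:01"      # assumed MAC of the VM behind tap0 (made up)
VM1_MAC="58:9c:fc:00:00:02"      # assumed MAC of the VM behind tap1 (made up)

enable_layer2() {
    # Hand bridged frames to ipfw. Setting net.link.bridge.ipfw=1 also
    # clears pfil_member and pfil_bridge, so the bridge path is judged by
    # the layer-2 rules only. ARP needs its own knob. See bridge(4).
    $SYSCTL net.link.bridge.ipfw=1
    $SYSCTL net.link.bridge.ipfw_arp=1
}

load_rules() {
    $IPFW -q flush

    # Layer 2. "MAC dst src" is wire order (destination first), the
    # opposite of "from src to dst". "layer2" keeps these rules from also
    # matching the same packet's later layer-3 pass. "recv tapN" is the
    # member the frame entered on (assumption: the bridge leaves rcvif
    # pointing at that member; check with ipfw show).
    $IPFW -q add 100 allow all from any to any MAC any $VM0_MAC layer2 recv tap0
    $IPFW -q add 110 allow all from any to any MAC any $VM1_MAC layer2 recv tap1
    # Any other source MAC entering from a tap is spoofed or unexpected.
    $IPFW -q add 120 deny all from any to any layer2 recv tap0
    $IPFW -q add 130 deny all from any to any layer2 recv tap1
    # Frames from igb0 and from the host side (epair0a) are bridged as usual.
    # To confine a tap to IPv4 and ARP, add "mac-type ipv4,arp" to its allow rule.
    $IPFW -q add 200 allow all from any to any layer2

    # Layer 3: epair0b is the only interface carrying the host address, so
    # it is the only place the host's own IP traffic is filtered.
    $IPFW -q add 300 allow ip from any to any via lo0
    $IPFW -q add 310 check-state
    $IPFW -q add 320 allow tcp from me to any out via epair0b setup keep-state
    $IPFW -q add 330 allow udp from me to any out via epair0b keep-state
    $IPFW -q add 340 allow icmp from any to any via epair0b
    $IPFW -q add 350 allow tcp from any to me 22 in via epair0b setup keep-state
    $IPFW -q add 65000 deny ip from any to any
}

# "sh /etc/ipfw.rules -n" prints the commands instead of running them.
# Without ipfw on the box (or when only sourced for its functions) do nothing.
if [ "$1" = "-n" ]; then
    IPFW="echo ipfw" SYSCTL="echo sysctl"
fi
if [ "$1" = "-n" ] || [ -x "$IPFW" ]; then
    enable_layer2
    load_rules
fi
```

Rule 200 matters: once the bridge passes frames to ipfw, the default rule 65535 would otherwise drop every frame that is not explicitly allowed, including ARP and the host's own traffic crossing epair0a. The layer-3 block never sees bridged VM packets in this arrangement, which is the separation Ronald describes: the members shuffle Ethernet frames, epair0b is where IP is filtered.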