On 2024-08-06, Y C <yogi9...@gmail.com> wrote:
> I’m seeking assistance with 802.1x security support using OpenBSD 7.3 as a
> firewall/router.
>
> Here’s a depiction of my setup: I am attempting to use 802.1x security on a
> client VM.
>
> **RADIUS Server VM (Ubuntu OS)** ------ connected -------- **Authenticator
> VM (Ubuntu OS)** -------------- connected ----- **(vic0) OpenBSD Router
> (vic1)** --- **Client VM (Ubuntu)**
>
> When the OpenBSD Router is not present, everything functions correctly.
>
> With the OpenBSD router, when 802.1x security is disabled, pinging between all
> VMs works, and the interface is able to connect.
>
> On OpenBSD:
>
> - I have created a bridge.
> - Added two interfaces, vic0 and vic1, into bridge0.
> - Allowed `net.ip.inet.forwarding=1`.
> - In pf.conf added 'pass all', one rule only.
>
> The RADIUS Server authenticates the client request. The Authenticator VM
> passes the packets to the server using the hostapd utility. On the client,
> I am using a UI-based method to set up the 802.1x security.
>
> My question is: Why are EAPOL packets not being forwarded by the OpenBSD
> Router?
EAPoL frames wouldn't be forwarded by a _router_ anyway as they are not IP.

The MAC address used, 01:80:C2:00:00:03, is part of the 01:80:C2:00:00:0x set of "MAC Bridge Filtered MAC Group Addresses" (802.1d) that a switch is not supposed to forward.

There is a special purpose "mini switch" in OpenBSD, tpmr(4), that only handles two ports. That one _can_ be configured to permit these protocols (see the manual, it only talks about LACP/STP but EAPoL should be handled the same) which might let you do what you want.

-- 
Please keep replies on the mailing list.
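To make the two points in the reply concrete (a router only acts on IP EtherTypes, and an 802.1D bridge must not relay frames sent to the 01:80:C2:00:00:00..0F group addresses), here is a small frame classifier. It is an added example, not code from the thread or from OpenBSD: the three frames are constructed inline (the source MACs and IP addresses are made up), and the classifier models only the generic 802.1D filtering rule, not the tpmr(4) link flags, whose exact semantics should be taken from the manual.

```python
"""Classify Ethernet frames as an IP router and a plain 802.1D bridge would.

Added example (not from the mailing-list thread). All frames below are
constructed by hand for illustration; the unicast MACs and IPs are fictitious.
"""
import struct

# 01:80:C2:00:00:00 .. 01:80:C2:00:00:0F: "MAC Bridge Filtered MAC Group
# Addresses" (IEEE 802.1D). A conforming bridge never relays these.
BRIDGE_FILTERED_PREFIX = bytes.fromhex("0180c20000")
BRIDGE_FILTERED_NAMES = {
    0x00: "Bridge Group Address (STP/RSTP/MSTP BPDUs)",
    0x01: "IEEE MAC-specific Control Protocols (802.3x PAUSE)",
    0x02: "IEEE 802 Slow Protocols (LACP, OAM)",
    0x03: "IEEE 802.1X PAE address (EAPOL)",
    0x0E: "IEEE 802.1AB LLDP",
}

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x888E: "EAPOL"}
# Only these EtherTypes carry something an IP router will look at.
ROUTABLE_ETHERTYPES = {0x0800, 0x86DD}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_ethernet(frame: bytes):
    """Split a frame into (dst, src, ethertype_or_length, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, etype, frame[14:]


def is_bridge_filtered(dst: bytes) -> bool:
    """True for 01:80:C2:00:00:00 .. 0F, which 802.1D says a bridge must not relay."""
    return dst[:5] == BRIDGE_FILTERED_PREFIX and dst[5] <= 0x0F


def classify(frame: bytes) -> dict:
    dst, src, etype, _payload = parse_ethernet(frame)
    # Values <= 1500 are an 802.3 length field (LLC follows), not an EtherType.
    if etype <= 1500:
        proto = "802.3/LLC"
    else:
        proto = ETHERTYPE_NAMES.get(etype, f"EtherType 0x{etype:04x}")
    filtered = is_bridge_filtered(dst)
    reason = (BRIDGE_FILTERED_NAMES.get(dst[5], "reserved 802.1D group address")
              if filtered else "not a reserved group address")
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "protocol": proto,
        "router_forwards": etype in ROUTABLE_ETHERTYPES,  # routers ignore non-IP
        "bridge_forwards": not filtered,                  # plain 802.1D behaviour
        "reason": reason,
    }


# --- constructed sample frames (not captures) -------------------------------
CLIENT_MAC = bytes.fromhex("020000000001")   # fictitious, locally administered
PEER_MAC = bytes.fromhex("020000000002")     # fictitious

# EAPOL-Start: dst = PAE group address, EtherType 0x888E, version 1, type 1, len 0
EAPOL_START = bytes.fromhex("0180c2000003") + CLIENT_MAC + struct.pack("!H", 0x888E) + bytes([1, 1, 0, 0])

# STP configuration BPDU: dst = Bridge Group Address, 802.3 length 38, LLC 42 42 03
STP_BPDU = bytes.fromhex("0180c2000000") + PEER_MAC + struct.pack("!H", 38) + bytes([0x42, 0x42, 0x03]) + bytes(35)

# Unicast IPv4 (minimal 20-byte header, proto 1 = ICMP), 10.0.0.1 -> 10.0.0.2
IPV4_PING = PEER_MAC + CLIENT_MAC + struct.pack("!H", 0x0800) + bytes.fromhex(
    "4500001400010000400100000a0000010a000002")


def demo() -> list:
    return [classify(f) for f in (EAPOL_START, STP_BPDU, IPV4_PING)]


if __name__ == "__main__":
    for c in demo():
        print(f"{c['dst']} {c['protocol']:<10} router={c['router_forwards']!s:<5} "
              f"bridge={c['bridge_forwards']!s:<5} {c['reason']}")
```

Run it and the EAPOL-Start line shows both columns false: the router has no IP packet to route, and a plain bridge drops it because of the destination group address, which is exactly the situation in the question; the IPv4 frame passes both, which matches "pinging works when 802.1x is disabled".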