Hi, I have 3 transparent firewalls on 3 T1s with a LAN behind each supporting multiple servers.
Existing: Servers1<->Switch1<->FreeBSD Firewall1<->T1 Router1 Servers2<->Switch2<->FreeBSD Firewall2<->T1 Router2 Servers3<->Switch3<->FreeBSD Firewall3<->T1 Router3 These firewalls are workstation class computers running FreeBSD 6.2, if_bridge and ipfw. This has worked quite well with the exception of hardware failures because of the workstations hardware. I can afford one server-class blade with 3 2-port NICs, but not three complete quality servers. I would like to get to one firewall machine yet maintain the isolation of the circuits and servers. Target: 1 firewall, 4 nics, if_bridge (1 bridge) and ipfw AllServers<->Switch<->FreeBSD Firewall<->T1 Router1 <->T1 Router2 <->T1 Router3 or 1 firewall 6 nics, if_bridge (3 bridges) and ipfw Servers1<->Switch1<->FreeBSD Firewall<->T1 Router1 Servers2<->Switch2<-> <->T1 Router2 Servers3<->Switch3<-> <->T1 Router3 Initially I designed the replacement using a single if_bridge with a single LAN backbone as shown first here. After trying to design the rules, I concluded that it was either illogical or beyond my ipfw rule skills. Then it occurred to me to try to run three if_bridge devices as shown in the second Target One box, 6 NICs, 3 networks kept isolated for arp but IP-managed in a single instance of ipfw. I got as far as attempting this: ifconfig bridge0 create ifconfig bridge0 addm rl0 addm em0 up ifconfig bridge1 create ifconfig bridge1 addm vx0 up It created the devices but obviously is not something I could test to see if it actually worked as two discrete bridges. I've no additional hardware, but before I buy anything, I thought I could simply ask if if_bridge is meant to do this. I have googled, checked man (if_bridge, ipfirewall, ipfw), and the handbook, but I can't find anywhere that specifically says if_bridge is designed to support multiple bridges on one computer. My questions are: 1. Is if_bridge is designed to support more than one bridge on a single machine by creating multiple bridge devices (only, of course with multiple NICs on the second and tertiary bridges)? 2. If so, does it retain complete isolation of the bridges (e.g. for ARP) while allowing ipfw to examine all three simultaneously? 3. Should I be exploring a different FreeBSD route to implement this. Please let me know if this should actually go to the FreeBSD-Net List. Thank you, Chris Pratt _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"