I think you can do this on OpenBSD with https://github.com/eait-itig/commarp 
and just routing on em0. I don’t think any layer 2 things like bridge or veb 
are needed, and probably won’t work anyway because as Claudio said, they don’t 
want to hairpin anyway.

That code doesn’t have any manpages unfortunately. commarp wants a config file 
saying which interface it should run on and which IPs it should intercept ARP 
for. eg:

$ cat /etc/commarp.conf
interface em0 {
        allow 192.168.1.16 - 192.168.1.254
}

There’s no point rewriting ARP requests for the IP your router is using on that 
subnet, or carp addresses on that subnet, etc.
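As an added illustration of that last point (not part of this post or of commarp itself), here is a small checker that parses a config in the shape of the commarp.conf above and flags any allow range that covers an address the box itself holds; the block grammar, the comment syntax and the local address list are assumptions made for the example:

```python
import ipaddress
import re

# Constructed sample in the shape of the /etc/commarp.conf shown above.
# The second "allow" line deliberately covers the router's own address.
SAMPLE_CONF = """\
interface em0 {
        allow 192.168.1.16 - 192.168.1.254
        allow 192.168.1.1 - 192.168.1.3
}
"""

# Assumed addresses held by em0 and by a carp interface on the same subnet.
LOCAL_ADDRS = {"em0": ["192.168.1.1"], "carp0": ["192.168.1.2"]}

_IFACE = re.compile(r"^\s*interface\s+(\S+)\s*\{\s*$")
_ALLOW = re.compile(r"^\s*allow\s+(\S+)\s*-\s*(\S+)\s*$")
_CLOSE = re.compile(r"^\s*\}\s*$")

def parse_commarp_conf(text):
    """Parse 'interface X { allow A - B ... }' blocks (grammar assumed from
    the sample above; '#' comment lines are an assumption too) into
    {iface: [(first, last), ...]} with IPv4Address endpoints."""
    conf, iface = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if (m := _IFACE.match(line)) and iface is None:
            iface = m.group(1)
            conf.setdefault(iface, [])
        elif (m := _ALLOW.match(line)) and iface is not None:
            first, last = (ipaddress.IPv4Address(g) for g in m.groups())
            if last < first:
                raise ValueError(f"line {lineno}: range end before start")
            conf[iface].append((first, last))
        elif _CLOSE.match(line) and iface is not None:
            iface = None
        else:
            raise ValueError(f"line {lineno}: unexpected {line.strip()!r}")
    if iface is not None:
        raise ValueError(f"unterminated interface block for {iface}")
    return conf

def find_self_intercepts(conf, local_addrs):
    """Return (iface, first, last, addr) for every allow range that would
    make commarp answer ARP for an address this box itself holds."""
    owned = {ipaddress.IPv4Address(a) for al in local_addrs.values() for a in al}
    hits = []
    for iface, ranges in conf.items():
        for first, last in ranges:
            for addr in sorted(owned):
                if first <= addr <= last:
                    hits.append((iface, str(first), str(last), str(addr)))
    return hits

if __name__ == "__main__":
    for hit in find_self_intercepts(parse_commarp_conf(SAMPLE_CONF), LOCAL_ADDRS):
        print("warning: %s allow %s - %s covers local address %s" % hit)
```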


> On 24 Jan 2023, at 22:16, Cristian Danila <clau...@postmail.ro> wrote:
> 
> Hi Tom,
> 
> I am familiar with options you mentioned, veb, bridge and isolated ports.
> I am having another transparent filter based on veb; also I am aware about
> protected members, but my use case is different.
> 
> Let me try to explain maybe with different words.
> OpenBSD box is having only one cable input, so what would be the
> benefit of having protected members?
> Protected members are isolating the communication between members of a
> bridge, in my case
> I have only one NIC, so if a bridge would be helpful, I can have a
> bridge with single member,
> therefore isolating that member from who?
> OpenBSD box has only one wire connected to a physical switch, so it
> can communicate with all members
> of the switch, but the physical switch itself does not permit
> communication between members as explained.
> So it is a desire that OpenBSD box is the one that is making possible
> communication between different
> members of the switch through same wire.
> 
> Let me try to draw it, I hope it will help more
> 
> DEVICE1 DEVICE2 DEVICE3
>     |               |              |
>     |               |              |
> -----------------------------------------------------------
> PORT1     PORT2    PORT3     PORT 20
>    |               |              |_________|
>    |               |_________________ |
>    |__________________________ |
> PHYSICAL SWITCH DEVICE          |
> ---------------------------------------------------|--------
>                                                   |
>                                                   |
>                                                   |
>                                       OPEN BSD BOX
> 
> 
> Thank you.
> 
> 
> On Tue, Jan 24, 2023 at 1:43 PM Tom Smyth <tom.sm...@wirelessconnect.eu> 
> wrote:
>> 
>> Hello Cristian,
>> if you want to filter on layer 2 ... you would need to use Bridge....
>> have a look at  man ifconfig(8)
>> bridge filter rules can be added to ports in the bridge...
>> you can also tag traffic in bridge filter rules and then use PF to
>> filter them...
>> 
>> but if your objective is to isolate ports from each other.. this can
>> be achieved with protected port groups...
>> again check out ifconfig (8)
>> TLDR version bridge ports in the same protected port group are
>> isolated from each other...
>> If port isolation is all you're looking for (no other detailed filtering
>> ) if (I'm not sure) veb(4) supports protected ports...then this would
>> be faster...
>> but to my shame I have not tried out veb(4)
>> 
>> I hope this is of some use...
>> 
>> On Tue, 24 Jan 2023 at 11:29, Cristian Danila <clau...@postmail.ro> wrote:
>>> 
>>> Hello
>>> 
>>> I have a more difficult task that I would like to solve with OpenBSD
>>> and I would really
>>> appreciate any ideas if it is possible to achieve such.
>>> 
>>> I have:
>>> - one OpenBSD box with one Ethernet port
>>> - one big switch with multiple devices connected
>>> 
>>> All switch ports are isolated from each other with one exception:
>>> - All ports can communicate with only one Ethernet port (let's say port 20)
>>> 
>>> Now what I would like to achieve is to connect an Ethernet cable between
>>> OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
>>> filtering hub.
>>> 
>>> So I need OpenBSD box to be a transparent bridge and filter between
>>> clients of the switch.
>>> 
>>> Can anybody suggest a point where I can think about?
>>> I was thinking initially to add the nic(em0) to veb0 then with link1
>>> achieve L3 filtering but
>>> definitely I think I miss something important.
>>> I am open to research everything that is needed for it, but I miss a
>>> starting point and I would
>>> really appreciate any hint.
>>> 
>>> Kind regards,
>>> Claudiu
>>> 
>> 
>> 
>> --
>> Kindest regards,
>> Tom Smyth.
> 