Hi David, is that like a local proxy ARP type setup (on typical
networking gear)?

On Tue, 24 Jan 2023 at 23:45, David Gwynne <da...@gwynne.id.au> wrote:
>
> I think you can do this on OpenBSD with https://github.com/eait-itig/commarp
> and just routing on em0. I don’t think any layer 2 things like bridge or veb
> are needed, and they probably won’t work anyway because, as Claudio said, they
> don’t want to hairpin.
>
> That code doesn’t have any manpages unfortunately. commarp wants a config
> file saying which interface it should run on and which IPs it should
> intercept ARP for, e.g.:
>
> $ cat /etc/commarp.conf
> interface em0 {
>         allow 192.168.1.16 - 192.168.1.254
> }
>
> There’s no point rewriting ARP requests for the IP your router is using on 
> that subnet, or carp addresses on that subnet, etc.
>
>
> > On 24 Jan 2023, at 22:16, Cristian Danila <clau...@postmail.ro> wrote:
> >
> > Hi Tom,
> >
> > I am familiar with the options you mentioned: veb, bridge and isolated ports.
> > I have another transparent filter based on veb, and I am also aware of
> > protected members, but my use case is different.
> >
> > Let me try to explain, maybe with different words.
> > The OpenBSD box has only one cable input, so what would be the
> > benefit of having protected members?
> > Protected members isolate the communication between members of a
> > bridge; in my case I have only one NIC, so if a bridge would be helpful,
> > I can have a bridge with a single member, therefore isolating that member
> > from whom?
> > The OpenBSD box has only one wire connected to a physical switch, so it
> > can communicate with all members of the switch, but the physical switch
> > itself does not permit communication between members, as explained.
> > So the desire is that the OpenBSD box is the one that makes
> > communication between different members of the switch possible through
> > the same wire.
> >
> > Let me try to draw it, I hope it will help more
> >
> > DEVICE1 DEVICE2 DEVICE3
> >     |               |              |
> >     |               |              |
> > -----------------------------------------------------------
> > PORT1     PORT2    PORT3     PORT 20
> >    |               |              |_________|
> >    |               |_________________ |
> >    |__________________________ |
> > PHYSICAL SWITCH DEVICE          |
> > ---------------------------------------------------|--------
> >                                                   |
> >                                                   |
> >                                                   |
> >                                       OPEN BSD BOX
> >
> >
> > Thank you.
> >
> >
> > On Tue, Jan 24, 2023 at 1:43 PM Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
> >>
> >> Hello Cristian,
> >> if you want to filter on layer 2 ... you would need to use Bridge....
> >> have a look at man ifconfig(8)
> >> bridge filter rules can be added to ports in the bridge...
> >> you can also tag traffic in bridge filter rules and then use PF to
> >> filter them...
> >>
> >> but if your objective is to isolate ports from each other.. this can
> >> be achieved with protected port groups...
> >> again check out ifconfig(8)
> >> TLDR version: bridge ports in the same protected port group are
> >> isolated from each other...
> >> If port isolation is all you're looking for (no other detailed
> >> filtering), and if (I'm not sure) veb(4) supports protected ports... then
> >> this would be faster...
> >> but to my shame I have not tried out veb(4)
> >>
> >> I hope this is of some use...
> >>
> >> On Tue, 24 Jan 2023 at 11:29, Cristian Danila <clau...@postmail.ro> wrote:
> >>>
> >>> Hello
> >>>
> >>> I have a more difficult task that I would like to solve with OpenBSD,
> >>> and I would really appreciate any ideas on whether it is possible to
> >>> achieve this.
> >>>
> >>> I have:
> >>> - one OpenBSD box with one Ethernet port
> >>> - one big switch with multiple devices connected
> >>>
> >>> All switch ports are isolated from each other, with one exception:
> >>> - all ports can communicate with only one Ethernet port (let's say port 20)
> >>>
> >>> Now what I would like to achieve is to connect an Ethernet cable between
> >>> the OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> >>> filtering hub.
> >>>
> >>> So I need the OpenBSD box to be a transparent bridge and filter between
> >>> clients of the switch.
> >>>
> >>> Can anybody suggest a starting point I can think about?
> >>> I was thinking initially to add the NIC (em0) to veb0 and then with link1
> >>> achieve L3 filtering, but I definitely think I am missing something
> >>> important.
> >>> I am open to researching everything that is needed for it, but I lack a
> >>> starting point and I would really appreciate any hint.
> >>>
> >>> Kind regards,
> >>> Claudiu
> >>>
> >>
> >>
> >> --
> >> Kindest regards,
> >> Tom Smyth.
> >
>


-- 
Kindest regards,
Tom Smyth.
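The commarp configuration David quotes above, with a sanity check for the caveat he adds: the allow range should not cover the router's own address or any carp address on that subnet, and should stay inside the subnet. This is an added example, not code from commarp or from anyone in the thread; the config grammar (`interface NAME { allow FIRST - LAST }`) is assumed from the snippet shown, and all addresses are constructed.

```python
import ipaddress
import re

# Constructed sample in the shape shown in the thread. Assumed grammar:
# "interface NAME { allow FIRST - LAST }"; commarp's real parser may differ.
SAMPLE_CONF = """\
interface em0 {
        allow 192.168.1.16 - 192.168.1.254
}
"""

_IFACE_RE = re.compile(r"interface\s+(\S+)\s*\{(.*?)\}", re.S)
_ALLOW_RE = re.compile(r"allow\s+(\S+)\s*-\s*(\S+)")


def parse_commarp_conf(text):
    """Return {ifname: [(first_ip, last_ip), ...]} for each interface block."""
    conf = {}
    for block in _IFACE_RE.finditer(text):
        ranges = []
        for rng in _ALLOW_RE.finditer(block.group(2)):
            lo = ipaddress.ip_address(rng.group(1))
            hi = ipaddress.ip_address(rng.group(2))
            if lo > hi:
                raise ValueError(f"reversed range {lo} - {hi}")
            ranges.append((lo, hi))
        conf[block.group(1)] = ranges
    return conf


def check_ranges(conf, local_addrs):
    """Flag allow ranges that cover one of the box's own addresses (it would
    answer ARP for itself) or that stray outside the interface's subnet.
    local_addrs: {ifname: ["addr/prefix", ...]} for the interface address and
    any carp addresses on that subnet.  Returns [(ifname, reason), ...]."""
    problems = []
    for ifname, ranges in conf.items():
        for addr in local_addrs.get(ifname, ()):
            iface = ipaddress.ip_interface(addr)
            for lo, hi in ranges:
                if lo not in iface.network or hi not in iface.network:
                    problems.append((ifname, f"{lo}-{hi} leaves {iface.network}"))
                if lo <= iface.ip <= hi:
                    problems.append((ifname, f"{iface.ip} inside {lo}-{hi}"))
    return problems
```

Run `check_ranges` with the interface address and every carp address on that subnet; an empty list means the range excludes them all and fits the subnet.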
