> On 25 Jan 2023, at 09:47, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
>
> Hi David is that like a local proxy arp type setup (on typical
> networking gear) .. ?
I’ve never had a clear idea about what proxy ARP is, and the only time it comes
up in conversation is when people complain about problems it causes. Do you
have a definition of what you think it means before I say yes or no?
>
> On Tue, 24 Jan 2023 at 23:45, David Gwynne <da...@gwynne.id.au> wrote:
>>
>> I think you can do this on OpenBSD with https://github.com/eait-itig/commarp
>> and just routing on em0. I don’t think any layer 2 things like bridge or veb
>> are needed, and probably won’t work anyway because as Claudio said, they
>> don’t want to hairpin anyway.
>>
>> That code doesn’t have any manpages unfortunately. commarp wants a config
>> file saying which interface it should run on and which IPs it should
>> intercept ARP for. eg:
>>
>> $ cat /etc/commarp.conf
>> interface em0 {
>> allow 192.168.1.16 - 192.168.1.254
>> }
>>
>> There’s no point rewriting ARP requests for the IP your router is using on
>> that subnet, or carp addresses on that subnet, etc.
>>
>>
>>> On 24 Jan 2023, at 22:16, Cristian Danila <clau...@postmail.ro> wrote:
>>>
>>> Hi Tom,
>>>
>>> I am familiar with the options you mentioned: veb, bridge and isolated ports.
>>> I have another transparent filter based on veb, and I am also aware of
>>> protected members, but my use case is different.
>>>
>>> Let me try to explain, maybe with different words.
>>> The OpenBSD box has only one cable input, so what would be the
>>> benefit of having protected members?
>>> Protected members isolate the communication between members of a
>>> bridge. In my case I have only one NIC, so if a bridge would be helpful,
>>> I can have a bridge with a single member; therefore, isolating that
>>> member from whom?
>>> The OpenBSD box has only one wire connected to a physical switch, so it
>>> can communicate with all members of the switch, but the physical switch
>>> itself does not permit communication between members, as explained.
>>> So the desire is that the OpenBSD box is the one making communication
>>> possible between different members of the switch through the same wire.
>>>
>>> Let me try to draw it; I hope it will help more.
>>>
>>> DEVICE1       DEVICE2       DEVICE3
>>>    |             |             |
>>>    |             |             |
>>> -----------------------------------------------------------
>>>  PORT1         PORT2         PORT3              PORT 20
>>>    |             |             |___________________|
>>>    |             |_________________________________|
>>>    |_______________________________________________|
>>>             PHYSICAL SWITCH DEVICE                 |
>>> ---------------------------------------------------|--------
>>>                                                    |
>>>                                                    |
>>>                                                    |
>>>                                              OPEN BSD BOX
>>>
>>>
>>> Thank you.
>>>
>>>
>>> On Tue, Jan 24, 2023 at 1:43 PM Tom Smyth <tom.sm...@wirelessconnect.eu>
>>> wrote:
>>>>
>>>> Hello Cristian,
>>>> If you want to filter on layer 2... you would need to use bridge....
>>>> Have a look at ifconfig(8):
>>>> bridge filter rules can be added to ports in the bridge...
>>>> You can also tag traffic in bridge filter rules and then use PF to
>>>> filter them...
>>>>
>>>> But if your objective is to isolate ports from each other... this can
>>>> be achieved with protected port groups...
>>>> Again, check out ifconfig(8).
>>>> TLDR version: bridge ports in the same protected port group are
>>>> isolated from each other...
>>>> If port isolation is all you're looking for (no other detailed filtering)
>>>> and if (I'm not sure) veb(4) supports protected ports... then this would
>>>> be faster...
>>>> But to my shame I have not tried out veb(4).
>>>>
>>>> I hope this is of some use...
>>>>
>>>>
>>>> On Tue, 24 Jan 2023 at 11:29, Cristian Danila <clau...@postmail.ro> wrote:
>>>>>
>>>>> Hello
>>>>>
>>>>> I have a more difficult task that I would like to solve with OpenBSD,
>>>>> and I would really appreciate any ideas on whether it is possible to
>>>>> achieve such a thing.
>>>>>
>>>>> I have:
>>>>> - one OpenBSD box with one Ethernet port
>>>>> - one big switch with multiple devices connected
>>>>>
>>>>> All switch ports are isolated from each other, with one exception:
>>>>> - All ports can communicate with only one Ethernet port (let's say port 20)
>>>>>
>>>>> Now, what I would like to achieve is to connect an Ethernet cable between
>>>>> the OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
>>>>> filtering hub.
>>>>>
>>>>> So I need the OpenBSD box to be a transparent bridge and filter between
>>>>> clients of the switch.
>>>>>
>>>>> Can anybody suggest a point where I can start thinking about this?
>>>>> I was initially thinking to add the NIC (em0) to veb0 and then, with link1,
>>>>> achieve L3 filtering, but I definitely think I am missing something
>>>>> important.
>>>>> I am open to researching everything that is needed for it, but I lack a
>>>>> starting point and I would really appreciate any hint.
>>>>>
>>>>> Kind regards,
>>>>> Claudiu
>>>>>
>>>>
>>>>
>>>> --
>>>> Kindest regards,
>>>> Tom Smyth.
>>>
>>
>
>
> --
> Kindest regards,
> Tom Smyth.
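As an added illustration (not code from commarp, OpenBSD, or anyone in this thread): a small Python model of the commarp.conf syntax David quotes and of the decision it implies, namely which ARP requests arriving on the configured interface the box would answer so that host-to-host traffic hairpins through its routing table and PF. It also checks the caveat that the router's own and carp addresses should not sit inside an allow range. The config text and the router address below are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the commarp.conf syntax shown in the thread.
SAMPLE_CONF = """
interface em0 {
    allow 192.168.1.16 - 192.168.1.254
}
"""

# Assumed address of the OpenBSD box itself on that subnet (constructed).
ROUTER_ADDRS = {"192.168.1.1"}


def parse_conf(text):
    """Return {iface: [(first, last), ...]} of allowed IPv4 ranges per interface."""
    ranges = {}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)\s*\{$", line)
        if m:
            iface = m.group(1)
            ranges.setdefault(iface, [])
            continue
        m = re.match(r"allow\s+(\S+)\s*-\s*(\S+)$", line)
        if m and iface is not None:
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            if lo > hi:
                raise ValueError(f"inverted range on {iface}: {line}")
            ranges[iface].append((lo, hi))
        elif line == "}":
            iface = None
    return ranges


def should_answer(ranges, iface, target_ip):
    """True if an ARP request for target_ip seen on iface falls in an allow range."""
    ip = ipaddress.ip_address(target_ip)
    return any(lo <= ip <= hi for lo, hi in ranges.get(iface, []))


def router_addrs_in_ranges(ranges, router_addrs=ROUTER_ADDRS):
    """Router/carp addresses that an allow range covers; the thread says these
    should be left out, since intercepting ARP for them gains nothing."""
    return sorted(a for a in router_addrs
                  if any(should_answer(ranges, i, a) for i in ranges))
```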