On Fri, Dec 31, 2010 at 01:36:32AM -0800, S Mathias wrote:
> Does anyone have a similar howto on OpenBSD for using private VLANs?
> 
> like: 
> 
> http://blog.ine.com/2008/07/14/private-vlans-revisited/
> 
> I just need to separate the clients on Layer 3 or better: on Layer 2.
> Each client uses 1 port. But I'm not 
> 

What's your question?

AFAICS there's nothing like "ip local-proxy-arp" on OpenBSD. Linux used
to be able to do that with proxy arp entries with a mask and interface,
but they've removed the feature in newer kernels.

If you can live with the silliness of your end-stations not being able
to talk to each other at all, this has nothing to do with OpenBSD and
everything with your switch. Just put the OpenBSD router on a
promiscuous (trusted) port.

Even this is very far from a good solution since it does nothing against
arp spoofing except for spoofing the gateway. It does not allow you to
filter source IPs and it won't help with duplicate MAC addresses or
other malicious behavior.

With "ip local-proxy-arp" you could put clients on different vlans and
use proxy arp to fake they're in the same subnet, allowing the same
level of isolation, source address filtering and firewalling as giving
each host a vlan and a /30, but without wasting three quarters of your
ip addresses. With some dhcp relay magic you'd have a secure ethernet
access solution.

Sadly I don't understand the kernel well enough to do it myself.
