Hellos to all.

Our setup has two different wifi access points, each to cover a different part of the building. Any user or device might connect to either one of the access points at any one time, depending on signal strength and phase of the moon. From the firewall's perspective, packets coming out of or going into either AP are considered as identical in all respects.

In olden times, I simply connected the two APs together to a physical dumb switch, and then connected that switch to a single port on the pf/openbsd firewall. So by definition they were treated the same by pf, since they were coming in on the same wire. All good. And I could still do that if I had to.

However, I'm bringing up a spiffy new Soekris firewall that has multiple ports (4, specifically) available. In theory I can eliminate the physical switch (fewer electrons! one less point of failure!) by connecting the two APs directly to the Soekris, using, say, em2 and em3.

The question is how best to create a "virtual switch" out of em2 and em3, so I don't have to firewall each one separately in my bridge and pf rules. I thought I could just do this with interface groups, by declaring em2 and em3 were part of the same group using ifconfig(), but that doesn't seem to fly. At least, to give just one example, this didn't work when I tried to set up a packet-inspecting bridge using my group name ('APgroup'):

# /sbin/ifconfig em2 group APgroup
# /sbin/ifconfig em3 group APgroup
# /sbin/ifconfig bridge0 rule pass in on APgroup src 00:11:22:33:44:55 tag goodpacket
ifconfig: bridge0: No such file or directory
(but if I replace "APgroup" with a real interface, like em3, it works fine)


So what is my plan B here? I see there are lots of ways potentially to accomplish this, but I'm confused about the pros and cons:
  - Another bridge, this one between em2 and em3?
  - Some kind of span interface?
  - Using trunk()?
  - Something else?

I'd love some advice on what the "best" way to accomplish this is. ("Best" in my particular case means first, lowest total firewall cpu cost to route/filter; second, lowest PF ruleset complexity; and third, lowest network traffic [ie, no packets going out ports that will just drop them anyways]. And I guess fourth, future flexibility in case I need to add a third or fourth damn access point...)

Thanks for some salient discussion. I know this must have been asked before but I'm not finding a relevant answer on how best to do this.

Bonnie P.
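As an added illustration of the first of Bonnie's plan-B options (a bridge between em2 and em3), and not part of the original post or of any reply to it: the script below generates an OpenBSD hostname.if(5) layout that bridges em2 and em3, keeps both ports in the APgroup interface group so one pf ruleset can say "on APgroup" and cover both (and any AP port added later), and puts the MAC-tagging rule on each physical member, since bridge(4) rules take a member interface name rather than a group, which is the error the post shows. The group name APgroup, the MAC 00:11:22:33:44:55 and the goodpacket tag are taken from the post; the output directory, the exact file contents and the pf fragment are my assumptions and were not tested on the Soekris in question.

```shell
#!/bin/sh
# Added example: write hostname.if(5) files and a pf.conf fragment that make
# em2 and em3 one logical "AP side" on OpenBSD. Not the poster's code; the
# pf rules and file layout are assumptions for illustration only.
set -eu

GOOD_MAC="00:11:22:33:44:55"   # MAC from the post; a trusted device on the AP side

# Physical members carry no address; they are just up and in the APgroup
# interface group, so pf rules written "on APgroup" apply to both ports.
member_config() {
    printf 'group APgroup\nup\n'
}

# bridge0 joins the two ports. bridge(4) rules name a member interface, not a
# group, so the MAC rule is repeated per member (this is the part that failed
# with "on APgroup" in the post). Matching frames are tagged for pf.
bridge_config() {
    cat <<EOF
add em2
add em3
rule pass in on em2 src $GOOD_MAC tag goodpacket
rule pass in on em3 src $GOOD_MAC tag goodpacket
up
EOF
}

# pf fragment (assumed): while bridging, pf filters on the member interfaces,
# and the group name lets one rule cover every AP port.
pf_fragment() {
    cat <<'EOF'
# assumed fragment, to be merged into /etc/pf.conf
block in on APgroup
pass in on APgroup tagged goodpacket
pass out on APgroup
EOF
}

# Write the files under $1 (default /etc). Use a scratch directory first and
# review the result before copying it into place.
write_configs() {
    dir="${1:-/etc}"
    member_config > "$dir/hostname.em2"
    member_config > "$dir/hostname.em3"
    bridge_config > "$dir/hostname.bridge0"
    pf_fragment   > "$dir/pf.apgroup.conf"
}

# Sanity check before committing: every "add" member in hostname.bridge0 must
# have its own hostname file and be in APgroup, otherwise one AP port would
# come up outside the group and miss the shared pf rules.
check_configs() {
    dir="${1:-/etc}"
    for m in $(sed -n 's/^add //p' "$dir/hostname.bridge0"); do
        [ -f "$dir/hostname.$m" ] || { echo "missing hostname.$m" >&2; return 1; }
        grep -q '^group APgroup$' "$dir/hostname.$m" \
            || { echo "$m is not in APgroup" >&2; return 1; }
    done
    return 0
}
```

Run it as `sh thisfile.sh` after adding `write_configs /tmp/ap && check_configs /tmp/ap` at the end, inspect /tmp/ap, then move the files into /etc and run `sh /etc/netstart em2 em3 bridge0`. A third or fourth AP port is one more `add emN` line in hostname.bridge0 plus its own hostname.emN with the same two lines; the pf rules do not change.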
