IPFW/Dummynet/Bridging with VLAN trunks?

2009-04-21 Thread Howard Jones
I'm trying to use Dummynet+IPFW and bridging to make a packet shaper
that runs across multiple VLANs. So my intended set up is:

[users]-[Aggregate Switch]=[FreeBSD]=[Upstream Switch (with IP
interfaces for each vlan)]-The World

where - is a single VLAN, and = is a tagged dot1q trunk. The aim is to
drop the FreeBSD box in the middle, in one trunked uplink, and cover all
the VLANs downstream of that.

Should this work?

In practice, the bridging seems to work OK, but as soon as I add rules
to match traffic passing through and apply it to pipes, everything
stops. I can use tcpdump's vlan option to filter traffic on em0, em1 or
bridge0 and it does show only traffic for that vlan, so tags are being
preserved...

Ideally, I'd like to use the dot1q tag in ipfw rules directly, and avoid
ip ranges, but I don't think that's possible. Is there some special
incantation to make ipfw vlan-aware?

Has anyone else done this successfully?

Best Regards,

Howie
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: IPFW/Dummynet/Bridging with VLAN trunks?

2009-04-21 Thread Chris Cowart
Howard Jones wrote:
> I'm trying to use Dummynet+IPFW and bridging to make a packet shaper
> that runs across multiple VLANs. So my intended set up is:
>
> [users]-[Aggregate Switch]=[FreeBSD]=[Upstream Switch (with IP
> interfaces for each vlan)]-The World
>
> where - is a single VLAN, and = is a tagged dot1q trunk. The aim is to
> drop the FreeBSD box in the middle, in one trunked uplink, and cover all
> the VLANs downstream of that.
>
> Should this work?
>
> In practice, the bridging seems to work OK, but as soon as I add rules
> to match traffic passing through and apply it to pipes, everything
> stops. I can use tcpdump's vlan option to filter traffic on em0, em1 or
> bridge0 and it does show only traffic for that vlan, so tags are being
> preserved...
>
> Ideally, I'd like to use the dot1q tag in ipfw rules directly, and avoid
> ip ranges, but I don't think that's possible. Is there some special
> incantation to make ipfw vlan-aware?
>
> Has anyone else done this successfully?

This is how I do it:

# one rule per VLAN: send frames arriving on that vlan interface into its own pipe
ipfw add pipe 1 all from any to any in via vlan20
ipfw add pipe 2 all from any to any in via vlan40

But in my configuration, bridge0 has members vlan20 and vlan40. I would
create a separate bridge with vlan21 and vlan41. 

I don't think ipfw can filter on dot1q tags yet, though. There was a lot
of layer 2 filtering capability in a patch floating around for
8-CURRENT, but I'm not sure of its status, nor whether dot1q filtering
was implemented.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
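The set-up Chris describes (a separate bridge per VLAN, with a pipe rule selected by `via` on the vlan interface) as a complete script, added here as an example; it is not code from the thread or from FreeBSD. Assumptions: the two trunk legs are em0 (towards the users) and em1 (towards the upstream switch), the tags 20 and 40 and the bandwidths are made up, the dotted `ifconfig em0.20 create` shorthand for creating a tagged vlan interface is available, and the sysctls are the ones bridge(4) documents: net.link.bridge.ipfw must be 1 for dummynet to work on bridged frames, and with it set the bridge hands each frame to ipfw once, at layer 2, on the egress member, so the rules below match `layer2 out via` the egress vlan interface where Chris's rules use `in via`. By default the script only prints the commands it would run; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example (not from the thread): an inline dot1q shaper on FreeBSD.
# Per tag: a vlan(4) interface on each trunk leg, one if_bridge(4) joining
# the two legs, and one dummynet pipe per direction selected with a
# "via" match on the vlan interface, as in Chris's reply.
# em0/em1, the tags and the bandwidths are assumed values.
set -eu

INSIDE=${INSIDE:-em0}     # trunk leg towards the aggregate switch (users)
OUTSIDE=${OUTSIDE:-em1}   # trunk leg towards the upstream switch
VLANS=${VLANS:-"20 40"}   # constructed list of tags to bridge and shape
DRY_RUN=${DRY_RUN:-1}     # default prints the commands; DRY_RUN=0 applies them

# Assumed per-VLAN rate, used for both directions.
bw_for() {
    case "$1" in
        20) echo 10Mbit/s ;;
        40) echo 5Mbit/s ;;
        *)  echo 1Mbit/s ;;
    esac
}

# Print a command; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" != 0 ] || "$@"
}

# bridge(4): net.link.bridge.ipfw must be 1 for dummynet on bridged
# frames; the bridge then hands each frame to ipfw once, at layer 2, on
# the egress member. Keep one_pass=1 so a frame returning from its pipe
# is accepted instead of being re-evaluated against later rules.
bridge_sysctls() {
    run sysctl net.link.bridge.ipfw=1
    run sysctl net.inet.ip.fw.one_pass=1
}

# em0.<vid> / em1.<vid>: ifconfig's dotted name creates a vlan interface
# with that tag on that parent. bridge<vid> joins the two legs.
bridge_vlan() {
    vid=$1
    run ifconfig "$INSIDE.$vid" create
    run ifconfig "$OUTSIDE.$vid" create
    run ifconfig "bridge$vid" create
    run ifconfig "bridge$vid" addm "$INSIDE.$vid" addm "$OUTSIDE.$vid" up
    run ifconfig "$INSIDE.$vid" up
    run ifconfig "$OUTSIDE.$vid" up
}

# Pipe <vid> shapes frames leaving on the outside leg (users -> world),
# pipe <vid+1000> frames leaving on the inside leg (world -> users).
# "layer2" restricts the match to the bridge's layer-2 pass.
shape_vlan() {
    vid=$1
    bw=$(bw_for "$vid")
    run ipfw pipe "$vid" config bw "$bw"
    run ipfw pipe "$((vid + 1000))" config bw "$bw"
    run ipfw add pipe "$vid" ip from any to any layer2 out via "$OUTSIDE.$vid"
    run ipfw add pipe "$((vid + 1000))" ip from any to any layer2 out via "$INSIDE.$vid"
}

# Frames no pipe rule claims (other tags, ARP) still fall through to the
# default rule; on a default-deny kernel that would silently drop them,
# so pass them explicitly. Policy rules for the transit VLANs go above this.
passthrough_rule() {
    run ipfw add allow all from any to any layer2
}

configure_all() {
    bridge_sysctls
    for v in $VLANS; do
        bridge_vlan "$v"
        shape_vlan "$v"
    done
    passthrough_rule
}

configure_all
```

Once applied, `ipfw pipe show` lists the per-pipe queue and byte counters and `ipfw show` the per-rule hit counts, which is the quickest way to confirm that each VLAN's frames are actually being claimed by the intended pipe rather than falling through to the passthrough rule.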

