Howard Jones wrote: > I'm trying to use Dummynet+IPFW and bridging to make a packet shaper > that runs across multiple VLANs. So my intended set up is: > > [users]->[Aggregate Switch]=>[FreeBSD]=>[Upstream Switch (with IP > interfaces for each vlan)]->The World > > where -> is a single VLAN, and => is a tagged dot1q trunk. The aim is to > drop the FreeBSD box in the middle, in one trunked uplink, and cover all > the VLANs downstream of that. > > Should this work? > > In practice, the bridging seems to work OK, but as soon as I add rules > to match traffic passing through and apply it to pipes, everything > stops. I can use tcpdump's vlan option to filter traffic on em0, em1 or > bridge0 and it does show only traffic for that vlan, so tags are being > preserved... > > Ideally, I'd like to use the dot1q tag in ipfw rules directly, and avoid > ip ranges, but I don't think that's possible. Is there some special > incantation to make ipfw vlan-aware? > > Has anyone else done this successfully?
This is how I do it: ipfw pipe 1 all from any to any in via vlan20 ipfw pipe 2 all from any to any in via vlan40 But in my configuration, bridge0 has members vlan20 and vlan40. I would create a separate bridge with vlan21 and vlan41. I don't think ipfw can filter on dot1q tags yet, though. There was a lot of layer 2 filtering capability in a patch floating around for 8-CURRENT, but I'm not sure of its status, nor whether dot1q filtering was implemented. -- Chris Cowart Network Technical Lead Network & Infrastructure Services, RSSP-IT UC Berkeley
pgpZHyHXxvV8v.pgp
Description: PGP signature
