Oh my...
After a lot of testing I think I am very close (I hope) to a working solution.
In short I got back to somehow close what David suggested regarding proxy arp
but I cannot find commarp package so for arp problem I just use static
arp entries
in different rdomain
em0 -> rdomain 1 + static arp
Hi Tom,
I am just about trying your suggestion but I'm confused regarding one thing.
You mentioned
" then in openBSD Bridge you can add em0 and em1 to the same protected port
group eg 3"
Do you mean em0 and em1 should be isolated from each other?
Then how is em0 supposed to communicate with em1?
Hi Christian,
if you have Port 20 and 21 isolated from each other ... ie in the same
protected port group 0 on the switch...
and ports 1-19 in a separate protected port group eg 1
ports 1-19 can talk to either 20 or 21
and ports 20-21 cannot talk to each other (loop avoidance)
then in openBSD
Thank you so much Tom and David for giving me ideas where I can dig more.
Definitely it is a good start in this journey and I am researching more.
I have exact same situation with Wireless, for the moment all the clients are
isolated but I need to achieve the same, to filter between them.
I am
Hey David...
(I have learned so much from you over the years and used your gear so maybe
I can give a little back on this one)
"Correct use of Proxy arp" Gateway of layer 2 isolated network...
clients cannot see or hear each other's arp traffic or discovery traffic or
other broadcast nasties
so
> On 25 Jan 2023, at 10:03, Martin Schröder wrote:
>
> On Wed, 25 Jan 2023 at 00:45, David Gwynne wrote:
>> I think you can do this on OpenBSD with https://github.com/eait-itig/commarp
>> and just routing on em0. I don’t think any layer 2 things like bridge or veb
>> are needed, and
On Wed, 25 Jan 2023 at 00:45, David Gwynne wrote:
> I think you can do this on OpenBSD with https://github.com/eait-itig/commarp
> and just routing on em0. I don’t think any layer 2 things like bridge or veb
> are needed, and probably won’t work anyway because as Claudio said, they
>
> On 25 Jan 2023, at 09:47, Tom Smyth wrote:
>
> Hi David is that like a local proxy arp type setup (on typical
> networking gear) .. ?
I’ve never had a clear idea about what proxy ARP is, and the only time it comes
up in conversation is when people complain about problems it causes. Do you
Hi David is that like a local proxy arp type setup (on typical
networking gear) .. ?
On Tue, 24 Jan 2023 at 23:45, David Gwynne wrote:
>
> I think you can do this on OpenBSD with https://github.com/eait-itig/commarp
> and just routing on em0. I don’t think any layer 2 things like bridge or veb
I think you can do this on OpenBSD with https://github.com/eait-itig/commarp
and just routing on em0. I don’t think any layer 2 things like bridge or veb
are needed, and probably won’t work anyway because as Claudio said, they don’t
want to hairpin anyway.
That code doesn’t have any manpages
I agree with Claudio re Hairpin issue...
perhaps an alternate setup would be to use 2 vlans on the switch on
the uplink of the openbsd box
(to avoid the hair pin on a physical interface) but care needs to be
taken when bridging between the two vlans as 2x mac table usage will
occur ... ie mac
Hi Tom,
I am familiar with options you mentioned, veb, bridge and isolated ports.
I am having another transparent filter based on veb also I am aware about
protected members but my use case is different.
Let me try to explain maybe with different words.
OpenBSD box is having only one cable
On Tue, Jan 24, 2023 at 11:43:08AM +, Tom Smyth wrote:
> Hello Cristian,
> if you want to filter on layer 2 ... you would need to use Bridge
> have a look at man ifconfig(8)
> bridge filter rules can be added to ports in the bridge...
> you can also tag traffic in bridge filter rules and
Hello Cristian,
if you want to filter on layer 2 ... you would need to use Bridge
have a look at man ifconfig(8)
bridge filter rules can be added to ports in the bridge...
you can also tag traffic in bridge filter rules and then use PF to
filter them...
but if your objective is to isolate
Hello
I have a more difficult task that I would like to solve with OpenBSD
and I would really
appreciate any ideas if it is possible to achieve such.
I have:
- one OpenBSD box with one Ethernet port
- one big switch with multiple devices connected
All switch ports are isolated from each other