survive
March 31st, 2003, 16:11
I've been looking into building a transparent bridge running PF to filter multiple vlans here at work. My question to the forum is this:

Has anyone tried to do this & if so have you met with any success?

The basic story goes like this. I work for a university. We currently are working to take control of the filtering of our subnets back from another department. We currently have a half dozen vlans handed off from the rest of the university via a GigE connection. The plan is to drop an OpenBSD box into that GigE line & filter from there. Trouble is we have not quite been able to "make it work". Worse than that is that we don't even know if it *should* work.

-Will

elmore
March 31st, 2003, 16:19
You can get this working as I have done it. The problem you're going to run into is with having a bunch of gige cards in one box. See here:

http://screamingelectron.org/phpBB2/viewtopic.php?t=240

That being said, if you have the hardware this really won't be that big of a deal and I'm sure we can help out. :)

frisco
March 31st, 2003, 19:43
There are a few misc@ threads you may want to read through, like:

Comments on hardware/throughput at gigabit speeds:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=104839756610557&w=2

Comments on RAM/state entries:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=104630461821280&w=2

Some lazy Sundays I wish I had the hardware to benchmark throughput; I like making charts and graphs.

survive
April 1st, 2003, 19:29
So far we have tried using a couple of Syskonnect bge fiber cards that we have around the shop. The first try almost worked, but the cards complained about a "non-standard mtu" when the bridge came up. Got a diff from a guy I contacted who has been working on improving some of the gige drivers in OpenBSD. Compile that in & the firewall will get past the point that the "non-standard mtu" error came up, but the box dumps me to the debugger shortly thereafter.

Elmore, I would love to compare notes with you on how to do this! Could you perhaps explain to me how you "bound" the vlans to your interfaces? Most of the (hard) work has been done for me by a student worker we have here so I am not 100% sure of the details of what he has done. I know that he has tried both Open & Free and neither solution has quite worked. I suspect there is some concept we don't quite have right in our heads.

My boss has committed the cash needed for whatever hardware I need to pass the packets; I just need to prove that I can make this model work before he signs any P.O.s.

-Will

elmore
April 5th, 2003, 22:19
Survive -

Sorry it's taken me so long to get to this. It's one I want to answer but takes some time, as the answer is quite lengthy.

Without any further ado, here's how I did the one in my house. Keep in mind my house is much smaller than your work environment. What you really want is an MSFC with a transparent bridge on each arm.

With that being said I have done many setups like this.
http://www.screamingelectron.org/Users/elmore/mapex1.PNG

Where your firewall has an ext. IP and an internal IP in subnet A or vlan 1.

Then that firewall needs the following added to /etc/netstart.

route add subnet A <gateway>
route add subnet B <gateway>
route add subnet C <gateway>

Where the gateway will be the IP of Bridge 1, 2, and 3's IP on the main subnet. If you're going transparent then you'll still need something to route to the other subnet, an MSFC presumably. So just substitute that IP. Vice versa, the other side of each bridge will serve as the default gateway for the corresponding subnet. Make sense?

You could do this on the same box; however, all those gig cards are liable to cause PCI bus issues. Can anyone else confirm?

Strog
April 7th, 2003, 11:00
If you are using 6 gigabit connections on a 66MHz/64-bit bus or greater then you should be able to pass your traffic without blocking issues. I would look at using dual port cards and putting the higher traffic segments together on a card to reduce bus contention as much as possible. For example, if segment 1 and segment 3 are going to be passing a lot of traffic back and forth to each other, put them on the same card. Your filtering rules could affect how much they will pass over the bus, but this should reduce some traffic across it.

I'm not an engineer so you can take all this with a grain of salt. 8)

survive
April 8th, 2003, 19:06
Couple of things.....

First, elmore, it looks like your layout is more of a routed solution using multiple firewalls. For our project we are looking for a single box to sit in front of our distribution switch. That said we are also looking to do this with 2 nics.

Fortunately we appear to have made this box work the way we "want" it to.

We currently have a group of boxes (actually workstations from a video editing lab) that all have GigE connections running off a GigE switch behind this transparent filtering bridge. Each box is sitting on a different vlan & it works like a champ!

Believe me when I say it is ugly. Seems you need to make a "bridge of bridges" for all the vlans you want to filter.....

Hell, I'm not even 100% sure what my co-worker did to get the darn thing up, but I plan on getting a full briefing tomorrow.

Please let me know if you guys have any questions.

-Will
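The "bridge of bridges" Will describes above, written out as an added example (not a config from the thread or from anyone posting in it): one OpenBSD bridge per VLAN tag, spanning the uplink and downlink NICs, with PF rules written against the vlan member interfaces. The NIC names bge0/bge1, the six tags, and the OpenBSD 3.x ifconfig/brconfig syntax are assumptions; the script only prints the commands, it applies nothing.

```shell
#!/bin/sh
# Added example, not from the thread: generate the "bridge of bridges"
# survive describes, one OpenBSD bridge per VLAN tag spanning two
# physical gigabit NICs. NIC names and tags are assumed values.

# gen_vlan_bridges <outside_nic> <inside_nic> <tag> [<tag> ...]
# Prints the ifconfig/brconfig commands (OpenBSD 3.x syntax) that would
# go into /etc/netstart or /etc/rc.local. Nothing is applied.
gen_vlan_bridges() {
    outside=$1; inside=$2; shift 2
    # the physical ports carry only tagged frames, so no address on them
    echo "ifconfig $outside up"
    echo "ifconfig $inside up"
    n=0
    for tag in "$@"; do
        a=$((2 * n))      # vlan unit on the campus (outside) port
        b=$((2 * n + 1))  # vlan unit on the distribution-switch port
        echo "# VLAN $tag: vlan$a on $outside <-> bridge$n <-> vlan$b on $inside"
        echo "ifconfig vlan$a vlan $tag vlandev $outside up"
        echo "ifconfig vlan$b vlan $tag vlandev $inside up"
        echo "brconfig bridge$n add vlan$a add vlan$b up"
        n=$((n + 1))
    done
}

# gen_pf_skeleton <tag> ...: PF filters on the bridge members, so rules
# name the vlanN interfaces and every packet is seen twice (in on one
# member, out on the other). Default-deny plus per-VLAN placeholders.
gen_pf_skeleton() {
    echo "block all"
    n=0
    for tag in "$@"; do
        a=$((2 * n)); b=$((2 * n + 1))
        echo "# VLAN $tag: replace these placeholders with the real policy"
        echo "pass in  on vlan$a all keep state   # outside -> inside"
        echo "pass out on vlan$b all keep state"
        echo "pass in  on vlan$b all keep state   # inside -> outside"
        echo "pass out on vlan$a all keep state"
        n=$((n + 1))
    done
}

# Constructed example: six campus VLANs, bge0 as uplink, bge1 to the switch.
gen_vlan_bridges bge0 bge1 10 20 30 40 50 60
gen_pf_skeleton 10 20 30 40 50 60
```

The thread's "non-standard mtu" complaint comes from the tagged frames on the physical ports, so check that the driver accepts a VLAN-sized MTU before bringing the bridges up.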

elmore
April 8th, 2003, 19:22
I'd love to see the configs. I'm sure others would as well.

The other thing is mine is routed for sure. I suppose I just always think of a multiple vlan setup to mean multiple subnets. Mainly because that's the way I've always set them up.