On 22.1.2023. 3:27, Scott Colby wrote:
> Hello,
> 
> I am trying to set up a router with a fresh install of OpenBSD 7.2,
> and I'm having a hard time grokking how to use veb.
> 
> I have organized my network into 4 subnets:
> 
> - DHCP "WAN"
> - 192.168.0.0/24 "LAN"
> - 192.168.2.0/24 "IOT"
> - 192.168.3.0/24 "Guest"
> 
> My computer has 4 interfaces em{0..3} and my desired setup has the
> following qualities:
> - em0 is the WAN uplink with DHCP
> - em1 is the uplink to my WAP and carries all 3 internal networks,
>   with "LAN" untagged and "IOT" and "Guest" tagged as VLAN 1102
>   and 1103, respectively
> - em2 carries only "LAN", untagged
> - em3 carries only "IOT", untagged
> 
> I think I should have configuration files like:
> hostname.em0:
> inet autoconf
> 
> hostname.em{1..3}:
> up
> 
> hostname.veb0:
> add em1
> add em2
> add em3
> add vport0  # ??
> add vport1  # ??
> up
> 
> As for the vlan and vport interfaces, I have no idea.
> 
> After this, of course, I will want to do some filtering with pf
> (such as hosts on "IOT" and "Guest" not having access to hosts on
> "LAN.")
> 

Didn't test this but maybe something like this

hostname.em0
inet autoconf

hostname.em1
up

hostname.em2
up

hostname.em3
up

hostname.vport1
# gateway for LAN (veb1 bridges em1 untagged and em2)
inet X.X.X.X/XX

hostname.veb1
link1
add em1
add em2
add vport1
up

hostname.vlan1102
parent em1
vnetid 1102
up

hostname.vport2
# gateway for IOT
inet X.X.X.X/XX

hostname.veb2
link1
add vlan1102
add em3
add vport2
up
        
hostname.vlan1103
parent em1
vnetid 1103
# gateway for Guest
inet X.X.X.X/XX
up


if this is working then you can use pf to filter traffic between networks.

man veb
man ifconfig and search for VEB


> My questions are thus:
> 1) What is the proper network configuration to achieve the above
>    goal?
> 2) What is the right way to filter packets transiting between subnets
>    in this configuration? I see in the man page that the directionality
>    of packets emerging from a veb to the network stack is not normal.
>    I've seen things with adding groups to the interfaces, but not
>    sure what that gets me that using interface names in pf.conf
>    doesn't.
> 
> 
> Thanks in advance for any help that you can provide!
> 
> Scott
> 

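An added pf.conf example (not part of either message) for the isolation goal in the question: IOT and Guest hosts reach the internet but not LAN or each other. It assumes the interface layout from the reply (vport1 as the LAN gateway, vport2 as the IOT gateway, vlan1103 as the Guest gateway, em0 as WAN); the macro and table names, and the choice to skip pf on the bridge member ports, are assumptions made here.

```pf
# Added example, constructed for this thread; not from either message.
# Assumes the reply's layout: em0 = WAN, vport1 = LAN gateway,
# vport2 = IOT gateway, vlan1103 = Guest gateway.
# Macro and table names below are made up for this example.
wan      = "em0"
lan_if   = "vport1"
iot_if   = "vport2"
guest_if = "vlan1103"

lan_net   = "192.168.0.0/24"
iot_net   = "192.168.2.0/24"
guest_net = "192.168.3.0/24"

table <internal> const { $lan_net, $iot_net, $guest_net }

set skip on lo
# Assumption: filter only where the router's IP stack sees the traffic
# (vport/vlan interfaces), so frames switched inside a veb between
# hosts of the same subnet are left alone.
set skip on { em1 em2 em3 vlan1102 }

# Default deny, logged to pflog0
block return log all
antispoof quick for { $lan_if $iot_if $guest_if }

# NAT for everything leaving via the WAN uplink
match out on $wan inet from <internal> nat-to ($wan)
pass out inet

# LAN may reach the router, the other subnets and the internet
pass in on $lan_if inet from $lan_net

# IOT and Guest: DNS on the router itself, then internet only.
# Anything addressed to an internal subnet falls through to the block.
pass in on $iot_if   inet proto { tcp udp } from $iot_net   to ($iot_if)   port domain
pass in on $guest_if inet proto { tcp udp } from $guest_net to ($guest_if) port domain
pass in on $iot_if   inet from $iot_net   to ! <internal>
pass in on $guest_if inet from $guest_net to ! <internal>
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and the `log` keyword on the default block makes rejected cross-subnet attempts visible with `tcpdump -n -e -ttt -i pflog0`.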