On Tue, Jan 24, 2023 at 11:43:08AM +0000, Tom Smyth wrote:
> Hello Cristian,
> if you want to filter on layer 2 ... you would need to use Bridge....
> have a look at man ifconfig(8)
> bridge filter rules can be added to ports in the bridge...
> you can also tag traffic in bridge filter rules and then use PF to
> filter them...
>
> but if your objective is to isolate ports from each other.. this can
> be achieved with protected port groups...
> again check out ifconfig (8)
> TLDR version bridge ports in the same protected port group are
> isolated from each other...
> If port isolation is all you're looking for (no other detailed filtering
> ) if (I'm not sure) veb(4) supports protected ports...then this would
> be faster...
> but to my shame I have not tried out veb(4)
>
> I hope this is of some use...
>
The problem is not veb(4) vs bridge(4) (both should work and I would
suggest you try to stay away from bridge(4)). The problem is the hairpin
on the single interface to the switch. AFAIK neither veb(4) nor bridge(4)
will send back a packet on the same port it was received on. Doing so can
result in packet loops.

> On Tue, 24 Jan 2023 at 11:29, Cristian Danila <clau...@postmail.ro> wrote:
> >
> > Hello
> >
> > I have a more difficult task that I would like to solve with OpenBSD
> > and I would really
> > appreciate any ideas if it is possible to achieve such.
> >
> > I have:
> > - one OpenBSD box with one Ethernet port
> > - one big switch with multiple devices connected
> >
> > All switch ports are isolated from each other with one exception:
> > - All ports can communicate with only one Ethernet port (let's say port 20)
> >
> > Now what I would like to achieve is to connect an Ethernet cable between
> > OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> > filtering hub.
> >
> > So I need OpenBSD box to be a transparent bridge and filter between
> > clients of the switch.
> >
> > Can anybody suggest a point where I can think about?
> > I was thinking initially to add the nic(em0) to veb0 then with link1
> > achieve L3 filtering but
> > definitely I think I miss something important.
> > I am open to research everything is needed for it but I miss a
> > starting point and I would
> > really appreciate any hint.
> >
> > Kind regards,
> > Claudiu
> >
> >
> --
> Kindest regards,
> Tom Smyth.
>

-- 
:wq Claudio
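
The two behaviours discussed in this thread (no forwarding back out of the ingress port, and isolation between ports in the same protected group), as an added example that is not part of the original messages and is not OpenBSD code. It is a simplified model of a learning bridge; the MAC addresses are constructed, and em1/em2 are hypothetical extra ports (only em0 appears in the thread).

```python
# Simplified learning-bridge model (illustration only, not veb(4)/bridge(4) source).
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A = "02:00:00:00:00:0a"   # constructed client addresses
MAC_B = "02:00:00:00:00:0b"

@dataclass
class Bridge:
    ports: dict                               # port name -> protected group (0 = none)
    fdb: dict = field(default_factory=dict)   # learned MAC -> port

    def forward(self, in_port, src, dst):
        """Learn src, then return the sorted list of egress ports for the frame."""
        self.fdb[src] = in_port
        if dst != BROADCAST and dst in self.fdb:
            candidates = [self.fdb[dst]]      # known unicast: one port
        else:
            candidates = list(self.ports)     # broadcast/unknown: flood
        group = self.ports[in_port]
        out = []
        for port in candidates:
            if port == in_port:
                continue                      # never sent back where it came from
            if group and self.ports[port] == group:
                continue                      # same protected group: isolated
            out.append(port)
        return sorted(out)

def hairpin_case():
    """Single NIC facing switch port 20: both clients are learned behind em0."""
    br = Bridge(ports={"em0": 0})
    br.forward("em0", MAC_A, BROADCAST)
    br.forward("em0", MAC_B, BROADCAST)
    # A -> B arrives on em0 and B also lives on em0, so nothing is forwarded.
    return br.forward("em0", MAC_A, MAC_B)

def protected_case():
    """em1 and em2 share protected group 1; em0 is an unprotected uplink."""
    br = Bridge(ports={"em0": 0, "em1": 1, "em2": 1})
    return br.forward("em1", MAC_A, BROADCAST)

if __name__ == "__main__":
    print("hairpin egress:", hairpin_case())
    print("protected egress:", protected_case())
```

With one interface, client-to-client frames have no egress port, so filter rules on the bridge never get a frame to pass along.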