I agree with Claudio re the hairpin issue... Perhaps an alternate setup would be to use 2 VLANs on the switch on the uplink of the OpenBSD box (to avoid the hairpin on a physical interface), but care needs to be taken when bridging between the two VLANs, as 2x MAC table usage will occur... i.e. a MAC address on one device may be present in two VLANs (if you have a filtering bridge between the two VLANs) and isolation is turned off at any stage... (I have been badly caught out on this when aggregating n VLANs... n bridged VLANs x (original MAC table usage) = new MAC address table size.) Hope this helps...
On Tue, 24 Jan 2023 at 12:24, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
>
> On Tue, Jan 24, 2023 at 11:43:08AM +0000, Tom Smyth wrote:
> > Hello Cristian,
> > if you want to filter on layer 2 ... you would need to use bridge....
> > have a look at man ifconfig(8)
> > bridge filter rules can be added to ports in the bridge...
> > you can also tag traffic in bridge filter rules and then use PF to
> > filter them...
> >
> > but if your objective is to isolate ports from each other.. this can
> > be achieved with protected port groups...
> > again check out ifconfig(8)
> > TLDR version: bridge ports in the same protected port group are
> > isolated from each other...
> > If port isolation is all you're looking for (no other detailed filtering)
> > and if (I'm not sure) veb(4) supports protected ports... then this would
> > be faster...
> > but to my shame I have not tried out veb(4)
> >
> > I hope this is of some use...
> >
>
> The problem is not veb(4) vs bridge(4) (both should work and I would
> suggest you try to stay away from bridge(4)). The problem is the hairpin
> on the single interface to the switch. AFAIK neither veb(4) nor bridge(4)
> will send back a packet on the same port it was received on. Doing so
> can result in packet loops.
>
> > On Tue, 24 Jan 2023 at 11:29, Cristian Danila <clau...@postmail.ro> wrote:
> > >
> > > Hello
> > >
> > > I have a more difficult task that I would like to solve with OpenBSD
> > > and I would really appreciate any ideas if it is possible to achieve such.
> > >
> > > I have:
> > > - one OpenBSD box with one Ethernet port
> > > - one big switch with multiple devices connected
> > >
> > > All switch ports are isolated from each other with one exception:
> > > - All ports can communicate with only one Ethernet port (let's say port 20)
> > >
> > > Now what I would like to achieve is to connect an Ethernet cable between
> > > the OpenBSD box and port 20 of the switch, and make OpenBSD a transparent
> > > filtering hub.
> > >
> > > So I need the OpenBSD box to be a transparent bridge and filter between
> > > clients of the switch.
> > >
> > > Can anybody suggest a point where I can start thinking about this?
> > > I was thinking initially to add the nic (em0) to veb0 and then with link1
> > > achieve L3 filtering, but I definitely think I am missing something important.
> > > I am open to researching everything that is needed for it, but I lack a
> > > starting point and I would really appreciate any hint.
> > >
> > > Kind regards,
> > > Claudiu
> > >
> >
> >
> > --
> > Kindest regards,
> > Tom Smyth.
> >
>
> --
> :wq Claudio
>

--
Kindest regards,
Tom Smyth.
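The two-VLAN variant Tom sketches, written out as the OpenBSD hostname.if(5) fragments it would need. This is an added example, not configuration from anyone in the thread; it assumes the uplink is em0, the switch trunks VLAN 10 and VLAN 20 tagged to that port with the clients split across the two VLANs, and that "link1" (the flag the original poster mentions) is what enables pf filtering of IP traffic across the veb, which should be confirmed against veb(4) on the release in use.

```shell
#!/bin/sh
# Added example (not from the thread). Writes the hostname.if(5) files for
# a veb(4) bridging two vlan(4) ports on one physical uplink. The target
# directory is a parameter so it can be tried in a scratch directory first.
write_hostname_if() {
    dir=${1:-/etc}
    uplink=${2:-em0}   # assumption: the single NIC facing the switch

    # The physical port carries no address; it only brings up its VLAN children.
    printf 'up\n' > "$dir/hostname.$uplink"

    # Two vlan(4) children on the same parent. A frame entering on vlan10
    # leaves on vlan20 (and vice versa), so the veb never has to send a
    # frame back out the port it arrived on: that is the hairpin Claudio
    # says neither veb(4) nor bridge(4) will do.
    for id in 10 20; do
        printf 'vnetid %s parent %s description "clients-vlan%s" up\n' \
            "$id" "$uplink" "$id" > "$dir/hostname.vlan$id"
    done

    # veb(4) with both VLAN ports as members. link1 is an assumption taken
    # from the original poster's mail; check veb(4) before relying on it.
    cat > "$dir/hostname.veb0" <<EOF
add vlan10
add vlan20
link1
up
EOF

    # Tom's caveat: the switch now learns every client MAC in both VLANs,
    # so its MAC table must have room for roughly twice the host count.
    chmod 0640 "$dir/hostname.$uplink" "$dir/hostname.vlan10" \
        "$dir/hostname.vlan20" "$dir/hostname.veb0"
}
```

Run it against a temporary directory first, then apply with `sh /etc/netstart` once the files are in /etc.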