On Fri, Jun 23, 2023 at 6:18 PM David Gwynne <da...@gwynne.id.au> wrote:
>
> looks good to me after a quick read.
>
> > On 23 Jun 2023, at 12:15, Amarendra Godbole <amarendra.godb...@gmail.com> wrote:
> >
> > I am planning to experiment with veb on my PC Engines apu2e4 board. It
> > has three ports (em0, 1 and 2). Current configuration has em0 hooked
> > up to cable modem, while em1 and em2 are internal LAN. I don't have a
> > good ability to troubleshoot via a serial console, since the apu board
> > sits in the garage on top of a cabinet -- running serial cable to a
> > laptop is challenging, though not impossible. So I am looking for
> > feedback so as to keep this troubleshooting time minimal.
[...]
Thanks for the review, David. I finally managed to find a window when my
family was away from the internet, so I could experiment. :-)

My internet is delivered via Comcast cable modem, hooked to the APU's em0
port. A Ruckus wireless AP connects to em1. Here is a fully working
configuration:

$ cat hostname.em0
dhcp
description "comcast uplink"

$ cat hostname.em1
mtu 9000
up

$ cat hostname.em2
mtu 9000
up

$ cat hostname.veb0
add em1
add em2
add vport0
link0
up

$ cat hostname.vport0
inet 192.168.1.1 255.255.255.0 192.168.1.255
mtu 9000
group internal
up

$ cat pf.conf
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

antispoof quick for egress
block in from no-route
block in quick from urpf-failed
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

block all

match out on egress nat-to (egress)
pass out quick inet

pass in on internal inet
block return in quick on internal proto { udp tcp } to ! internal port { domain domain-s }

$ cat rc.conf.local
dhcpd_flags=vport0
unbound_flags=
unbound_timeout=240

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	index 5 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet 127.0.0.1 netmask 0xff000000
em0: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
	lladdr 00:0d:b9:56:f4:fc
	index 1 priority 0 llprio 3
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active
	inet 98.35.243.87 netmask 0xffffff00 broadcast 98.35.243.255
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 9000
	lladdr 00:0d:b9:56:f4:fd
	index 2 priority 0 llprio 3
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active
em2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 9000
	lladdr 00:0d:b9:56:f4:fe
	index 3 priority 0 llprio 3
	media: Ethernet autoselect (none)
	status: no carrier
enc0: flags=0<>
	index 4 priority 0 llprio 3
	groups: enc
	status: active
veb0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST>
	index 6 llprio 3
	groups: veb
	em1 flags=3<LEARNING,DISCOVER> port 2 ifpriority 0 ifcost 0
	em2 flags=3<LEARNING,DISCOVER> port 3 ifpriority 0 ifcost 0
	vport0 flags=3<LEARNING,DISCOVER> port 7 ifpriority 0 ifcost 0
vport0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 9000
	lladdr fe:e1:ba:d0:18:bd
	index 7 priority 0 llprio 3
	groups: vport internal
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
	index 8 priority 0 llprio 3
	groups: pflog

Thanks.
-Amarendra
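The veb layout above invites a sanity check before it goes onto a box that is awkward to reach over serial: an added Python example (not from this thread) parses ifconfig(8) output and flags any veb member port that sits in the egress group or carries its own address, since that would switch the WAN onto the LAN segment at layer 2 or bypass the vport where the pf rules and nat-to apply. The sample output is constructed from the interfaces shown in the message.

```python
import re
# Constructed sample, trimmed from the ifconfig output posted in this thread.
IFCONFIG = """\
em0: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
\tgroups: egress
\tinet 98.35.243.87 netmask 0xffffff00 broadcast 98.35.243.255
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 9000
veb0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST>
\tgroups: veb
\tem1 flags=3<LEARNING,DISCOVER> port 2 ifpriority 0 ifcost 0
\tvport0 flags=3<LEARNING,DISCOVER> port 7 ifpriority 0 ifcost 0
vport0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 9000
\tgroups: vport internal
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
"""

HEAD = re.compile(r"^(\S+): flags=")                              # interface header line
MEMBER = re.compile(r"^\s+\S+ flags=[0-9a-f]+<[^>]*> port \d+")  # veb member port line
def parse_ifconfig(text):
    """Return {ifname: {"groups", "addrs", "members"}} from ifconfig(8) output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:  # a new interface block starts at column 0
            cur = ifaces[m.group(1)] = {"groups": set(), "addrs": [], "members": []}
            continue
        words = line.split()
        if cur is None or not words:
            continue
        if words[0] == "groups:":
            cur["groups"].update(words[1:])
        elif words[0] in ("inet", "inet6"):
            cur["addrs"].append(words[1])
        elif MEMBER.match(line):  # indented "em1 flags=3<...> port 2" under veb0
            cur["members"].append(words[0])
    return ifaces

def check_veb(ifaces):
    """Report veb member ports that would undermine the routed pf/NAT boundary."""
    findings = []
    for name, itf in ifaces.items():
        if "veb" not in itf["groups"]:
            continue
        for port in itf["members"]:
            p = ifaces.get(port, {"groups": set(), "addrs": []})
            if "egress" in p["groups"]:
                findings.append(f"{port}: egress interface is a {name} port, WAN bridged into LAN")
            if p["addrs"] and "vport" not in p["groups"]:
                findings.append(f"{port}: carries {p['addrs']} but is a plain {name} port")
    return findings
```

Run it against the live output with `ifconfig | python3 -c 'import sys; ...'` or paste the output into IFCONFIG; an empty findings list is the expected result for the configuration in this thread.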