On Sun, Oct 1, 2023 at 9:13 AM Zé Loff <zel...@zeloff.org> wrote:

> On Sat, Sep 30, 2023 at 11:39:36AM -0400, David Higgs wrote:
> > All of my devices until now have been behind my OpenBSD NAT router, but I
> > recently acquired an Internet of Trash device that I would like to be
> > accessible to the internet (yes, I know).
> >
> > My home configuration uses a Unifi AP to translate my various SSIDs into
> > VLANs which plug into one of my APU em(4) ports. The IoT thing already has
> > its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.
>
> Define "doesn't enjoy". It absolutely requires a public IP? It needs
> some ports to be forwarded? Has some sort of network connection
> detection that fails because some ports are blocked for outgoing
> traffic?
>

I'm still trying to determine ground truth with manufacturer support. Port
forwarding doesn't seem sufficient. The device can reach out just fine but
is not remotely controllable as advertised.

> > Is there a way for me to bridge just one of the vlan(4) logical interfaces
> > with my other em(4) uplink, so that my IoT item can speak DHCP directly
> > with my internet provider?
>
> Assuming your WAN connection also gets its IP address by DHCP, will your
> ISP assign you multiple IP addresses, one for your uplink, one for the
> IoT device?
>

Hopefully so, but that's orthogonal to the question I'm asking.

> If you absolutely need the IoT device to have unfiltered connection to
> the internet, you can just create a DMZ of sorts for that VLAN, let all
> traffic pass out, forward the necessary ports for incoming traffic, and,
> assuming you don't trust the device at all, block all traffic from that
> VLAN to the rest of the network (or be very selective about it), and
> maybe also from other VLANs to that VLAN. Putting it in a different
> rdomain altogether might also be a good idea.

I've already tried that without success.

> > Can this be done with veb/vport or bridge, or will I need to use something
> > more exotic to strip the 802.1q tags before they are sent to my ISP?
>

Self-replying here: I don't see many examples of veb(4) use online, but it
seems as if I can add my physical uplink and the IoT VLAN both to a veb and
attach a vport to become my new uplink. That should be logically equivalent
to putting a three-port switch between my router and my ISP CPE, with the
third port for the IoT device.

Is anyone able to shoot holes in this or suggest a superior alternative,
before I attempt the configuration later this week?

Related question: It doesn't appear that veb (and bridge) are part of either
amd64 RAMDISK. Does this create any added complexity with (sys)upgrades or
does it somehow Just Work(tm)?

Thanks again,

--david
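The "three-port switch" arrangement from the self-reply, written out as the hostname.if(5) files it would take. This is an added example, not configuration from David or from anyone on the list; the interface names (em0 as the ISP uplink, em1 as the trunk from the AP, vlan30 as the IoT VLAN, veb0, vport0) and the VLAN tag 30 are assumptions. The script writes the files under a scratch directory so they can be reviewed before being copied into /etc.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed topology:
#   em0    - physical uplink to the ISP CPE (no address of its own)
#   em1    - trunk port carrying the tagged SSIDs from the Unifi AP
#   vlan30 - the IoT SSID's VLAN (tag 30, assumed) on top of em1
#   veb0   - virtual Ethernet bridge acting as the 3-port switch
#   vport0 - the router's own port on that switch; takes the WAN lease
# vlan30 strips the 802.1q tag on the way in and adds it on the way out,
# so frames forwarded by veb0 between vlan30 and em0 leave em0 untagged.
DESTDIR="${DESTDIR:-/tmp/veb-demo}"   # use DESTDIR=/etc for the real thing
UPLINK_IF=em0
TRUNK_IF=em1
IOT_VLAN_TAG=30

write_hostname_files() {
    mkdir -p "$DESTDIR"

    # Bridge members carry no IP configuration, they only need to be up.
    printf 'up\n' > "$DESTDIR/hostname.$UPLINK_IF"
    printf 'up\n' > "$DESTDIR/hostname.$TRUNK_IF"

    # The IoT VLAN as a vlan(4) child of the trunk port.
    cat > "$DESTDIR/hostname.vlan$IOT_VLAN_TAG" <<EOF
vnetid $IOT_VLAN_TAG parent $TRUNK_IF
up
EOF

    # vport0 replaces em0 as the interface the router itself uses for WAN;
    # it requests its address from the ISP like em0 did before.
    cat > "$DESTDIR/hostname.vport0" <<EOF
inet autoconf
up
EOF

    # veb0 ties the three ports together. Order does not matter.
    cat > "$DESTDIR/hostname.veb0" <<EOF
add $UPLINK_IF
add vlan$IOT_VLAN_TAG
add vport0
up
EOF
}

# Returns the bridge members listed in hostname.veb0, one per line,
# so the resulting configuration can be checked without a running system.
veb_members() {
    sed -n 's/^add //p' "$DESTDIR/hostname.veb0"
}

write_hostname_files
veb_members
```

Two things worth keeping in mind with this layout. First, veb(4) switches frames at layer 2: traffic between vlan30 and em0 never enters the router's IP stack, so the pf rules that applied to em0 as the WAN interface now only see what reaches vport0; veb(4) documents the options for filtering on bridge members if that traffic needs policy too. Second, the IoT device and the router's vport0 now share the ISP-facing segment, so the WAN-side pf policy on vport0 has to hold up against a neighbour on the same segment, not only against the wider internet.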