Hellos to all. Our setup has two different wifi access points, each to cover a different part of the building. Any user or device might connect to either one of the access points at any one time, depending on signal strength and phase of the moon. From the firewall's perspective, packets coming out of or going into either AP are considered as identical in all respects.

In olden times, I simply connected the two APs together to a physical dumb switch, and then connected that switch to a single port on the pf/openbsd firewall. So by definition they were treated the same by pf, since they were coming in on the same wire. All good. And I could still do that if I had to.

However, I'm bringing up a spiffy new Soekris firewall that has multiple ports (4, specifically) available. In theory I can eliminate the physical switch (fewer electrons! one less point of failure!) by connecting the two APs directly to the Soekris, using, say, em2 and em3.

The question is how best to create a "virtual switch" out of em2 and em3, so I don't have to firewall each one separately in my bridge and pf rules. I thought I could just do this with interface groups, by declaring em2 and em3 were part of the same group using ifconfig(), but that doesn't seem to fly. At least, to give just one example, this didn't work when I tried to set up a packet-inspecting bridge using my group name ('APgroup'):

# /sbin/ifconfig em2 group APgroup
# /sbin/ifconfig em3 group APgroup
# /sbin/ifconfig bridge0 rule pass in on APgroup src 00:11:22:33:44:55 tag goodpacket
ifconfig: bridge0: No such file or directory

(but if I replace "APgroup" with a real interface, like em3, it works fine)

So what is my plan B here? I see there are lots of ways potentially to accomplish this, but I'm confused about the pros and cons:

- Another bridge, this one between em2 and em3?
- Some kind of span interface?
- Using trunk()?
- Something else?

I'd love some advice on what the "best" way to accomplish this is. ("Best" in my particular case means first, lowest total firewall cpu cost to route/filter; second, lowest PF ruleset complexity; and third, lowest network traffic [ie, no packets going out ports that will just drop them anyways]. And I guess fourth, future flexibility in case I need to add a third or fourth damn access point...)

Thanks for some salient discussion. I know this must have been asked before but I'm not finding a relevant answer on how best to do this.

Bonnie P.
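As an added illustration, not part of the original post or any reply: the hostname.if and pf.conf fragments for one of the options listed above, making em2 and em3 members of the existing bridge0 so the firewall itself switches between the two APs. bridge(4) rules only accept real member interfaces, so the MAC-tagging rule is written once per member, but pf.conf does accept interface groups, so the pf side matches both APs with a single "on APgroup". The interface names, the group name, the MAC address and the tag are the ones from the post; the assumption is that bridge0 already exists as the packet-inspecting bridge and that em2/em3 carry no IP address of their own.

```conf
# /etc/hostname.em2  (constructed example, assumed layout)
up
group APgroup

# /etc/hostname.em3
up
group APgroup

# /etc/hostname.bridge0
# Add both AP ports as members of the existing bridge; anything already
# listed here (the wired LAN side) stays as it was.
add em2
add em3
# bridge(4) rules need a real member interface, not a group, so repeat
# the tag rule per AP port. The MAC below is the one from the post.
rule pass in on em2 src 00:11:22:33:44:55 tag goodpacket
rule pass in on em3 src 00:11:22:33:44:55 tag goodpacket
up

# /etc/pf.conf fragment
# pf, unlike bridge rules, accepts interface groups, so one rule covers
# both AP ports. "tagged" matches the tag set by the bridge rules above.
pass in on APgroup tagged goodpacket
block in on APgroup
```

Load the bridge with `sh /etc/netstart bridge0` after the member interfaces are up, then `pfctl -f /etc/pf.conf`; `ifconfig bridge0` lists the members and rules so the per-port tagging can be checked before traffic is trusted to it.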