
Re: bridge and features on virtual bridges



On Wed, 2002-11-27 at 17:03, Hakan Olsson wrote:
> On 27 Nov 2002, Alexander C.H. Lorenz wrote:
>
> > hey list, hi theo
> >
> > We are developing a firewall solution.
> > Now we have an idea for the bridge interface:
> >
> > We would create the bridge as a multi-user system.
> > Let me explain:
> > When a customer uses an OpenBSD bridge for other customers (A, B, C), this
> > is not a problem; all of his customers can use the same Internet
> > interface, right?
> > When the operator now wants to give customer C another net from RIPE, can
> > he use the same bridge at this moment? At the moment not, a bridge isn't
> > a router.
> > Okay, this I know, but does anybody have an idea at the moment for creating
> > this feature? The fw1 can't do this ;)
> > We are discussing a mac-nat at the moment; is this possible?
>
> Hi,
Hi
>
> I'm not at all sure I understand what you are trying to do, but this does
> not sound quite right to me. Ever heard of the term "layering violation"?
> ("mac-nat", huh?)
>
> I recommend you use plain IP and IP filter mechanisms, and try to do less
> level-2 magic. Go there as a last resort, don't start there.
No, we know what a bridge can't do. We have an idea: we implement a
feature for a "virtual bridge" like the scenario I described in the
last mail.
One of these ideas was that we do a mac-routing, where it is possible.
>
> (There seems to be more and more people wanting to invent needlessly
>  complicated solutions to solve problems on a lower level instead of using
>  already present solutions on the IP level. MPLS is one example. I
>  suspect the reason is part politics, but largely not understanding how
>  IP works or how to build networks.)
We understand how IP works :) We also know what the OSI model is and we
also understand the layers.
See, when we can create a feature like more than one br-interface - not
physical, but virtual, like aliases for an IP interface - then we can
implement OpenBSD in different router systems.
The idea was that we can create virtual bridge interfaces and use these
interfaces for different networks and the policies in them. Once the
bridge is a router, it can translate in the "real" connection.

Now the question to the tech list here is:
can anybody understand this idea, and is it useful with hacks or tricks,
or a completely stupid idea?

We have a box with 5 real interfaces, 2x2 as bridge and one as
management interface. Now we want to create 3 more interfaces on this box
for more bridging.

thanks

alex
>
> /H
>
> --
> Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
> Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
