 From:  "Bruce A. Mah" <bmah at acm dot org>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bridge all 3 ports (lan+wan+opt1) possible?
 Date:  Tue, 14 Feb 2006 22:43:34 -0800
If memory serves me right, Chris Buechler wrote:
> On 2/13/06, Jim Thompson <jim at netgate dot com> wrote:
>> the "can't bridge LAN to anything else" makes it real tough to create a
>> traditional AP
>> with a single Ethernet and WiFi device.
>> In particular, if you run the WRAP.2C board (single Ethernet) with a
>> single 802.11 NIC, you
>> can't bridge the two.
> Yep.
>> So consider this an "enhancement request".
> I requested this quite a while back and got shot down by Bruce Mah
> (FreeBSD committer), who wrote the bridging parts of m0n0wall.  The
> reason you cannot is because, in FreeBSD 4.x, an interface that is
> bridged cannot have an IP address.  There are "several reasons" that
> the LAN interface needs an IP address, and "NICs are easier to come
> by than time" (true, except when you have a one-interface fixed
> hardware platform).  Quotes are paraphrasing what Bruce said at the
> time.

Chris, I object to your characterization that I "shot down" the idea of
a two-port bridge.  I didn't say that a m0n0wall filtering bridge with
two ports was a bad idea...I think it'd be great if m0n0wall could do
this.  I pointed out that due to some fundamental aspects of the design
of both bridge(4) and m0n0wall, this is hard.  It's not like I created
these reasons myself or made them up.

The "I have more NICs than time" comment (which is what I think I
*really* said) was why I didn't pursue this any further.  For my
situation it was easier to use up another sis0 port on my net4801 than
to try to figure out how to hack bridge(4).  I would never be silly
enough to generalize this to the entire m0n0wall user community.

If somebody really needs to make this work with only two network ports,
and they can figure out how to do this, that's great.  I'm sure there
are smarter people than me on this list who have a better chance of
making it work.

> With FreeBSD 6.x, you can have an IP on a bridged interface, so this
> is probably something that can, and should, be allowed in 1.3.

It's definitely possible.  The if_bridge(4) driver eliminates the
problems that prevented this from working with bridge(4) (or
ng_bridge(4), which I also investigated).  It's actually very nice to
work with, and as you pointed out, it supports STP, which could be
important in some applications.  Recent versions of if_bridge(4) also
include the software equivalent of a SPAN port.

I guess I should mention that I've replaced m0n0wall on my net4801 with
a fairly-stock nanobsd-style FreeBSD 6.0-STABLE.  I found that this
setup gives me more flexibility to build the appliance that I *really*
wanted when I started working on filtered bridging in m0n0wall.  That
having been said, I still think that m0n0wall is a great system, and I
would not hesitate to recommend it to someone who needs an
easy-to-setup, out-of-the-box, solution.

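The point Bruce makes above, that if_bridge(4) on FreeBSD 6.x lets the bridge itself carry the IP address that bridge(4) on 4.x could not, and that it adds STP and a software SPAN port, is easiest to see in the actual configuration. The following /etc/rc.conf fragment is an added example, not part of this thread and not m0n0wall's own code: it assumes a board with a wired port sis0 and an Atheros 802.11 interface ath0 run as an access point, an optional third port sis1 for monitoring, the address 192.168.1.1/24 and the SSID "example-ap".

```shell
# /etc/rc.conf fragment: two-port filtering bridge with the address on the bridge.
# Added example (not from this thread or from m0n0wall). Interface names
# sis0/ath0/sis1, the address 192.168.1.1/24 and the SSID are assumed.

# Create the if_bridge(4) clone at boot.
cloned_interfaces="bridge0"

# Members are brought up but carry no address of their own. With if_bridge(4)
# the address lives on bridge0, which is exactly what bridge(4) on 4.x could
# not do and why the old LAN+OPT1 design needed a third NIC.
ifconfig_sis0="up"
# 6.x-era hostap setup on the wireless member (pre-wlan(4) cloning syntax).
ifconfig_ath0="ssid example-ap mode 11g mediaopt hostap up"

# bridge0 joins the wired LAN port and the 802.11 AP interface, runs STP on the
# wired member so a cabling loop cannot take the LAN down, and carries the
# management address that the firewall rules and the web GUI need.
ifconfig_bridge0="inet 192.168.1.1/24 addm sis0 addm ath0 stp sis0 up"

# Optional, for a box with a spare third port: "span sis1" mirrors every frame
# the bridge forwards onto sis1 (the software SPAN port mentioned in the
# message), e.g. for a passive IDS sensor. Use it in place of the line above.
#ifconfig_bridge0="inet 192.168.1.1/24 addm sis0 addm ath0 stp sis0 span sis1 up"

# Firewall hooks: in /etc/sysctl.conf keep pfil(9) filtering enabled on the
# bridge and on its members so pf rules apply to bridged frames (these are the
# defaults, listed here so nobody turns them off by accident):
#   net.link.bridge.pfil_bridge=1
#   net.link.bridge.pfil_member=1
pf_enable="YES"
pf_rules="/etc/pf.conf"
```

Because the address sits on bridge0, pf rules can match on bridge0 for the "LAN" and a single ruleset covers both the wired and the wireless side; the span line is the one to reach for when you want a sensor to see the bridged traffic without inserting it in the path.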