
Firewalling on VLANs with redundant STP bridges?



Hi,
I have a network currently partitioned using the rather dated product
called "SunScreen" from Sun Microsystems.  Obviously, I'd like to replace
it with two OpenBSD pf firewalls running as STP-capable bridges.
It would look something like this:
                    Inet
                      |
               border gateway
                      |
               managed switch
                |            |
         obsd pf0 -pfsync- obsd pf1
          |     \          /     |
          |      \        /      |      <- trunks
           \      \      /      /
            \      \    /      /
             \      \  /      /
              \      \/      /
               \     /\     /
                \   /  \   /
               switch-**-switch
            VLANs --- about six or so
(** is a trunk, or rather a "stack" as Cisco says)
Where the master firewall updates the state tables in the backup
firewall using pfsync on a private interface, and simply bridges between
the two switches below using VLANs.  Obviously, the two switches at the
bottom will be configured securely "enough" for this network (static
VLAN membership, disabled negotiation, forced switchport mode, etc.)
My questions are as follows:
1.  Does pfsync work with bridging firewalls?  (I don't see any reason
why not, but I thought I'd ask)
2.  Does pf work on VLAN interfaces?  Specifically, if I create a bunch
of VLAN interfaces on two physical interfaces, then plug them into
trunks with those VLANs, can I then add said VLAN interfaces to pf?
This also assumes that having the same VLANs on two separate physical
interfaces won't matter, as they will be "blocked" by STP.  (Note that
each firewall connects to both switches)
3.  There will be about six VLANs on the two switches at the bottom.  I
read in a FAQ [1] that when running bridges
it is best to pass everything in on one interface and filter on the
other.  Obviously, since there will be multiple "interfaces" on the
bridge, do I simply have to incur the "two rule" (in + out) performance
penalty?
	i.  I'd love to use physical interfaces, but the combination of
lack of switch ports and lack of ports on the OpenBSD bridges prevents
this.  Hence my interest in VLANs.
(Yes --- I realize it would be ideal from an HA standpoint to run the 
obsd pf's at layer three and replace the border gateway, but that's 
not currently an option)
I searched around with Google + mailing list archives, and I didn't 
see anything saying this wouldn't work, but I thought I would ask.  If
it has been discussed before, please point me to it and I apologize.
PS: as a sidebar, I'd like to use Gigabit Ethernet cards in the pf
bridges, but I don't think the card I'd need is supported:
http://sunsolve.sun.com/handbook_pub/Devices/Ethernet/ETHER_QGE_UTP.html
I think it's just a set of National Semiconductor NICs with Intel PCI bridges.  
I can have one donated (July/August timeframe if I'm lucky) if that would 
assist in the writing of a driver.
Many thanks!
1.  http://marc.theaimsgroup.com/?l=openbsd-tech&m=100220976320265&w=2
-- 
adam