DaemonForums  

Old 13th September 2016
rbigm101
MacVTap VEPA with OpenBSD router/firewall, need bridge to reflect on same segment

Hello community! Long time thread reader, first time poster. Here is what I would like some help with if someone is available to do so.

I'm using OpenBSD 5.0 i386

I had followed this guide posted below, and I had successfully set up a couple of VEPA connections using MacVTap on my Debian KVM server running libvirt. If you are unfamiliar with this type of VM connection, it does not allow the VMs or the host to talk to each other; all frames get sent to the LAN directly.

The advantage of this is that I can use my existing firewall rules in pf, and simply add the VM to the appropriate table and enjoy the benefits of OpenBSD security, all while still having my VMs isolated from the host and each other exactly the way I want them to be, managed from one location.

The issue is (according to the bridge(4) man page) that "If the destination is on the same segment as the origin segment, the bridge will drop the packet because the receiver has already had a chance to see the frame."

Now this is my issue: I'm having a difficult time getting a workaround together (one that I'm assuming involves removing the interface in question from the bridge), mostly because I'm not sure which components of OpenBSD (like a !route line in hostname.if) are operating in the layer that I'm trying to deal with (layer 2?). I have tried to disable STP on the port in question (using a line in hostname.if), and I have tried bridging vether devices together so I can merry-go-round the frames back to the interface, but the bridges won't seem to allow a vether device on more than one bridge. I have also tried integrating trunks and VLANs, to no success.

The biggest thing that has brought me to the forum with this issue is that my experiments with the various pseudo-devices are not doing what I am predicting they will in any way. I am guessing this is a result of the pseudo-devices being designed to work concisely, and not in the way that I'm using them.

Linux has a 'Hairpin mode' and some physical switches offer a 'Reflective Relay' mode; I had assumed that I could implement this in OpenBSD.

If someone could describe to me a theory that I could try to implement, I would be most appreciative.

https://seravo.fi/2012/virtualized-b...g-with-macvtap

Thank you,

Mike
__________________
The bugs will pass, but the functionality will remain.

Last edited by rbigm101; 13th September 2016 at 09:33 PM. Reason: Title lacked clarity, lacked example of this functionality in other systems, lacked my OpenBSD version