Subject: filtering a bridge
From: Paul Dokas <>
List: current-users
Date: 02/08/2002 14:37:09

I'm in the dubious position of having to throw out my 100Mbps firewall
because someone just ordered a 1Gbps link without asking what would be
affected.  And, I'm also going to lose my IPSec tunnels to remote sites
and the VPN (IPSec) support for my mobile userbase :-(

So, after talking things over with my boss, it looks like the only
workable solution is to get some x86 machines, GigE NICs and build a
bridging firewall for each of my sites and then use IPSec to link them
together.   Furthermore, the firewalls must be bridging (I think).  Direct
routing is not possible as my Cisco RSM does a rather good job at GigE
speed.  The only other solution that I've found is *really* expensive
and keeps me in vendor support hell.

I've been building NetBSD based firewalls for quite some time and I've
put together IPSec tunnels between them as well.  I have no problems
with that.  However, the ability to filter a bridge is missing.  And I
*really* want to stay with NetBSD for this project, for many reasons.

I recall a long time ago Jason Thorpe was working on something that
he called the Zembu Packet Filter (ZPF). And then it seems to have
disappeared from public view.  Is this still being worked on?  I'll
gladly do all that I can to develop and test it if it can be made
available to me.  I'm very motivated to get a NetBSD based solution.

Also, WRT supporting mobile users, it would really help if someone could
look into kern/13813 for me.  It's really easy to repeat (see the racoon
config files that I posted last week in tech-net).  Without a fix, I
can't use NetBSD to support mobile IPSec users.  However, this is not
as big a deal as filtering a bridge.

I'd love to hear any other suggestions/opinions from people in similar
situations.  Personally, I'd rather just stick with 100Mbps.  It works
and we're only pushing peaks of 10Mbps.  I guess that buzzword compliance
is just too valuable for people to give a damn how it affects me and my
ability to get my job done.  <sigh>

Also, I know that there are liable to be performance issues WRT bridging
two GigE nics.  I don't care about performance so much as just being able
to do it.  As I mentioned we'll only be pushing 1/100th of the total band-

Paul Dokas                                  
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
