Post by mikael on May 26, 2015 8:03:10 GMT
Hi everyone, I'm new here but I'm a long-time m0n0wall-er, and I'm really glad you guys picked up this great project. I still have quite some sites where I have old ALIX boards with m0n0wall. Those boards have 128MB RAM and can't be upgraded, so I'm kinda hoping that smallwall takes off. As much as I do like m0n0wall, I have found a few limitations compared to pfSense. Some of them are obviously because of hw limitations, but some of them are just IMO bad implementation choices. The most obvious limitation (for me at least) is the very limited bridge configuration possibilities in m0n0wall. I would very much like to see more flexible bridge configuration possibilities in smallwall, perhaps the way this is solved in pfSense. I don't think that this would have any negative effect on hw requirements, if implemented well. Thanks for listening, Mikael Bak
Post by Lee Sharp on Jun 2, 2015 14:54:58 GMT
What is missing in the way SmallWall does bridging?
Post by mikael on Jul 2, 2015 10:24:35 GMT
Hi Lee, Let me first say that since my first post I have upgraded two old m0n0wall boxes (ALIX, 128MB RAM) to the latest smallwall release with the unsigned serial console images and it worked perfectly! This gives me confidence to upgrade the rest of my ALIX installations to smallwall. Thank you! I'm also glad that L2TP/IPsec is included as an alternative to PPTP. Great work! To answer your question about what's missing: maybe there's nothing missing. Maybe the bridge configuration logic in smallwall is only different from what I expect or got used to elsewhere. I'm sort of used to creating a bridge interface, putting physical or virtual interfaces in that one, then giving that bridge interface an IP address. In smallwall the logic is somehow different, but I'm not sure that's a limiting factor. I don't know how bridging is implemented in smallwall. In short, I want to be able to have a physical interface (say OPT1) carrying two or more VLANs (say VLAN5, VLAN6) and then be able to bridge VLAN5 with LAN. I'm not sure exactly how I can do this in smallwall. In my example OPT1 is a trunk port with two VLANs that is connected to a wireless AP (openwrt). The wireless AP has two WLANs (one protected and one guest access, also VLAN5 and VLAN6). In smallwall I therefore want to bridge VLAN5 with LAN, and VLAN6 will not access LAN at all. I have done similar configurations before, but not with smallwall/m0n0wall; I had MikroTik on that site. Any hints are appreciated. TIA, Mikael
Post by Lee Sharp on Jul 3, 2015 15:46:45 GMT
Ah ha! Now I get you. To start, I have not worked with this in that way. I have done a lot of Linux bridging, where two interfaces are bridged and you work with br0 for the IP address and VLAN activity. And I have bridged non-VLAN SmallWall interfaces. I have never bridged a VLAN to an interface, and I am not sure how you would. What I can tell you is that if it can be done in FreeBSD, it can be done in SmallWall with the right code, and a little cursing.
Post by mikael on Jul 21, 2015 13:21:36 GMT
Hi again, While trying to make the above configuration work I think I have found a quite nasty bug in smallwall (probably inherited from m0n0wall).
Perhaps some of you would argue this is not a bug but a feature. I pulled all my hair out over the last couple of days before I realized what's happening.
Reproduce bug/feature:
1) Bridge something (a VLAN or a WLAN) to LAN. Have the DHCP server run on LAN.
2) Pull the LAN cable. The LAN interface goes down.
3) Your bridge will no longer work: no DHCP for whatever you bridged with LAN.
I found that it doesn't really matter what you plug LAN into as long as it gets the network interface to detect link up. And that brings the bridge back up too.
To sum up: it is possible to bridge a VLAN with LAN in smallwall just like I wanted. Just make sure LAN is connected to a powered-up switch at all times.
Post by mikael on Jul 21, 2015 14:00:49 GMT
A possible fix to the above problem could be to not assign the IP configuration to the physical LAN interface when it is a member of a bridge, but instead assign the IP configuration to the bridge interface (bridge0). Then the bridge will probably survive if the LAN interface gets a link-down event. This is actually the recommended way of doing bridging according to the FreeBSD documentation: "If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces." www.freebsd.org/doc/handbook/network-bridging.html
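The two layouts being contrasted in this thread, written out as plain FreeBSD rc.conf fragments, plus a small check that flags the pattern mikael describes (an inet address sitting on a bridge member). This is an added illustration, not code from SmallWall, m0n0wall or the handbook; the interface names vr0/vr2, the VLAN tag 5, and the 192.168.1.1/24 address are assumptions chosen for the example.

```shell
#!/bin/sh
# Constructed rc.conf fragments for a FreeBSD host that bridges a tagged VLAN
# (vlan5 on top of trunk NIC vr2) with the LAN NIC vr0. Names/addresses are
# assumptions for this example only.

# m0n0wall-style layout: the LAN address lives on the member NIC vr0, so it
# follows vr0's link state. This is the layout the thread's "pull the LAN
# cable" symptom points at.
weak_rc_conf() {
cat <<'EOF'
cloned_interfaces="bridge0 vlan5"
ifconfig_vr2="up"
ifconfig_vlan5="vlan 5 vlandev vr2 up"
ifconfig_vr0="inet 192.168.1.1/24"
ifconfig_bridge0="addm vr0 addm vlan5 up"
EOF
}

# Handbook layout: members carry no address; bridge0 owns 192.168.1.1/24 and
# keeps it regardless of any single member's link state.
fixed_rc_conf() {
cat <<'EOF'
cloned_interfaces="bridge0 vlan5"
ifconfig_vr2="up"
ifconfig_vlan5="vlan 5 vlandev vr2 up"
ifconfig_vr0="up"
ifconfig_bridge0="inet 192.168.1.1/24 addm vr0 addm vlan5 up"
EOF
}

# lint_bridge_members: read an rc.conf fragment on stdin, collect every
# interface named after "addm" in an ifconfig_bridgeN line, and print those
# members whose own ifconfig_<member> line also assigns an "inet" address.
# Exit status 1 if any such member exists, 0 otherwise.
lint_bridge_members() {
    conf=$(cat)
    members=$(printf '%s\n' "$conf" \
        | sed -n 's/^ifconfig_bridge[0-9]*="\(.*\)"$/\1/p' \
        | tr ' ' '\n' \
        | awk '$0=="addm"{getline; print}')
    bad=""
    for m in $members; do
        if printf '%s\n' "$conf" | grep -q "^ifconfig_${m}=\".*inet "; then
            bad="$bad $m"
        fi
    done
    bad=$(printf '%s' "$bad" | sed 's/^ //')
    printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# Demo: the weak layout is flagged (prints "vr0"), the fixed one is clean.
weak_rc_conf | lint_bridge_members || echo "weak layout: address on a bridge member"
fixed_rc_conf | lint_bridge_members && echo "fixed layout: address on bridge0 only"
```

The check is deliberately conservative: it only looks at `addm` members of `ifconfig_bridgeN` lines and at a literal `inet` keyword, so a member configured by a later `ifconfig_<member>_alias0` line would not be caught; extend the grep if that pattern is in use.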
Post by Lee Sharp on Jul 21, 2015 14:05:18 GMT
That is a limitation I am aware of, and it is in Linux as well. If an interface is not up, the services on that interface hang for quite a while before timing out. This makes some of my Linux systems boot very slowly. On some of my "sniffers" I bridge two interfaces and set the DHCP client on br0 so that it can pull from either interface, but doing that on SmallWall assumes a br0, which may not be there... It is not an easy thing. But if you have any ideas, I am open to suggestions!
Post by mikael on Jul 21, 2015 15:10:23 GMT
If we had a way to tell smallwall not to assign the network configuration to the physical interface when it's a member of a bridge, perhaps with an additional checkbox, that'd maybe do it.
pfSense has another approach: no automatic stuff whatsoever. If you want a bridge, you create one and you put the members in there by hand (it's a menu similar to the one where you define VLANs in smallwall). I like that, because it gives me more flexibility.
Do not misunderstand me. I don't want smallwall to be another pfSense. I like the old m0n0wall style, but bridge configuration is not as flexible as it could be.
I will pull the source tree and have a look around. If I find some way to solve this without too much work, I'll let you know.
Thanks!
Post by Lee Sharp on Jul 21, 2015 18:03:51 GMT
Sounds good. There is always a compromise between ease of use and features. It may be something that can be done with OPT interfaces, since changing LAN while it is in use might be a challenge.