How-To LAN bridge: removal of port isolation #890

Open

Sumpfdotter wants to merge 1 commit into opnsense:master from Sumpfdotter:howto-bridge-merge-broadcast-domains

Conversation

@Sumpfdotter


Added a new "Port Isolation" section ("Step 7") to the LAN bridge how-to.

Fixes: opnsense/core#10468

The original how-to leaves users with ARP port isolation disabled but IP port isolation still enabled because traffic between bridge member interfaces is filtered by the firewall by default.

The new section explains this behavior and shows how to allow IP traffic between bridge member interfaces when port isolation is not desired.

**Step Seven**
-----------------

OPT1, OPT2, and OPT3 are now configured as a single broadcast domain. However, IP traffic between bridge member

Member

I'd suggest mentioning net.link.bridge.pfil_onlyip here for completeness as it influences the claim of "single broadcast domain".

Author

I had the same thought at first. Then I reviewed the document again while looking at all bridge-related tunables:

net.link.bridge.ipfw: 0
net.link.bridge.member_ifaddrs: 1
net.link.bridge.log_mac_flap: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0

It turned out that the document only mentions tunables that need to be changed from their default values.

I want to either explain all of the bridge tunables or only document the ones that deviate from the defaults. Since the current how-to intentionally contains very little low-level technical detail, I chose not to clutter it with a complete list of tunables.

Member

Defaults may change and people have a different focus on the document. It's ok for me to leave it as suggested, but I wanted to illustrate how you think to close the gap in the document but also introduce another point of future contention from someone else. Not everyone who is dissatisfied with the documentation will raise a ticket or mention it somewhere for us to see.


Successfully merging this pull request may close these issues.

OPNsense 26.4.1 Business Edition: Bridge interface blocks L2-forward for IP (while ARP is working)