How-To LAN bridge: removal of port isolation #890
Conversation
| **Step Seven** |
| --- |
| OPT1, OPT2, and OPT3 are now configured as a single broadcast domain. However, IP traffic between bridge member |
I'd suggest mentioning net.link.bridge.pfil_onlyip here for completeness as it influences the claim of "single broadcast domain".
I had the same thought at first. Then I reviewed the document again while looking at all bridge-related tunables:
net.link.bridge.ipfw: 0
net.link.bridge.member_ifaddrs: 1
net.link.bridge.log_mac_flap: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0
It turned out that the document only mentions tunables that need to be changed from their default values.
I want to either explain all of the bridge tunables or only document the ones that deviate from the defaults. Since the current how-to intentionally contains very little low-level technical detail, I chose not to clutter it with a complete list of tunables.
Defaults may change, and people have a different focus on the document. It's ok for me to leave it as suggested, but I wanted to illustrate how you think to close the gap in the document but also introduce another point of future contention from someone else. Not everyone who is dissatisfied with the documentation will raise a ticket or mention it somewhere for us to see.
Added a new "Port Isolation" section ("Step 7") to the LAN bridge how-to.
Fixes: opnsense/core#10468
The original how-to leaves users with ARP port isolation disabled but IP port isolation still enabled because traffic between bridge member interfaces is filtered by the firewall by default.
The new section explains this behavior and shows how to allow IP traffic between bridge member interfaces when port isolation is not desired.
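The review thread above argues about which bridge tunables a how-to should list (only those that deviate from defaults) and which of them govern whether the firewall filters traffic between bridge members. The script below is an added example, not code from the OPNsense how-to or from this PR: it takes the tunable dump quoted in the thread as a constructed sample, compares it against a table of bridge(4) defaults that is an assumption to be verified against the release in use, and reports where pf hooks into bridged traffic (pfil_bridge, pfil_member, pfil_onlyip). The function names `tunable_value`, `bridge_deviations` and `pfil_hooks` are the example's own.

```shell
#!/bin/sh
# Added example (not part of the OPNsense how-to or this PR): compare a
# bridge(4) sysctl dump against assumed upstream defaults and show which
# pfil hook points the firewall uses for bridged frames.

# Constructed sample: the tunable dump quoted in the review thread.
SAMPLE_TUNABLES='net.link.bridge.ipfw: 0
net.link.bridge.member_ifaddrs: 1
net.link.bridge.log_mac_flap: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0'

# Assumed defaults per bridge(4); verify against your release with
# `sysctl -d net.link.bridge`. Tunables not listed here are skipped.
BRIDGE_DEFAULTS='net.link.bridge.ipfw 0
net.link.bridge.log_mac_flap 1
net.link.bridge.allow_llz_overlap 0
net.link.bridge.inherit_mac 0
net.link.bridge.log_stp 0
net.link.bridge.pfil_local_phys 0
net.link.bridge.pfil_member 1
net.link.bridge.ipfw_arp 0
net.link.bridge.pfil_bridge 1
net.link.bridge.pfil_onlyip 1'

# tunable_value DUMP KEY: print the value of KEY from a "key: value" dump.
tunable_value() {
    printf '%s\n' "$1" | while read -r key value; do
        if [ "${key%:}" = "$2" ]; then
            printf '%s\n' "$value"
            break
        fi
    done
}

# bridge_deviations DUMP: print "key current default" for every tunable whose
# value differs from the assumed default. This is the list a how-to that only
# documents non-default settings would have to mention.
bridge_deviations() {
    printf '%s\n' "$BRIDGE_DEFAULTS" | while read -r key def; do
        cur=$(tunable_value "$1" "$key")
        [ -n "$cur" ] || continue              # tunable absent from the dump
        [ "$cur" = "$def" ] || printf '%s %s %s\n' "$key" "$cur" "$def"
    done
}

# pfil_hooks DUMP: describe where pf sees bridged frames. pfil_bridge=1 filters
# on the bridge interface, pfil_member=1 on each member interface, and
# pfil_onlyip=1 restricts filtering to IP packets so ARP and other non-IP
# frames bypass the firewall entirely.
pfil_hooks() {
    hooks=""
    [ "$(tunable_value "$1" net.link.bridge.pfil_bridge)" = 1 ] && hooks="$hooks bridge"
    [ "$(tunable_value "$1" net.link.bridge.pfil_member)" = 1 ] && hooks="$hooks member"
    [ -n "$hooks" ] || hooks=" none"
    if [ "$(tunable_value "$1" net.link.bridge.pfil_onlyip)" = 1 ]; then
        hooks="$hooks ip-only"
    else
        hooks="$hooks all-frames"
    fi
    printf '%s\n' "${hooks# }"
}

# Usage: on a firewall, replace the sample with `sysctl net.link.bridge` output.
echo "Non-default bridge tunables (key current default):"
bridge_deviations "$SAMPLE_TUNABLES"
echo "pf hook points for bridged traffic: $(pfil_hooks "$SAMPLE_TUNABLES")"
```

For the sample dump the script reports pfil_member and pfil_onlyip as the two tunables that differ from the assumed defaults, and shows that pf filters on the bridge interface for all frame types; whether IP traffic between members then passes depends on the rules attached to that bridge interface, which is exactly what the new Step 7 addresses.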