network-bridging.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Bridging</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="Advanced Networking" href="advanced-networking.html" />
<link rel="PREVIOUS" title="Bluetooth" href="network-bluetooth.html" />
<link rel="NEXT" title="NFS" href="network-nfs.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="network-bluetooth.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 19. Advanced Networking</td>
<td width="10%" align="right" valign="bottom"><a href="network-nfs.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="NETWORK-BRIDGING" name="NETWORK-BRIDGING">19.5.
Bridging</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Written by</span> Steve Peterson.</i> 

<div class="SECT2">
<h2 class="SECT2"><a id="AEN26008" name="AEN26008">19.5.1. Introduction</a></h2>

<p>It is sometimes useful to divide one physical network (such as an Ethernet segment)
into two separate network segments without having to create IP subnets and use a router
to connect the segments together. A device that connects two networks together in this
fashion is called a ``bridge''. A FreeBSD system with two network interface cards can act
as a bridge.</p>

<p>The bridge works by learning the MAC layer addresses (Ethernet addresses) of the
devices on each of its network interfaces. It forwards traffic between two networks only
when its source and destination are on different networks.</p>

<p>In many respects, a bridge is like an Ethernet switch with very few ports.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN26018" name="AEN26018">19.5.2. Situations Where Bridging Is
Appropriate</a></h2>

<p>There are two common situations in which a bridge is used today.</p>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN26021" name="AEN26021">19.5.2.1. High Traffic on a
Segment</a></h3>

<p>Situation one is where your physical network segment is overloaded with traffic, but
you do not want for whatever reason to subnet the network and interconnect the subnets
with a router.</p>

<p>Let us consider an example of a newspaper where the Editorial and Production
departments are on the same subnetwork. The Editorial users all use server A for file
service, and the Production users are on server B. An Ethernet is used to connect all
users together, and high loads on the network are slowing things down.</p>

<p>If the Editorial users could be segregated on one network segment and the Production
users on another, the two network segments could be connected with a bridge. Only the
network traffic destined for interfaces on the ``other'' side of the bridge would be sent
to the other network, reducing congestion on each network segment.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN26027" name="AEN26027">19.5.2.2. Filtering/Traffic Shaping
Firewall</a></h3>

<p>The second common situation is where firewall functionality is needed without IP
Masquerading (NAT).</p>

<p>An example is a small company that is connected via DSL or ISDN to their ISP. They
have a 13 globally-accessible IP addresses from their ISP and have 10 PCs on their
network. In this situation, using a router-based firewall is difficult because of
subnetting issues.</p>

<p>A bridge-based firewall can be configured and dropped into the path just downstream of
their DSL/ISDN router without any IP numbering issues.</p>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN26042" name="AEN26042">19.5.3. Configuring a Bridge</a></h2>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN26044" name="AEN26044">19.5.3.1. Network Interface Card
Selection</a></h3>

<p>A bridge requires at least two network cards to function. Unfortunately, not all
network interface cards as of FreeBSD&nbsp;4.0 support bridging. Read <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">bridge</span>(4)</span> for details on
the cards that are supported.</p>

<p>Install and test the two network cards before continuing.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN26051" name="AEN26051">19.5.3.2. Kernel Configuration
Changes</a></h3>

<p>To enable kernel support for bridging, add the:</p>

<pre class="PROGRAMLISTING">
options BRIDGE
</pre>

<p>statement to your kernel configuration file, and rebuild your kernel.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN26059" name="AEN26059">19.5.3.3. Firewall Support</a></h3>

<p>If you are planning to use the bridge as a firewall, you will need to add the <var
class="VARNAME">IPFIREWALL</var> option as well. Read <a href="firewalls.html">Section
10.8</a> for general information on configuring the bridge as a firewall.</p>

<p>If you need to allow non-IP packets (such as ARP) to flow through the bridge, there is
an undocumented firewall option that must be set. This option is <var
class="LITERAL">IPFIREWALL_DEFAULT_TO_ACCEPT</var>. Note that this changes the default
rule for the firewall to accept any packet. Make sure you know how this changes the
meaning of your ruleset before you set it.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN26068" name="AEN26068">19.5.3.4. Traffic Shaping
Support</a></h3>

<p>If you want to use the bridge as a traffic shaper, you will need to add the <var
class="LITERAL">DUMMYNET</var> option to your kernel configuration. Read <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">dummynet</span>(4)</span> for further
information.</p>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN26075" name="AEN26075">19.5.4. Enabling the Bridge</a></h2>

<p>Add the line:</p>

<pre class="PROGRAMLISTING">
net.link.ether.bridge=1
</pre>

<p>to <tt class="FILENAME">/etc/sysctl.conf</tt> to enable the bridge at runtime, and the
line:</p>

<pre class="PROGRAMLISTING">
net.link.ether.bridge_cfg=<var class="REPLACEABLE">if1</var>,<var
class="REPLACEABLE">if2</var>
</pre>

<p>to enable bridging on the specified interfaces (replace <var
class="REPLACEABLE">if1</var> and <var class="REPLACEABLE">if2</var> with the names of
your two network interfaces). If you want the bridged packets to be filtered by <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ipfw</span>(8)</span>, you should
add:</p>

<pre class="PROGRAMLISTING">
net.link.ether.bridge_ipfw=1
</pre>

<p>as well.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN26092" name="AEN26092">19.5.5. Other Information</a></h2>

<p>If you want to be able to telnet into the bridge from the network, it is OK to assign
one of the network cards an IP address. The consensus is that assigning both cards an
address is a bad idea.</p>

<p>If you have multiple bridges on your network, there cannot be more than one path
between any two workstations. Technically, this means that there is no support for
spanning tree link management.</p>

<p>A bridge can add latency to your ping times, especially for traffic from one segment
to another.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="network-bluetooth.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="network-nfs.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Bluetooth</td>
<td width="34%" align="center" valign="top"><a href="advanced-networking.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">NFS</td>
</tr>
</table>
</div>
</body>
</html>