So far I’ve used OpenBSD as a layer 3 (routing) and layer 4 (firewalling) device, but it also has layer 2 functionality. For example, it’s possible to bridge between interfaces and use two, three, or more NICs as a logical switch.
Setting it up is quite easy:
- All interfaces that are part of the bridge have to be up, which can be done by creating their respective /etc/hostname.<interface> files and adding the word ‘up’ in each file.
- The bridge has to be defined with /etc/hostname.bridge0. Add one line per interface, ‘add interface’, and the word ‘up’ again.
- There’s no IP needed on each port as it’s a layer 2 thing now. You can define an IP though.
- net.inet.ip.forwarding and net.inet6.ip6.forwarding do not have to be activated for this, as it’s not forwarding, but bridging.
You can now still use pf for filtering on the interfaces, and create a layer 2 transparent firewall. Keep in mind that if you’re used to hardware switching, this is all done in software now, and the NICs will be in promiscuous mode, so high throughput will require high processing power. According to ifconfig, spanning tree seems to be active on the interfaces too (as it should be!) but I was unable to test it.
Update 28/01/2012: spanning tree works after adding the lines ‘stp interface’ to /etc/hostname.bridge0, one for each interface.
Using one interface as a trunk link is possible already with simple bridging, as any frame will be passed on, but to let OpenBSD participate in the VLANs, an SVI can be defined:
- Create a file /etc/hostname.vlan<id>, e.g. /etc/hostname.vlan5. Add the IP address line, just like for a physical interface, but bind it to the trunk link with the ‘vlandev’ keyword: ‘inet ip-address subnetmask vlan vlan-id vlandev interface’
- If you want to do inter-VLAN routing, net.inet.ip.forwarding and net.inet6.ip6.forwarding need to be set to 1. Otherwise the interface will work, but no routing will take place.
- Unfortunately, it only works on one physical interface, so it restricts OpenBSD to a router-on-a-stick kind of configuration.
Now OpenBSD can do inter-VLAN routing, and accepts 802.1Q tagged frames. Note that the physical interface can still have an IP address, which will be used for the untagged traffic on the interface.
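As an added example (not from the original post), the two procedures above as a small POSIX shell script: it writes the hostname.if files for a three-port bridge with STP per port and a VLAN SVI bound to the trunk port, and then checks that every bridge member really has its own ‘up’ file, which is the step most easily forgotten. Interface names em0-em2, VLAN 5 and the address 10.0.5.1/24 are assumed values; the target directory is a parameter so the files can be staged somewhere other than /etc first.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names em0-em2,
# VLAN 5 and 10.0.5.1/24 are assumed; the directory is a parameter so
# the files can be written somewhere other than /etc for inspection.

MEMBERS="em0 em1 em2"   # bridge ports (assumed names)
TRUNK="em0"             # the port that receives 802.1Q-tagged frames
VLAN_ID=5
SVI_ADDR="10.0.5.1"
SVI_MASK="255.255.255.0"

# hostname.<if> for every member: just 'up', no IP needed at layer 2.
# hostname.bridge0: 'add' and 'stp' per member, then 'up'.
write_bridge_config() {
    dir="$1"
    for i in $MEMBERS; do
        printf 'up\n' > "$dir/hostname.$i"
    done
    {
        for i in $MEMBERS; do
            printf 'add %s\nstp %s\n' "$i" "$i"
        done
        printf 'up\n'
    } > "$dir/hostname.bridge0"
}

# hostname.vlan<id>: the IP lives on the vlan(4) interface, bound to the
# trunk with vlandev. NONE is the broadcast-address field of hostname.if(5).
# Inter-VLAN routing additionally needs net.inet.ip.forwarding=1.
write_svi_config() {
    dir="$1"
    printf 'inet %s %s NONE vlan %s vlandev %s\n' \
        "$SVI_ADDR" "$SVI_MASK" "$VLAN_ID" "$TRUNK" > "$dir/hostname.vlan$VLAN_ID"
}

# Check: each 'add'ed member has an 'up' line in its own hostname file,
# and each 'stp' line names a member. Prints offenders, returns 1 if any.
check_bridge_config() {
    dir="$1"; rc=0
    while read -r kw arg; do
        case "$kw" in
        add) grep -qx 'up' "$dir/hostname.$arg" 2>/dev/null ||
                { echo "member $arg is not 'up' in hostname.$arg" >&2; rc=1; } ;;
        stp) grep -qx "add $arg" "$dir/hostname.bridge0" ||
                { echo "stp on $arg but it is not a bridge member" >&2; rc=1; } ;;
        esac
    done < "$dir/hostname.bridge0"
    return $rc
}

if [ $# -gt 0 ]; then   # e.g. sh bridge.sh /etc as root, then sh /etc/netstart
    write_bridge_config "$1" && write_svi_config "$1" && check_bridge_config "$1"
fi
```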
Do you assign the /etc/hostname.bridge0 an IP address or the /etc/hostname.fx0 an IP address if you want it to act as a router and switch?
Hi Mike,
Sorry for the late reply. I assigned the IP to the fx0 interface. It didn’t make sense to me, as the whole bridge is one logical entity, but I couldn’t assign an IP to the bridge0. Perhaps I did something wrong?
Greetings!
Thanks for the reply Reggle. 🙂
I finally ended up getting a soekris and I ended up assigning an IP to /etc/hostname.vr1 and /etc/hostname.vr2 (192.168.1.1 and 192.168.1.2) and joining those both to the bridge, and in the pf.conf I added:
pass quick on { vr1 vr2 }
I am able to see devices off of either of these ports to the other. It works great.
Next project on my list will be to figure out how to set up OpenVPN to have layer 2 access to my home network. Any suggestions for OpenBSD 5.0 and OpenVPN reading material are appreciated.
Hi,
To add one of those adapters, for example em0, as an interface connecting to a Cisco VLAN trunk port, you would add it in like this?:
# nano /etc/hostname.em0
up
# nano /etc/hostname.vlan1
vlan 1 vlandev em0
That would be correct?