Sunday, October 01, 2023

Re: Bridging em and vlan

On Sat, Sep 30, 2023 at 11:39:36AM -0400, David Higgs wrote:
> All of my devices until now have been behind my OpenBSD NAT router, but I
> recently acquired an Internet of Trash device that I would like to be
> accessible to the internet (yes, I know).
>
> My home configuration uses a Unifi AP to translate my various SSIDs into
> VLANs which plug into one of my APU em(4) ports. The IoT thing already has
> its own dedicated SSID/VLAN, but doesn't enjoy living behind my NAT.

Define "doesn't enjoy". It absolutely requires a public IP? It needs
some ports to be forwarded? Has some sort of network connection
detection that fails because some ports are blocked for outgoing
traffic?

> Is there a way for me to bridge just one of the vlan(4) logical interfaces
> with my other em(4) uplink, so that my IoT item can speak DHCP directly
> with my internet provider?

Assuming your WAN connection also gets its IP address by DHCP, will your
ISP assign you multiple IP addresses, one for your uplink, one for the
IoT device?

> Can this be done with veb/vport or bridge, or will I need to use something
> more exotic to strip the 802.1q tags before they are sent to my ISP?

If you absolutely need the IoT device to have an unfiltered connection to
the internet, you can just create a DMZ of sorts for that VLAN, let all
traffic pass out, forward the necessary ports for incoming traffic, and,
assuming you don't trust the device at all, block all traffic from that
VLAN to the rest of the network (or be very selective about it), and
maybe also from other VLANs to that VLAN. Putting it in a different
rdomain altogether might also be a good idea.

> Thanks in advance,
>
> --david

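A pf.conf sketch of the DMZ-VLAN approach described in the reply above, added here as an illustration; it is not part of the original thread and not the OpenBSD project's own configuration. The interface names (em0, em1, vlan10, vlan20), the VLAN addresses, the device address and the forwarded port are all assumptions, and the separate-rdomain variant is not shown.

```pf
# Added example, not from the original thread: /etc/pf.conf fragment for a
# DMZ VLAN on an OpenBSD NAT router. em0, em1, vlan10/vlan20, the
# addresses and the forwarded port are assumed values for illustration.
ext_if   = "em0"             # uplink to the ISP, addressed by DHCP
lan_if   = "vlan10"          # trusted home network, 802.1q on em1
iot_if   = "vlan20"          # IoT SSID, 802.1q on em1
iot_net  = "192.168.20.0/24"
iot_dev  = "192.168.20.10"   # the device that must be reachable from outside
iot_port = "8443"            # assumed service port; use the device's real one

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
block return log all         # default deny; log what is dropped

# NAT everything leaving the uplink.
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# Inbound: forward only the one port, only to the one device.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $iot_port \
    rdr-to $iot_dev port $iot_port

# IoT VLAN: pf is last-match, so the broad pass is overridden by the
# later blocks, and the narrow passes at the end re-open only DHCP and
# DNS towards the router itself.
pass in on $iot_if inet from $iot_net to any
block return in on $iot_if from $iot_net to <rfc1918>   # no LAN, no other VLANs
block return in on $iot_if from $iot_net to self        # no router services either
pass in on $iot_if inet proto udp from any port 68 to any port 67
pass in on $iot_if inet proto { tcp udp } from $iot_net to ($iot_if) port 53

# Trusted LAN: may reach the internet and the device's service port,
# but nothing else on the IoT VLAN.
pass in on $lan_if inet from $lan_if:network to any
block return in on $lan_if from $lan_if:network to $iot_net
pass in on $lan_if inet proto tcp from $lan_if:network to $iot_dev port $iot_port

# Let the router's own traffic and forwarded packets leave.
pass out on $ext_if inet
pass out on $iot_if inet
pass out on $lan_if inet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the expansion with `pfctl -sr`. The effect is the one the reply describes: the device gets a NATed path to the internet and one forwarded port inbound, but cannot initiate anything towards the other VLANs or the router beyond DHCP and DNS, and the trusted LAN can only talk to it on the service port.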