Desired outcome: I would like to be able to use the second port on my FreeBSD firewall's 10G adapter (Intel X520-DA2) to act as a switch port so that I can connect another FreeBSD system. Ideally, the secondary host would connect to the firewall's ix1 port directly to provide network and Internet access to jails and bhyve guests running on both the untagged LAN and various VLANs. This is proving to be much more challenging than I had originally anticipated, and I am going in circles with AI platforms trying to figure this out.
Background: my FreeBSD firewalls are running in high-availability mode using CARP. The primary firewall connects to my core switch using a 10G connection, the backup firewall connects via a 1G connection. I only have two 10G ports on my core switch, one of which is connected to the primary firewall, the other is connected to another FreeBSD server. I am not in a position to replace the core switch, add additional switches, etc.
I cannot use a bridge interface on my ix0 and ix1 connections, since the ix0 interface is acting as the parent device for a number of VLANs. In addition to acting as the parent interface for my VLANs, ix0 is also configured to act as my primary untagged LAN uplink and has an IP address of 10.0.1.2/24 (with CARP running on 10.0.1.1/24).
I've attempted to use the ether.bridge script to create a netgraph bridge, but the bridge only passes untagged traffic, no VLAN traffic passes over the netgraph bridge.
I've attempted to configure the ix1 interface in a different FIB (after adding an IP address within the same subnet as ix0, 10.0.1.4/24), but I am unable to create the necessary pf rules to address the asymmetrical routing issues (two interfaces in the same network address space attempting to pass traffic back and forth to one another). As a result, I cannot ping the firewall from one of the jails and vice versa. I am not in a position to re-IP the jails to use a different network subnet; I need them to remain on the 10.0.1.0/24 network.
I've also attempted to configure the two ports on a Chelsio T6225 to act as a small switch, but that was a lost cause.
I am hoping someone is able to provide some insight as to how to achieve my desired outcome without needing to migrate to another operating system (Linux or OpenBSD). Any assistance is appreciated.
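An added example, not part of the original post and not the ether.bridge script itself: a small sh script that wires ix0 and ix1 into one ng_bridge(4) node the same way ether.bridge does (each port's lower and upper ng_ether hooks become separate bridge links), but first turns off the VLAN hardware offloads on both ixgbe ports. The assumption here, which the post does not confirm, is that the NIC's VLAN hardware filter or tag stripping (the vlanhwfilter/vlanhwtag capabilities) is what keeps tagged frames from crossing the netgraph bridge, so the script disables them before building the bridge. Interface names are the post's; the bridge node name ngbr0 is made up. Without the `apply` argument the script only prints the commands it would run, so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): build an ng_bridge(4) between
# ix0 and ix1 so ix1 behaves like a second port on the same LAN segment,
# tagged frames included. Assumed (not confirmed by the post): the ixgbe VLAN
# offloads are dropping/stripping tags before netgraph sees them.
set -eu

# run: execute a command, or print it when NG_DRY_RUN=1 so the plan can be
# reviewed (and tested) on a host without netgraph.
run() {
    if [ "${NG_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Disable the offloads that let the NIC drop (vlanhwfilter) or strip
# (vlanhwtag) 802.1Q tags; a bridge port must pass tags through untouched.
prep_port() {
    run ifconfig "$1" -vlanhwfilter -vlanhwtag -vlanhwtso promisc up
}

# ng_bridge_build BRIDGE IF1 IF2 ...: the first port's "lower" hook creates
# the bridge node and names it; every port then contributes its lower (wire
# side) and upper (host stack side) hooks as distinct bridge links, exactly
# the wiring ether.bridge uses.
ng_bridge_build() {
    br=$1; shift
    first=$1; shift
    run ngctl mkpeer "${first}:" bridge lower link0
    run ngctl name "${first}:lower" "$br"
    run ngctl connect "${first}:" "${br}:" upper link1
    n=2
    for ifn in "$@"; do
        run ngctl connect "${ifn}:" "${br}:" lower "link${n}"
        n=$((n + 1))
        run ngctl connect "${ifn}:" "${br}:" upper "link${n}"
        n=$((n + 1))
    done
}

main() {
    if [ "${1:-}" = "apply" ]; then
        NG_DRY_RUN=0
    else
        NG_DRY_RUN=1
        echo "# dry run: pass 'apply' to execute these commands"
    fi
    run kldload -n ng_ether ng_bridge   # -n: no-op if already loaded
    prep_port ix0
    prep_port ix1
    ng_bridge_build ngbr0 ix0 ix1
}

main "$@"
```

Because ix0 keeps its IP address and VLAN children, the host stack still reaches the segment through ix0's upper hook; ix1 simply becomes another bridge port. After applying, `ngctl show ngbr0:` lists the four links, and `ifconfig ix1` should no longer show VLAN_HWFILTER or VLAN_HWTAGGING among the enabled options.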