Let's say I have a router (Linux machine) with any number of interfaces attached to a bridge. The bridge interface is assigned the gateway address in a /24 network.
I want to assign the downstream users IPs from this /24, but there is no explicit trust in this relationship between the router/network admin and the downstream users. Therefore, if I allocate them a single IP, I need to prevent them from using 5, or from accidentally configuring the wrong one and causing problems for another user.
This router in question is just a Debian server, in a ROAS configuration, and we have the freedom to put each user in a VLAN, VRF, or whatever makes sense, to make this work.
My approach so far is to give each user a VLAN, trunk up to the Debian server, and attach all the VLAN interfaces on the server to a Linux bridge. Then I'll use ebtables to whitelist, based on the incoming/outgoing interface.
Is there a less shitty way? This isn't so bad really. Managing it all with Ansible makes it painless, but it seems inefficient and feels convoluted. I feel like I'm missing something easy/obvious.