Bridge network
Notice | |
Connection failure and limited availability in the network Changes to the filter rules affect the availability of the TwinCAT/BSD host, the virtual machine as well as their services in the network. |
In a Bridge network, a physical network interface of the TwinCAT/BSD host (e.g. igb0) is connected to a tap(4) device via a bridge(4) device. The tap(4) device in turn serves as a backend for a network interface of the virtual machine (see: Virtual machine network configuration).
Network communication of the virtual machine is thus bridged to the physical network interface of the TwinCAT/BSD host via the respective tap(4) device by a bridge(4) device on Ethernet level.
Configuration of the network components
A bridge(4) device is created on the TwinCAT/BSD host using ifconfig(8):
doas ifconfig bridge createThe output bridge0 appears.
Likewise, a tap(4) device is created as the backend for the virtual network interface:
doas ifconfig tap createThe output tap0 appears.
To forward network packets between a physical network interface of the TwinCAT/BSD host and a tap(4) device via the bridge0, the corresponding devices must become members of the bridge0.
The following call makes the physical network interface igb0 of the TwinCAT/BSD host and the tap0 device members of the bridge0 instance:
doas ifconfig bridge0 addm igb0 addm tap0 upDepending on the industrial PC or Ethernet interface used, the naming of the network interface under TwinCAT/BSD may vary and be displayed as em0, em1 or igb1, for example.
So that the bridge0 configuration is already created at system startup, it can be stored in the rc configuration:
doas sysrc cloned_interfaces+="bridge0 tap0"
doas sysrc ifconfig_bridge0="addm igb0 addm tap0 up"Via ifconfig bridge0 the members of the bridge0 can be checked:
ifconfig bridge0bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 58:9c:fc:10:ff:e1
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 2000000
member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 2000000
groups: bridge
nd6 options=9<PERFORMNUD,IFDISABLED>The corresponding bhyve(8) command uses only the tap0 instance to connect the virtual machine to the Bridge network:
doas bhyve \
-c sockets=1,cores=1,threads=1 \
-m 2G \
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_BHF_UEFI.fd,fwcfg=qemu \
-s 0,hostbridge \
-s 2,fbuf,rfb=0.0.0.0:5900,w=1024,h=768 \
-s 3,xhci,tablet \
-s 20,virtio-net,tap0 \
-s 31,lpc \
-A -H -P \
samplevmFilter rules in the Bridge network
By default, the packet filter pf(8) under TwinCAT/BSD blocks the exchange of network packets at a bridge(4) device.
The filtering behavior on bridge(4) devices can be disabled via sysctl(8). By setting the variables net.link.bridge.pfil_member and net.link.bridge.pfil_bridge to 0:
doas sysctl net.link.bridge.pfil_member=0
doas sysctl net.link.bridge.pfil_bridge=0To set the settings persistently, the following lines must be added to the /etc/sysctl.conf file:
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=0For more information, see the man pages for bridge(4), sysctl(8), and sysctl.conf(5).
Alternatively, filter rules can be defined for the bridge(4) and its members pf(8) to control packet exchange in the bridge network (see: Firewall).