Re: private vlans

From: Jussi Peltola
Date: Friday, December 31, 2010 - 1:50 pm

On Fri, Dec 31, 2010 at 01:36:32AM -0800, S Mathias wrote:

What's your question?

AFAICS there's nothing like "ip local-proxy-arp" on OpenBSD. Linux used
to be able to do that with proxy arp entries with a mask and interface,
but they've removed the feature in newer kernels.

If you can live with the silliness of your end-stations not being able
to talk to each other at all, this has nothing to do with OpenBSD and
everything with your switch. Just put the OpenBSD router on a
promiscuous (trusted) port.

Even this is very far from a good solution since it does nothing against
ARP spoofing except for spoofing the gateway. It does not allow you to
filter source IPs and it won't help with duplicate MAC addresses or
other malicious behavior.

With "ip local-proxy-arp" you could put clients on different vlans and
use proxy arp to fake they're in the same subnet, allowing the same
level of isolation, source address filtering and firewalling as giving
each host a vlan and a /30, but without wasting three quarters of your
ip addresses. With some dhcp relay magic you'd have a secure ethernet
access solution.

Sadly I don't understand the kernel well enough to do it myself.
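As an added illustration (not code from this message, OpenBSD or Linux), the router-side decision an "ip local-proxy-arp" style setup rests on: the router answers every ARP request for the shared subnet with its own MAC, so client-to-client traffic is hairpinned through it and can be source-filtered. The host table, VLAN ids and addresses are constructed for the example.

```python
import ipaddress

# Constructed: one /24 shared by clients that each sit on their own VLAN.
SUBNET = ipaddress.ip_network("192.0.2.0/24")
ROUTER_IP = ipaddress.ip_address("192.0.2.1")
ROUTER_MAC = "02:00:00:00:00:01"  # constructed locally administered MAC

# Constructed host table: the VLAN each client address is expected on.
# In a real deployment this would be fed by the DHCP relay mentioned above.
HOST_VLAN = {
    ipaddress.ip_address("192.0.2.10"): 110,
    ipaddress.ip_address("192.0.2.11"): 111,
    ipaddress.ip_address("192.0.2.12"): 112,
}


def local_proxy_arp_reply(vlan, sender_ip, target_ip):
    """Return the MAC to put in an ARP reply, or None to stay silent.

    The router answers for the gateway and for every other client in the
    subnet, even though they are "on the same subnet", so a requester only
    ever learns the router's MAC.  A request whose sender address does not
    belong on this VLAN is treated as spoofed and ignored.
    """
    sender = ipaddress.ip_address(sender_ip)
    target = ipaddress.ip_address(target_ip)
    if HOST_VLAN.get(sender) != vlan:      # source-address check per VLAN
        return None
    if target not in SUBNET or target == sender:
        return None
    if target != ROUTER_IP and target not in HOST_VLAN:
        return None                        # unknown address: do not answer
    return ROUTER_MAC


def process_arp_requests(requests):
    """Classify (vlan, sender_ip, target_ip) requests into answered/spoofed."""
    answered, spoofed = [], []
    for vlan, sender_ip, target_ip in requests:
        if HOST_VLAN.get(ipaddress.ip_address(sender_ip)) != vlan:
            spoofed.append((vlan, sender_ip, target_ip))
        elif local_proxy_arp_reply(vlan, sender_ip, target_ip):
            answered.append((vlan, sender_ip, target_ip))
    return answered, spoofed


# Constructed sample: two legitimate requests and one with a borrowed source IP.
SAMPLE_REQUESTS = [
    (110, "192.0.2.10", "192.0.2.11"),   # client on 110 asks for a peer
    (111, "192.0.2.11", "192.0.2.1"),    # client on 111 asks for the gateway
    (112, "192.0.2.10", "192.0.2.11"),   # .10 claimed from VLAN 112: spoofed
]
```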

Messages in current thread:
private vlans, S Mathias, (Fri Dec 31, 2:36 am)
Re: private vlans, Jussi Peltola, (Fri Dec 31, 1:50 pm)