Date: Sun, 5 Nov 2000 19:11:09 -0700 (MST)
From: Nick Rogness <nick@rapidnet.com>
To: Darren Henderson <darren@nighttide.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + bridging + divert (or what would be the solution of choice)
Message-ID: <Pine.BSF.4.21.0011051825180.53357-100000@rapidnet.com>
In-Reply-To: <Pine.BSF.4.21.0011051833080.15259-100000@jasper.nighttide.net>
On Sun, 5 Nov 2000, Darren Henderson wrote:

> Howdy,

Hello!

> We're in the process of swapping providers and now I have to decide the
> best way to configure the resources we're going to have.
>
> From my searching I'm guessing that the following is probably not possible,
> but some of the docs and discussions were a bit dated so perhaps things
> have changed....
>
> Essentially I would like to bridge and route in one box, doing natd on the
> routed net, using three cards. ie
>
>             isdn          firewall
>   isp ------ Cisco804 -------- ed0  ed1 -------- intranet/non-private ip's
>                                dmz  ed2
>                                      | (natd)
>                                      +------------ intranet/private 10/8
>
> I've got a 4 bit subnet from the isp that I want to split between the
> segments attached to ed0 and ed1 as flexibly as possible, so I would like
> to bridge between ed0 (which I gather should be configured with an ip) and
> ed1 (which should not have an ip). All possible and the function of a
> bridging firewall.

Why would you want to bridge between ed0 and ed1? Why not run 2 different
netblocks, 1 range on ed2 and 1 range on ed1, running NAT on the firewall?
It would be the easiest way to manage (IMO). It all depends on how the ISP
is assigning addresses to you. Use proxy ARP on the firewall to handle the
assigned addresses if they are assigning the address space to your dialup
connection as directly connected (your dialup interface on the Cisco and the
netblock they assigned are on the same network). They could also route the
network to your dialup connection over an already connected IP dialup
interface (your dialup interface is on a different network than the assigned
addresses). In this case you would route the netblock to your BSD firewall
in your Cisco.

You can bridge though, it's just a matter of opinion ;-)

> Now, I would like to also have another private address segment which
> utilizes natd and is able to talk to both the ed0 and ed1 side.
>
> All the while being able to make use of ipfw's rules of course.
>
> Possible or out of the question?

Whichever way you choose, it is doable.

> My basic problem is deciding how to make the best use of the ip addresses
> they are giving us. Currently we have 1 ip address and are using natd
> over a dedicated dial up. Moving to a new provider and we're being given
> 15 addresses. Now I could keep my current intranet just as it is and
> replace my ppp0 interface with an ed1 and use the ip addresses for
> things in the dmz. So....
>
>             isdn          firewall
>   isp ------ Cisco804 -------- ed0  ed1 -------- intranet/private ip's
>                                dmz          natd
>
> Just that I don't have a use currently for all of the ips in the dmz and
> it's likely that I won't in the near future. I could split them in two but
> that only leaves 6 addresses that could be used on the intranet and isn't
> sufficient for the device count without having the mixed
> private (natd'd) and non-private addresses.
>
> Another alternative I've seen mentioned is to use a private network space
> in the dmz and use all the rest on the intranet side but this doesn't seem
> as flexible.

Use private addresses in your private net and DMZ. Then you will have a
1-stop shop for public IP allocation: your firewall with natd. You can bring
up machines in your DMZ without having a dramatic effect on your publicly
assigned addresses...that is, until you assign them via natd
(redirect_address) on your BSD firewall:

                                 Firewall
  isp ---- Cisco804 --- (NAT) --- ed0  ed1 --- DMZ (Private addresses
                                       ed2          192.168/16 or whatever)
                                        |
                                        |
                                   Private net (Private addresses 10/8)

Of course if you use bridging you don't have this luxury.

Just my 2 cents.

Nick Rogness
 - Drive defensively.  Buy a tank.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
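The layout Nick recommends (private DMZ on ed1, private LAN on ed2, natd on ed0, and one public address per published DMZ host via natd's redirect_address) written out as an rc.firewall-style script. This is an added example, not code from the thread or from FreeBSD; the addresses are assumptions (RFC 5737 203.0.113.0/28 stands in for the ISP's block, RFC 1918 space for the two inside networks), as is the choice of a web host as the published service. It prints the ruleset by default and only touches ipfw/ifconfig when run with "apply".

```shell
#!/bin/sh
# Added example, not from the thread: an rc.firewall-style script for the
# "private DMZ + private LAN, natd on ed0" layout recommended above.
# All addresses are assumptions: RFC 5737 203.0.113.0/28 stands in for the
# ISP's 16-address block, RFC 1918 space for the two inside networks.
# Kernel needs options IPFIREWALL and IPDIVERT; rc.conf needs gateway_enable.
set -u

EXT_IF=ed0                 # public side, toward the Cisco 804
DMZ_IF=ed1                 # DMZ, private addresses
LAN_IF=ed2                 # LAN, private addresses
PUB_WWW=203.0.113.5        # spare public address, aliased onto ed0 (assumed)
DMZ_NET=192.168.1.0/24
DMZ_WWW=192.168.1.10       # DMZ web host that PUB_WWW is mapped onto (assumed)
LAN_NET=10.0.0.0/8

IPFW=${IPFW:-/sbin/ipfw}
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}

# What goes into natd_flags in rc.conf: translate traffic leaving ed0 (only
# RFC 1918 sources, so public addresses are never rewritten) and map PUB_WWW
# 1:1 onto the DMZ host in both directions (natd's -redirect_address).
natd_flags() {
    printf '%s\n' "-interface $EXT_IF" \
                  "-unregistered_only" \
                  "-redirect_address $DMZ_WWW $PUB_WWW"
}

# Emit the ipfw ruleset as text.  Order matters: the divert rule sits before
# the filters, so inbound packets are filtered on their translated (DMZ/LAN)
# addresses and outbound ones on their real private source.
emit_rules() {
    cat <<EOF
-f flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# anti-spoofing: our private ranges never arrive from the ISP side
add 400 deny ip from $DMZ_NET to any in via $EXT_IF
add 500 deny ip from $LAN_NET to any in via $EXT_IF
# hand everything crossing ed0 to natd (divert port 'natd' from /etc/services)
add 1000 divert natd ip from any to any via $EXT_IF
# replies to outbound connections; UDP needs its own rule (DNS shown)
add 1100 allow tcp from any to any established
add 1200 allow udp from any 53 to any in via $EXT_IF
# the published service: after natd the packet is addressed to $DMZ_WWW
add 2000 allow tcp from any to $DMZ_WWW 80 setup in via $EXT_IF
# LAN may talk to the DMZ and the outside; DMZ hosts never initiate into the LAN
add 3000 allow ip from $LAN_NET to any in via $LAN_IF
add 3100 deny ip from $DMZ_NET to $LAN_NET
add 3200 allow ip from $DMZ_NET to any in via $DMZ_IF
add 65000 deny log ip from any to any
EOF
}

# Apply for real: alias the extra public address onto ed0 so the Cisco's ARP
# (or its static route to the firewall) reaches it, then load the rules.
apply_rules() {
    $IFCONFIG "$EXT_IF" alias "$PUB_WWW" netmask 255.255.255.255
    emit_rules | sed '/^#/d' | while read -r rule; do
        $IPFW -q $rule      # intentional word splitting: one rule per line
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     emit_rules  ;;   # default: print the ruleset for review
esac
```

Two caveats a practitioner would check: rule 1100 lets any packet with ACK set into the LAN from the DMZ, so the DMZ-to-LAN deny at 3100 only stops new connections (the usual limitation of "established" filtering on 4.x-era ipfw), and the DMZ host behind redirect_address is reachable on every port unless rule 2000 stays the only inbound allow for it.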