From owner-freebsd-questions@FreeBSD.ORG Fri Jul 11 20:03:47 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 44E4037B401 for ; Fri, 11 Jul 2003 20:03:47 -0700 (PDT)
Received: from wgservices.com.au (wgservices.com.au [150.101.230.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECB7343FB1 for ; Fri, 11 Jul 2003 20:03:45 -0700 (PDT) (envelope-from steven@mg2.org)
Received: from mg2.org (mig15.net [150.101.230.60]) by wgservices.com.au (8.12.9/8.12.6) with ESMTP id h6C32ixM081128; Sat, 12 Jul 2003 12:32:46 +0930 (CST) (envelope-from steven@mg2.org)
Message-ID: <3F0F7A6F.8090206@mg2.org>
Date: Sat, 12 Jul 2003 12:33:11 +0930
From: Steven Wiltshire
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: keith@smmc.qld.edu.au
References: <1074.203.221.19.86.1057977166.squirrel@localhost.smmc.qld.edu.au>
In-Reply-To: <1074.203.221.19.86.1057977166.squirrel@localhost.smmc.qld.edu.au>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-MailScanner-Information: See www.mailscanner.info for information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-28.7, required 5, EMAIL_ATTRIBUTION, IN_REP_TO, REFERENCES, REPLY_WITH_QUOTES, USER_AGENT_MOZILLA_UA)
cc: freebsd-questions@freebsd.org
Subject: Re: Routing problem.. cisco -->fbsd-->Lan Experts??
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 12 Jul 2003 03:03:47 -0000

keith@smmc.qld.edu.au wrote:

> I have a friend with a cisco 827 adsl router. It has config hassles but
> when that is sorted, we need to set up a freebsd box inside the cisco
> router to handle a /29 block of ips. 3 questions...

I'm running an identical setup here - a Cisco 827, a /29, and a FreeBSD machine (or two) performing NAT for my LAN.

> a) Should I assume the cisco is not the world's greatest firewall and set up
> the freebsd machine as one (creating a dmz)

The Cisco will be "adequate," but I prefer the ease of use and added functions of a FreeBSD machine running IP Filter/IPNAT, but that's just me.

> b) The /29 block is routed by the ISP to the cisco device. I guess we
> need to place a static route on the cisco gadget that directs any of the
> incoming /29 block requests onto the freebsd box...Correct?

I have my 827 set up as a very basic bridge. This means that instead of the /29 "terminating," so to speak, on the 827, each of my allocated IP addresses is available directly on an ethernet interface on one of two FreeBSD machines.

As a partial answer to part C, if you bridge the /29 to the FreeBSD machine, you can easily configure IPF and IPNAT to port-forward to various internet servers as required.

Personally, the machine I have performing NAT (with my /29 on one interface and a private /24 on the other) for my internal network also runs various services. It's not an ideal setup, but it is functional and easy to maintain.

Sorry I can't answer the rest of your questions, my brain is still enjoying the aftereffects of a big Friday night :)

--Steven
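As an added illustration of the arrangement Steven describes (the bridged /29 on one interface, a private /24 on the other, IPNAT hiding the LAN and port-forwarding to internal servers), here are IP Filter fragments that are not from the original post or from Steven's own machine. Assumed, since the post gives none of these values: the /29 is 203.0.113.8/29 (a documentation range standing in for the real allocation), fxp0 is the ISP-facing interface, fxp1 carries 192.168.1.0/24, and 192.168.1.20 is an internal web server.

```conf
# --- /etc/ipnat.conf ---------------------------------------------------
# Assumed (not from the post): fxp0 carries the bridged /29
# (203.0.113.8/29, a documentation range), fxp1 carries the private
# 192.168.1.0/24, and 192.168.1.20 is an internal web server.
#
# Outbound NAT: hide the private /24 behind one address from the /29.
# The 'portmap' rule rewrites source ports so many hosts can share
# 203.0.113.10; the second map rule catches traffic without ports (ICMP).
map fxp0 192.168.1.0/24 -> 203.0.113.10/32 portmap tcp/udp 40000:60000
map fxp0 192.168.1.0/24 -> 203.0.113.10/32

# Port forwarding: a second /29 address fronts the internal web server.
# Only the listed ports are redirected; anything else sent to 203.0.113.11
# is left untranslated and falls through to the filter's default block.
rdr fxp0 203.0.113.11/32 port 80 -> 192.168.1.20 port 80 tcp
rdr fxp0 203.0.113.11/32 port 443 -> 192.168.1.20 port 443 tcp

# --- /etc/ipf.conf -----------------------------------------------------
# Default deny both ways; the 'quick' rules below are the only exceptions.
block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on fxp1 all
pass out quick on fxp1 all

# Anti-spoofing, placed before any inbound pass rule: private source
# addresses must never arrive on the ISP-facing interface.
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 192.168.0.0/16 to any

# Outbound from the LAN leaves with state, so replies return without an
# explicit inbound rule (outbound filtering runs before 'map' translation).
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Inbound 'rdr' translation runs BEFORE filtering, so the pass rule must
# name the internal server address, not the public 203.0.113.11.
pass in quick on fxp0 proto tcp from any to 192.168.1.20 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.168.1.20 port = 443 flags S keep state

# --- /etc/rc.conf additions --------------------------------------------
# gateway_enable="YES"    # forward packets between fxp0 and fxp1
# ipfilter_enable="YES"
# ipnat_enable="YES"
```

Load the rules with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`, then confirm the translations with `ipnat -l` and the hit counters with `ipfstat -io`.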