Date: Sun, 5 Nov 2000 19:06:23 -0500 (EST) From: Darren Henderson <darren@nighttide.net> To: freebsd-ipfw@freebsd.org Subject: ipfw + bridging + divert (or what would be the solution of choice) Message-ID: <Pine.BSF.4.21.0011051833080.15259-100000@jasper.nighttide.net> In-Reply-To: <20001105222230.E300637B4CF@hub.freebsd.org>
Howdy,

We're in the process of swapping providers and now I have to decide the best way to configure the resources we're going to have. From my searching I'm guessing that the following is probably not possible, but some of the docs and discussions were a bit dated, so perhaps things have changed....

Essentially I would like to bridge and route in one box, doing natd on the routed net, using three cards. i.e.

                 isdn           firewall
   isp ------ Cisco804 -------- ed0 ed1 -------- intranet/non-private ip's
                 dmz                ed2
                                     |  (natd)
                                     +------------ intranet/private 10/8

I've got a 4 bit subnet from the isp that I want to split between the segments attached to ed0 and ed1 as flexibly as possible, so I would like to bridge between ed0 (which I gather should be configured with an ip) and ed1 (which should not have an ip). All possible and the function of a bridging firewall.

Now, I would like to also have another private address segment which utilizes natd and is able to talk to both the ed0 and ed1 side. All the while being able to make use of ipfw's rules of course. Possible or out of the question?

My basic problem is deciding how to make the best use of the ip addresses they are giving us. Currently we have 1 ip address and are using natd over a dedicated dial up. Moving to a new provider and we're being given 15 addresses. Now I could keep my current intranet just as it is and replace my ppp0 interface with an ed1 and use the ip addresses for things in the dmz. So....

                 isdn           firewall
   isp ------ Cisco804 -------- ed0 ed1 -------- intranet/private ip's
                 dmz                natd

Just that I don't have a use currently for all of the ips in the dmz and it's likely that I won't in the near future. I could split them in two, but that only leaves 6 addresses that could be used on the intranet and isn't sufficient for the device count without having the mixed private (natd'd) and non-private addresses.
Another alternative I've seen mentioned is to use a private network space in the dmz and use all the rest on the intranet side, but this doesn't seem as flexible.

Thoughts, ideas or directions?

Thanks.

______________________________________________________________________
Darren Henderson                                 darren@nighttide.net
Help fight junk e-mail, visit http://www.cauce.org/