On 1/20/23, Hrvoje Popovski <hrv...@srce.hr> wrote:
> On 20.1.2023. 20:09, patrick keshishian wrote:
>> Hello,
>>
>> I am trying to get a new ISP setup working. The router is
>> causing some pain. There is a /28 public block assigned.
>> The DSL router can't be configured in transparent bridge
>> mode (they say). It holds on to one of the /28 addresses.
>>
>> The setup looks something like this:
>> (and hopefully the ascii "art" remains intact from gmail)
>>
>>              ( internet )
>>                   |
>>                   | [WAN IP]
>>             +-----o------+
>>            / DSL ROUTER /   <-- Transparent bridge mode NOT possible
>>           +-----o------+
>>                 | [ one of /28 Public IPs = $dslgw_ip ]
>>                 |
>>                 |
>>                 | $ext
>>           +-----o------+
>>           |            |
>>           | OpenBSD/pf o--- ( rest of /28 Public IP network )
>>           |            |  $dmz   (DMZ: httpd, smtpd, ...)
>>           +-----o------+
>>            $lan | [10.x.x.1]
>>                 |
>>          ( 10.x.x.x network )
>>
>>
>> As far as networking goes, I need to be spoken to as if I'm
>> a fledgling.
>>
>> I want to do the obvious: use OpenBSD/pf(4) to:
>> - Filter traffic from $ext to $dmz
>> - Filter traffic from $dmz outbound
>> - Filter traffic from $lan (10.x.x.x) to $dmz
>> - NAT traffic from $lan (10.x.x.x) outbound to internet
>>
>>
>> I'm bridge(4)-ing $ext and $dmz. Which means I must give
>> one of the /28 public IP addresses to either $ext or $dmz
>> to be able to do:
>>
>> # route add default $dslgw_ip
>>
>> (!?)
>>
>> Am I missing something?
>> Is there a better way to configure things?
>>
>> Thanks,
>> --patrick
>>
>
> Hi,
>
> If your ext interface is in the same subnet as that /28 from your ISP then
> you could:
>
> - use veb(4) to bridge ext, dmz and a vport(4) interface and add the default
> route to dslgw_ip. vport is the ip interface for veb

I started out looking at veb(4) but I wasn't confident how I could
filter traffic in/out of $dmz. Also, the description of vport(4) which
states "packets traversing vport interfaces appear to travel in the
opposite direction to packets travelling over other ports" confused me
even more. So I started using bridge(4).

> - or on ext interface put ip aliases with ip addresses from the /28 public
> range and then do binat-to or nat-to in pf to hosts in dmz
>
> or maybe I totally misunderstood you :)

I think you understood me fine. I'm just not too familiar with how
networking actually works.

Thanks,
--patrick
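Hrvoje's second option (IP aliases on $ext plus binat-to/nat-to, no bridge at all) written out as a pf.conf for the topology in patrick's drawing, as an added example that is not from the thread. The interface names, the 203.0.113.0/28 block standing in for the ISP's /28 and the 192.168.1.0/24 DMZ subnet are assumptions; in this design the DMZ hosts get private addresses and only the published ones get a public alias.

```pf
# Assumed /etc/hostname.em0: the primary /28 address plus one alias per
# published DMZ host (the DSL router, 203.0.113.1, goes in /etc/mygate):
#   inet 203.0.113.2 255.255.255.240
#   inet alias 203.0.113.3 255.255.255.255
# All addresses below are constructed placeholders.

ext_if   = "em0"            # towards the DSL router; no bridge(4) needed
dmz_if   = "em1"            # DMZ hosts live on a private subnet
lan_if   = "em2"
dmz_net  = "192.168.1.0/24"
lan_net  = "10.0.0.0/24"
www_priv = "192.168.1.3"    # httpd/smtpd host in the DMZ
www_pub  = "203.0.113.3"    # its alias on $ext_if

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.168.0.0/16 224.0.0.0/3 }

set skip on lo
block return log all                        # default deny on every interface
block in quick on $ext_if from <martians>   # private sources never arrive from the ISP

# Translation: the LAN hides behind the primary $ext_if address, the DMZ
# host is mapped 1:1 onto its alias in both directions.
match out on $ext_if inet from $lan_net nat-to ($ext_if)
match on $ext_if inet from $www_priv to any binat-to $www_pub

# Filter on the interface a packet enters; anything admitted may leave.
pass out quick inet

# $ext -> $dmz: only the published services. The match rule has already
# rewritten the destination, so this rule names the private address.
pass in on $ext_if inet proto tcp to $www_priv port { 25 80 443 }

# $dmz outbound: DNS, mail relaying and HTTPS only, and never into the LAN
block in quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if inet proto { tcp udp } from $dmz_net to any port 53
pass in on $dmz_if inet proto tcp from $dmz_net to any port { 25 443 }

# $lan -> $dmz: ssh plus the published services; $lan -> internet: anything
pass in on $lan_if inet proto tcp from $lan_net to $dmz_net port { 22 25 80 443 }
pass in on $lan_if inet from $lan_net to ! $dmz_net
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while testing each direction so a typo in the block rules shows up as logged drops rather than silent breakage.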