On Sat, Jan 21, 2023 at 01:46:34PM -0800, patrick keshishian wrote:
> On 1/20/23, David Gwynne <da...@gwynne.id.au> wrote:
> > On Fri, Jan 20, 2023 at 11:09:47AM -0800, patrick keshishian wrote:
> >> Hello,
> >>
> >> I am trying to get a new ISP setup working. The Router is
> >> causing some pain. There is a /28 public block assigned.
> >> The DSL router can't be configured in transparent bridge
> >> mode (they say). It holds on to one of the /28 addresses.
> >
> > i'm sure they say that, but that doesn't mean it's impossible. this
> > will be a lot easier and more useful if you can get a dsl modem
> > into bridge/transparent mode and do all the routing on your own
> > box.
>
> OK. So the situation was a bit worse than I had actually
> anticipated. After I got the described setup configured
> I noticed that the DSL Router/Modem wouldn't send out
> any traffic unless it had an arp entry for the source.
> e.g., nat-to an unassigned IP from the /28 wouldn't go out.
>
> Again, in my limited networking knowledge, it meant I had
> to do proxy arp entries for /28 public IPs in the $dmz.
> This was quite frustrating.
>
> So I started poking around in the DSL Router/modem settings
> (cuing off your "doesn't mean it's impossible") and I
> have it now acting as a transparent bridge!
>
> I spent most of Tues on the phone with their techs, and I
> was assured that is not possible/unsupported. Now maybe
> they actually meant "unsupported" mode as far as their
> support is concerned.
>
> But things seem to be running as expected (so far)! So thanks
> for the bit of "encouragement"!
Does that mean you have the WAN IP on your router now? And you can do
whatever you want with the /28?

> > that would also give you the option to do fun stuff like NOT putting
> > the /28 onto an ethernet network so you could use all 16 of the
> > IPs on dmz hosts instead of losing some to network/broadcast/gateway.
>
> I am curious how you would go about doing what you suggest:
> Using all 16 of /28.

The simple (and currently best supported) way is to set up a tunnel
interface for every IP in the /28 and connect the tunnel to the server
providing the service. The router would have a config like this:

ifconfig gif0 create
ifconfig gif0 tunnel $router_lan_ip $server_lan_ip
ifconfig gif0 inet $router_gif_ip $server_slash28_ip

>
> Thanks for your reply,
> --patrick
>
> >
> >> The setup looks something like this:
> >> (and hopefully the ascii "art" remains intact from gmail)
> >>
> >>   ( internet )
> >>         |
> >>         | [WAN IP]
> >>   +-----o------+
> >>   / DSL ROUTER / <-- Transparent bridge mode NOT possible
> >>   +-----o------+
> >>         | [ one of /28 Public IPs = $dslgw_ip ]
> >>         |
> >>         |
> >>         | $ext
> >>   +-----o------+
> >>   |            |
> >>   | OpenBSD/pf o--- ( rest of /28 Public IP network )
> >>   |            |          $dmz (DMZ: httpd, smtpd, ...)
> >>   +-----o------+
> >>   $lan  | [10.x.x.1]
> >>         |
> >>   ( 10.x.x.x network )
> >>
> >>
> >> As far as networking goes, I need to be spoken to as if I'm
> >> a fledgling.
> >>
> >> I want to do the obvious: use OpenBSD/pf(4) to:
> >> - Filter traffic from $ext to $dmz
> >> - Filter traffic from $dmz outbound
> >> - Filter traffic from $lan (10.x.x.x) to $dmz
> >> - NAT traffic from $lan (10.x.x.x) outbound to internet
> >>
> >>
> >> I'm bridge(4)-ing $ext and $dmz. Which means I must give
> >> one of the /28 public IP addresses to either $ext or $dmz
> >> to be able to do:
> >>
> >> # route add default $dslgw_ip
> >>
> >> (!?)
> >>
> >> Am I missing something?
> >> Is there a better way to configure things?
> >>
> >> Thanks,
> >> --patrick
> >>
> >
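The per-address gif(4) approach from the reply above, as an added example written for this page (editor's code, not David's or Patrick's): a POSIX sh generator that prints the ifconfig(8) and route(8) commands for the router end and the DMZ-host end of each of the 16 tunnels, so that every address in the /28 ends up on a host and none is spent on a network, broadcast or gateway address. The /28 (192.0.2.0/28), the LAN addresses (router 10.0.0.1, DMZ host i at 10.0.0.(100+i)) and the router-side inner addresses (10.255.i.1) are constructed values, not taken from the thread; the reject route on the router and the default route on the server are the editor's additions rather than steps the reply describes.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread): generate the gif(4)
# tunnel commands that carry every one of the 16 addresses of a /28 to a
# DMZ host, the approach described in the reply above. Nothing is bridged:
# each public address arrives on its own gifN on the router, so pf rules
# can match it on that interface like any other routed traffic.
#
# Constructed values, not taken from the thread:
#   NET28      first address of the /28 the ISP routes to the OpenBSD box
#   ROUTER_LAN router's address on the LAN/DMZ segment (outer tunnel end)
#   DMZ host for index i is assumed at 10.0.0.(100+i); the router's inner
#   point-to-point address for tunnel i is assumed to be 10.255.i.1.
NET28=${NET28:-192.0.2.0}
ROUTER_LAN=${ROUTER_LAN:-10.0.0.1}

# slash28_addr NET IDX: print the IDX-th (0..15) address of the /28 that
# contains NET. The low four bits of the last octet are masked off, so an
# unaligned NET still yields the block's real addresses.
slash28_addr() {
    net=$1 idx=$2
    case $idx in
        [0-9]|1[0-5]) ;;
        *) echo "slash28_addr: index $idx not in 0..15" >&2; return 1 ;;
    esac
    prefix=${net%.*}
    last=${net##*.}
    echo "$prefix.$(( ($last & 240) + $idx ))"
}

# dmz_host IDX: LAN address of the DMZ host that should own /28 address IDX
# (assumed layout, see above).
dmz_host() {
    echo "10.0.0.$(( 100 + $1 ))"
}

# router_gif_cmds IDX SERVER_LAN: ifconfig(8) lines for the router end of
# tunnel IDX. The "inet local remote" form makes the public address the far
# end of a point-to-point link, which installs a host route to it through
# gifIDX; the router never has the /28 on an ethernet interface.
router_gif_cmds() {
    idx=$1 server_lan=$2
    pub=$(slash28_addr "$NET28" "$idx") || return 1
    printf 'ifconfig gif%s create\n' "$idx"
    printf 'ifconfig gif%s tunnel %s %s\n' "$idx" "$ROUTER_LAN" "$server_lan"
    printf 'ifconfig gif%s inet 10.255.%s.1 %s\n' "$idx" "$idx" "$pub"
}

# server_gif_cmds IDX SERVER_LAN: the matching end on the DMZ host, with the
# public address as its own side of the link. The default route through the
# tunnel is one way to make the host's replies leave from the public address;
# the thread does not cover this step.
server_gif_cmds() {
    idx=$1 server_lan=$2
    pub=$(slash28_addr "$NET28" "$idx") || return 1
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$server_lan" "$ROUTER_LAN"
    printf 'ifconfig gif0 inet %s 10.255.%s.1\n' "$pub" "$idx"
    printf 'route add default 10.255.%s.1\n' "$idx"
}

# router_all: commands for all 16 tunnels, preceded by a reject route for the
# whole block so a packet for an address that has no tunnel yet gets an ICMP
# unreachable instead of following the default route back to the ISP until
# its TTL expires (editor's caveat, not a step from the thread).
router_all() {
    printf 'route add -reject %s/28 127.0.0.1\n' "$(slash28_addr "$NET28" 0)"
    i=0
    while [ "$i" -le 15 ]; do
        router_gif_cmds "$i" "$(dmz_host "$i")"
        i=$((i + 1))
    done
}

case "${1:-}" in
    router) router_all ;;
    server) server_gif_cmds "$2" "$(dmz_host "$2")" ;;
esac
```

Run it with `router` for the router side, or `server N` for the host that should own address N of the block, and review the output before applying it: it is written against the thread's placeholder variables, not a live box. Because each public address terminates on its own gifN, the filtering goals from the first message (ext to dmz, dmz outbound, lan to dmz) become ordinary per-interface pf rules on the router instead of rules on a bridge.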