> On 22 Jan 2023, at 10:44, David Gwynne <da...@gwynne.id.au> wrote:
> 
> On Sat, Jan 21, 2023 at 01:46:34PM -0800, patrick keshishian wrote:
>> On 1/20/23, David Gwynne <da...@gwynne.id.au> wrote:
>>> On Fri, Jan 20, 2023 at 11:09:47AM -0800, patrick keshishian wrote:
>>>> Hello,
>>>> 
>>>> I am trying to get a new ISP setup working.  The Router is
>>>> causing some pain.  There is a /28 public block assigned.
>>>> The DSL router can't be configured in transparent bridge
>>>> mode (they say).  It holds on to one of the /28 addresses.
>>> 
>>> i'm sure they say that, but that doesn't mean it's impossible. this
>>> will be a lot easier and more useful if you can get a dsl modem
>>> into bridge/transparent mode and do all the routing on your own
>>> box.
>> 
>> OK. So the situation was a bit worse than I had actually
>> anticipated.  After I got the described setup configured
>> I noticed that the DSL Router/Modem wouldn't send out
>> any traffic unless it had an arp entry for the source.
>> e.g., nat-to an unassigned IP from the /28 wouldn't go out.
>> 
>> Again, in my limited networking knowledge, it meant I had
>> to do proxy arp entries for /28 public IPs in the $dmz.
>> This was quite frustrating.
>> 
>> So I started poking around in the DSL Router/modem settings
>> (cuing off your "doesn't mean it's impossible") and I
>> have it now acting as a transparent bridge!
>> 
>> I spent most of Tues on the phone with their techs, and I
>> was assured that is not possible/unsupported.  Now maybe
>> they actually meant "unsupported" mode as far as their
>> support is concerned.
>> 
>> But things seem to be running as expected (so far)!  So thanks
>> for the bit of "encouragement"!
> 
> Does that mean you have the WAN IP on your router now? And you can do
> whatever you want with the /28?
> 
>>> that would also give you the option to do fun stuff like NOT putting
>>> the /28 onto an ethernet network so you could use all 16 of the
>>> IPs on dmz hosts instead of losing some to network/broadcast/gateway.
>> 
>> I am curious how you would go about doing what you suggest:
>> Using all 16 of /28.
> 
> The simple (and currently best supported) way is to set up a tunnel
> interface for every IP in the /28 and connect the tunnel to the server
> providing the service. The router would have a config like this:
> 
> ifconfig gif0 create
> ifconfig gif0 tunnel $router_lan_ip $server_lan_ip
> ifconfig gif0 inet $router_gif_ip $server_slash28_ip

you can also just rdr connections to the /28 IPs to things, they don’t have to 
be real IPs assigned to hosts anywhere.


> 
>> 
>> Thanks for your reply,
>> --patrick
>> 
>> 
>>>> The setup looks something like this:
>>>> (and hopefully the ascii "art" remains intact from gmail)
>>>> 
>>>>   ( internet )
>>>>        |
>>>>        | [WAN IP]
>>>>  +-----o------+
>>>> / DSL ROUTER / <-- Transparent bridge mode NOT possible
>>>> +-----o------+
>>>>      | [ one of /28 Public IPs = $dslgw_ip ]
>>>>      |
>>>>      |
>>>>      | $ext
>>>> +-----o------+
>>>> |            |
>>>> | OpenBSD/pf o--- ( rest of /28 Public IP network )
>>>> |            | $dmz      (DMZ: httpd, smtpd, ...)
>>>> +-----o------+
>>>> $lan | [10.x.x.1]
>>>>      |
>>>> ( 10.x.x.x network )
>>>> 
>>>> 
>>>> As far as networking goes, I need to be spoken to as if I'm
>>>> a fledgling.
>>>> 
>>>> I want to do the obvious: use OpenBSD/pf(4) to:
>>>> - Filter traffic from $ext to $dmz
>>>> - Filter traffic from $dmz outbound
>>>> - Filter traffic from $lan (10.x.x.x) to $dmz
>>>> - NAT traffic from $lan (10.x.x.x) outbound to internet
>>>> 
>>>> 
>>>> I'm bridge(4)-ing $ext and $dmz.  Which means I must give
>>>> one of the /28 public IP addresses to either $ext or $dmz
>>>> to be able to do:
>>>> 
>>>> # route add default $dslgw_ip
>>>> 
>>>> (!?)
>>>> 
>>>> Am I missing something?
>>>> Is there a better way to configure things?
>>>> 
>>>> Thanks,
>>>> --patrick
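
Added example, not part of the thread and not OpenBSD project code: a small sh script that expands David's one-tunnel-per-address gif(4) sketch to all 16 addresses of a /28 (router side plus the matching server side), and emits the pf rdr-to alternative from the unquoted reply. Function names and all addresses are constructed (192.0.2.16/28 from the RFC 5737 documentation range, router LAN 10.0.0.1, servers 10.0.0.101..116, router tunnel-side address 10.0.0.254); the reuse of one local address on every point-to-point gif is an assumption.

```shell
#!/bin/sh
# gif_tunnels FIRST_ADDR_OF_28 ROUTER_LAN_IP ROUTER_GIF_IP SERVER_LAN_PREFIX
# Router side: one create/tunnel/inet triple per public address, so no
# address is lost to network/broadcast/gateway on an ethernet segment.
# Assumption: ROUTER_GIF_IP is the local end of every gif; the remote end
# is the public address handed to that server.
gif_tunnels() {
    prefix=${1%.*}; first=${1##*.}
    router_lan=$2; router_gif=$3; srv_prefix=$4
    i=0
    while [ "$i" -lt 16 ]; do
        pub="$prefix.$((first + i))"
        srv="$srv_prefix.$((101 + i))"   # constructed server LAN addresses
        echo "ifconfig gif$i create"
        echo "ifconfig gif$i tunnel $router_lan $srv"
        echo "ifconfig gif$i inet $router_gif $pub"
        i=$((i + 1))
    done
}

# server_side GIF_UNIT SERVER_LAN_IP ROUTER_LAN_IP PUBLIC_IP ROUTER_GIF_IP
# DMZ host side: same outer pair reversed, the public address as its inner
# address, and a default route back through the tunnel.
server_side() {
    echo "ifconfig gif$1 create"
    echo "ifconfig gif$1 tunnel $2 $3"
    echo "ifconfig gif$1 inet $4 $5"
    echo "route add default $5"
}

# rdr_rule EXT_IF PROTO PUBLIC_IP PORT INTERNAL_IP
# The rdr alternative: the /28 address is assigned to no host at all; pf
# redirects connections for it to a LAN host. Use the router's own ext if.
rdr_rule() {
    echo "pass in on $1 proto $2 from any to $3 port $4 rdr-to $5"
}

# Worked run with the constructed addresses.
gif_tunnels 192.0.2.16 10.0.0.1 10.0.0.254 10.0.0
server_side 0 10.0.0.101 10.0.0.1 192.0.2.16 10.0.0.254
rdr_rule em0 tcp 192.0.2.20 80 10.0.0.105
```

The router-side lines map directly onto an /etc/hostname.gifN file per tunnel; the rdr rule needs only the matching pf pass rule on the internal side.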

