Can one interface have an IP address and bridge as well?

2011-06-21 Thread Paul Suh
Folks,

Is this possible and/or a good idea? I have a router with three interfaces:

sis0: external interface, IPv4 address 1.2.3.4/24
sis1: internal interface, IPv4 address 192.168.1.1/24
sis2: DMZ interface, IPv4 address 192.168.2.1/24

NAT rules pass all traffic from the internal and DMZ zones through the
external IP address. I have a couple of servers with IPv4 addresses
192.168.2.2 and 192.168.2.3 in the DMZ, with rdr-to rules that send traffic in
to them from 1.2.3.4.

I need to place a server at 1.2.3.5, and the software I have to run needs the
server itself to have the IPv4 address 1.2.3.5 -- I can't NAT it and give the
server the address 192.168.2.4 in the DMZ. (Don't ask. *shudder*) Can I set up
a bridge between sis0 and sis2 so that traffic for 1.2.3.5 gets passed through
to the server via sis2 as well as having the IPv4 address 1.2.3.4 on sis0? Or
is there a better way to do this?


--Paul




Re: Can one interface have an IP address and bridge as well?

2011-06-21 Thread Shane Lazarus
Heya

On Wed, Jun 22, 2011 at 12:13 PM, Paul Suh wrote:

> Folks,
>
> Is this possible and/or a good idea? I have a router with three interfaces:
>
> sis0: external interface, IPv4 address 1.2.3.4/24
> sis1: internal interface, IPv4 address 192.168.1.1/24
> sis2: DMZ interface, IPv4 address 192.168.2.1/24
>
> NAT rules pass all traffic from the internal and DMZ zones through the
> external IP address. I have a couple of servers with IPv4 addresses
> 192.168.2.2 and 192.168.2.3 in the DMZ, with rdr-to rules that send traffic in
> to them from 1.2.3.4.
>
> I need to place a server at 1.2.3.5, and the software I have to run needs the
> server itself to have the IPv4 address 1.2.3.5 -- I can't NAT it and give the
> server the address 192.168.2.4 in the DMZ. (Don't ask. *shudder*) Can I set up
> a bridge between sis0 and sis2 so that traffic for 1.2.3.5 gets passed through
> to the server via sis2 as well as having the IPv4 address 1.2.3.4 on sis0? Or
> is there a better way to do this?
>
>
> --Paul
>
>
>
I personally would check to see if you could get a /30 routed to 1.2.3.4.
5.6.7.8 - 5.6.7.11

Append one of the /30 to the sis2 interface, and the other to your new
server.

If 1.2.3.4 & 1.2.3.5 are part of a bigger block that you own, see if you
can't allocate a /30 from that larger pool.
( 1.2.3.8 - 1.2.3.11 ?? )


Shane
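
The routed /30 layout suggested in the reply above, written out as OpenBSD configuration. This is an added example, not part of the original thread; it reuses the 5.6.7.8/30 placeholder from the message, and the choice of .9 for sis2, .10 for the server, and TCP port 443 for the service are assumptions.

```conf
# --- /etc/hostname.sis2 (router, DMZ interface) ---
# Existing DMZ address plus the router's half of the routed /30.
# 5.6.7.8/30 is the placeholder block from the message; using .9 here is an assumption.
inet 192.168.2.1 255.255.255.0
inet alias 5.6.7.9 255.255.255.252

# --- new server (assumed addressing) ---
# Address 5.6.7.10, netmask 255.255.255.252, default gateway 5.6.7.9.

# --- /etc/pf.conf (router) ---
ext_if   = "sis0"
int_if   = "sis1"
dmz_if   = "sis2"
priv_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
pub_srv  = "5.6.7.10"   # routed, never translated
srv_port = "443"        # assumed service port

set skip on lo
block log all

# Private hosts are still translated to the external address. Scoping the
# source to $priv_net keeps the routed /30 out of nat-to.
pass in  on { $int_if, $dmz_if } inet from $priv_net
pass out on $ext_if inet from $priv_net nat-to ($ext_if:0)

# The routed server has no NAT in front of it, so every flow it may take
# part in has to be passed explicitly.
pass in  on $ext_if inet proto tcp to $pub_srv port $srv_port
pass out on $dmz_if inet proto tcp to $pub_srv port $srv_port
pass in  on $dmz_if inet from $pub_srv
pass out on $ext_if inet from $pub_srv

# Existing rdr-to rules for 192.168.2.2 and 192.168.2.3 stay as they are.
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before the change goes live.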



Re: Can one interface have an IP address and bridge as well?

2011-06-22 Thread Stuart Henderson
Seconded, or alternatively can you add another interface (physical
or vlan) to place the server on?

It might be possible to do bridging and nat on the same interface
(possibly using bridge rules and PF tags) but at best you're setting
yourself up for a complicated and fragile ruleset.

On 2011-06-22, Shane Lazarus wrote:
> Heya
>
> On Wed, Jun 22, 2011 at 12:13 PM, Paul Suh wrote:
>
>> Folks,
>>
>> Is this possible and/or a good idea? I have a router with three interfaces:
>>
>> sis0: external interface, IPv4 address 1.2.3.4/24
>> sis1: internal interface, IPv4 address 192.168.1.1/24
>> sis2: DMZ interface, IPv4 address 192.168.2.1/24
>>
>> NAT rules pass all traffic from the internal and DMZ zones through the
>> external IP address. I have a couple of servers with IPv4 addresses
>> 192.168.2.2 and 192.168.2.3 in the DMZ, with rdr-to rules that send traffic in
>> to them from 1.2.3.4.
>>
>> I need to place a server at 1.2.3.5, and the software I have to run needs the
>> server itself to have the IPv4 address 1.2.3.5 -- I can't NAT it and give the
>> server the address 192.168.2.4 in the DMZ. (Don't ask. *shudder*) Can I set up
>> a bridge between sis0 and sis2 so that traffic for 1.2.3.5 gets passed through
>> to the server via sis2 as well as having the IPv4 address 1.2.3.4 on sis0? Or
>> is there a better way to do this?
>>
>>
>> --Paul
>>
>>
>>
> I personally would check to see if you could get a /30 routed to 1.2.3.4.
> 5.6.7.8 - 5.6.7.11
>
> Append one of the /30 to the sis2 interface, and the other to your new
> server.
>
> If 1.2.3.4 & 1.2.3.5 are part of a bigger block that you own, see if you
> can't allocate a /30 from that larger pool.
> ( 1.2.3.8 - 1.2.3.11 ?? )
>
>
> Shane



Re: Can one interface have an IP address and bridge as well?

2011-06-22 Thread Paul Suh
Folks,

I could add another physical interface for the internal end of the bridge, but
not for the external end. Would this work?


--Paul


On Jun 22, 2011, at 6:56 AM, Stuart Henderson wrote:

> Seconded, or alternatively can you add another interface (physical
> or vlan) to place the server on?
>
> It might be possible to do bridging and nat on the same interface
> (possibly using bridge rules and PF tags) but at best you're setting
> yourself up for a complicated and fragile ruleset.
>
> On 2011-06-22, Shane Lazarus wrote:
>> Heya
>>
>> On Wed, Jun 22, 2011 at 12:13 PM, Paul Suh wrote:
>>
>>> Folks,
>>>
>>> Is this possible and/or a good idea? I have a router with three interfaces:
>>>
>>> sis0: external interface, IPv4 address 1.2.3.4/24
>>> sis1: internal interface, IPv4 address 192.168.1.1/24
>>> sis2: DMZ interface, IPv4 address 192.168.2.1/24
>>>
>>> NAT rules pass all traffic from the internal and DMZ zones through the
>>> external IP address. I have a couple of servers with IPv4 addresses
>>> 192.168.2.2 and 192.168.2.3 in the DMZ, with rdr-to rules that send traffic in
>>> to them from 1.2.3.4.
>>>
>>> I need to place a server at 1.2.3.5, and the software I have to run needs the
>>> server itself to have the IPv4 address 1.2.3.5 -- I can't NAT it and give the
>>> server the address 192.168.2.4 in the DMZ. (Don't ask. *shudder*) Can I set up
>>> a bridge between sis0 and sis2 so that traffic for 1.2.3.5 gets passed through
>>> to the server via sis2 as well as having the IPv4 address 1.2.3.4 on sis0? Or
>>> is there a better way to do this?
>>>
>>>
>>> --Paul
>>>
>>>
>>>
>> I personally would check to see if you could get a /30 routed to 1.2.3.4.
>> 5.6.7.8 - 5.6.7.11
>>
>> Append one of the /30 to the sis2 interface, and the other to your new
>> server.
>>
>> If 1.2.3.4 & 1.2.3.5 are part of a bigger block that you own, see if you
>> can't allocate a /30 from that larger pool.
>> ( 1.2.3.8 - 1.2.3.11 ?? )
>>
>>
>> Shane




Re: Can one interface have an IP address and bridge as well?

2011-06-22 Thread Stuart Henderson
That would make things simpler.

On Thu, 23 Jun 2011 03:09:16 +0100, Paul Suh wrote:
> Folks,
> 
> I could add another physical interface for the internal end of the bridge, 
> but not for the external end. Would this work? 
> 
> 
> --Paul
> 
> 
> On Jun 22, 2011, at 6:56 AM, Stuart Henderson wrote:
> 
> > Seconded, or alternatively can you add another interface (physical
> > or vlan) to place the server on?
> > 
> > It might be possible to do bridging and nat on the same interface
> > (possibly using bridge rules and PF tags) but at best you're setting
> > yourself up for a complicated and fragile ruleset.
> > 
> > On 2011-06-22, Shane Lazarus wrote:
> >> Heya
> >>
> >> On Wed, Jun 22, 2011 at 12:13 PM, Paul Suh wrote:
> >>
> >>> Folks,
> >>>
> >>> Is this possible and/or a good idea? I have a router with three interfaces:
> >>>
> >>> sis0: external interface, IPv4 address 1.2.3.4/24
> >>> sis1: internal interface, IPv4 address 192.168.1.1/24
> >>> sis2: DMZ interface, IPv4 address 192.168.2.1/24
> >>>
> >>> NAT rules pass all traffic from the internal and DMZ zones through the
> >>> external IP address. I have a couple of servers with IPv4 addresses
> >>> 192.168.2.2 and 192.168.2.3 in the DMZ, with rdr-to rules that send traffic in
> >>> to them from 1.2.3.4.
> >>>
> >>> I need to place a server at 1.2.3.5, and the software I have to run needs the
> >>> server itself to have the IPv4 address 1.2.3.5 -- I can't NAT it and give the
> >>> server the address 192.168.2.4 in the DMZ. (Don't ask. *shudder*) Can I set up
> >>> a bridge between sis0 and sis2 so that traffic for 1.2.3.5 gets passed through
> >>> to the server via sis2 as well as having the IPv4 address 1.2.3.4 on sis0? Or
> >>> is there a better way to do this?
> >>> 
> >>> 
> >>> --Paul
> >>> 
> >>> 
> >>> 
> >> I personally would check to see if you could get a /30 routed to 1.2.3.4.
> >> 5.6.7.8 - 5.6.7.11
> >> 
> >> Append one of the /30 to the sis2 interface, and the other to your new
> >> server.
> >> 
> >> If 1.2.3.4 & 1.2.3.5 are part of a bigger block that you own, see if you
> >> can't allocate a /30 from that larger pool.
> >> ( 1.2.3.8 - 1.2.3.11 ?? )
> >> 
> >> 
> >> Shane