On 1/21/23, David Gwynne <da...@gwynne.id.au> wrote:
> On Sat, Jan 21, 2023 at 01:46:34PM -0800, patrick keshishian wrote:
>> On 1/20/23, David Gwynne <da...@gwynne.id.au> wrote:
>> > On Fri, Jan 20, 2023 at 11:09:47AM -0800, patrick keshishian wrote:
>> >> Hello,
>> >>
>> >> I am trying to get a new ISP setup working. The Router is
>> >> causing some pain. There is a /28 public block assigned.
>> >> The DSL router can't be configured in transparent bridge
>> >> mode (they say). It holds on to one of the /28 addresses.
>> >
>> > i'm sure they say that, but that doesn't mean it's impossible. this
>> > will be a lot easier and more useful if you can get a dsl modem
>> > into bridge/transparent mode and do all the routing on your own
>> > box.
>>
>> OK. So the situation was a bit worse than I had actually
>> anticipated. After I got the described setup configured
>> I noticed that the DSL Router/Modem wouldn't send out
>> any traffic unless it had an arp entry for the source.
>> e.g., nat-to an unassigned IP from the /28 wouldn't go out.
>>
>> Again, in my limited networking knowledge, it meant I had
>> to do proxy arp entries for /28 public IPs in the $dmz.
>> This was quite frustrating.
>>
>> So I started poking around in the DSL Router/modem settings
>> (cuing off your "doesn't mean it's impossible") and I
>> have it now acting as a transparent bridge!
>>
>> I spent most of Tues on the phone with their techs, and I
>> was assured that is not possible/unsupported. Now maybe
>> they actually meant "unsupported" mode as far as their
>> support is concerned.
>>
>> But things seem to be running as expected (so far)! So thanks
>> for the bit of "encouragement"!
>
> Does that mean you have the WAN IP on your router now? And you can do
> whatever you want with the /28?

Yep! And it made things so much easier to set up.

>> > that would also give you the option to do fun stuff like NOT putting
>> > the /28 onto an ethernet network so you could you use all 16 of the
>> > IPs on dmz hosts instead of losing some to network/broadcast/gateway.
>>
>> I am curious how you would go about doing what you suggest:
>> Using all 16 of /28.
>
> The simple (and currently best supported) way is to set up a tunnel
> interface for every IP in the /28 and connect the tunnel to the server
> providing the service. The router would have a config like this:
>
> ifconfig gif0 create
> ifconfig gif0 tunnel $router_lan_ip $server_lan_ip
> ifconfig gif0 inet $router_gif_ip $server_slash28_ip

A bit above my pay-grade. I'll need to study this later on.

Thanks again for the hints/help!
--patrick

>>
>> Thanks for your reply,
>> --patrick
>>
>> >> The setup looks something like this:
>> >> (and hopefully the ascii "art" remains intact from gmail)
>> >>
>> >>              ( internet )
>> >>                   |
>> >>                   | [WAN IP]
>> >>             +-----o------+
>> >>             / DSL ROUTER /   <-- Transparent bridge mode NOT possible
>> >>             +-----o------+
>> >>                   | [ one of /28 Public IPs = $dslgw_ip ]
>> >>                   |
>> >>                   |
>> >>                   | $ext
>> >>             +-----o------+
>> >>             |            |
>> >>             | OpenBSD/pf o--- ( rest of /28 Public IP network )
>> >>             |            |        $dmz (DMZ: httpd, smtpd, ...)
>> >>             +-----o------+
>> >>              $lan | [10.x.x.1]
>> >>                   |
>> >>             ( 10.x.x.x network )
>> >>
>> >>
>> >> As far as networking goes, I need to be spoken to as if I'm
>> >> a fledgling.
>> >>
>> >> I want to do the obvious: use OpenBSD/pf(4) to:
>> >> - Filter traffic from $ext to $dmz
>> >> - Filter traffic from $dmz outbound
>> >> - Filter traffic from $lan (10.x.x.x) to $dmz
>> >> - NAT traffic from $lan (10.x.x.x) outbound to internet
>> >>
>> >>
>> >> I'm bridge(4)-ing $ext and $dmz. Which means I must give
>> >> one of the /28 public IP addresses to either $ext or $dmz
>> >> to be able to do:
>> >>
>> >> # route add default $dslgw_ip
>> >>
>> >> (!?)
>> >>
>> >> Am I missing something?
>> >> Is there a better way to configure things?
>> >>
>> >> Thanks,
>> >> --patrick
>> >>
>> >
>
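The one-tunnel-per-IP layout David describes, as an added example that is not part of the thread: a POSIX sh generator that enumerates the /28 and prints the router-side gif(4) commands for every address, so all 16 IPs land on DMZ hosts without a public Ethernet segment. All addressing is constructed: 203.0.113.16/28 (TEST-NET-3) as the public block, 10.0.0.1 as the router's LAN address, servers at 10.0.0.11 upwards, and a distinct private router-side tunnel address 10.255.N.1 per tunnel.

```shell
#!/bin/sh
# Added example, not from the thread. Enumerates a /28 and prints the
# router-side ifconfig(8) lines for one gif(4) tunnel per public address,
# following the three-command recipe quoted above. Run it on a workstation
# and review the output before putting anything into /etc/hostname.gifN.
#
# Constructed placeholder addressing (assumption, adjust to your network):
ROUTER_LAN_IP=10.0.0.1          # router's address on the LAN the servers share
SERVER_LAN_BASE=10.0.0          # server N sits at 10.0.0.(11+N)
PUBLIC_IN_BLOCK=203.0.113.21    # any address inside the /28 (TEST-NET-3)

# Print the 16 addresses of the /28 containing the dotted quad in $1.
slash28_hosts() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad IPv4 address" >&2; return 1; }
    base=$(($4 - $4 % 16))      # clear the low 4 bits of the last octet
    i=0
    while [ $i -lt 16 ]; do
        printf '%s.%s.%s.%s\n' "$1" "$2" "$3" $((base + i))
        i=$((i + 1))
    done
}

# Router-side commands for tunnel number $1 carrying public IP $2 to the
# server whose LAN address is $3. The router end of each point-to-point
# link gets its own private address so the 16 p2p pairs never collide.
router_tunnel_cmds() {
    n=$1; pub=$2; server_lan=$3
    router_gif_ip=10.255.$n.1   # assumption: one private address per tunnel
    printf 'ifconfig gif%s create\n' "$n"
    printf 'ifconfig gif%s tunnel %s %s\n' "$n" "$ROUTER_LAN_IP" "$server_lan"
    printf 'ifconfig gif%s inet %s %s\n' "$n" "$router_gif_ip" "$pub"
}

# Emit the full router configuration: tunnel N carries the N-th public IP
# to the N-th server (network and broadcast addresses are usable too,
# since the /28 never sits on an Ethernet segment).
emit_router_config() {
    n=0
    for pub in $(slash28_hosts "$1"); do
        router_tunnel_cmds "$n" "$pub" "$SERVER_LAN_BASE.$((11 + n))"
        n=$((n + 1))
    done
}

emit_router_config "$PUBLIC_IN_BLOCK"
```

Each server needs the mirror image on its own gif0 (tunnel from its LAN address to the router, inet with its /28 address as the local end and the matching 10.255.N.1 as the destination), and the router's pf rules must pass the tunnelled traffic; the script covers only the router end.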