> We currently have a firewall using a Cisco PIX server. Everything on this firewall is using a static IP of some sort. There is a range of IP addresses inside the PIX firewall that are being used for DHCP.
Just to make sure: you say everything on this firewall is using a static IP of some sort, yet you mention a range of IPs inside the PIX are used for DHCP? Which is it? All static or some static and some DHCP? I have to admit I'm a bit confused. Could it be that you are using the term "static IP" when in fact you mean to say "public IP"? For example, I'm thinking that you currently have all public IPs configured on your network (by public, I mean non-RFC 1918 addresses). Now I believe what you want to do is start using some *private* IP addresses (one of the ranges defined in RFC 1918) and dispense them using a *dynamic* means, such as DHCP. Am I understanding it better? I do agree with you that you should have a subnet (or multiple subnets) of DHCP-assigned private IP addresses for all the office computers that will be web surfing and such. To save on bandwidth you could install a web proxy such as Squid -- unless you already have one -- and automatically redirect all outbound traffic destined for ports 80 and 443 towards the Squid proxy using the redirect function of pf (you wouldn't even have to explicitly configure any web proxy in the users' browsers, as the firewall would do all interception and redirection for you). You should then have a separate subnet (or subnets, if you'll be splitting your class C) for your phones. If you're using VLAN-capable switches then you'll put the PCs on one VLAN and the phones on another. If you're lucky enough to have a whole class C network assigned to you by your ISP (such as 216.139.44.0/24), then you can put all of that class C *behind* the firewall, much like you'll put your private network 10.30.1.0/24 behind it as well. If you only have two NICs on the firewall though, you'll need to create two VLAN interfaces on the internal NIC so that this single NIC can see the two VLANs, have a unique IP for each of them, and be able to filter discretely on each.
Your physical NIC won't even have to have an IP address itself; only the VLAN interfaces will need to. All you'll need is for the physical NIC to appear as "UP" with 'ifconfig'. You can then create your pf filters using 'vlan0' and 'vlan1' interfaces instead of something like 'fxp0'. If your ISP gave you a whole class C they probably also gave you a public IP address outside of the 216.139.44.0/24 subnet to be used as the external IP of your firewall device. They are then telling their router to forward all IP traffic with a destination of 216.139.44.0/24 to that public IP address they gave you.
> Given this information, what is the best route to go to set this up? A friend suggested giving the first NIC an external IP address, and giving the second NIC both an internal address (10.30.1.1, since it will be the gateway for the office computers) as well as an external IP address, and then enable the gateway option in OpenBSD.
Your friend basically suggested what I'm mentioning above, although he didn't mention VLAN tagging and trunking, which is what you'll need if you want to run two different IP subnets on the same physical interface. I've done this kind of setup before, but I only had one NIC with many VLANs going through it (this kind of setup is usually called router-on-a-stick: http://www.gurulabs.com/goodies/routeronastick.php).

-Martin

-- 
"Suburbia is where the developer bulldozes out the trees, then names the streets after them." --Bill Vaughan
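As an added illustration (not part of Martin's message, and not a configuration from any project the thread mentions), here is the two-NIC layout he describes written out as OpenBSD configuration of that era: an address-less internal NIC carrying two tagged VLANs, with pf filtering on the vlan interfaces rather than on the physical one. The interface names, VLAN tags, the phone subnet carved out of the example class C, the Squid port and the SIP port are all assumptions made for the example; the hostname.if and pf.conf syntax is the older `vlandev`/`rdr`/`nat` form matching the interface names used in the thread (OpenBSD 4.7 and later write translation as `match ... nat-to`/`rdr-to`, and newer releases use `parent`/`vnetid` for VLANs). Squid is assumed to run on the firewall itself, configured for interception (`http_port 3128 transparent` in Squid 2.6 and later). One practical caveat: only port 80 is redirected here, because a plain HTTP proxy cannot intercept TLS on 443; that traffic is simply passed through. Each VLAN also gets a default deny with only its own services allowed, and the PC VLAN is kept from reaching the phone VLAN, which is the least-privilege reason for separating them in the first place.

```conf
# /etc/hostname.fxp1  -- physical internal NIC: brought "UP" with no address of its own
up

# /etc/hostname.vlan0 -- office PCs, private 10.30.1.0/24 (RFC 1918), VLAN tag 10 on fxp1
inet 10.30.1.1 255.255.255.0 NONE vlan 10 vlandev fxp1

# /etc/hostname.vlan1 -- phones, half of the public class C, VLAN tag 20 on fxp1
inet 216.139.44.1 255.255.255.128 NONE vlan 20 vlandev fxp1

# /etc/pf.conf -- filter on the vlan interfaces, never on fxp1 itself
ext_if     = "fxp0"            # external NIC, holds the ISP-assigned public address
pc_if      = "vlan0"
phone_if   = "vlan1"
pc_net     = "10.30.1.0/24"
phone_net  = "216.139.44.0/25" # assumed phone subnet (public, so no NAT needed)
proxy_port = "3128"            # assumed: Squid on the firewall with http_port 3128 transparent
sip_port   = "5060"            # assumed SIP signalling port for the phones

set skip on lo

# Office PCs use private addresses, so translate them to the external address on the way out.
nat on $ext_if inet from $pc_net to any -> ($ext_if)

# Transparent proxy: divert outbound HTTP from the PC VLAN to Squid on the firewall.
# Port 443 is deliberately NOT redirected: a plain HTTP proxy cannot intercept TLS.
rdr on $pc_if inet proto tcp from $pc_net to any port 80 -> 127.0.0.1 port $proxy_port

# Default deny everywhere; blocked packets are logged so pflog0 shows what was dropped.
block log all

# PC VLAN: the redirected HTTP (pf shows it to the filter with its new 127.0.0.1 destination),
# direct HTTPS, and DNS. The phone subnet is excluded so PCs cannot reach the phones.
pass in on $pc_if inet proto tcp from $pc_net to 127.0.0.1 port $proxy_port keep state
pass in on $pc_if inet proto tcp from $pc_net to !$phone_net port 443 keep state
pass in on $pc_if inet proto udp from $pc_net to !$phone_net port 53 keep state

# Phone VLAN: only SIP signalling out to the provider; media (RTP) ranges are PBX-specific
# and would be added here once known. Phones cannot reach the PC subnet.
pass in on $phone_if inet proto udp from $phone_net to !$pc_net port $sip_port keep state

# Traffic leaving the firewall itself (Squid's own fetches, the firewall's DNS lookups, etc.)
pass out on $ext_if inet keep state
```

Usage: place the three hostname.* files and pf.conf as shown, enable forwarding with `sysctl net.inet.ip.forwarding=1` (the "gateway option" the friend mentioned), and load the ruleset with `pfctl -f /etc/pf.conf`. Check the VLAN interfaces came up with `ifconfig vlan0` and `ifconfig vlan1`, and confirm the translation rules with `pfctl -s nat`. Because the ISP routes the whole 216.139.44.0/24 to the firewall's external address, the phone half of that block is reachable through fxp0 only by the states these rules create, which is the behaviour to verify with `pfctl -s state` while a phone registers.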