 From:  "Bruce A. Mah" <bmah at acm dot org>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  bmah at acm dot org, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Things to think about.
 Date:  Tue, 14 Dec 2004 16:37:47 -0800
If memory serves me right, Chris Buechler wrote:
> On Tue, 14 Dec 2004 15:38:13 -0800, Phill R Kenoyer <phill at bmg50 dot com> wrote:
> >
> > WAN to LAN bridging.
> > 
> 
> I second that.  It's silly to have to have an unused LAN interface on
> strictly filtering bridge setups.  I'm sure it was done that way to
> protect people from accidentally doing something stupid and bridging
> their LAN to the WAN, but that makes it really inconvenient when
> setting up something like a filtering bridge at a colo.

No, it was done that way because that's how I knew how to make it work.
As m0n0wall stands right now, both the LAN and WAN ports need to have IP
addresses assigned to them (for various reasons), and the "other side of
the bridge" port needs to be unnumbered.  Thus the requirement for three
interfaces.  If you can figure out how to remove at least one of these
requirements, you'll be on your way.

Please don't ask me to improve this feature.  It works for me as it
stands right now, and I have more Ethernet ports than I have free time.
The source code is right there for anyone who wants to try to fix up
this "silly" state of affairs, but IMNSHO, it's harder than it sounds.
Feel free to prove me wrong.

Bruce.

PS.  One thing I thought of was:  On a machine with two network
interfaces, configure a VLAN on one of the interfaces and use that for a
LAN port; this would allow you to do a filtering bridge setup with only
two physical interfaces.  I believe I suggested this before, but
apparently nobody has investigated to see if this works or not.