 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Bostjan Hojkar'" <bostjan dot hojkar at fov dot uni dash mb dot si>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Bridge again :)
 Date:  Tue, 18 Nov 2003 14:52:11 +0100
As far as I understand, your last comment could be nearly right, in a way...
:-)

I guess if you could bridge the OPT1 with the LAN connection and connect
your internet router to the OPT1 port, it should work.

Like this:

LAN Switch --- LAN m0n0wall OPT1(bridged to LAN) --- internet connection
Just leave the WAN not connected (with 0.0.0.0/32) and treat the OPT1 as
your WAN connection.

OR

LAN Switch --- OPT1(bridged to WAN) m0n0wall WAN --- Internet connection
And leave your LAN disconnected (OPT1 is now your LAN connection).

You should not put the 2 bridged interfaces on the LAN side, but one on the
internet side too.
The reason to use 3 interfaces is that LAN to WAN bridging (or reverse for
that matter) will NOT work, so you need a 3rd interface to be the OPT1 and
be able to bridge (as you cannot assign an interface to OPT1 and not have a
LAN and WAN interface).
One of the 3 interfaces is not used, really.

Hope this clears up some things (and hope I'm right ;-)

Regards,
Joachim

-----Original Message-----
From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
Sent: Tuesday 18 November 2003 12:19
To: Christiaens Joachim; Manuel Kasper
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Bridge again :)


Servers,Clients ---- LAN switch --- LAN and "OPT1 bridged with WAN" m0n0wall
+ WAN m0n0wall --- Internet

"+" showing something like a m0n0wall box :)

from old Bruce A. Mah filtering bridge page:

Practically speaking, you need three interfaces to make this work, since
these patches were designed to bridge the WAN port to one of the OPTx ports,
and the LAN port doesn't work too well in either of these roles. In fact, I
have not tested the NAT functionality of m0n0wall with these patches
applied.

So... I'm confused here...

Should I just bridge with LAN and remove OPT1??? (That would be just too
easy and I would be very happy :))

Regards, Hob

----- Original Message ----- 
From: "Christiaens Joachim" <jchristi at oce dot be>
To: "'Bostjan Hojkar'" <bostjan dot hojkar at fov dot uni dash mb dot si>; "Manuel Kasper"
<mk at neon1 dot net>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, November 18, 2003 12:05 PM
Subject: RE: [m0n0wall] Bridge again :)


I'm kinda confused here!

Can you make a little schematic like this please:

Servers/Clients --- LAN Switch --- LAN m0n0wall bridged OPT1 --- Internet
Connection router

(this, by the way should be a working example for bridged firewalling)

Regards,
Joachim

-----Original Message-----
From: Bostjan Hojkar [mailto:bostjan dot hojkar at fov dot uni dash mb dot si]
Sent: Tuesday 18 November 2003 11:59
To: Manuel Kasper
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Bridge again :)


Well my purpose is bridged firewall (filtering bridge).

The way a filtering bridge would work (AFAIK) is "put 2 interfaces into
bridged mode, IP-less, and connect them in the middle of your LAN - Router
connection".

The third interface is there only for the sake of administering the firewall via the web
interface. As I understand it this is how Bruce designed the whole filtering
bridge thing here. Or maybe not :).

OPT1 is not a DMZ for me, and my LAN is a network of public IPs, so I'm not
concerned with that (i.e. security) right now :) There aren't any servers
that would be connected via OPT1.

I'd be more than happy to use only 2 interfaces, put them into bridged mode
and get away with it. But you can't bridge WAN and LAN as it is right now.
I'll be working on that when I have time, but thought I'd use what there is and
the way it's supposed to work right now.

Thx, Hob

----- Original Message ----- 
> OPT1(bridged, ipless) and LAN are on same switch.

Ouch! Kinda defeats the purpose of having a separate optional

instant full access to your LAN.

> Access to web interface from some computer on LAN sometimes timeouts
> and is
> slow. If i disconnect OPT1 from switch, everything is allright.

So just do it the right way and use a separate switch, so having a
separate optional interface will actually make sense. ;)

> please try this patch (provided by jlemon)

FreeBSD 4.9 already has this patch. FreeBSD's ARP gets majorly confused
if it finds two interfaces connecting to the same broadcast domain (I
can't blame it, either - a setup like that just doesn't usually make
good sense).

- Manuel


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch


-----------------------------------------------
MISSION STATEMENT
-----------------------------------------------

effectively by offering innovative print and document management products
and services for professional environments.

-----------------------------------------------
DISCLAIMER
-----------------------------------------------
This e-mail message and any attachment are intended for the sole use of the
recipient(s) named above and may contain information which is confidential
and/or protected by intellectual property rights.
Any use of the information contained herein (including, but not limited to,
total or partial reproduction, communication or distribution in any form) by
other persons than the designated recipient(s) is prohibited.

If you have received this e-mail in error, please notify the sender either
by telephone (0032-2-729.48.11) or by e-mail and delete the material from
any computer.
Oce-Belgium/Oce-Interservices is nor responsible for the correct and
complete transfer of the contents of the sent e-mail, neither for the
receipt on due time.  This e-mail message does not bring about a contractual
obligation for Oce-Belgium/Oce-Interservices.

Thank you for your cooperation.

For further information about Oce-Belgium/Oce-Interservices please see our
website at www.oce.be

-----------------------------------------------
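Manuel's remark above about FreeBSD's ARP getting confused when two interfaces of one host sit in the same broadcast domain (the LAN interface and the bridged, IP-less OPT1 both plugged into the LAN switch) is the security-relevant point of this thread, because the symptom is intermittent loss of the management path. The following is an added illustration, not code from m0n0wall, FreeBSD, or anyone in the thread: a toy model of an ARP cache that records the interface each entry was learned on, with the warning text modelled on the style of FreeBSD's "is on X but got reply from ... on Y" log line. It assumes, as Manuel's remark implies, that the kernel processes ARP arriving on the bridged IP-less interface just like ARP arriving on the LAN interface; the host names, interface names and addresses (RFC 5737/7042 documentation ranges) are constructed for the example.

```python
# Added illustration (not m0n0wall or FreeBSD code): a toy model of an
# interface-bound ARP cache, showing why a host with two NICs on the same
# broadcast domain sees conflicting ARP information.
from dataclasses import dataclass, field


@dataclass
class Segment:
    """One broadcast domain (a switch). A frame sent here reaches every
    attached interface except the one that sent it."""
    name: str
    ports: list = field(default_factory=list)  # (host, ifname) pairs

    def broadcast(self, src, frame):
        for host, ifname in self.ports:
            if (host, ifname) != src:
                host.receive(ifname, frame)


@dataclass
class Host:
    """A host whose ARP cache remembers which interface an entry was learned
    on (a simplification of the per-interface checks a real ARP stack does)."""
    name: str
    arp: dict = field(default_factory=dict)    # ip -> (mac, ifname)
    warnings: list = field(default_factory=list)

    def attach(self, ifname, segment):
        segment.ports.append((self, ifname))

    def receive(self, ifname, frame):
        if frame["type"] != "arp":
            return
        ip, mac = frame["sender_ip"], frame["sender_mac"]
        known = self.arp.get(ip)
        if known is not None and known[1] != ifname:
            # The same sender shows up on a second interface: the entry keeps
            # flipping between LAN and OPT1, the "confused ARP" of the thread.
            self.warnings.append(
                f"arp: {ip} is on {known[1]} but got reply from {mac} on {ifname}")
        self.arp[ip] = (mac, ifname)


def simulate(opt1_on_lan_switch: bool, arp_bursts: int = 2):
    """Build the topology from the thread and return the ARP conflicts the
    m0n0wall box would record. Hypothetical names and addresses."""
    lan_switch = Segment("LAN switch")
    opt1_segment = lan_switch if opt1_on_lan_switch else Segment("separate switch")
    fw = Host("m0n0wall")
    fw.attach("LAN", lan_switch)
    fw.attach("OPT1", opt1_segment)       # the bridged, IP-less interface
    client = Host("client")
    client.attach("eth0", lan_switch)
    # Constructed sample traffic: a LAN client broadcasts ARP requests, which
    # carry its own IP/MAC as sender and so populate every listener's cache.
    request = {"type": "arp",
               "sender_ip": "192.0.2.10",
               "sender_mac": "00:00:5e:00:53:10"}
    for _ in range(arp_bursts):
        lan_switch.broadcast((client, "eth0"), request)
    return fw.warnings


if __name__ == "__main__":
    print("OPT1 on the LAN switch:")
    for w in simulate(opt1_on_lan_switch=True):
        print("  " + w)
    print("OPT1 on its own switch:", simulate(opt1_on_lan_switch=False))
```

With OPT1 on the same switch every broadcast is delivered to the firewall twice, once per interface, and every delivery after the first contradicts the interface the entry was learned on; with OPT1 on a separate switch (Manuel's "do it the right way") the firewall's LAN interface is the only one that sees the client and no conflict occurs. Real kernels differ in how they resolve the conflict, but the structural cause is the same: one host, two ports, one broadcast domain.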
