 From:  "Bruce A. Mah" <bmah at acm dot org>
 To:  Bostjan Hojkar <bostjan dot hojkar at fov dot uni dash mb dot si>
 Cc:  Manuel Kasper <mk at neon1 dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bridge again :)
 Date:  Tue, 18 Nov 2003 09:49:09 -0800
If memory serves me right, Bostjan Hojkar wrote:
> Well my purpose is bridged firewall (filtering bridge).
>
> The way filtering bridge would work (AFAIK) is "put 2 interfaces, into
> bridged mode, ipless and connect them in the middle of your LAN - Router
> connection".

I don't know if you can make both interfaces of a bridge unnumbered
with m0n0wall.  As far as I can tell, you can only bridge pairs of
interfaces together and exactly one of them *must* have an IP address
and the other one of the pair *must* be unnumbered.

I'm pretty sure m0n0wall always worked this way, even before the
filtering bridge stuff.

> The third interface is there only for the sake of administering the firewall via WEB
> interface. As I understand it this is how Bruce designed the whole filtering
> bridge thing here. Or maybe not :).

Well, that's kind of what my setup looks like.  Now that there's the
ability to administer m0n0wall using HTTPS on the WAN interface, it
might be possible to do the whole thing with only two interfaces.

> OPT1 is not DMZ for me, and my LAN is network of public IPs, so I'm not
> concerned with that (i.e. security) right now :) There aren't any servers
> that would be connected via OPT1.
>
> I'd be more than happy to use only 2 interfaces, put them into bridged mode
> and get away with it. But you can't bridge WAN and LAN as it is right now.
> I'll be working on that when I have time, but thought I'd use what it is and
> the way it's supposed to work right now.

OK, let me draw a little picture of my home network.  I can tell you
that this works, since I'm typing to you through it.

 +---------+    |
 | server1 +----|
 +---------+    |

 +---------+    |
 | server2 +----|   OPT1        WAN
 +---------+    |     +----------+
                |-----+ m0n0wall +-----> DSL modem and Internet
 +---------+    |     +----------+
 | server3 +----|          | LAN
 +---------+    |          |
                |          |

I have a /29 of globally-visible IP addresses (i.e. 8 addresses).  The
m0n0wall WAN interface is assigned one of these addresses.  The OPT1
is bridged to the WAN interface.  Obviously I've turned on filtered
bridging.

The three servers on the left are also assigned addresses from the /29
block.  As implied by the diagram, they are on a separate switch from
the m0n0wall WAN port.  The only way to get packets to and from these
servers is through the m0n0wall box.

It's important to note that all of the server interfaces, plus the
m0n0wall WAN port, are on the same IP subnet.  They all have identical
subnet masks and default gateway settings (the default gateway is off
this diagram, to the right).  This all works because of the bridging
functionality.

The m0n0wall LAN port has an address in RFC 1918 space.  Normally
nothing is connected to it, except when I hook up a laptop to do some
configuration changes.

Let me reiterate Manuel's comment:  It's pointless to connect the two
sides of a filtering bridge to the same switch.  Whatever you're
trying to do, that's almost certainly not the answer.

I admit I am a little confused as to what you want to accomplish, but
I hope this helps.

Bruce.
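As an added illustration, not part of the thread or of m0n0wall, here is a small check of the invariants Bruce describes above: exactly one side of a bridged pair carries an IP address, every server behind the bridge and the default gateway sit in the same subnet as the WAN address, and the management LAN lives in RFC 1918 space. The config dictionary layout and all addresses are constructed placeholders (documentation range), not m0n0wall's own format or Bruce's real /29.

```python
import ipaddress

# Constructed example modelling the layout in the mail above.
# Addresses are documentation-range placeholders, not the real /29.
EXAMPLE = {
    "bridges": [{"numbered": "wan", "unnumbered": "opt1"}],
    "interfaces": {
        "wan": {"addr": "203.0.113.2/29", "gateway": "203.0.113.1"},
        "opt1": {"addr": None},            # bridged side stays unnumbered
        "lan": {"addr": "192.168.1.1/24"},  # management-only port
    },
    "servers": {
        "server1": "203.0.113.3/29",
        "server2": "203.0.113.4/29",
        "server3": "203.0.113.5/29",
    },
}


def validate(cfg):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    ifaces = cfg["interfaces"]
    for br in cfg["bridges"]:
        num, unnum = ifaces[br["numbered"]], ifaces[br["unnumbered"]]
        # Rule from the mail: exactly one side of a bridged pair has an IP.
        if num["addr"] is None or unnum["addr"] is not None:
            problems.append(f"bridge {br}: exactly one side must be numbered")
            continue
        wan = ipaddress.ip_interface(num["addr"])
        net = wan.network
        gw = ipaddress.ip_address(num["gateway"])
        if gw not in net:
            problems.append(f"gateway {gw} not in bridged subnet {net}")
        for name, addr in cfg["servers"].items():
            srv = ipaddress.ip_interface(addr)
            # Servers behind the unnumbered side must share subnet and mask
            # with the WAN port, since the bridge does no routing.
            if srv.network != net:
                problems.append(f"{name}: {srv} not in bridged subnet {net}")
            elif srv.ip in (gw, wan.ip):
                problems.append(f"{name}: address collides with gateway or WAN")
    lan = ifaces.get("lan", {}).get("addr")
    if lan and not ipaddress.ip_interface(lan).network.is_private:
        problems.append("management LAN should use RFC 1918 space")
    return problems
```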