 From:  "Bruce A. Mah" <bmah at acm dot org>
 To:  Bostjan Hojkar <bostjan dot hojkar at fov dot uni dash mb dot si>
 Cc:  "Bruce A. Mah" <bmah at acm dot org>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bridge again :)
 Date:  Wed, 19 Nov 2003 08:34:00 -0800
If memory serves me right, Bostjan Hojkar wrote:
> >It's important to note that all of the server interfaces, plus the
> >m0n0wall WAN port, are on the same IP subnet.  They all have identical
> >subnet masks and default gateway settings (the default gateway is off
> >this diagram, to the right).  This all works because of the bridging
> >functionality.
> >
> >The m0n0wall LAN port has an address in RFC 1918 space.  Normally
> >nothing is connected to it, except when I hook up a laptop to do some
> >configuration changes.
> >
> I think I understand a little better now. I guess I was a bit confused
> because I didn't read only m0n0wall's bridge functionality but also bridge(4)
> in FreeBSD and Linux bridging. I made some assumptions how things should be
> from there..

OK.  There's not a lot of documentation on this stuff (and some of
this is my fault since I seem to have popularized the bridging
functionality a bit).

> >Let me reiterate Manuel's comment:  It's pointless to connect the two
> >sides of a filtering bridge to the same switch.  Whatever you're
> >trying to do, that's almost certainly not the answer.
> >
> I'm not connecting TWO sides of the bridge to the same switch. I never said
> that; whoever got that idea - it's wrong. I'm using your scheme, only my
> network behind "OPT1" is /25.
> My problem was LAN, which I kept connected to the same switch as OPT1 for the sake
> of administering the switch and checking logs from any computer behind the firewall.

OK.  I *did* read your original message, and I had that impression
too, but whatever.  It sounds like what you are *actually* doing has a much
higher chance of success than what I originally thought, so this is a
good thing.

> >I admit I am a little confused as to what you want to accomplish, but
> >I hope this helps.
> In two words: "bridged firewall". That's all. I usually do it by hand and it
> works, but right now I'm in need of a webGUI ;). Of all the firewalls on a PC
> box I found and tried, m0n0wall comes closest to this..
> And it should be possible with only 2 interfaces, so I don't see why bridging
> LAN with WAN would be such a big problem.. I'll go into that after I make
> things work.

If you want to bridge LAN and WAN, the main thing you'll need to do (I
think) is to turn off all the features that require an IP address on
the LAN interface (DHCP server, DNS services, NAT, etc.).  In older
versions of m0n0wall this was impossible because you needed HTTP
access to the LAN interface for administration.  If you are
comfortable with administering via HTTPS on the WAN port, this might
work.  BTW, I've never tried this (ENOTIME), so if you (or anyone
else) can make this work it would be a fairly notable fact.
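The two cautions in this thread (don't land both legs of a filtering bridge in the same layer-2 domain; an interface bridged into WAN can't keep DHCP, DNS or NAT, and management then has to move to HTTPS on an interface that still owns an address) are the kind of thing worth checking before rebooting a box you can only reach over the bridge. The following is an added example written for this page, not code from m0n0wall or from anyone in the thread. The configuration dictionary is a hypothetical model, not m0n0wall's config.xml; interface names, switch names, the service list and all addresses are constructed. It goes slightly beyond the mail in treating switches that are cabled together as one L2 domain, so a bridge whose legs land on two interconnected switches is flagged too.

```python
"""Pre-flight sanity check for a filtering-bridge layout (added example)."""
import ipaddress

# Services the message names as needing the interface to own an IP address.
# The exact set is an assumption for this example.
IP_DEPENDENT_SERVICES = {"dhcp_server", "dns_forwarder", "nat"}

# "RFC 1918 space" as used in the thread; checked explicitly rather than via
# ipaddress.is_private, which also matches documentation ranges like 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def _l2_domains(interfaces, switch_links):
    """Map interface -> L2 domain id. Two interfaces share a domain when the
    switches they plug into are connected (union-find over switch links).
    Model assumption: one uplink per interface, no VLANs."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in switch_links:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    return {name: find(i["link"]) for name, i in interfaces.items() if i.get("link")}


def check_bridge_layout(cfg):
    """Return a list of problem strings; an empty list means the layout passes."""
    problems = []
    ifaces = cfg["interfaces"]
    domain = _l2_domains(ifaces, cfg.get("switch_links", ()))

    for member, target in cfg.get("bridges", ()):
        # Caution 1: both legs of a filtering bridge in one L2 domain just loop
        # the firewall back onto itself and filter nothing.
        if member in domain and domain[member] == domain.get(target):
            problems.append(f"bridge {member}<->{target}: both sides reach the same L2 domain "
                            f"({ifaces[member]['link']} / {ifaces[target]['link']})")
        # Caution 2: the bridged member has no address of its own, so it cannot
        # run services that need one.  The target (WAN) keeps its address.
        bad = IP_DEPENDENT_SERVICES & set(ifaces[member].get("services", ()))
        if bad:
            problems.append(f"{member} is bridged but still runs {sorted(bad)}")

    admin = cfg["admin"]
    name = admin["interface"]
    if name in {m for m, _ in cfg.get("bridges", ())} or not ifaces[name].get("ip"):
        problems.append(f"admin on {name}: interface owns no IP address, the webGUI is unreachable")
    else:
        addr = ipaddress.ip_interface(ifaces[name]["ip"]).ip
        # Management on a non-RFC 1918 interface (the WAN port) is exposed to the
        # outside, so only HTTPS is acceptable there.
        if not is_rfc1918(addr) and admin["protocol"] != "https":
            problems.append(f"admin on {name} ({addr}) over {admin['protocol']}: use https there")
    return problems


def sample_layout(**overrides):
    """Constructed sample following the diagram described in the thread: WAN
    towards the upstream switch, OPT1 bridged to WAN towards the server switch,
    LAN on its own admin switch in RFC 1918 space.  Addresses are made up."""
    cfg = {
        "interfaces": {
            "WAN":  {"ip": "203.0.113.2/24", "services": {"nat"}, "link": "sw-upstream"},
            "OPT1": {"ip": None, "services": set(), "link": "sw-servers"},
            "LAN":  {"ip": "192.168.1.1/24", "services": {"dhcp_server", "dns_forwarder"},
                     "link": "sw-admin"},
        },
        "switch_links": [],
        "bridges": [("OPT1", "WAN")],
        "admin": {"interface": "LAN", "protocol": "http"},
    }
    cfg.update(overrides)
    return cfg


def lan_wan_layout(services_off=False, https=False):
    """The two-interface 'bridge LAN with WAN' variant from the end of the message."""
    cfg = sample_layout(bridges=[("LAN", "WAN")],
                        admin={"interface": "WAN", "protocol": "https" if https else "http"})
    cfg["interfaces"]["LAN"]["link"] = "sw-servers"
    if services_off:
        cfg["interfaces"]["LAN"]["services"] = set()
    return cfg


if __name__ == "__main__":
    for label, cfg in (("OPT1<->WAN", sample_layout()),
                       ("LAN<->WAN, untouched", lan_wan_layout()),
                       ("LAN<->WAN, services off + https", lan_wan_layout(True, True))):
        print(label, "->", check_bridge_layout(cfg) or "OK")
```

The untouched LAN-to-WAN variant fails twice (LAN still runs DHCP and DNS; the webGUI would be on the WAN address over plain HTTP), and passes once those services are off and management is switched to HTTPS, which is exactly the sequence the message above suggests.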