No, you can still address the default route; this is how I am doing it right now. All m0n0 is doing is passing packets from the switch to the router. Basically I just added an IP to m0n0's WAN side for monitoring, etc. Here is a diagram of my layout (very simplified): http://www.tawifi.com/bridged.gif

I have the LAN side hooked into my management network, so if I need to make changes I can access the GUI through there.

As for filtering, we do not stand on the block-all policy; we just deny ports on a 1-to-1 basis, except for our servers, which we lock down tight. For the clients we block what is requested and what is needed for trojans, viruses, etc.

You have no choice in taking the network down; it has to go down for the time it takes to insert the bridge. We usually plan things like this in the early morning, like 2-3am, so that our impact is less.

One thing we also learned is to make sure your m0n0 box is running full-duplex. We had some Cisco switches not negotiate properly and cut our bandwidth in half; although the Cisco reported it was full duplex, the m0n0 boxes were mismatched. So verify your duplex when it's up.

I also have another network out there running OpenBSD in an IP-less bridge setup, but since this is not the right mailing list for it I won't go too deep into that one.

Peter Lauda wrote:
> Hey Eric,
>
> Thanks for writing.
>
> I looked at those examples and even tried some. However, I can't change
> the IP address scheme, and the monowall box will have to have at least 1
> IP address. Given that this IP would be in the same network as the
> router and as the internal network to be routed. Given that, and that
> politically I have no ability to test this without taking services down
> and without the guarantee I can see the old gateway through the new
> monowall bridge. So for instance I have:
>
> T1 -> adtrans tsu120 -> cisco 1600 -> etho0@60.60.60.1 -> feeding the rest of
> that class C subnetted address. I'm using a different one for the same
> political reasons.
>
> So I read it as you have to give the monowall at least 1 address. I'm
> not convinced it will route traffic to the .1 address from the machines
> beyond its bridged interface. Machines internally that use .1 as their
> gateway must be able to continue to do so. I think that is why I can't
> do the 1 IP bridge.
>
> Or, am I wrong?
>
> Thanks again...
>
> --p
>
> On Thu, 2006-03-02 at 12:28, Eric Collins wrote:
>
>> I use m0n0 as a filtering bridge for a network with a DS3 (routed by a
>> Cisco), 35 servers and around 500 active subscribers behind it, and it
>> has not failed in months (last failure was a power supply). I just
>> followed the guide at
>> http://doc.m0n0.ch/handbook/examples-filtered-bridge.html - simple & easy.
>>
>> The m0n0 box sits between my Cisco router and the main switch. I used
>> Intel PRO 10/100 cards in a P4 2.8 GHz with 512 MB of RAM, and it sustains
>> 30+ Mbps, but I tested it out at around 90 Mbps sustained.
>>
>> -Eric
>>
>> Peter Lauda wrote:
>>
>>> I'm wondering if the idea of using a monowall box to act as a
>>> replacement for something like a Cisco 1600 is possible. I have tried
>>> many different configurations to get mono running between my external
>>> network and the internal. For various reasons (none of which I can solve
>>> with the political corporate climate) I have to look for a different
>>> solution. I need to be able to firewall a connection between a Sprint T1
>>> and an ethernet network.
>>>
>>> Has anyone had any experience using a PCI interface to an ADTRAN CSU/DSU
>>> (model tsu120) using monowall? Is such a thing possible?
>>>
>>> Getting desperate here. I might have to go buy an ethernet non-IP
>>> filtering bridge. At 10,000.00 for a Checkpoint device I'd rather gnaw
>>> my foot off.
>>>
>>> --p
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
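Eric's advice to verify duplex once the bridge is up is easy to automate. The following is an added example, not code from the thread or from the m0n0wall project: a POSIX shell check that parses the `media:` lines of FreeBSD-style `ifconfig` output (the format m0n0wall's FreeBSD base prints) and reports every interface that is not running full-duplex, so a half-duplex link inherited from a failed negotiation with the switch is caught before it silently halves throughput. The `ifconfig` text below is constructed sample output; the interface names, the 192.0.2.x address and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or m0n0wall itself).
# Parse FreeBSD-style "ifconfig -a" output and flag interfaces whose media
# line does not report <full-duplex>. Run it on the bridge after it comes up.

# Constructed sample output: fxp0 negotiated half-duplex (the failure mode
# described in the thread), fxp1 is fine, lo0 has no media line at all.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        media: Ethernet autoselect (100baseTX <half-duplex>)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# duplex_report TEXT
# Prints "<iface> <full|half|unknown>" for every interface that has a
# media: line. Interface names start a line and end with a colon; the
# indented lines that follow belong to that interface.
duplex_report() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        /media:/ {
            d = "unknown"
            if ($0 ~ /full-duplex/)      d = "full"
            else if ($0 ~ /half-duplex/) d = "half"
            print iface, d
        }'
}

# duplex_mismatches TEXT
# Prints the names of interfaces that are NOT full-duplex (half or unknown).
# Returns 1 if any were found, 0 otherwise, so it can gate a post-install check.
duplex_mismatches() {
    bad=$(duplex_report "$1" | awk '$2 != "full" { print $1 }')
    [ -n "$bad" ] && printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# check_live_duplex
# Same check against the running system; only meaningful on a BSD host.
check_live_duplex() {
    duplex_mismatches "$(ifconfig -a 2>/dev/null)"
}

# Demonstration on the constructed sample: expect fxp0 to be reported.
if duplex_mismatches "$SAMPLE_IFCONFIG" >/dev/null; then
    echo "all interfaces full-duplex"
else
    echo "WARNING: interfaces not running full-duplex:"
    duplex_mismatches "$SAMPLE_IFCONFIG"
fi
```

Because the switch end can report full-duplex while the m0n0 side is half, the check belongs on the bridge itself; the exit status of `duplex_mismatches` lets it be wired into a cron job or a post-cutover checklist so a mismatch is flagged rather than discovered from the bandwidth graphs.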