
another bridge query



Hi

I've got a machine that's acting as a firewall. I have half a dozen 
fixed IPs, and applied them as aliases to interface xl0 and port mapped the 
services to the 10.x.x.x range. The idea here is to enable us to run more web 
servers by port mapping different ports to different machines (i.e. 
195.a.b.c:80 goes to one machine, 195.a.b.c:81 goes to another...). We're 
planning to host some very large files and this seems like an elegant way 
to avoid demanding more address space. And it works a treat.

However, I want to put the mail gateway and LAN NATter, a Linux box, behind 
the firewall too, thus keeping all my rules in one place. I realise I can 
port map 25 to the Linux machine and NAT that too, but I don't like seeing 
mail headers with NATted addresses in them. I can't subnet as I've not 
enough address space to make it work sensibly.

So I tried bridging sis1 to xl0 and hoped that any traffic not for the 
aliased addys would fall out of sis1. No such luck, everything broke. (Can 
this be made to work?)

                    -----
        -------xl0-|     |-sis0-------[DMZ machines]
cisco [           |oBSD |
        -------sis2|     |-sis1-------[mail gateway & LAN natting box]
                    -----

So I tried bridging sis2 and sis1 together with

ifconfig sis1 up
ifconfig sis2 up
brconfig bridge0 add sis1 add sis2 up
brconfig bridge0 rule pass in on sis1
brconfig bridge0 rule pass in on sis2
brconfig bridge0 rule pass out on sis1
brconfig bridge0 rule pass out on sis2

then set my ipf to let everything in and out so as not to cloud the issue.
This has the following peculiar results:

can't ping interface xl0 from LAN

can't ping LAN from oBSD

attempting to ping the inet gateway (cisco in diagram) from the LAN results in a 
'destination host unreachable' error from the LAN NATter.

internet activity on the LAN goes nowhere, obviously

brconfig -a shows that three MAC addys have been learned; two on sis2 and 
one on sis1 (which is correct I think).

Anyone got any clue what is going on?

Thanks

Gary

--
Gary Law, Systems Administrator, Sportev Ltd
39 - 43 Brewer St, W1R 3FD  tel: +44 20 7734 3511 fax: +44 20 7287 0773
gary@sportev.com