Re: nat and bridge question ?
NAT (as commonly implemented, disregarding for the moment creative
uses of joining private networks with clashing IP spaces and the
like) is a kluge that should be avoided if at all possible. If
you've got enough IPs to spare, use the bridge.
There's nothing that says you can't have perfectly functional
networked computers with RFC1918 addresses and no NAT, either--so
long as you use a proxy server with a public IP. You'll need
another router; it'll look something like this:
        +----------+
        | Internet |
        +----------+
              |
          +--------+
          | bridge | <- no IPs
          +--------+
              |
    +---------+--------------+-----------------+ <- public IPs
    |         |              |                 |
+-------+ +--------+ +---------------+ +---------------+
| proxy | | router | | public server | | public server |
+-------+ +--------+ +---------------+ +---------------+
              |
       +------+---------+-----------------+ <- private IPs
       |                |                 |
+-------------+ +----------------+ +-------------+
| workstation | | private server | | workstation |
+-------------+ +----------------+ +-------------+
Note that you'll most certainly want packet filtering on both the
bridge and the router. The computers with public IPs will need to
know to use the router to reach the private computers; this can be
done with static routes if the network is small or one of the
various routing protocols if not. The private computers use the
router as the default route; the router uses the ISP's router as
the default route.
With this kind of setup, you're using IP as it was designed to
function. But you do have to have the public IPs....
You can also combine the roles of some of the computers with
public IPs at a certain (but possibly acceptable) loss of
security. For example, one of your public servers might be able to
do double-duty as a proxy server. It's even possible to combine
them all into one computer with two NICs, but I'd avoid that
unless I had absolutely no other choice.
Good luck,
b&
On Tue, Apr 02, 2002 at 07:02:54AM +0800, Clarence wrote:
> Hello,
>
> After reading the man bridge, the nat.conf and some email
> concerning them, I would like to know more about the usage of
> them. I am now using the nat to forward incoming and
> outgoing IP traffic through the firewall. I would like to
> know the pros and cons of the nat and bridge. Can anyone
> show me where I can find more information about them? Thanks.
>
> Clarence
--
Ben Goren
mailto:ben@trumpetpower.com
http://www.trumpetpower.com/
icbm:33o25'37"N_111o57'32"W
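As an added illustration, not part of the thread, the Python below models the forwarding in the layout Ben describes: no NAT anywhere, a static route for the private net on the public hosts, and a proxy with a public IP for the private machines. The addresses, host names and the single host standing in for "the Internet" are constructed for the example.

```python
import ipaddress as ipa

# Constructed addresses for the diagram above (documentation ranges, not from
# the thread): a public /28 behind the bridge, RFC 1918 space behind the router.
PUBLIC = ipa.ip_network("203.0.113.0/28")
PRIVATE = ipa.ip_network("192.168.1.0/24")
REMOTE = ipa.ip_network("198.51.100.0/24")      # "the Internet", one hop away
DEFAULT = ipa.ip_network("0.0.0.0/0")
ISP_GW, ROUTER_PUB, ROUTER_PRIV = "203.0.113.1", "203.0.113.2", "192.168.1.1"

# host -> (interface addresses, routing table of (prefix, gateway));
# gateway None means the prefix is directly attached.  No NAT anywhere.
HOSTS = {
    "isp":           ((ISP_GW, "198.51.100.1"), [(PUBLIC, None), (REMOTE, None)]),
    "internet-host": (("198.51.100.7",), [(REMOTE, None), (DEFAULT, "198.51.100.1")]),
    "router":        ((ROUTER_PUB, ROUTER_PRIV),
                      [(PUBLIC, None), (PRIVATE, None), (DEFAULT, ISP_GW)]),
    "proxy":         (("203.0.113.3",),
                      [(PUBLIC, None), (PRIVATE, ROUTER_PUB), (DEFAULT, ISP_GW)]),
    "public-server": (("203.0.113.4",),        # knows the private net via the router
                      [(PUBLIC, None), (PRIVATE, ROUTER_PUB), (DEFAULT, ISP_GW)]),
    "forgetful-server": (("203.0.113.5",),     # same box, static route forgotten
                      [(PUBLIC, None), (DEFAULT, ISP_GW)]),
    "workstation":   (("192.168.1.10",), [(PRIVATE, None), (DEFAULT, ROUTER_PRIV)]),
}

def owner_of(addr):
    return next((h for h, (addrs, _) in HOSTS.items() if addr in addrs), None)

def trace(host, dst):
    """Forward one packet hop by hop (longest-prefix match); (path, delivered)."""
    dst_ip, path = ipa.ip_address(dst), [host]
    while True:
        addrs, table = HOSTS[host]
        if dst in addrs:
            return path, True
        hits = [(net, gw) for net, gw in table if dst_ip in net]
        if not hits:                          # no route here: packet is dropped
            return path, False
        net, gw = max(hits, key=lambda h: h[0].prefixlen)
        nxt = owner_of(dst if gw is None else gw)
        if nxt is None:
            return path, False
        path.append(nxt)
        host = nxt

def round_trip(src, dst):
    """True if src reaches dst AND dst's reply finds its way back, with no NAT."""
    src_ip, dst_ip = HOSTS[src][0][0], HOSTS[dst][0][0]
    return trace(src, dst_ip)[1] and trace(dst, src_ip)[1]
```

A private workstation reaches a public server directly only when that server has the static route (the forgetful one sends its reply to the ISP, which drops it), and it cannot talk to the Internet host at all, which is exactly why the proxy sits on the public side.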