
another bridge query



Hi

I've got a machine that's acting as a firewall. I have half a dozen fixed IPs, and have applied them as aliases to interface xl0 and port mapped the services to the 10.x.x.x range. The idea here is to enable us to run more web servers by port mapping different ports to different machines (i.e. 195.a.b.c:80 goes to one machine, 195.a.b.c:81 goes to another...). We're planning to host some very large files and this seems like an elegant way to avoid demanding more address space. And it works a treat.

However, I want to put the mail gateway and LAN NATter, a Linux box, behind the firewall too, thus keeping all my rules in one place. I realise I can port map 25 to the Linux machine and NAT that too, but I don't like seeing mail headers with NATted addresses in them. I can't subnet as I've not enough address space to make it work sensibly.

So I tried bridging sis1 to xl0 and hoped that any traffic not for the aliased addresses would fall out of sis1. No such luck, everything broke. (Can this be made to work?)

                   -----
       -------xl0-|     |-sis0-------[DMZ machines]
cisco [           |oBSD |
       -------sis2|     |-sis1-------[mail gateway & LAN natting box]
                   -----

So I tried bridging sis2 and sis1 together with

ifconfig sis1 up
ifconfig sis2 up
brconfig bridge0 add sis1 add sis2 up
brconfig bridge0 rule pass in on sis1
brconfig bridge0 rule pass in on sis2
brconfig bridge0 rule pass out on sis1
brconfig bridge0 rule pass out on sis2

then set my ipf to let everything in and out so as not to cloud the issue.
Which has the following, peculiar, results:

can't ping interface xl0 from LAN

can't ping LAN from oBSD

attempting to ping the inet gateway (cisco in diagram) from the LAN results in a 'destination host unreachable' error from the LAN NATter.

internet activity on the LAN goes nowhere, obviously

brconfig -a shows that three MAC addresses have been learned; two on sis2 and one on sis1 (which is correct, I think).

anyone got any clue what is going on?

thanks

Gary

--
Gary Law, Systems Administrator, Sportev Ltd
39 - 43 Brewer St, W1R 3FD  tel: +44 20 7734 3511 fax: +44 20 7287 0773
gary_(_at_)_sportev_(_dot_)_com
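The port-mapping arrangement the post describes (several public addresses aliased onto xl0, with different public ports redirected to different 10.x hosts) written out as IPFilter ipnat(5) rdr rules, so the "195.a.b.c:80 to one machine, :81 to another" idea is concrete. This is an added example, not Gary's rule set: the public addresses 192.0.2.10/11, the internal hosts 10.1.1.x, the sample mapping table and the helper function names are all assumed for illustration. The script only emits the ifconfig and ipnat lines; it does not apply them, so it runs anywhere with a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): generate the ifconfig alias
# lines and ipnat rdr rules for mapping ports on aliased public addresses
# to different DMZ hosts. All addresses below are constructed samples.

EXT_IF=xl0   # external interface carrying the public aliases

# Constructed mapping table, one entry per line:
#   <public ip> <public port> <internal host> <internal port>
# Two ports on the same public address go to two different web servers,
# a second public address goes to a third.
MAPPINGS='192.0.2.10 80 10.1.1.10 80
192.0.2.10 81 10.1.1.11 80
192.0.2.11 80 10.1.1.12 80'

# alias_cmds: one "ifconfig alias" per distinct public address so the
# firewall answers ARP for it on EXT_IF (host-only netmask on aliases).
alias_cmds() {
    printf '%s\n' "$MAPPINGS" | awk 'NF { print $1 }' | sort -u |
    while read -r pubip; do
        printf 'ifconfig %s alias %s netmask 255.255.255.255\n' \
            "$EXT_IF" "$pubip"
    done
}

# rdr_rules: ipnat rdr rule per mapping, TCP only. Inbound packets on
# EXT_IF for <pubip>:<pport> are rewritten to <host>:<iport>; replies are
# matched by the NAT state table, so no separate map rule is needed here.
rdr_rules() {
    printf '%s\n' "$MAPPINGS" |
    while read -r pubip pport host iport; do
        [ -n "$pport" ] || continue
        printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
            "$EXT_IF" "$pubip" "$pport" "$host" "$iport"
    done
}

# Emit everything. On the firewall you would run the ifconfig lines and
# load the rdr lines with: ipnat -CF -f /etc/ipnat.rules
alias_cmds
rdr_rules
```

One thing to check against the post's aim of keeping all rules in one place: rdr only rewrites the destination, so a DMZ host that needs to originate connections (the mail gateway sending outbound mail, say) still needs a map rule or a routable address of its own, which is exactly the NATted-header problem Gary wants to avoid.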