
odd bridge/firewall -- possible?



I've got a fairly typical network setup currently.  A few computers behind
a D-Link firewall/router/NAT that's connected to an ADSL modem which is
connected to the net.  Also connected to the ADSL modem (which has four
ports) is a box running OpenBSD 3.3 as my email server.  It's not
connected to anything else.

What I need to do is hook up some devices on the internal network that
make use of my external static IP addresses but are treated as local
devices (thus are not NATed).

______________
Current setup:

                            Internet
                               |
                            Gateway
Internet Provider          (x.x.x.1)
on this side                   |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
my stuff on                    |
this side                  ADSL modem
                               |
                        +------+------+
                        |             |
                    (x.x.x.2)     (x.x.x.3)
                     D-Link      OpenBSD 3.3 Box
                  (192.168.0.1)
                        |
    internal network    |
    (several computers) |
    +---+---+---+---+---+
    |   |   |   |   |
    |   |   |   |   +-192.168.0.101
    |   |   |   +-192.168.0.102
    |   |   +-192.168.0.103
    |   +-192.168.0.104
    +-192.168.0.105




So what I need to do is add a few computers that have external IP
addresses, but are still protected from the outside world with a firewall.

It seems natural to use the OpenBSD 3.3 box as a firewall, but I've never
set one up without NAT, so I'm not too sure of how to bridge between it
and the Internet, so that traffic for the devices that will be behind it
gets across.  The other way around, I'm guessing I just set those devices
to use the OpenBSD box as their default router.

The other problem is, I need the external-IP computers to be able to
access the internal network without going through the external interfaces
on the D-Link and OpenBSD firewalls (and vice versa).

I've got a couple different ideas, but don't know how this would work
best:


Idea #1:

                            Internet
                               |
                            Gateway
Internet Provider          (x.x.x.1)
on this side                   |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
my stuff on                    |
this side                  ADSL modem
                               |
                        +------+------+
                        |             |
                    (x.x.x.2)     (x.x.x.3)
                     D-Link      OpenBSD 3.3 Box
                 (192.168.0.1)   (192.168.0.2)
                        |             |
    internal network    |             |
    (several computers) |             |
    +---+---+---+---+---+-------------+-----+
    |   |   |   |   |                       |
    |   |   |   |   +-192.168.0.101         +-x.x.x.4
    |   |   |   +-192.168.0.102             |
    |   |   +-192.168.0.103                 +-x.x.x.5
    |   +-192.168.0.104                     |
    +-192.168.0.105                         +-x.x.x.6




Idea #2:

                            Internet
                               |
                            Gateway
Internet Provider          (x.x.x.1)
on this side                   |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
my stuff on                    |
this side                  ADSL modem
                               |
                        +------+------+
                        |             |
                    (x.x.x.2)     (x.x.x.3)
                     D-Link      OpenBSD 3.3 Box--(IP addr?)-+
                 (192.168.0.1)   (192.168.0.2)               |
                        |             |                      |
    internal network    |             |     +----------------+
    (several computers) |             |     |
    +---+---+---+---+---+-------------+     |
    |   |   |   |   |                       |
    |   |   |   |   +-192.168.0.101         +-x.x.x.4
    |   |   |   +-192.168.0.102             |
    |   |   +-192.168.0.103                 +-x.x.x.5
    |   +-192.168.0.104                     |
    +-192.168.0.105                         +-x.x.x.6







Is this stuff possible?  Is this convoluted (implying there's a simpler
way)?

I'd prefer not to take the D-Link thing out of the equation, if possible,
as it's working well for the existing internal network.

If anyone has any ideas, I'd be really grateful.

Thanks,
James.
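What the question is describing is a filtering bridge: the OpenBSD box gets a second NIC, both NICs become members of a bridge(4), and pf filters the frames that cross it. No routing is involved, so the hosts on x.x.x.4-x.x.x.6 keep the ISP gateway x.x.x.1 as their default router (not the OpenBSD box), and the box itself only needs an address on one of the member interfaces to stay reachable. The configuration below is an added example written for this page, not something from the original post or from the OpenBSD project; the interface names fxp0/fxp1, the /29 netmask (which fits .1 through .6 as drawn), and the service ports are all assumptions and should be replaced with the real ones.

```pf
# ----- /etc/hostname.fxp0  (assumed NIC toward the ADSL modem) -----
# The box's own public address lives on the modem-facing member, so frames
# for x.x.x.3 reach the stack without crossing the bridge.
inet x.x.x.3 255.255.255.248 NONE

# ----- /etc/hostname.fxp1  (assumed NIC toward the x.x.x.4-6 hosts) -----
# A bridge member that only forwards needs no address, just "up".
up

# ----- /etc/bridgename.bridge0  (OpenBSD 3.x brconfig(8) syntax) -----
add fxp0
add fxp1
up

# ----- /etc/pf.conf -----
ext_if    = "fxp0"                       # member facing the modem / ISP gateway
dmz_if    = "fxp1"                       # member facing the public-IP hosts
dmz_hosts = "{ x.x.x.4, x.x.x.5, x.x.x.6 }"
mail_srv  = "x.x.x.3"                    # the bridge box itself
mail_ports = "{ 25, 993 }"               # assumed: SMTP and IMAPS on the mail server
dmz_ports  = "{ 22, 80, 443 }"           # assumed: services the DMZ hosts publish

set block-policy drop
scrub in all

# Default deny.  A frame crossing the bridge is filtered twice: inbound on
# the member it arrives on and outbound on the member it leaves by, so both
# directions need explicit pass rules.
block in log all
block out log all

# Connections started by the box or by the DMZ hosts toward the Internet.
pass out quick on $ext_if keep state
pass in  quick on $dmz_if from $dmz_hosts keep state
pass out quick on $dmz_if keep state

# Connections from the Internet: only the published services, stateful,
# and only on the initial SYN.
pass in on $ext_if proto tcp from any to $mail_srv  port $mail_ports flags S/SA keep state
pass in on $ext_if proto tcp from any to $dmz_hosts port $dmz_ports  flags S/SA keep state
pass in on $ext_if inet proto icmp from any to { $mail_srv, $dmz_hosts } icmp-type echoreq keep state
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it, set pf=YES in /etc/rc.conf.local so it is enabled at boot, and verify the bridge with "brconfig -a" after a reboot. Two caveats: the D-Link still does NAT for 192.168.0.x as before, so this bridge does not change anything for the existing internal network; and letting the DMZ hosts talk to 192.168.0.x without going through the two firewalls' external sides (Idea #2) is a separate, routed interface on the OpenBSD box with its own pf rules, not part of the bridge shown here.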


