Re: Complex setup with OpenBSD in bridge mode
On Mon, 9 Jul 2001, Christo Butcher wrote:
> Complex setup with OpenBSD in bridge mode
Only if you want it to be complex :)
> For management we have given the Cisco IP address x.y.z.1
> Two solutions have been tested to realise this setup:
>
> 1) Split the /26 range up into two separate IP ranges, and give one
> half to the [Cisco]---[OpenBSD] cross-cable, and the other to the DMZ.
> Ouch! But it does make the routing easy. :)
> This solution basically gets what we need, but at an unreasonable cost of
> half our usable IP addresses.
>
> 2) Get the OpenBSD box to function in bridged mode, so that the Cisco
> is (virtually) on the same LAN with all 62 IPs as the DMZ machines.
> This sounded like a great way to do it, but some strange problems have
> appeared.
You may want to consider:
3) Use an RFC1918/private network between the Cisco router and the
OpenBSD box. Move the entire /26 to behind the OpenBSD box.
Route the entire /26 on the router to the OpenBSD box.
This has a few features/caveats:
o Your cisco is almost removed from public address space. This
prevents outsiders from directly talking to your cisco /
network gear. This is good.
NOTE: Most likely you have a /30 or something on the serial link,
so just make sure that you set up your access-lists remembering
the /30 on your external interface!
If your ISP has instead given you a /26 and is using unnumbered
interfaces, you may want to request that a /30 be given out
for the serial interface, it keeps things clean.
o No lost IPs due to subnet overhead
o Path MTU discovery should be OK up to your Cisco (icmp mesg
would come from its external /30 addr)
o May need to play with isakmp configs to make sure that your
OpenBSD box uses its public addr when talking to remote VPN clients.
If VPN/IPsec is not going to be used, then ignore :)
o Mgmt of the cisco should be limited to a NAT addr for your internal
network.
o Do not add routes for your internal addrs on the cisco. It should
not 'know' about them. It should only communicate thru the OpenBSD
box NATed public addresses. (Optional)
I have several setups like the above, only it's all cisco gear.
In theory, it should just work.
> We would be grateful for any information or help that could be offered.
I always prefer to do things at Layer3 if I can, especially when building
something from scratch and I don't have to worry about legacy
configurations..
just a thought..
good luck!
cheers,
--
jason
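The addressing arithmetic behind option 3 (and the cost of option 1), worked through as an added example; this is not code or configuration from the thread or from either poster. It uses constructed addresses (203.0.113.0/26 for the public block, 198.51.100.0/30 for the serial link, 10.0.0.0/30 for the private router-to-firewall link) in place of the thread's x.y.z.*, the function names are this example's own, the rendered router lines follow IOS syntax as assumed here (with the ISP assumed to hold the first host of the serial /30), and `acl_permits` is a deliberately simplified first-match model that evaluates only the destination field, since every generated rule uses `any` as source.

```python
import ipaddress

# Constructed addresses for the example (RFC 5737 and RFC 1918 ranges); the
# thread's real addresses only appear there as x.y.z.*.
PUBLIC_26 = ipaddress.ip_network("203.0.113.0/26")   # the site's public /26
SERIAL_30 = ipaddress.ip_network("198.51.100.0/30")  # ISP <-> Cisco serial link
LINK_30 = ipaddress.ip_network("10.0.0.0/30")        # private Cisco <-> OpenBSD link


def dmz_hosts_option1(public):
    """Option 1 from the thread: split the /26 into two halves, burn one half on
    the Cisco<->OpenBSD cross-cable and give the other to the DMZ.  The DMZ half
    loses its network and broadcast addresses plus the OpenBSD gateway address."""
    _, dmz_half = public.subnets(prefixlen_diff=1)
    return dmz_half.num_addresses - 3


def dmz_hosts_option3(public):
    """Option 3: the whole /26 sits behind the OpenBSD box and the router link
    uses private space, so only network, broadcast and the gateway are lost."""
    return public.num_addresses - 3


def cisco_snippet(public, link, serial):
    """Render the router side of option 3 in IOS syntax (assumed, not from the
    thread): one static route for the /26 via the OpenBSD end of the private
    link, and an inbound ACL for the serial interface that shields the serial
    /30 and the private link while admitting traffic for the /26.  The ISP is
    assumed to hold the first host address of the serial /30."""
    openbsd_side = list(link.hosts())[1]     # second host of the private link
    cisco_serial = list(serial.hosts())[1]   # router's own serial address
    return "\n".join([
        f"ip route {public.network_address} {public.netmask} {openbsd_side}",
        f"access-list 101 deny   ip any host {cisco_serial}",
        f"access-list 101 deny   ip any {link.network_address} {link.hostmask}",
        f"access-list 101 permit ip any {public.network_address} {public.hostmask}",
        "interface Serial0/0",
        " ip access-group 101 in",
    ])


def acl_permits(snippet, dst):
    """Simplified first-match check of the rendered ACL against a destination
    address.  Every rule above uses 'any' as source, so only the destination
    field is evaluated; IOS's implicit 'deny any' ends the list."""
    dst = ipaddress.ip_address(dst)
    for line in snippet.splitlines():
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue
        action, dest = parts[2], parts[5:]
        if dest[0] == "host":
            hit = dst == ipaddress.ip_address(dest[1])
        elif dest[0] == "any":
            hit = True
        else:
            # "network wildcard" pair; ipaddress accepts a hostmask after the slash
            hit = dst in ipaddress.ip_network(f"{dest[0]}/{dest[1]}")
        if hit:
            return action == "permit"
    return False  # implicit deny


if __name__ == "__main__":
    print("DMZ hosts, option 1:", dmz_hosts_option1(PUBLIC_26))
    print("DMZ hosts, option 3:", dmz_hosts_option3(PUBLIC_26))
    print(cisco_snippet(PUBLIC_26, LINK_30, SERIAL_30))
```

Running it shows 29 DMZ host addresses under option 1 against 61 under option 3, which is the "half our usable IP addresses" the original poster objected to, and the rendered ACL admits the /26 while refusing traffic aimed at the router's serial address or the private link, which is the "remembering the /30 on your external interface" caveat made concrete.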