Firewall Wizards mailing list archives
ADSL Bridging/Firewall Issues.....
From: "Andrew Fremantle" <temp1274 () tempest yi org>
Date: Mon, 17 Dec 2001 04:38:53 -0800
Okay, I'm sure you've had many ADSL firewalling questions in here before, and I've read some of your archives and didn't find anything that matched my situation properly. Let me describe my existing (no firewall) setup. IPs are fake, but the range is right.

There's a hand-drawn diagram available at http://tempest.yi.org/skyhawk/firewall/network.jpg. Of the four drawings, the two you want to be looking at are "Currently" and "Proposed". You can safely ignore the hub in the drawings; it's only there because it's got a bandwidth meter on it. It serves no function and merely acts as a pass-through.

ADSL Router -- 209.53.0.0/18 -- 209.53.0.0 - 209.53.63.255, I think. All my machines use 209.53.36.254 as the default gw, and have 255.255.192.0 assigned as the netmask. I believe this means my ISP has supernetted a bunch of class Cs, and then subnetted it down at their router to reduce IP wastage. I've only ever seen any of my machines have IPs in the 209.53.36.* and 209.53.37.* range.

ADSL Modem -- Seems to be a bridge, transparent to the network.

10Base Stupid Ethernet Switch, Asante FriendlyNet -- Can only remember 32 MACs, but it does the job.

Four computers attached to the switch. IPs are on the ASCII-art diagram. I don't think it really matters, but the OSes are Win2k, Win98, FreeBSD, and Red Hat Linux. The Linux box isn't really mine, it's just parked on my connection.

    -------------
    | ADSL Router |
    -------------
          |
    -------------
    | ADSL Modem |
    -------------
          |
    ---------------------------------------
    | Switch (All IPs are 209.53.)        |
    ---------------------------------------
       |         |         |         |
     37.140    36.25     37.125    36.74

Okay, all IPs are dynamically assigned via DHCP. I've got two problems with this setup:

1) The ADSL Router is doing proxy-arp for the entire IP subnet. Any time one of my computers wants to talk to another one, it sends an arp who-has asking for a hardware address. The router hears the request and replies with ITS OWN MAC address, making all my LAN traffic go over the ADSL link. This absolutely brutalizes performance. Currently all 4 computers have scripts that they run on startup, calling the arp command to statically assign IP-MAC addresses. Any time an IP changes, I have to go update the bloody scripts.

2) Lack of packet filtering. In particular, I must run Windows Networking over IP to talk to my Samba server, and I know for a fact this is wide open on the net.

So? Any suggestions?

Currently I've got an additional FreeBSD box up on the network, acting as a bridge between my switch and the modem. It has two interfaces, neither of which is configured for IP, and it isn't filtering (yet). This lets me solve my security issues, but I would like to solve my ARP issues as well. I can either tell FreeBSD to allow ARP to bridge (keeping my current problem) or tell it NOT to allow ARP to bridge (breaking ARP completely). As far as I can determine, there is no way for me to do any kind of proxy ARP with bridging, and the bridge has empty ARP tables.

I'd like to keep full connectivity, except for the stuff I'm going to filter (like Windows Networking). I'm running multiple servers and I like online gaming, and NAT is not friendly to either of these options, especially the gaming. I'm partial to FreeBSD, but if it isn't the right tool for the job I'm willing to experiment with something else.

Sorry for the lengthy post, and if this exact or a very similar scenario has been discussed elsewhere, please point me to it so I can read up. I am subscribed to the list, but if you want to reply off band for some reason, please email me at firewall@at () tempest yi org.

Andrew Fremantle
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
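As an added example that is not part of the original post or of any reply in the thread, the script below sketches what the poster's FreeBSD bridge looks like once it starts filtering, and adds the check a practitioner would run to confirm the proxy-ARP symptom. It assumes a FreeBSD 4.x-era bridge(4) with the net.link.ether.bridge* sysctls and ipfw(8), with fxp0 facing the ADSL modem and fxp1 facing the switch; interface names, rule numbers and the sample arp(8) output are all assumptions. The ruleset drops NetBIOS/SMB (UDP 137-138, TCP 135/139/445) arriving on either interface and passes everything else, so servers, games and DHCP keep working without NAT. Note that with bridge_ipfw only IP is handed to ipfw; ARP frames are bridged untouched, so this addresses problem 2 but not problem 1. The arp-table check only diagnoses problem 1: one MAC answering for several IPs on the same segment is the signature of a proxy-ARPing router (or, on a hostile LAN, of ARP spoofing).

```shell
#!/bin/sh
# Added example (not from the original post). ASSUMPTIONS: FreeBSD 4.x-era
# bridge(4)/ipfw(8); fxp0 faces the modem, fxp1 faces the switch.
OUTSIDE=fxp0
INSIDE=fxp1

# Emit the ipfw ruleset instead of executing it, so it can be reviewed
# ("sh bridgefw.sh rules") before being applied.
gen_rules() {
    cat <<EOF
ipfw -f flush
# Windows Networking: NetBIOS name/datagram (UDP), RPC endpoint mapper,
# NetBIOS session and direct-hosted SMB (TCP). Dropped in both directions
# so nothing leaks out to the net either.
ipfw add 100 deny udp from any to any 137,138 recv $OUTSIDE
ipfw add 110 deny tcp from any to any 135,139,445 recv $OUTSIDE
ipfw add 120 deny udp from any to any 137,138 recv $INSIDE
ipfw add 130 deny tcp from any to any 135,139,445 recv $INSIDE
# Everything else (servers, games, DHCP) is bridged unchanged.
ipfw add 65000 allow ip from any to any
EOF
}

# Turn the two IP-less interfaces into a bridge and hand bridged IP
# packets to ipfw. ARP is not IP and is bridged without inspection.
enable_bridge() {
    sysctl -w net.link.ether.bridge_cfg="$OUTSIDE,$INSIDE"
    sysctl -w net.link.ether.bridge=1
    sysctl -w net.link.ether.bridge_ipfw=1
    ifconfig "$OUTSIDE" up
    ifconfig "$INSIDE" up
}

# Read "arp -an" output on stdin and print every MAC that answers for more
# than one IP, with its count. On a segment with a proxy-ARPing router
# the router's MAC shows up for every other host on the LAN.
# arp -an lines look like: "? (209.53.36.25) at 0:10:a4:c4:3e:1 on fxp1 [ethernet]"
# Unresolved entries say "(incomplete)" in field 4 and are skipped.
proxy_arp_suspects() {
    awk '$3 == "at" && $4 ~ /^[0-9a-fA-F:]+$/ { count[$4]++ }
         END { for (m in count) if (count[m] > 1) print m, count[m] }' | sort
}

# Constructed sample: the router's MAC answering for three LAN hosts and
# the gateway itself; one host has a genuine entry of its own.
SAMPLE_ARP='? (209.53.36.25) at 0:10:a4:c4:3e:01 on fxp1 [ethernet]
? (209.53.37.140) at 0:10:a4:c4:3e:01 on fxp1 [ethernet]
? (209.53.37.125) at 0:10:a4:c4:3e:01 on fxp1 [ethernet]
? (209.53.36.254) at 0:10:a4:c4:3e:01 on fxp1 [ethernet]
? (209.53.36.74) at 0:50:ba:22:11:00 on fxp1 [ethernet]
? (209.53.36.99) at (incomplete) on fxp1 [ethernet]'

case "${1:-}" in
    rules)    gen_rules ;;
    apply)    enable_bridge && gen_rules | sh ;;
    arpcheck) arp -an | proxy_arp_suspects ;;
    demo)     printf '%s\n' "$SAMPLE_ARP" | proxy_arp_suspects ;;
    *)        ;;
esac
```

Run `sh bridgefw.sh demo` to see the check flag the sample router MAC, `sh bridgefw.sh rules` to inspect the ruleset, and `sh bridgefw.sh apply` as root on the bridge to enable bridging and load it. `arpcheck` is meant to be run on one of the LAN hosts after `arp -d -a`, since on the bridge itself the ARP table is empty, as the post notes.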
Current thread:
- ADSL Bridging/Firewall Issues..... Andrew Fremantle (Dec 17)
- Re: ADSL Bridging/Firewall Issues..... Barney Wolff (Dec 17)
- Re: ADSL Bridging/Firewall Issues..... Ng Pheng Siong (Dec 17)
- Re: ADSL Bridging/Firewall Issues..... Ng Pheng Siong (Dec 19)