Urgent: Can't figure out if I need a bridge, gateway, or ...

I've posted a similar question in the BSD forum, but I'm kind of stuck now. The reason why is on http://coombs.anu.edu.au/~avalon/ipfilfaq.html#VII-3A where it says that "IPF does not yet support Bridging on FreeBSD, only OpenBSD... however Darren plans on implementing this soon."

Currently, I have FreeBSD 4.9 STABLE installed on the server, but before I go further I might need to switch to OpenBSD.

Sitrep: The network for our school is maintained by another company. Frequently it hangs and my group has had it with it. Now, what I want is a solution that works and I pretty much don't care what it is.

I was thinking about creating a private network and coupling this network to the existing network. So the server that I have for storage will be used for this. It is multi-homed. I guess I need a dhcp server on it to serve the private net, but I'm not so sure about the impact this will have on the current network: will I need to coordinate things with the other company? If not, well, point me to the resources that will help me determine what to do or (even better tell me how you would do it. So far, I think there are two options: a bridge or a gateway. I will be using the server for storage, mail and webserver.

The other threads didn't get any (on-topic) replies, so if we can start a dialogue asap it would be much appreciated!

There's an article in the FreeBSD base system on filtering bridges that might be useful - it's under /usr/share/doc/ usually - or google for 'freebsd filtering bridges'

Friendly tip - don't put 'urgent' in your subject - I don't usually bother reading posts like that.

I'll check that out. So you are of the opinion that I do need a bridge and not a gateway or sumpin' else?

Maybe I need to configure the box as a router? Or, reading up on ipfilter (*BSD), maybe ipfilter and ipnat are enough?

Aargh! Where are the networking gurus, this is your chance to shine once again .

You basicly want two networks correct? If you have two NICs in the server set one for one network and the other for the other network and enable routing on the server so one network can talk to the other and get familiar with IPchains to do firewalling between the two. NATing is upto you whether to enable or not. Depending on your network topology you may have to put static routes in the server and other routers.

If the server is unstable or you want to do this "professionaly" then I would get a cisco 3550 with new IOS so it can do inter-vlan routing (so you dont need a router) create 2 vlans on the switch and enble routing on the switch so it can route between the two networks and plug the one interface of the server into one vlan and the other into the other vlan etc.

Yes, two networks. IPchains is for Linux and I will be running *BSD, but, both platforms have firewalls and I think I'll go for ipfilter. However,


This worries me. How much will the configuration change in "other routers"? The company that runs the other network is not cooperative at all. They don't have to be as they were appointed by the government and will stay there forever. (Read: they don't necessarily need to serve their customers as if they were in a competitive environment.)

What I forgot to mention is that the systems behind the server will only need to get traffic through when they surf the web. That's all. All the relevent systems on the other side may choose to use the proxy on my server for web access, but will mostly use it to maintain their webpages, access their share and maybe e-mail. But, the school's network is only allowed to see the ip number of the server, and never the private network behind it. So I guess that's where nat comes into play?


Of course I want to do it professionaly, but we don't have a Cisco budget (yet -- this is however viewed as a proof of concept which might outgrow itself rather fast). That's why I would like to stay with this one server and later use older systems (still P3) that are written off to off-load the server in due time.

So, if I configure this machine as a gateway (as described in the FreeBSD handbook at http://www.freebsd.org/doc/en_US.IS...rk-routing.html) with dhcp and nat will this be sufficient for my needs? -- and will the standard routed be the enough or would you recommend using the zebra package?

Btw, thanks for replying. It's the first reply I've gotten on this subject for a couple of days on several sites!

And sorry for the long URL but I'm browsing with Firefox, and the URL button does nothing for me...

Oh, and all machines behind the server are Mac OS X.

If all you want is http traffic from the new private to go out you made this very easy then. with the the second NIC plug it into a dedicated switch/hub whatever for the new network and give it an IP address on the new network (this address will be the default gateway for the PCs in the new network. on the server setup a new DHCP scope for the new network. enable routing and NATing so it NAT's the new private addresses to the address on the other NIC thats it. Basicly at this point your new network can talk to everything, but PCs on the other network will not be able to talk to your PCs in the new network unless they changed their default gateway to the server.
(only thing that might stop you is if the school has a real firewall running as it might see your network address getting NATed and think it was spoofed and drop it, ie.. some firewalls you have to specify the networks that traverse it)

The routers for internet already know how to get to the servers address it was translated to so no routing needs to be done on any other equipment. However, if you would like people on the other network to come into yours then routes would be needed on the routers.

As for BSD I never touched it hehe which I was assuming same as linux when I reffered to IPchains which I dable in but it should be fairly straight forward to set this up in BSD.

Doesn't this describe what I want?

http://www.muine.org/~hoang/freenat.html

What do you think about that solution?

Doesnt get much more straight forward then that. just follow the directions. Im gonna save that link just incase I decide to play with BSD, Im working towards CLE ( certified linux engineer) at the moment though which is based on SuSe linux.