17th August 2011
tomp
Real Name: Tom Purvis
Double-NAT not?

Quote:
Originally Posted by BSDfan666 View Post
I think you're confusing your terminology, if you want to set up a simple NAT router you do not configure a bridge.. also, pf is not a daemon, it is the kernel packet filter.

If your modem is configured as a NAT router, assigning internal private RFC1918 addresses, then it wouldn't really make sense to have an OpenBSD system between them.. but if you did, a bridge would make sense as it would simply act as a switch or a hub.

Now, if your modem itself is in bridge mode, one of your interfaces on your OpenBSD system will have to obtain an external public address and routing information, for Cable this is usually done using dhclient(8), for DSL you need to configure a pppoe(8)/pppoe(4) client.

At that point you would then need to configure OpenBSD for NAT and pass traffic between your network and the Internet, hosts inside your local subnet can be configured statically or by setting up dhcpd(8).

Hmm. My colleague and I were talking about that--double NAT thing. The DSL is not cable, the modem is using PPPoA. At some point we hope to get redundant DSL, and the other provider would be cable, but that's not possible today--subject for another time.

So, we had been assuming that the DSL Modem/router would keep doing NAT, but that the firewall would also do NAT, which does sound like belt and suspenders. When you say "if your modem itself is in bridge mode", would that be implied by turning off NAT on that device? Disabling the firewall function in that device we had planned for, but we'd assumed that NAT would still be in place... You say a bridge would make sense if we left NAT on in the Modem/router, but would the double NAT configuration work?

Thanks for clarifying about pf running in the kernel. I had thought it was odd that I never saw it in a ps listing.