Post #3, 17th August 2011
ocicat (Administrator; join date: Apr 2008; posts: 3,318)

Quote (originally posted by tomp):

    My test environment is a single Win Vista PC on the "internal" side of my network, connected to the rest of the world only through the rl1 nic, which I have at 192.168.1.254. The other nic, rl0, is at 192.168.0.1. I got confused when I set up the Windows machine with a static IP (192.168.1.15 with default gateway 192.168.1.254). It would communicate with nobody but 192.168.1.254.

If your intent is to have an "internal" network be separate from the Internet at large, this implies that your firewall should be configured as a router which will separate two distinct subnets. If the contract you have with your ISP is to supply you a single IP address, & you wish to have several hosts on the internal network each individually connect to the Internet independently, the only solution you have is to configure NAT at the exterior router -- in other words, configure NAT in pf(4).

If you configured your OpenBSD pf(4) system as a bridge, it will be acting as a switch with only two ports. If you are familiar with the OSI networking model, the OpenBSD system will be functioning at Layer 2/Data link layer instead of Layer 3/Networking layer (routers). As a bridge, your OpenBSD system will not have IP addresses assigned to its interfaces. However, note that configuring your OpenBSD system as a bridge will also mean that it cannot be configured for NAT. Only a single device can be connected on each side of this bridge.

If another system/device can be connected to the OpenBSD pf(4) bridge which can then act as a NAT'ed router, then a separation of functionality can be attained; however, many people simply use a single device configured as a pf(4) router to take care of both filtering traffic & NAT functionality.

Which should you do? It all depends upon the contract you have with your ISP & how many machines you want to tie up implementing firewall capabilities.

Last edited by ocicat; 17th August 2011 at 04:36 PM.
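As an added illustration of the "single pf(4) router doing both filtering and NAT" layout ocicat describes (example configuration written for this page, not ocicat's or tomp's own pf.conf): a minimal /etc/pf.conf for the two-NIC OpenBSD box. The interface roles are an assumption, since the thread does not pin them down: rl0 is taken to face the ISP and to receive the single ISP address by DHCP, and rl1 is the internal side at 192.168.1.254 with the Vista PC at 192.168.1.15 using it as its default gateway. The macro names ext_if, int_if and lan are likewise chosen here.

```pf
# Added example configuration, not from the original post.
# Assumed roles: rl0 = ISP-facing (address assigned by the ISP via DHCP),
#                rl1 = internal LAN side, 192.168.1.254/24.
# The box must also forward packets between the two interfaces; that is a
# sysctl, not a pf setting: put "net.inet.ip.forwarding=1" in /etc/sysctl.conf.
ext_if = "rl0"
int_if = "rl1"
lan    = "192.168.1.0/24"

# Options come before rules. Leave loopback alone.
set skip on lo

# Normalise inbound packets before filtering (reassembles fragments, clears DF).
match in all scrub (no-df)

# NAT: rewrite the source address of LAN traffic leaving the ISP-facing
# interface to that interface's own current address, so every internal host
# shares the one address the ISP supplies. The parentheses make pf re-read the
# interface address when it changes (important when it comes from DHCP).
# This is the OpenBSD 4.7-and-later syntax; earlier releases wrote
#   nat on $ext_if from $lan to any -> ($ext_if)
match out on $ext_if from $lan to any nat-to ($ext_if)

# Default deny on every interface; state entries created by the pass rules
# below are what let reply packets back in.
block all

# Internal hosts may talk to the router and, through it, to the Internet.
pass in on $int_if inet from $lan to any

# Traffic the router sends out on either side (after translation on $ext_if).
pass out on $ext_if inet
pass out on $int_if inet
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only), then load it with `pfctl -f /etc/pf.conf`; `pfctl -s state` afterwards shows the translated sessions, which is the quickest way to confirm NAT is actually happening for 192.168.1.15. The contrast with the bridge alternative in the post is that a bridge would carry no addresses on rl0 or rl1 at all and so has nothing to translate to; the NAT rule above is only possible because the box is a Layer 3 router with its own address on each side.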