Post #9, 23rd July 2013
jggimi

Now for your technical concerns:

1. vether

The recommendation to use vether came from a respondent to that third party "howto" you found on the Internet. To get a better understanding of how and when to use third party "howto" documents you find on the Internet, please see this post and the following posts in this earlier thread.

2. bridge

A bridge typically interconnects two (or more) network segments as if they were a single segment. Bridges are commonly used to interconnect different media types, such as wired and WiFi, or twisted pair and fiber. On these bridged networks, local network frames (such as Ethernet) transit the bridge and the varying media formats as if on a single network segment. OpenBSD's bridge(4) driver will interconnect two or more Ethernet NICs, as well as encapsulation pseudo devices such as gif(4) and vether(4). The bridge(4) will pass -- unless filtered by PF -- all Ethernet frames, not just IP packets.

Note that a bridge(4) does not itself have an IP address. As all members of the bridge are effectively on the same Ethernet segment, they share a single IP address and any aliases. FAQ 6.9 shows an example of a bridge used to combine two different media types. The twisted pair NIC gets an IP address assigned by DHCP, the coax NIC does not have an IP address assigned. When the two NICs are bridged, they share the IP address of the twisted pair NIC.

3. routing

Unlike Ethernet frames, which can only transit systems on a single LAN, IP packets are routable. Your Uncle's router also provides Network Address Translation (NAT), in that devices on the home LAN are not directly addressable on the Internet. The local network uses a private (RFC 1918) address block, and all devices share a single "real" Internet address. Devices on the local net can only accept unsolicited traffic if prearranged via "port forwarding" on your Uncle's router.

For IP routing, the only thing any system needs to know is a) the addresses of systems on the local IP subnet, and b) the address of any routers on the subnet to send packets elsewhere.

For example, devices on the local network may be using 192.168.1.0/24 as the local IP subnet, with 192.168.1.1 as the address of the default gateway to the Internet. IP packets destined for addresses which are not part of the 192.168.1.0/24 subnet are routed to 192.168.1.1 for sending on to the Internet.

4. bridging IP vs. routing IP

When an IP packet is routed, the router does very little. It forwards the packet, after decrementing a counter called Time To Live (TTL), which is used to ensure packets don't circulate endlessly in the event of incorrect routing. If NAT is used, the sending or receiving IP address is translated, depending on traffic direction, and the router keeps track of IP sessions in a protocol dependent state table.

In your environment, there is no observable difference other than a decremented TTL between an outbound packet which is bridged and an outbound packet which is routed. If you choose routing, no network encapsulation driver is required, and bandwidth can still be monitored / throttled / blocked.

5. IP routing

Most platforms will only ever need to have a single, default route, as described in 3. above. But platforms that can directly connect to multiple routers on their network segments need to have multiple routes.

Here is an example, where two routers are used. In this example, there is an outer "webserver" subnet, and an inner, more protected subnet for workstations and other servers. Why? The webserver might become compromised, so Router B's PF configuration could prevent any inward attack from the webserver.

{Internet} [Router A] -- [webserver] -- [Router B] -- [inner LAN]

Router A is a NAT router, and is using 192.168.1.1 on 192.168.1.0/24
Router A port forwards TCP destination ports 80 and 443 to the webserver at 192.168.1.2.

The webserver is on 192.168.1.2 on the 192.168.1.0/24 network.

Router B is on two subnets. It is device 192.168.1.3 on the webserver subnet, and it is device 10.0.0.1 on the inner LAN, which is using 10.0.0.0/24.

---

The webserver needs two routes, as it is connected to two routers. It needs a default route via Router A (192.168.1.1), and it needs a second route to the 10.0.0.0/24 network via Router B (192.168.1.3).

Router A needs two routes also -- a default route provided by the ISP, and a second route to the 10.0.0.0/24 network via Router B (192.168.1.3).

Workstations or servers on the inner LAN do not need anything other than their default route, Router B (10.0.0.1). And Router B only needs its default route, which is Router A (192.168.1.1).

Last edited by jggimi; 23rd July 2013 at 04:30 PM. Reason: typos, clarity
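The routing tables described in points 3 to 5, together with the TTL decrement from point 4, can be walked through with a small longest-prefix-match simulator. This is an added example, not code from jggimi's post or from OpenBSD: the subnets 192.168.1.0/24 and 10.0.0.0/24 and the addresses of Router A, the webserver and Router B come from the post, while the ISP-side addresses (203.0.113.0/24), the Internet host 198.51.100.7 and the inner-LAN workstation at 10.0.0.10 are assumed placeholders from the RFC 5737 documentation ranges. NAT on Router A is modelled only as a source-address rewrite with a state entry, not as full port translation.

```python
"""Longest-prefix-match routing over the two-router topology from the post."""
import ipaddress


class Node:
    """A host or router: its interface addresses plus its routing table."""

    def __init__(self, name, interfaces, routes=(), nat_out=None):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in interfaces]
        # (destination network, gateway); gateway None means directly connected
        self.routes = [(ipaddress.ip_network(n), ipaddress.ip_address(g))
                       for n, g in routes]
        for iface in self.ifaces:            # connected subnets are implicit routes
            self.routes.append((iface.network, None))
        self.nat_out = nat_out               # external address when acting as NAT router
        self.state = {}                      # NAT state table: (inside src, dst) -> outside src

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces)

    def lookup(self, dst):
        """Return the most specific (longest prefix) route covering dst, or None."""
        matches = [(net, gw) for net, gw in self.routes if dst in net]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


# Constructed topology: {Internet} [Router A] -- [webserver] -- [Router B] -- [inner LAN]
NODES = {n.name: n for n in [
    Node("router_a", ["192.168.1.1/24", "203.0.113.5/24"],      # 203.0.113.x is an assumed ISP side
         [("0.0.0.0/0", "203.0.113.1"),                         # default route from the ISP
          ("10.0.0.0/24", "192.168.1.3")],                      # inner LAN via Router B
         nat_out="203.0.113.5"),
    Node("webserver", ["192.168.1.2/24"],
         [("0.0.0.0/0", "192.168.1.1"),                         # default via Router A
          ("10.0.0.0/24", "192.168.1.3")]),                     # inner LAN via Router B
    Node("router_b", ["192.168.1.3/24", "10.0.0.1/24"],
         [("0.0.0.0/0", "192.168.1.1")]),                       # only a default via Router A
    Node("workstation", ["10.0.0.10/24"],                       # assumed inner-LAN host
         [("0.0.0.0/0", "10.0.0.1")]),                          # only a default via Router B
]}


def find_node(addr):
    """Which node in the topology owns this address? None means 'outside'."""
    return next((n for n in NODES.values() if n.owns(addr)), None)


def trace(src_name, dst, ttl=64, max_hops=16):
    """Forward one packet hop by hop from src_name towards dst.

    Returns (path, TTL on arrival, status, source address as the far end sees it).
    """
    dst = ipaddress.ip_address(dst)
    node = NODES[src_name]
    src_addr = node.ifaces[0].ip
    path = [node.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return path, ttl, "delivered", src_addr
        if node.name != src_name:            # each forwarding router decrements TTL
            ttl -= 1
            if ttl == 0:
                return path, ttl, "ttl expired", src_addr
        route = node.lookup(dst)
        if route is None:
            return path, ttl, "no route", src_addr
        net, gw = route
        next_addr = dst if gw is None else gw
        next_node = find_node(next_addr)
        if next_node is None:                # next hop is beyond the lab, i.e. the Internet
            if node.nat_out:                 # NAT router rewrites the private source address
                node.state[(src_addr, dst)] = ipaddress.ip_address(node.nat_out)
                src_addr = node.state[(src_addr, dst)]
            path.append(str(next_addr))
            return path, ttl, "left topology", src_addr
        node = next_node
        path.append(node.name)
    return path, ttl, "routing loop", src_addr


if __name__ == "__main__":
    for src, dst in [("workstation", "198.51.100.7"),
                     ("webserver", "10.0.0.10"),
                     ("workstation", "192.168.1.2")]:
        print(src, "->", dst, trace(src, dst))
```

Running it shows the point of the two extra routes: the webserver reaches 10.0.0.10 through Router B directly (its 10.0.0.0/24 entry wins over the default because it is the longer prefix), and a workstation packet to the Internet arrives at Router A with TTL 62 after two routed hops and leaves with Router A's external address as its source. A bridged hop would not appear in this table at all, which is the "no difference other than TTL" observation from point 4.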