19th January 2011
jggimi
More noise than signal

Perhaps. As I said, I don't have ADSL, and if I did, would still want an exposed address and more complete control.

My VDSL modem (3-Wire, meh) provides a "SuperDMZ" mode to provide the exposed address to the inner router. It does not operate as a bridge, and offers a bunch of firewall-ish capabilities which I have disabled. I leave the outer subnet for IPTV traffic to the set top boxes, the inner subnets are for servers, workstations, game consoles, mobile phones, and other family TCP/IP traffic.

Edited to add:

To be clear, the VDSL box doesn't have a bridge mode available. In "SuperDMZ" mode, it remains a NAT router and forwards all packets that aren't associated with an existing state table entry to the DMZ host, which uses the exposed IP address.

Since I don't have a bridge, I let the IPTV boxes have their own RFC 1918 subnet, sharing their switched Ethernet with the "outer" NIC of my bastion OpenBSD router, so that IPTV traffic doesn't transit any of my own systems -- I did not want to have to shape it.

The webserver in my .sig is behind several NATs.

From this ISP, IPTV and VOIP traffic come through a private IP network, not the Internet; that traffic comes from a nearby point of presence. The VOIP packets are converted to analog POTS twisted pair by the 3-Wire router, and go to household wired phones.

Last edited by jggimi; 19th January 2011 at 09:34 PM.
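As an added illustration (not jggimi's own configuration), a minimal OpenBSD pf ruleset for a bastion router placed as the "SuperDMZ" host described above: because the modem forwards every packet it cannot match to an existing state entry to this host, the ruleset is default deny on the outer NIC and only NATs the inner subnet outward. Interface names, subnets and addresses are assumptions.

```pf
# Assumed names and addresses; adjust to the real topology.
ext_if    = "em0"             # outer NIC, on the switch shared with the IPTV boxes
int_if    = "em1"             # inner NIC
inner_net = "10.0.0.0/24"     # servers, workstations, consoles, phones (assumed)

set skip on lo
set block-policy drop         # silently drop rather than send RST/ICMP

# Default deny: in SuperDMZ mode all unsolicited Internet traffic lands on
# this host via the exposed address, so nothing is accepted unless listed.
block all

# Drop packets with source addresses that do not belong on each interface.
antispoof quick for { $ext_if $int_if }

# Inner hosts reach the Internet through NAT on the exposed (outer) address.
# IPTV boxes sit on the outer subnet and talk to the modem directly, so they
# never match these rules and never transit this router.
match out on $ext_if inet from $inner_net to any nat-to ($ext_if:0)
pass in  on $int_if inet from $inner_net to any
pass out on $ext_if inet

# Only if one inner service is deliberately exposed: a single port forward
# to that host, e.g. a web server on 10.0.0.80 (assumed address).
# pass in on $ext_if inet proto tcp to ($ext_if:0) port 80 rdr-to 10.0.0.80
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sr` / `pfctl -ss` afterwards to confirm only the expected rules and states exist.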