#6
17th August 2011
ocicat
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Quote:
Originally Posted by tomp
What I hear you saying is that I have two options that will work, the first one where the DSL Modem/Router goes to bridge mode with NAT and Firewall off, and then our OpenBSD box functions as a NAT router and firewall via PF.
As BSDfan666 has already stated, you need to look into what modes the modem has available.

In any event, the modem will have to serve at least one IP address. This is what will go into one interface of your OpenBSD system.
Quote:
And the second one where the Modem/Router does NAT, the current BSD box is a bridge, and there's another box of some kind that does the routing.
No. Bridging should not be set up on the internal side of whatever device does NAT. If you decide to configure your OpenBSD pf(4) system to be a bridge, it will need to be on the outside of any device performing NAT. That is, if you want this single system to serve as the single corporate firewall.

Before proceeding further down this bridging line of thinking, you & your team need to answer the question of whether you want to access the firewall remotely. If your OpenBSD system is configured as a bridge, it will not have an IP address associated with it. Yes, a third interface can be added to your OpenBSD box, but how will it be accessible? You will soon see that this complicates the overall network configuration, & this is why most configure their OpenBSD/pf(4) firewall boxes as Layer 3 routers.

Last edited by ocicat; 17th August 2011 at 06:25 PM.
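As an added example, not taken from ocicat's post or from any OpenBSD documentation, here is a minimal pf.conf for the first option discussed above: the DSL modem is in bridge mode and hands its single public address to the external interface of the OpenBSD box, which then does NAT and filtering as a Layer 3 router. The interface names, the LAN prefix and the admin host address are assumed placeholders; the syntax is the post-4.7 OpenBSD pf.conf style (match ... nat-to). Because the box routes rather than bridges, its internal interface has an address, so the management rule at the end is possible, which is the point ocicat makes about remote access.

```conf
# /etc/pf.conf -- OpenBSD pf(4) as a Layer 3 NAT router/firewall
# Interface names and addresses below are assumed for illustration.
ext_if = "em0"              # faces the modem (in bridge mode); carries the public address
int_if = "em1"              # faces the corporate LAN
lan_net = "192.168.1.0/24"  # assumed internal prefix
admin_host = "192.168.1.10" # assumed management workstation

set skip on lo

# Default deny, logged, so anything not explicitly allowed shows up in pflog
block log all

# Discard packets whose source address does not belong on the interface they arrive on
antispoof quick for { $ext_if $int_if }

# Translate LAN sources to the external interface's address on the way out.
# Parentheses make pf re-read the address if the modem hands out a new lease.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Management: ssh to the firewall's internal address, only from the admin host.
# A bridge without an IP address could not offer this at all.
pass in on $int_if inet proto tcp from $admin_host to ($int_if) port 22

# LAN hosts may initiate connections to the outside; replies return via state
pass in on $int_if inet from $lan_net to any
pass out on $ext_if inet
```

Two checks belong with this: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `sysctl net.inet.ip.forwarding` must be 1 (set it in /etc/sysctl.conf) or the box will filter but never forward between the two interfaces.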