Quote:
Originally Posted by tomp
My test environment is a single Win Vista PC on the "internal" side of my network, connected to the rest of the world only through the rl1 nic, which I have at 192.168.1.254. The other nic, rl0, is at 192.168.0.1. I got confused when I set up the windows machine as a static IP (192.168.1.15 with default gateway 192.168.1.254). It would communicate with nobody but 192.168.1.254.
If your intent is to have an "internal" network be separate from the Internet at large, this implies that your firewall should be configured as a router which will separate two distinct subnets. If the contract you have with your ISP is to supply you a single IP address, & you wish to have several hosts on the internal network each individually connect to the Internet independently, the only solution you have is to configure NAT at the exterior router -- in other words, configure NAT in pf(4).

If you configured your OpenBSD pf(4) system as a bridge, it will be acting as a switch with only two ports. If you are familiar with the OSI networking model, the OpenBSD system will be functioning at Layer 2/Data link layer instead of Layer 3/Networking layer (routers). As a bridge, your OpenBSD system will not have IP addresses assigned to its interfaces. However, note that configuring your OpenBSD system as a bridge will also mean that it cannot be configured for NAT. Only a single device can be connected on each side of this bridge.

If another system/device can be connected to the OpenBSD pf(4) bridge which can then act as a NAT'ed router, then a separation of functionality can be attained; however, many people simply use a single device configured as a pf(4) router to take care of both filtering traffic & NAT functionality.
Which should you do? It all depends upon the contract you have with your ISP & how many machines you want to tie up implementing firewall capabilities.
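As an added example (not from the original post or its author), here is a minimal pf.conf for the routing-plus-NAT option described above, using the poster's interface layout. It assumes rl0 is the ISP-facing interface and rl1 is the internal interface with the 192.168.1.0/24 LAN behind it; the `match ... nat-to` syntax is the OpenBSD 4.7+ form.

```pf
# /etc/pf.conf -- example only; assumptions: rl0 = external, rl1 = internal LAN
ext_if  = "rl0"
int_if  = "rl1"
lan_net = "192.168.1.0/24"

# Do not filter loopback; default-deny everything else and log it
set skip on lo
block return log all

# Rewrite the source of outbound LAN traffic to whatever address rl0 holds,
# so all internal hosts share the single ISP-assigned address
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Allow the LAN to initiate connections; stateful replies are allowed back
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet keep state

# Allow the firewall itself to reach the LAN (e.g. for DHCP/DNS you run on it)
pass out on $int_if inet
```

The box also has to forward packets between the two interfaces, which pf does not turn on by itself: set `net.inet.ip.forwarding=1` in /etc/sysctl.conf, and check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.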