At 02:40 PM 10/28/02 -0800, Craig wrote:

Hi folks, Charles, please help me clarify this in my mind if you would please... if I want my Private Student LAN to have the internet public addresses, isn't this really a bridge? Here's what I mean:

Internet-----Bering Box 1----(School LAN)-----Bering Box 2-----Private Student LAN

I want the private student LAN to have the public, internet addresses from Bering Box 1. And because I have to go through the existing school LAN, I want the traffic encrypted. But, in my mind, because I want the Private Student LAN to have those public addresses... this is a bridge, isn't it? Thank you for your help!

Who knows? Whether it is a bridge or not depends on how you implement it (though I don't actually know of a way to bridge AND to encrypt the link).
Terminology: when two networks are connected at the Data Link Layer (in practice, usually Ethernet, transporting Ethernet frames), the device that connects them is called a bridge. When two networks are connected at the Network Layer (in practice, IP addresses, transporting IP datagrams), the device that connects them is called a router. LEAF devices (Linux devices generally) can operate as either bridges or routers.
You are not exactly clear here on what "the public, internet addresses from Bering Box" means, but from what I recall of your earlier e-mail, I think you want to have the Bering 1 router accept traffic to some set of public IP addresses, which I will call here network a.b.c.d/netmask, and forward it on to the Private Student LAN. The LAN machines will use those same addresses as their own IP addresses (that is, you do not want to use 1-to-1 NAT, sometimes called static NAT, for these addresses).
For this to work, whatever exists to the left (in your diagram) of Bering 1 needs to know that Bering 1 is the route to those addresses. There are only three real ways that this can be accomplished:
1. Everything that is "immediately" to the left of Bering 1 (that is, everything that does not reach it by going through a router) knows that Bering 1's external IP address is its route to network a.b.c.d/netmask.
2. Bering 1 itself is set up so that whenever something immediately to its left attempts to reach any of the addresses in network a.b.c.d/netmask, Bering 1 itself responds to those attempts. In an Ethernet context, this means that Bering 1 does proxy-arp for those addresses.
3. Bering 1 is set up as a bridge, so it passes all Ethernet-level traffic, including the arp requests from hosts to its left for those on network a.b.c.d/netmask. (Fancier bridges "learn" what MAC addresses lie on either side and pass only the needed frames; I don't know how sophisticated Linux's bridging code is in this regard.)
At this level of discussion, any of the three solutions will work, with the choice of which is best for a specific application resting on circumstances specific to the particular application.
You have the additional requirement that Bering 1 and Bering 2 be connected by a VPN. (In previous discussions, I and I think others have suggested that such a VPN will not accomplish your goal of protecting the School LAN from the Private Student LAN ... keeping Bering 1 and Bering 2 themselves secure and being careful about their routing tables does that ... but we can put that aside for the moment and focus on the technical requirements for using such a VPN.)
I don't believe you can run a bridge over a VPN (it is not impossible in principle, but I've never seen it actually done ... since a VPN is a Network-Layer link, you'd have to encapsulate Ethernet frames in IP datagrams ... this isn't quite as weird as it sounds, but it is *almost* as weird as it sounds ... so you are unlikely to find what you need off the shelf). So we scratch approach #3 and stick with routing rather than bridging.
From other things you have said, I infer that you cannot affect the routing tables of devices to the left of Bering 1, so we scratch approach #1.
That leaves proxy arp (approach #2). I have not seen that combined with a VPN, but I can't think of any reason why the two would not work together. You establish a VPN between Bering 1 and Bering 2, then tell Bering 1 that that VPN interface is its route to network a.b.c.d/netmask. You also tell it to proxy-arp network a.b.c.d/netmask on its external interface.
The docs for Bering probably explain how to do each of these two (quite separate) things. If not, you may want to follow up with specific questions.
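Concretely, on a Linux router such as Bering the two separate steps come down to a route for a.b.c.d/netmask out the tunnel interface and the proxy_arp sysctl on the external interface. The script below is an added example, not code from the mail or from the Bering docs; the 203.0.113.0/24 block (constructed, RFC 5737 documentation range), the interface names eth0/ipsec0 and the iptables rules are assumptions to be replaced with your own.

```sh
#!/bin/sh
# Added example, not from the original mail or the Bering docs: set up
# Bering 1 as the proxy-ARP-plus-routing end of approach #2. The network
# (RFC 5737 documentation range, constructed), interface names and the
# tunnel interface name ipsec0 are assumptions; substitute your own.
NET="${NET:-203.0.113.0}"      # the "a.b.c.d" block the student LAN uses
PREFIX="${PREFIX:-24}"         # its netmask, as a prefix length
EXT_IF="${EXT_IF:-eth0}"       # Bering 1's external (left-hand) interface
VPN_IF="${VPN_IF:-ipsec0}"     # tunnel interface towards Bering 2 (assumed)

# Echo instead of executing when DRY_RUN=1, so the plan can be reviewed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Dotted quad -> integer, POSIX sh arithmetic only.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

# Will Bering 1 answer ARP on EXT_IF for ADDR?  Only if ADDR is inside
# NET/PREFIX, because that is the only block routed out another interface.
will_proxy() {
  mask=$(( (0xFFFFFFFF << (32 - $PREFIX)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$NET") & mask )) ]
}

configure_bering1() {
  # 1. Route: the student block lies behind the tunnel to Bering 2.
  run ip route add "$NET/$PREFIX" dev "$VPN_IF"
  # 2. Proxy ARP on the external side. Linux answers ARP on EXT_IF for any
  #    destination it routes out a *different* interface, so step 1 defines
  #    exactly which addresses get proxied; no per-host ARP entries needed.
  run sysctl -w "net.ipv4.conf.$EXT_IF.proxy_arp=1"
  run sysctl -w net.ipv4.ip_forward=1
  # 3. Forward between the outside and the tunnel only; deliberately no
  #    rule between the tunnel and the School LAN interface. Keeping this
  #    table tight is what protects the School LAN; the VPN itself does not.
  run iptables -A FORWARD -i "$EXT_IF" -o "$VPN_IF" -d "$NET/$PREFIX" -j ACCEPT
  run iptables -A FORWARD -i "$VPN_IF" -o "$EXT_IF" -s "$NET/$PREFIX" -j ACCEPT
}

# Usage: "sh bering1.sh show" prints the plan; "sh bering1.sh apply" runs it (as root).
case "${1:-}" in
  show)  DRY_RUN=1; configure_bering1 ;;
  apply) configure_bering1 ;;
esac
```

The School LAN's own forwarding rules (its path to the Internet through Bering 1) are not shown and must be added separately; Bering 2 needs the mirror-image route, with the student LAN on its inside interface and the default route out the tunnel.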
--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, California, USA [EMAIL PROTECTED]
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html