On 2015-09-25, patrick keshishian <[email protected]> wrote:
> On 9/24/15, Kapetanakis Giannis <[email protected]> wrote:
>> On 24/09/15 22:41, patrick keshishian wrote:
>>> Hi,
>>>
>>> I'm pretty sure I'm over-thinking this, so I thought I'd step back and
>>> see if I can get some hints as how this sort of a set-up is done
>>> "properly" by pros.
>>>
>>>
>>> Say, existing set up:
>>>
>>> [internet] -- [pf] -- [ public-ip-net/24 ]
>>>
>>>
>>> Want to add/connect a private 192.168.0/24 to existing [
>>> public-ip-net/24]:
>>>
>>> ... [ public-ip-net/24] -?- [ obsd box ] -- [ 192.168.0/24 ]
>>>
>>>
>>> Goals:
>>> 1. Hosts in both networks "talk" with one another freely.
>>>     e.g., hosts in existing network see hosts in to-be-added 192
>>>     network, as they are; i.e., not NAT-ed. And vice versa.
>>> 2. Hosts in 192.168.0/24 have access to the internet through
>>>     the same/existing gateway.
>>>
>>>
>>> I lack some knowledge wrt the subject, where I think, I am
>>> filling the "holes" with, possibly, far too complicated ideas.
>>>
>>> Appreciate any and all help offered.
>>>
>>> Thanks,
>>> --patrick
>>
>> First of all you don't need a second obsd/pf router for this.
>>
>> Either put the private network on a secondary ip on the same
>> vlan/interface as the public
>> or use a new vlan/interface for the private network.
>>
>> pf can be tuned to fit your filtering needs.
>>
>> Do the nat on [pf] box only for packets going out on its egress interface.
>
> Thanks Daniel and Kapetanakis for replies.
>
> I read some on vlans (as I knew next to nothing about them).
> I think I'm still not completely clear on how they would work,
> unless a vlan-capable switch is used, which the current set-up lacks;
> The only reference I found, which explicitly states this, is M. Lucas's
> book ("Absolute OpenBSD...").
>
> --patrick
>
>

vlan-tagged packets can be transferred OK through most unmanaged
switches, so if you have two machines with vlans specifically
configured on them, they're usually able to talk to each other.
Obviously with this setup there's no way to restrict which ports
are used for each vlan, and all endpoints wanting to use a vlan
need to handle the tags themselves.

But you don't need that at all, as Giannis points out you can
have an address from both subnets configured on the same interface.

There's obviously no guarantee of separation between the two
networks with either of these methods - by reconfiguring a host
it would be able to directly access hosts from the other subnet -
but as you say you want to allow full access between them anyway,
it's an easy way to do this without extra NICs.
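To make the secondary-address variant concrete, here is a pf.conf for the existing [pf] box with 192.168.0/24 added as an alias on its inside interface and NAT applied only on egress, as Giannis suggested. This is an added example, not a ruleset posted in the thread; the interface names em0/em1, the public prefix 203.0.113.0/24 (a documentation range standing in for public-ip-net/24) and the gateway addresses are assumptions.

```pf
# Added example: pf.conf for the [pf] box once 192.168.0/24 is added as a
# second address on the inside interface.  Interface names and the 203.0.113.0/24
# public prefix are assumptions, not values from the thread.
#
# The inside interface carries both subnets (/etc/hostname.em1):
#   inet 203.0.113.1 255.255.255.0
#   inet alias 192.168.0.1 255.255.255.0
# Hosts on 192.168.0/24 use 192.168.0.1 as their default gateway, hosts on the
# public /24 keep using 203.0.113.1.

ext_if = "em0"
int_if = "em1"
private_net = "192.168.0.0/24"

# Both locally attached subnets, used wherever "either network" is meant.
table <local_nets> const { 203.0.113.0/24, 192.168.0.0/24 }

set skip on lo

# Default deny; everything allowed below is explicit.
block return

# Goal 2: private hosts reach the internet through this same gateway.
# Translation happens only for packets leaving on the egress interface and
# only for the private source range, so public hosts are never NAT-ed.
match out on $ext_if inet from $private_net to any nat-to ($ext_if)

# Goal 1: the two networks talk to each other un-NAT-ed.  Because both subnets
# sit on the same wire, such traffic enters on $int_if and, after routing,
# leaves on $int_if again, so it has to be allowed in both directions there.
pass on $int_if inet from <local_nets> to <local_nets>

# Outbound internet access from either network; pf keeps state, so replies
# are matched without further rules.
pass in on $int_if inet from <local_nets> to ! <local_nets>
pass out on $ext_if inet

# Note: as the reply above says, nothing here enforces separation between the
# two subnets; a host that reconfigures itself onto the other range can reach
# it directly on the shared segment without passing through this box.
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; the [pf] box is already routing, so ip forwarding is assumed to be enabled.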
