Hi again Jens,

On 10/11/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2006/10/12 01:15, ropers wrote:
> > Or maybe I have gotten a small chunk off of that big fat 123.0.0.0/8
> > network to play with. So let's say I have been allocated
> > 123.123.123.0/24.
>
> Normally, you get a separate address _as_well_. Let's say 123.4.5.6/30.
> Say you don't run a dynamic routing protocol you would set the default
> route to 123.4.5.5. The internal network 123.123.123.0 is yours to play
> with and carve up as you like, say you take 123.123.123.1 and tell the
> other hosts in the subnet that's their default gateway.

I think what confused me about your suggestion of using bridging is
because I'm used to having setups like the one Stuart mentioned: that
is, having an ISP assign an IP for the external interface of my
firewall (a /30 one in the case of a point-to-point link) and giving
me a range of public IPs for which the next hop router will be
configured as the IP assigned to the external interface. This info
will be configured in the ISP's router (the default gateway from my
firewall's point of view) and I'll use the range of public IPs on the
internal interface. In these types of cases I wouldn't use bridging;
simply IP forwarding.

> Yes, bridging firewalls are useful where you don't have IP traffic for
> the whole subnet forwarded to your router by normal IP routing. The
> situation you describe is one. ISPs giving a `managed router' where they
> can't be bothered to manage it enough to add routing-table entries for
> you is another.

I've never had to deal with the cases mentioned in the paragraph
above, which explains why I've never looked into bridging.

Also, I am a bit concerned about having the phones and the office
computers on the same subnet: some of these brands of VoIP phones (at
least the Cisco 7940s) have a TELNET interface on them and can boot
off of a TFTPd server. I think it'd be safer to have the phones on
their own subnets, protected by the OpenBSD firewall, so that some
curious office worker armed with nmap doesn't start trying to figure
out the IPs of all the phones and begins trying to access them just for
the fun of it. Also, by separating the phones from the PCs in two
different subnets you save a bit on broadcast and possible multicast
(if your switch is not IGMP-aware) traffic. Anyway, I guess that's how
I'd do it.

-Martin

--
"Suburbia is where the developer bulldozes out the trees, then names
the streets after them."

                                                  --Bill Vaughan
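As an added example (written here, not taken from anyone in the thread), a pf.conf that implements the routed setup Stuart describes and the phone/office split Martin recommends. It assumes interface names em0/em1/em2, carves 123.123.123.0/24 into two /25s with .1 and .129 as the gateways, and assumes a management host address, an RTP port range and the Cisco SCCP port; the telnet and TFTP ports are the services the message mentions.

```pf
# /etc/pf.conf - constructed example, not from the thread.
# Assumed: interface names, the /25 split, mgmt_host, the RTP range and SCCP port.
ext_if   = "em0"                 # 123.4.5.6/30, default route 123.4.5.5 (from the thread)
lan_if   = "em1"                 # 123.123.123.1/25,   office PCs
voip_if  = "em2"                 # 123.123.123.129/25, phones
lan_net  = "123.123.123.0/25"
voip_net = "123.123.123.128/25"

# Management services the phones expose (telnet, TFTP boot) and the one
# assumed host that is allowed to reach them.
phone_mgmt_tcp = "{ 23 }"
phone_mgmt_udp = "{ 69 }"
mgmt_host      = "123.123.123.10"

set skip on lo
block log all                    # default deny, log what is dropped

# Office subnet: normal forwarding, but nothing into the phone subnet
# except the management host on the management ports.
pass in on $lan_if from $lan_net to ! $voip_net keep state
pass in on $lan_if proto tcp from $mgmt_host to $voip_net \
    port $phone_mgmt_tcp flags S/SA keep state
pass in on $lan_if proto udp from $mgmt_host to $voip_net \
    port $phone_mgmt_udp keep state

# Phone subnet: only what a phone needs, and never into the office subnet.
pass in on $voip_if proto udp from $voip_net to ! $lan_net \
    port { 53, 123, 5060 } keep state          # DNS, NTP, SIP
pass in on $voip_if proto udp from $voip_net to ! $lan_net \
    port 10000:20000 keep state                # RTP (assumed range)
pass in on $voip_if proto tcp from $voip_net to ! $lan_net \
    port 2000 flags S/SA keep state            # SCCP for Cisco 79xx (assumed)
# A TFTP/provisioning server placed on the phone subnet itself needs no rule:
# only traffic crossing the firewall is filtered, so nmap from the office
# subnet never reaches the phones' telnet or TFTP services.

# Whatever was allowed in may leave on any interface.
pass out keep state
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it; the `block log all` line makes any office-to-phone probing visible on the pflog interface.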
