From owner-freebsd-questions@FreeBSD.ORG Fri Oct 24 06:31:38 2003
Date: Fri, 24 Oct 2003 15:29:39 +0200
From: Alex de Kruijff
To: Ian Moore
cc: freebsd-questions
Subject: Re: ADSL modem & ip addresses
Message-id: <20031024132939.GD30536@dds.nl>
In-reply-to: <200310102329.08549.imoore@picknowl.com.au>

On Fri, Oct 10, 2003 at 11:29:08PM +0930, Ian Moore wrote:
> Hi,
> I'm organising an ADSL connection and I'm a bit confused about our options.
>
> We need to provide web, ssh and mail access to our network for users from home
> across the Internet with an ADSL connection.
> I figure the best way to do this is to set up a new machine to act as a
> firewall and run a web server & sendmail on this box. (or I have seen
> something about using socket to divert these services to our existing server
> which has a private address).
> The firewall would have a NIC with a private IP address to connect to the rest
> of our network.
>
> What's the best way then to connect it to the ADSL line?

I feel it's best to have a hardware modem that also knows how to build up
the connection. I've set my ADSL modem up so that it builds the connection
and then routes the packets to my gateway computer.

> Do we have a second NIC in the firewall machine with a real IP address

You do need a second NIC on the gateway. Either the gateway or the modem
needs to have the public (real) IP.

> connected to an ADSL modem and use ppp -natd on that interface?

You want to run natd, yes. If you go for building up the connection with
ppp, then this is the way to go. If you don't, then you can enable it in
rc.conf.

> Does that mean we'd need 2 static IP addresses - one for the firewall
> & one for the modem? (We really don't want to pay for 2 addresses)

You don't need that. Natd forwards work fine with one public IP address.

> Or can we use a USB connection instead - are there FBSD drivers for ADSL
> modems? I can't see any in the supported hardware list.

I wouldn't go for a USB connection.

> Or do we use a combined modem/router device to do the nat & firewalling and
> have it redirect mail, web & ssh access to our main server? (is that possible
> or do such devices not allow access into the network from the 'net?)

Having a modem that knows how to build up the connection and route it is the
solution in my view. I feel that it's better to have a *BSD box being the
router, because routers have limited memory. (Mine only had 256 slots for
routing, which was not sufficient in my case, because I run mldonkey or
possibly Kazaa. This problem doesn't occur with a BSD box.)

As a side note: if you care about security, assume your gateway has been
compromised at all times. So also set up a firewall on your other machines.
This way you are better protected.

-- 
Alex
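The two points in the reply that have a concrete configuration behind them are the rc.conf route to natd with a single public address (forwarding web, ssh and mail to a server on the private LAN) and the side note that internal hosts should run their own firewall and not trust the gateway. The following is an added example written for this thread, not code posted by either participant: an rc.conf fragment for the gateway plus two shell functions that print ipfw rule sets, one for the gateway and one for the internal server. The interface names (tun0 from ppp on the outside, fxp1 on the inside), the 192.168.1.0/24 LAN and the server address 192.168.1.10 are assumptions; the rules are printed rather than applied so they can be reviewed first.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumed names: tun0 is the
# outside interface that holds the single public IP (ppp), fxp1 the inside
# NIC, 192.168.1.0/24 the private LAN and 192.168.1.10 the web/ssh/mail host.

# --- /etc/rc.conf on the gateway ---
gateway_enable="YES"               # forward packets between the two NICs
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"  # our own rule set instead of a canned type
natd_enable="YES"
natd_interface="tun0"              # interface whose address natd rewrites to
# One public address is enough: natd rewrites outbound packets and forwards
# inbound web, ssh and mail to the server on the private LAN.
natd_flags="-redirect_port tcp 192.168.1.10:80 80 -redirect_port tcp 192.168.1.10:22 22 -redirect_port tcp 192.168.1.10:25 25"

# Rule set for the gateway, in the form ipfw(8) accepts ("ipfw add ...").
# Packets re-enter the rule set right after the divert rule, so an inbound
# packet to the public address is already rewritten to 192.168.1.10 when
# rule 500 sees it. Everything not matched earlier is denied and logged.
gateway_rules() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 200 allow ip from any to any via fxp1
add 300 divert natd ip from any to any via tun0
add 400 allow tcp from any to any established
add 500 allow tcp from any to 192.168.1.10 80,22,25 in via tun0 setup
add 600 allow udp from any 53 to any in via tun0
add 700 allow ip from any to any out via tun0
add 65000 deny log ip from any to any
EOF
}

# Rule set for the internal server (the side note: assume the gateway is
# compromised). Only the three published services are reachable; replies
# to its own connections and DNS answers are allowed; all else is logged
# and dropped, including anything the gateway itself might send.
lan_host_rules() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to 192.168.1.10 80,22,25 in setup
add 300 allow tcp from any to any established
add 400 allow udp from any 53 to 192.168.1.10 in
add 500 allow ip from 192.168.1.10 to any out
add 65000 deny log ip from any to any
EOF
}

echo "# gateway rules (/etc/ipfw.rules)"
gateway_rules
echo "# internal server rules"
lan_host_rules
```

With ppp building the link, the same redirects can be handed to ppp's own NAT instead of natd; with a modem/router doing the connection, natd_interface becomes the outside NIC and the divert rule uses that name. Rule 200 on the gateway passes LAN traffic unfiltered, which is exactly why the internal hosts get their own rule set.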