Subject: ipf + bridge interfaces
To: None <current-users@netbsd.org>
From: Michael Graff <explorer@flame.org>
List: current-users
Date: 03/30/2005 12:14:39

First, the problem.  Later, the thing I was attempting to fix, and how I
managed to hack it into place.  :)

THE PROBLEM
-------------------------

I have two interfaces bridged.  One (fxp1) connects directly to my DSL router,
and feeds me (from the DSL provider) a /28 for my viewing pleasure.  This is
a physical wire connection, no switches or other devices involved.  The
second is a VLAN (vlan12 is the interface name) which is a VLAN on another
interface (fxp0).

I have created the bridge using:

	ifconfig bridge0 create
	brconfig bridge0 ipf add vlan12 add fxp1

(which, btw, does NOT work in /etc/ifconfig.bridge0, since vlan12 does not yet
exist...  But that's another issue)

If I look at brconfig, I am told that ipf is enabled.  However, nothing is
actually filtered!  I have "block in on fxp1 all" and packets come right
through.

Interestingly enough, the ipf "blocked packet" count seems to increase, but I
can telnet to any port on the bridge machine, or anything behind it, from
anywhere outside my network.

So, is anyone else doing ipf filtering on bridge devices?

THE REASON I DO THIS
---------------------------------------

Well, I have Alltel DSL.  They offer PPPoE (which NetBSD can do, but will
reduce MTU) or PPPoA.  After breaking into my Speedstream 5200 via an
apparently well-known back door hack, and enabling PPPoA configuration menus,
I managed to get the Speedstream to do PPPoA as well.  Unfortunately, it will
not act as a bridge in that mode, only a router.

So, I thought I'd put NetBSD in as a filtering bridge.  Problems solved!  But
then the filtering part wasn't working.  Grr.

THE HACK
------------------
I ended up doing this disgusting hack:

Modem config:

	external IP from Alltel
	default route out WAN interface
	static route for the /28 out the LAN interface, to 192.168.0.2
	LAN interface address of 192.168.0.8

Host config:

	fxp1:  192.168.0.2
	default route to 192.168.0.8
	static route for the router's external IP address to 192.168.0.8

	vlan13:  an address on the /28 from Alltel

	ipnat:  Does 10.42.0.0/24 translation (unknown hosts on my wireless)
	Also does translation from 192.168.0.2 -> Alltel number (the same as on
	vlan13)

So, using a mix of NAT for the host itself, I have managed to make routing
work the way I want it to.  Note that this would all be trivial to do if I
could say something like:

	route add default 192.168.0.2 localaddr 1.2.3.4

to specify the local address I want INADDR_ANY to map into, rather than having
it use the interface's address.

--Michael
