Re: Point-to-point link without PPP on freebsd? Is it possible?



Pete <news@xxxxxxxxxxx> writes:

On Jan 2, 3:19 pm, Lowell Gilbert <lguse...@xxxxxxxxxxxxxxx> wrote:
Pete <n...@xxxxxxxxxxx> writes:
Is it possible to implement a point-to-point link on FreeBSD without
using PPP? I'm trying to create a "tappable" link between a fbsd
firewall and router that can be used to monitor multiple networks
(connected to the router) using Snort. I realize that I could just as
easily use a /30, but I'm just curious if it could be done with a /31
not using PPP. NAT for the internet connection is performed by the
firewall

Here is a rude drawing of the network (hopefully Google Groups doesn't
distort it too much).

Internet -----> Firewall --------------------> Router -----> 3 subnets
                                         |
                                       Tap

You want an "unnumbered" link.  You can monitor the interface, even
though it doesn't have an IP address.

--
Lowell Gilbert, embedded/networking software engineer
         http://be-well.ilk.org/~lowell/

Thanks for the info... Any advice on how to configure an "unnumbered"
link? I've been searching google all afternoon and am not having much
luck. However that might be because I don't completely understand how
an "unnumbered" link works. Would the "unnumbered" link be configured
on the firewall, the router, or both?

Also, is there a negative side to using an "unnumbered" link? It
appears that the biggest negative is the inability to administer the
router from the "unnumbered" side, but is there anything else I'm
missing?

You should still be able to connect over the unnumbered link, using a
different address (probably one attached to a different interface).

I don't remember the precise syntax, because it's been a while since I
used such a feature (I think it was for a test network of virtual
machines using qemu). Basically, you bring the interface up without an
address, and add routes to the *interface* for any networks (even /32)
you want to reach through that interface.

The unnumbered link has to be configured on both sides. It's still an
IP link; it just doesn't have an IP address on the interface of either
side.

--
Lowell Gilbert, embedded/networking software engineer
http://be-well.ilk.org/~lowell/
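As an added example, not code from the thread or from either poster, here is a FreeBSD shell script that carries out the configuration Lowell describes on both sides of the link: interface up with no address, and routes pointed at the interface itself. The interface names (em1 on the firewall, em0 on the router), the three subnets and the router's management address on lo0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: FreeBSD commands for the unnumbered
# firewall <-> router link. Interface names, subnets and the router's
# management address are constructed assumptions.
# DRY_RUN=1 (the default) only prints each command for review;
# DRY_RUN=0 executes it (as root, on the real hosts).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Firewall side: bring the link interface up with no address, then point
# the subnets behind the router at the *interface* (there is no gateway
# IP to name). $1 = link interface, $2 = router mgmt /32, rest = subnets.
firewall_side() {
    link_if=$1; router_mgmt=$2; shift 2
    run ifconfig "$link_if" up
    for net in "$@"; do
        run route add -net "$net" -iface "$link_if"
    done
    # The router stays administrable: not via the link, but via an address
    # it holds elsewhere (here on lo0), reached by a /32 interface route.
    run route add -host "$router_mgmt" -iface "$link_if"
}

# Router side: same idea in reverse. The link interface has no address,
# the management address sits on lo0, and the default route is an
# interface route out of the addressless link.
router_side() {
    link_if=$1; mgmt=$2
    run ifconfig "$link_if" up
    run ifconfig lo0 alias "$mgmt" netmask 255.255.255.255
    run route add default -iface "$link_if"
}

# Caveat: over Ethernet the kernel ARPs for each routed destination, so the
# peer has to answer those requests (e.g. published static entries via
# "arp -s ... pub"); a serial or tunnel point-to-point interface needs none.
# To persist across reboots, express the same routes in /etc/rc.conf as
# static_routes="..." plus route_<name>="-net ... -iface ...".

# Constructed topology: firewall em1 <-> router em0, mgmt 10.255.0.1.
firewall_side em1 10.255.0.1 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24
router_side em0 10.255.0.1
```

Run it once with the default DRY_RUN=1 on each host to check the generated commands before switching to DRY_RUN=0; the tap on the link then sees only transit traffic, since neither end exposes a management address on that segment.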