From: Pete on 2 Jan 2010 13:30

Is it possible to implement a point-to-point link on FreeBSD without using PPP? I'm trying to create a "tappable" link between a fbsd firewall and router that can be used to monitor multiple networks (connected to the router) using Snort. I realize that I could just as easily use a /30, but I'm just curious if it could be done with a /31 not using PPP. NAT for the internet connection is performed by the firewall.

Here is a rude drawing of the network (hopefully Google Groups doesn't distort it too much).

Internet -----> Firewall --------------------> Router -----> 3 subnets
                                         |
                                        Tap

Thanks in advance.
From: Lowell Gilbert on 2 Jan 2010 15:19

Pete <news(a)redlamb.net> writes:

> Is it possible to implement a point-to-point link on FreeBSD without
> using PPP? I'm trying to create a "tappable" link between a fbsd
> firewall and router that can be used to monitor multiple networks
> (connected to the router) using Snort. I realize that I could just as
> easily use a /30, but I'm just curious if it could be done with a /31
> not using PPP. NAT for the internet connection is performed by the
> firewall.
>
> Here is a rude drawing of the network (hopefully Google Groups doesn't
> distort it too much).
>
> Internet -----> Firewall --------------------> Router -----> 3 subnets
>                                          |
>                                         Tap

You want an "unnumbered" link. You can monitor the interface, even though it doesn't have an IP address.

--
Lowell Gilbert, embedded/networking software engineer
http://be-well.ilk.org/~lowell/
From: Pete on 2 Jan 2010 19:33

On Jan 2, 3:19 pm, Lowell Gilbert <lguse...(a)be-well.ilk.org> wrote:

> Pete <n...(a)redlamb.net> writes:
>
> > Is it possible to implement a point-to-point link on FreeBSD without
> > using PPP? I'm trying to create a "tappable" link between a fbsd
> > firewall and router that can be used to monitor multiple networks
> > (connected to the router) using Snort. I realize that I could just as
> > easily use a /30, but I'm just curious if it could be done with a /31
> > not using PPP. NAT for the internet connection is performed by the
> > firewall.
> >
> > Here is a rude drawing of the network (hopefully Google Groups doesn't
> > distort it too much).
> >
> > Internet -----> Firewall --------------------> Router -----> 3 subnets
> >                                          |
> >                                         Tap
>
> You want an "unnumbered" link. You can monitor the interface, even
> though it doesn't have an IP address.
>
> --
> Lowell Gilbert, embedded/networking software engineer
> http://be-well.ilk.org/~lowell/

Thanks for the info... Any advice on how to configure an "unnumbered" link? I've been searching Google all afternoon and am not having much luck. However, that might be because I don't completely understand how an "unnumbered" link works. Would the "unnumbered" link be configured on the firewall, the router, or both?

Also, is there a negative side to using an "unnumbered" link? It appears that the biggest negative is the inability to administer the router from the "unnumbered" side, but is there anything else I'm missing?

Thanks again for the help.
From: Lowell Gilbert on 3 Jan 2010 11:39

Pete <news(a)redlamb.net> writes:

> On Jan 2, 3:19 pm, Lowell Gilbert <lguse...(a)be-well.ilk.org> wrote:
>> Pete <n...(a)redlamb.net> writes:
>> > Is it possible to implement a point-to-point link on FreeBSD without
>> > using PPP? I'm trying to create a "tappable" link between a fbsd
>> > firewall and router that can be used to monitor multiple networks
>> > (connected to the router) using Snort. I realize that I could just as
>> > easily use a /30, but I'm just curious if it could be done with a /31
>> > not using PPP. NAT for the internet connection is performed by the
>> > firewall.
>>
>> > Here is a rude drawing of the network (hopefully Google Groups doesn't
>> > distort it too much).
>>
>> > Internet -----> Firewall --------------------> Router -----> 3 subnets
>> >                                          |
>> >                                         Tap
>>
>> You want an "unnumbered" link. You can monitor the interface, even
>> though it doesn't have an IP address.
>>
>> --
>> Lowell Gilbert, embedded/networking software engineer
>> http://be-well.ilk.org/~lowell/
>
> Thanks for the info... Any advice on how to configure an "unnumbered"
> link? I've been searching Google all afternoon and am not having much
> luck. However, that might be because I don't completely understand how
> an "unnumbered" link works. Would the "unnumbered" link be configured
> on the firewall, the router, or both?
>
> Also, is there a negative side to using an "unnumbered" link? It
> appears that the biggest negative is the inability to administer the
> router from the "unnumbered" side, but is there anything else I'm
> missing?

You should still be able to connect over the unnumbered link, using a different address (probably one attached to a different interface).

I don't remember the precise syntax, because it's been a while since I used such a feature (I think it was for a test network of virtual machines using qemu).

Basically, you bring the interface up without an address, and add routes to the *interface* for any networks (even /32) you want to reach through that interface. The unnumbered link has to be configured on both sides. It's still an IP link; it just doesn't have an IP address on the interface of either side.

--
Lowell Gilbert, embedded/networking software engineer
http://be-well.ilk.org/~lowell/
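The recipe Lowell gives (interface up with no address, then routes pointed at the interface, on both ends) expressed as a FreeBSD shell script. This is an added example, not code from anyone in the thread. Interface names (em0, em1), the three subnet prefixes and the router's default route are assumed values; the FreeBSD commands themselves are route(8)'s "-iface" form and rc.conf's static_routes/route_<name> scheme. DRY_RUN=1 (the default) only prints the commands, so the script can be reviewed before being run as root on the firewall and router with DRY_RUN=0. From the monitoring side, the appeal is that the tapped segment carries no address on either box, so there is nothing on that segment for a host behind the router to connect to or target directly; administration comes in via an address on another interface, as Lowell notes.

```shell
#!/bin/sh
# Added example: configure an unnumbered IPv4 link on FreeBSD.
# DRY_RUN=1 prints the commands instead of executing them.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# unnumbered_link IFACE PREFIX...
# Brings IFACE up with no address, then adds an interface route
# ("-iface": the next hop is the link itself) for each PREFIX.
# "default" adds the default route; a /32 is added as a host route.
# Caveat: on an Ethernet link the kernel will ARP for destinations
# covered by these routes, so the far end must answer for them
# (proxy ARP) or the link must be a true point-to-point medium.
unnumbered_link() {
    iface=$1
    shift
    run ifconfig "$iface" up
    for prefix in "$@"; do
        case $prefix in
            default) run route add default -iface "$iface" ;;
            */32)    run route add -host "${prefix%/32}" -iface "$iface" ;;
            *)       run route add -net "$prefix" -iface "$iface" ;;
        esac
    done
}

# rc_conf_fragment IFACE PREFIX...
# Prints the /etc/rc.conf lines that make the same setup persistent
# across reboots, using the static_routes / route_<name> mechanism.
rc_conf_fragment() {
    iface=$1
    shift
    names=""
    n=0
    printf 'ifconfig_%s="up"\n' "$iface"
    for prefix in "$@"; do
        n=$((n + 1))
        names="$names unnum$n"
        case $prefix in
            default) printf 'route_unnum%s="default -iface %s"\n' "$n" "$iface" ;;
            */32)    printf 'route_unnum%s="-host %s -iface %s"\n' "$n" "${prefix%/32}" "$iface" ;;
            *)       printf 'route_unnum%s="-net %s -iface %s"\n' "$n" "$prefix" "$iface" ;;
        esac
    done
    printf 'static_routes="%s"\n' "${names# }"
}

# Firewall side (assumed): em1 faces the router/tap segment and must reach
# the three subnets behind the router. Snort watches em1 with no address on it.
unnumbered_link em1 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24
rc_conf_fragment em1 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24

# Router side (assumed, if it is also FreeBSD): em0 is the uplink toward the
# firewall; everything not local, including the firewall's address on another
# interface, goes out of the unnumbered uplink.
unnumbered_link em0 default
rc_conf_fragment em0 default
```

To verify after applying it with DRY_RUN=0, `netstat -rn` should show the prefixes with the interface name rather than a gateway address in the Gateway column, and `ifconfig em1` should report the interface UP with no inet line, which is exactly the state in which Snort (or tcpdump) can still be bound to it.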