On Tue, 2002-12-31 at 00:14, Martin A. Brown wrote:

> Setting the problem of the tiny network aside, I'm interested in your
> suggestion, Daniel, that he use the same IP on both interfaces of the
> box--I've not tried that before.

The IP (and thus the size of the network) is irrelevant; actually it shouldn't even matter if one has the same IP on all of the interfaces IIRC. My vision on the solution is unfortunately not really clear as we're doing a lot more perverted things as part of a business solution which could simplify the simple setup a lot (upside down, eh? :) )

> Do you have an example config?

What I've been doing at some point was to simply route traffic from one interface to another and vice versa using the incoming interface as selector for the iptables rules. Another (and probably more flexible) approach would be to mark incoming traffic from one interface with some mark, handle it as if it was "normal" traffic inside the packet filters and then route the other interface based on the firewall mark.

> Have you seen any problems with this configuration?

Yes, the first approach (we had taken originally) had the problem that it was quite hard to intercept packets and handle them differently, like push them through a transparent proxy. Also (and this is nasty for us) it's almost impossible to run services on the "bridge" and correctly let them answer back to the client.

We're doing it sort of differently now: We still have the same IP on both interfaces and the machine is almost transparent, but we only have one default route pointing to the net and several host routes into the client net which are set up on demand. That way we have a mixture of a router and a bridge but can still provide services on the machine. We also have lots of special services on the machine automatically creating routes on demand and doing arp faking so it might not work that well without...

-- 
Daniel Egger <egger@spotnic.de>
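The fwmark variant described in the message, written out as an added example (not Daniel's own configuration): both interfaces carry the same address, packets are marked by ingress interface in the mangle table, and policy rules send each mark to its own routing table, with host routes into the client side added on demand. It goes slightly beyond the text by marking both directions. Interface names, the TEST-NET address 192.0.2.10/24, the gateway 192.0.2.1, the mark values and table numbers are all assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Assumed topology: NET_IF faces the upstream gateway, CLIENT_IF the client net.
NET_IF=eth0
CLIENT_IF=eth1
SHARED_IP=192.0.2.10/24   # same address on both interfaces (assumed value)
NET_GW=192.0.2.1          # upstream gateway reachable via NET_IF (assumed)
MARK_FROM_CLIENT=1        # mark for packets that entered on CLIENT_IF
MARK_FROM_NET=2           # mark for packets that entered on NET_IF
TABLE_TO_NET=100          # routing table used for MARK_FROM_CLIENT
TABLE_TO_CLIENT=101       # routing table used for MARK_FROM_NET

# run: print the command when DRY_RUN is set, otherwise execute it (needs root).
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

fwmark_bridge_setup() {
    # Forwarding on; reverse-path filtering off, because the same prefix is
    # reachable on both interfaces and strict rp_filter would drop one side.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$NET_IF.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$CLIENT_IF.rp_filter=0"
    # Identical address on both interfaces, as in the message.
    run ip addr add "$SHARED_IP" dev "$NET_IF"
    run ip addr add "$SHARED_IP" dev "$CLIENT_IF"
    # Mark by ingress interface; filter-table rules can then treat the
    # packets as ordinary traffic and only the routing decision sees the mark.
    run iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -j MARK --set-mark "$MARK_FROM_CLIENT"
    run iptables -t mangle -A PREROUTING -i "$NET_IF" -j MARK --set-mark "$MARK_FROM_NET"
    # Policy routing: pick the table by mark.
    run ip rule add fwmark "$MARK_FROM_CLIENT" table "$TABLE_TO_NET"
    run ip rule add fwmark "$MARK_FROM_NET" table "$TABLE_TO_CLIENT"
    # Everything from the client side leaves through the upstream gateway.
    run ip route add default via "$NET_GW" dev "$NET_IF" table "$TABLE_TO_NET"
    run ip route flush cache
}

# add_client_route: on-demand /32 host route into the client net, the only
# way traffic marked MARK_FROM_NET reaches a client in TABLE_TO_CLIENT.
add_client_route() {
    run ip route add "$1/32" dev "$CLIENT_IF" table "$TABLE_TO_CLIENT"
}
```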