I have an Internet connection with 5 static IP addresses (a /29 subnet), using a DSL modem, and also a LAN with private IP addresses. I have a standard 3-NIC Linux firewall box. No PPPoE or USB is needed, it just connects to a basic Ethernet DSL modem that does its job. This Linux setup is great. My uptime is over 460 days! eth0 = DSL modem to the Internet eth1 = public static IP addresses (our DMZ) eth2 = private IP addresses (behind NAT provided by the Linux box) br0 = eth0 + eth1 Our Internet connection has a gateway on the same subnet as our static IP addresses! (Like many people, we don't have a proper /30 routing subnet, because of the IP address shortage. So, the untrusted gateway is on the same subnet that contains our production machines. This "fox in the henhouse" problem necessitates the use of a bridging firewall.) So, I've bridged eth0 and eth1 into br0. This works well. I have firewall rules set up to be very careful about what traffic is allowed onto our DMZ network (the public /29 subnet). From the DSL modem's point of view, all machines are on the same subnet, so routing and ARP works great. The Linux box acts as a filter for what packets are actually allowed to reach my other machines, though, which is good. The Linux box also provides NAT for other machines not on the DMZ, via private IP addresses. Everything's routed through the Linux box. So, we have 2 LAN's: one for the public IP addresses, and another for the private IP addresses. Both DMZ machines and private machines are able to reach each other via TCP/IP, and it works great. There's no connectivity issues here at all. Even Windows network neighborhood, with Samba running a WINS server and Linux serving it via DHCP, works great and all machines can be seen, even across these two LAN's. All machines can see the Internet, of course. I'm running a 2.2 kernel. (I haven't upgraded to 2.4 yet, because I hear there's still some problems with bridging firewalls like this.) I do have a slight problem, though. Some people want to play a multiplayer game that only speaks IPX. It needs to run between the DMZ machines and the private machines. I don't have any Novell software runnning, and I don't want to have to set up an IPX program on my Linux box to handle IPX packets. What I would love to do is blindly pass IPX packets back and forth. I don't want to do any processing whatsoever on IPX packets. I just want to be a transparent bridge for them. Is this possible? My understanding of IPX is limited, but it is very good at just finding other machines on the network automatically via broadcast, without needing any configuration whatsoever. This makes it useful for multiplayer games, and was heavily used back in the days of DOS, before TCP/IP became mainstream. I already have a TCP/IP bridge running between eth0 and eth1. Would it also be possible to run an IPX bridge between eth1 and eth2, without disrupting the first bridge? Is is possible for bridges to coexist like this, using the protocol to separate them, so that they don't overlap with each other? What I want to very much avoid having to do is to have all 3 NIC's bound together in one huge bridge. This would lead to many routing problems, it would seem. Advice is appreciated :) Thanks! Josh
