Subject: Re: NetBSD-based repeater
To: Chris Jones <>
From: Anders Magnusson <>
List: tech-net
Date: 02/09/1999 20:47:41
> Much to my dismay, my bosses have decided that we need a firewall.
> What really dismays me, however, is the fact that the network people
> appear unwilling or unable to provide us with a subnet for the
> machines that need to go behind the firewall.
> My original plan was to start by turning a BSD box into a router, and
> then install ipf, and gradually crank down the security until we get
> something reasonable.  However, I don't know how to make this thing be
> a router if there aren't discrete subnets to route between.  Is it
> even possible to turn a BSD box into something like an ethernet
> repeater?
> I was thinking that, if all else fails, I can run proxy ARP on it,
> with a static, manually-maintained table of ethernet addresses.  Then
> I could add a route for each of these hosts, pointing out the correct
> interface.
The thing is: The IP stack can't forward between "illegal" subnets
(even if the routing table is able to handle it). What you can do to
make a simple solution is to have a "real" net number on one interface,
and a fake number on the other ( Then you add static routes
for the machines on the fake interface. 
Arp can't be handled via the built-in arp functionality (it will reply
on the wrong interface), so you should get the arp daemon from and configure it to give the correct
ethernet replies for the machines that are isolated from each other.
We use this to make a NetBSD router act like an IP bridge in many places.

-- Ragge
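An added illustration of the setup Ragge describes, not code from the thread or from NetBSD: a small simulation of the "IP bridge" behaviour, where every host sits in one undivided prefix, each host has a static route pointing out the interface it is really attached to, and a proxy-ARP responder answers only when the target is reachable through a different interface than the one the request came in on. The interface names (fxp0/fxp1), addresses and MACs are constructed for the example.

```python
# Added example (not from the mailing-list post): simulate a router acting as
# an IP bridge between two wires that share one subnet number.  Hosts are
# placed behind the router by a static host table (the "static routes"),
# and a proxy-ARP responder makes the other side reach them via the router.
# Interface names, IPs and MACs are made up for illustration.

from dataclasses import dataclass

# The router's own MAC on each interface (constructed values).
ROUTER_MAC = {"fxp0": "00:00:00:aa:00:00", "fxp1": "00:00:00:bb:00:00"}

# Static host table: IP -> interface the host is physically attached to.
# All hosts live in 192.0.2.0/24; nobody handed us a separate subnet.
HOST_IFACE = {
    "192.0.2.10": "fxp0",  # outside, unfiltered side
    "192.0.2.11": "fxp0",
    "192.0.2.20": "fxp1",  # inside, behind the packet filter
    "192.0.2.21": "fxp1",
}


@dataclass
class ArpRequest:
    iface: str       # interface the request was heard on
    sender_ip: str
    target_ip: str


def proxy_arp_reply(req: ArpRequest):
    """Return the MAC to answer with, or None to stay silent.

    The responder answers only when the target is a known host attached to
    a *different* interface than the one the request arrived on; a host on
    the same wire answers for itself.  The reply carries the router's MAC
    on the requesting interface, so the requester sends via the router.
    """
    target_if = HOST_IFACE.get(req.target_ip)
    if target_if is None or target_if == req.iface:
        return None
    return ROUTER_MAC[req.iface]


def forward(in_iface: str, dst_ip: str):
    """Output interface chosen by the host routes, or None to drop.

    A packet is never bounced back out the interface it came in on: if the
    destination is on the same wire as the sender, the router has no role.
    """
    out_if = HOST_IFACE.get(dst_ip)
    if out_if is None or out_if == in_iface:
        return None
    return out_if


def simulate(requests):
    """Run a list of ARP requests through the responder; return (request, reply)."""
    return [(r, proxy_arp_reply(r)) for r in requests]


if __name__ == "__main__":
    # Constructed traffic: an outside host looks for an inside host and for
    # a neighbour on its own wire; an inside host looks for an outside host.
    sample = [
        ArpRequest("fxp0", "192.0.2.10", "192.0.2.20"),  # answered on fxp0
        ArpRequest("fxp0", "192.0.2.10", "192.0.2.11"),  # same wire: silent
        ArpRequest("fxp1", "192.0.2.20", "192.0.2.10"),  # answered on fxp1
    ]
    for req, reply in simulate(sample):
        print(f"{req.iface}: who-has {req.target_ip} from {req.sender_ip} -> "
              f"{reply or 'no reply'}")
```

The decision in `proxy_arp_reply` is the whole point of using a separate ARP daemon: the answer must be sent on the interface the question arrived on, with that interface's MAC, and only for hosts that are actually on the far side.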