Bridging and using the interfaces concurrently

Eygene Ryabinkin rea-fbsd at codelabs.ru
Fri Jun 19 08:55:07 UTC 2009


Axel, good day.

Thu, Jun 18, 2009 at 09:10:19PM +0200, Axel Reinhold wrote:
> Since I would have to pay extra charges to get the "second"
> server also connected to the internet, I thought of bridging
> the em0 and em1 of "first" and to alias another IP for the
> second server (I have more IPs in the data-center left) on
> "second"'s em1.
>
> Is this possible? What would i have to setup?
> The private 192.168.102/24 network should remain intact!

NAT the "second" box on your "first" one and that's it.  Bridging
won't help much here, because your "second"s IPs are unroutable, so
someone will still need to translate them.  If your intention is to
provide only client-level connectivity to the "second" box (when it
initiates all connections), simple NAT will work.  If you need some
port to be opened at the "second" host and it should be reachable
from the outside, then you'll additionally need port mirroring.

Or, if you really want to spend an extra IP for the second box, then
just binat (in the terms of pf.conf(5)) your private address to the
second IP on the "first" server.

The exact solution for NAT depends on the firewall type you're using on
the "first" server.  For ipfw you probably should look at the natd(8),
for ipfilter -- at ipnat(8), for pf -- at pf(4) and pf.conf(5).  Maybe
netgraph(4) will be of some help, but this adds some extra complexity
for people who aren't familiar with Netgraph concepts and tools.


If you really want bridging, then the easiest thing will be to create
two VLAN (if_vlan(4)) interfaces on your link between two servers: one
VLAN for the 192.168.102/24 network and one for the public network.
After this, packets from 192.168 will flow as they flowed before, and
you should bridge the external interface of "first" with the second VLAN
interface on that host.  Put your extra external IP on the other side of
the VLAN interface and it should do what you need.

NAT should be easier, bridging should be faster, but the difference
strongly depends on the type of traffic and usage of the inter-server
link.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
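The NAT options the reply lists, written out as a pf.conf(5) fragment for the "first" server.  This is an added example, not configuration from the thread or from the FreeBSD project.  It assumes em0 faces the Internet and em1 is the link to "second", that "second" is 192.168.102.2 on the private /24, and uses 203.0.113.10 (RFC 5737 TEST-NET-3) as a placeholder for the spare public address.  The inbound case the reply describes (a port on "second" reachable from outside) is an rdr rule in pf terms; the 1:1 mapping onto the spare address is binat.

```pf
# /etc/pf.conf on "first" -- added example; interface roles and all
# addresses are assumptions, not values from the original post.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.102.0/24"
second  = "192.168.102.2"
pub_ip  = "203.0.113.10"

set skip on lo0
scrub in all

# Translation rules.  pf evaluates binat before nat for outbound packets
# and rdr before binat for inbound ones, so the three rules below can
# coexist: "second" gets the dedicated address, any other private host
# shares the address of em0.  Keep only the ones you actually need.

# Plain NAT: enough when "second" only initiates connections.
nat on $ext_if from $int_net to any -> ($ext_if)

# Reach one service on a NATed host: outside port 2222 -> second:22.
rdr on $ext_if proto tcp from any to ($ext_if) port 2222 -> $second port 22

# Spend the spare public IP on a 1:1 mapping in both directions.
# $pub_ip must also be configured as an alias on $ext_if so that
# "first" answers ARP for it.
binat on $ext_if from $second to any -> $pub_ip

# Filter rules.  Translation happens before filtering, so the inbound
# rule matches the private address in both the rdr and the binat case.
block in log all
pass out quick keep state
pass in on $int_if from $int_net to any keep state
pass in on $ext_if proto tcp from any to $second port 22 keep state
```

For this to work "first" has to forward packets (`gateway_enable="YES"` in rc.conf, i.e. net.inet.ip.forwarding=1), run pf (`pf_enable="YES"`), and carry the spare address as an alias on em0 (`ifconfig_em0_alias0="inet 203.0.113.10 netmask 255.255.255.255"`); "second" needs 192.168.102.1 as its default route.  Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.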

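The VLAN-plus-bridge variant sketched in the reply, as rc.conf(5) fragments for both hosts.  This is an added example, not configuration from the thread or from the FreeBSD project.  Assumptions: em1 on both machines is the inter-server link, VLAN 102 carries the private 192.168.102.0/24 and VLAN 200 carries the public segment; 203.0.113.0/24 with .1 as the data-center gateway, .5 for "first" and .10 for "second" are RFC 5737 placeholders.  The VLAN IDs are arbitrary.

```sh
# /etc/rc.conf fragments -- added example; interface roles, VLAN IDs and
# addresses are assumptions, not values from the original post.

# --- on "first" ---
cloned_interfaces="vlan102 vlan200 bridge0"
ifconfig_em1="up"                      # now carries tagged frames only
# private network keeps working, just tagged as VLAN 102
ifconfig_vlan102="inet 192.168.102.1 netmask 255.255.255.0 vlan 102 vlandev em1"
ifconfig_vlan200="up vlan 200 vlandev em1"
# em0 (Internet) and vlan200 become one layer-2 segment; the public
# address of "first" itself moves from em0 onto the bridge interface.
ifconfig_em0="up"
ifconfig_bridge0="inet 203.0.113.5 netmask 255.255.255.0 addm em0 addm vlan200 up"
defaultrouter="203.0.113.1"

# --- on "second" ---
cloned_interfaces="vlan102 vlan200"
ifconfig_em1="up"
ifconfig_vlan102="inet 192.168.102.2 netmask 255.255.255.0 vlan 102 vlandev em1"
# the spare public address sits directly on the bridged VLAN
ifconfig_vlan200="inet 203.0.113.10 netmask 255.255.255.0 vlan 200 vlandev em1"
defaultrouter="203.0.113.1"
```

Two things to check before relying on this: the address family keyword (`inet`) has to be the first argument in an `ifconfig_*` string, because ifconfig(8) reads the family before any parameters such as `addm`; and "second" is now a host on the public segment in its own right, so it needs its own packet filter.  By default FreeBSD still runs pf on bridge member interfaces (see `sysctl net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge`), so rules on em0 of "first" also apply to bridged traffic, but that is a second line of defence, not a replacement for filtering on "second".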