DSL Bridge Hack

DSL PPP Bridging hack
If your ISP doesn't support bridging mode, and you want to put a firewall behind your cisco 678 dsl modem, you'll need a second IP - or so your ISP will tell you. With this neat hack (thanks bilbo!), you can set it all up with just one static IP.

So, it'll look like this:

Internet -> Cisco 678 -> Firewall -> Internal NAT'd lan

I used OpenBSD for my firewall, so that's what i'll use in my description.

The basic idea here is that your ISP will route all of your packets to your router, regardless of your router's IP address. That's just how ppp works. So, what we do is set our internal interface on our cisco to a private ip -- 192.168.0.1. Then, we alias our external interface on our firewall to 192.168.0.2 and set the primary IP of the same interface to our assigned static IP address. Then, set the internal address on your firewall to an address family other than 192.168.0.0 (for example 10.0.0.0/24).

The cisco config: en set nvram erase write reboot

en set int wan0-0 disable set int wan0-0 close set int wan0-0 vpi 0 set int wan0-0 vci 32 set int wan0-0 enable set ppp wan0-0 login username set ppp wan0-0 password flubbernuts set ppp restart enabled set broadcast forwarding disabled set web disabled set rip disabled set interface eth0 address 192.168.0.1 set password exec badonkadonk set password enable badonkadonk write reboot

en set route add ip my_static_ip gw 192.168.0.2 write reboot

Then, on the firewall, set your external interface to nat all packets from either 192.168.0.0/24 or 10.0.0.0/24 to your public IP addy. Make sure you have your inet address on that external interface set to your static, and aliased to 192.168.0.2. Don't forget to set the default gateway to 192.168.0.1.