[Bridge] How to blindly pass IPX packets between LAN's?

JoSH Lehan krellan at krellan.com
Wed Jul 23 19:34:16 PDT 2003

I have an Internet connection with 5 static IP addresses (a /29 subnet), 
using a DSL modem, and also a LAN with private IP addresses.

I have a standard 3-NIC Linux firewall box.  No PPPoE or USB is needed, 
it just connects to a basic Ethernet DSL modem that does its job.  This 
Linux setup is great.  My uptime is over 460 days!

eth0 = DSL modem to the Internet
eth1 = public static IP addresses (our DMZ)
eth2 = private IP addresses (behind NAT provided by the Linux box)
br0  = eth0 + eth1

Our Internet connection has a gateway on the same subnet as our static 
IP addresses!  (Like many people, we don't have a proper /30 routing 
subnet, because of the IP address shortage.  So, the untrusted gateway 
is on the same subnet that contains our production machines.  This "fox 
in the henhouse" problem necessitates the use of a bridging firewall.)

So, I've bridged eth0 and eth1 into br0.  This works well.  I have 
firewall rules set up to be very careful about what traffic is allowed 
onto our DMZ network (the public /29 subnet).  From the DSL modem's 
point of view, all machines are on the same subnet, so routing and ARP 
works great.  The Linux box acts as a filter for what packets are 
actually allowed to reach my other machines, though, which is good.

The Linux box also provides NAT for other machines not on the DMZ, via 
private IP addresses.  Everything's routed through the Linux box.  So, 
we have 2 LAN's: one for the public IP addresses, and another for the 
private IP addresses.

Both DMZ machines and private machines are able to reach each other via 
TCP/IP, and it works great.  There are no connectivity issues here at all. 
Even Windows network neighborhood, with Samba running a WINS server 
and Linux serving it via DHCP, works great and all machines can be seen, 
even across these two LAN's.  All machines can see the Internet, of course.

I'm running a 2.2 kernel.  (I haven't upgraded to 2.4 yet, because I 
hear there's still some problems with bridging firewalls like this.)

I do have a slight problem, though.

Some people want to play a multiplayer game that only speaks IPX.  It 
needs to run between the DMZ machines and the private machines.

I don't have any Novell software running, and I don't want to have to 
set up an IPX program on my Linux box to handle IPX packets.  What I 
would love to do is blindly pass IPX packets back and forth.  I don't 
want to do any processing whatsoever on IPX packets.  I just want to be 
a transparent bridge for them.

Is this possible?  My understanding of IPX is limited, but it is very 
good at just finding other machines on the network automatically via 
broadcast, without needing any configuration whatsoever.  This makes it 
useful for multiplayer games, and was heavily used back in the days of 
DOS, before TCP/IP became mainstream.

I already have a TCP/IP bridge running between eth0 and eth1.  Would it 
also be possible to run an IPX bridge between eth1 and eth2, without 
disrupting the first bridge?  Is it possible for bridges to coexist like 
this, using the protocol to separate them, so that they don't overlap 
with each other?  What I want to very much avoid having to do is to have 
all 3 NIC's bound together in one huge bridge.  This would lead to many 
routing problems, it would seem.

Advice is appreciated :)