5861 in Bridge mode

I've got a 5861 with the latest software, v5.3.80 and am trying to get
it working in bridge mode so I can use a proper firewall behind it.

It connects OK, but then gives up with Peer not negotiating `BNCP' right
now. I've raised a call with the ISP but am still waiting for a
response. All the information I can find indicates that it should just
work, but looking at this error it indicates the ISP does not support
the bridge architecture.

10/07/2003-19:12:51MT: Line Opening...
10/07/2003-19:13:07MT: Line Open: Downstream: 576 Kb/s Upstream: 288
Kb/s
10/07/2003-19:13:07OD: connecting to <internet> using 0*38 over
ATM-VC/2
10/07/2003-19:13:10:PPP: remote <internet> will authenticate
10/07/2003-19:13:10:PPP: remote <internet> will authenticate
10/07/2003-19:13:20OD: link to internet over ATM-VC/2 is now up
10/07/2003-19:13:20:PPP: Peer not negotiating `BNCP' right now


--
Steve

PPP: Peer not negotiating <IP | BNCP | IPX | CCP> right now
Explanation: One end of the network is not negotiating the same protocol
as the other end.

I'd say look at UK-bug as there is a section on setting bridge
mode....but it's not up at the moment

Steve

Steve Cargill wrote:
> I've got a 5861 with the latest software, v5.3.80 and am trying to get
> it working in bridge mode so I can use a proper firewall behind it.
>
> It connects OK, but then gives up with Peer not negotiating `BNCP' right
> now. I've raised a call with the ISP but am still waiting for a
> response. All the information I can find indicates that it should just
> work, but looking at this error it indicates the ISP does not support
> the bridge architecture.
>
> 10/07/2003-19:12:51MT: Line Opening...
> 10/07/2003-19:13:07MT: Line Open: Downstream: 576 Kb/s Upstream: 288
> Kb/s
> 10/07/2003-19:13:07OD: connecting to <internet> using 0*38 over ATM-VC/2
> 10/07/2003-19:13:10:PPP: remote <internet> will authenticate
> 10/07/2003-19:13:10:PPP: remote <internet> will authenticate
> 10/07/2003-19:13:20OD: link to internet over ATM-VC/2 is now up
> 10/07/2003-19:13:20:PPP: Peer not negotiating `BNCP' right now
>
>

In article <d0MrSeCFsak$(E-Mail Removed)>
Steve Cargill <(E-Mail Removed)> wrote:

>I've got a 5861 with the latest software, v5.3.80 and am trying to get
>it working in bridge mode so I can use a proper firewall behind it.

That's not going to work. "Bridge mode" in this case refers to MAC
Encapsulated Routing (RFC 1483), and is not supported on BT's DSL
network.

Use PPPoA (or PPPoE if you have a need for it and it works for you) to
obtain a routed connection. Then place a filtering bridge between the
5861 and the rest of the network.

You can construct a filtering bridge with a spare machine, two network
cards, and either OpenBSD (pf) or FreeBSD (ipfw2). You can also have
bandwidth management with them: ALTQ and 'Dummynet' respectively. You
can either manage it out-of-band (in which case it will not require an
IP address), or through one of the interfaces, should you allocate it an
address.

--
James MacDonald

In message <SwqRcS0ISck$(E-Mail Removed)>, James MacDonald
<(E-Mail Removed)> writes
>In article <d0MrSeCFsak$(E-Mail Removed)>
>Steve Cargill <(E-Mail Removed)> wrote:
>
>>I've got a 5861 with the latest software, v5.3.80 and am trying to get
>>it working in bridge mode so I can use a proper firewall behind it.
>
>That's not going to work. "Bridge mode" in this case refers to MAC
>Encapsulated Routing (RFC 1483), and is not supported on BT's DSL
>network.
>
>Use PPPoA (or PPPoE if you have a need for it and it works for you) to
>obtain a routed connection. Then place a filtering bridge between the
>5861 and the rest of the network.
>
>You can construct a filtering bridge with a spare machine, two network
>cards, and either OpenBSD (pf) or FreeBSD (ipfw2). You can also have
>bandwidth management with them: ALTQ and 'Dummynet' respectively. You
>can either manage it out-of-band (in which case it will not require an
>IP address), or through one of the interfaces, should you allocate it
>an address.
>

That's is not what I wanted to hear James :-(

I've already got one site with a cable modem and PIX behind that working
well and I wanted to set the other site up, on ADSL, the same. I want
the PIX to be the outer boundary and handle NAT etc and not the ADSL
modem.

Looks like my options are limited then.

--
Steve

On Sun, 19 Oct 2003 07:31:36 +0100, Steve Cargill <(E-Mail Removed)>
wrote:

>
>
>Looks like my options are limited then.

They shouldnt be, routers such as a the speedtouch 510 support PPP half
bridge mode on UK DSL (its discussed in the reviews @ www.adslguide.org.uk)

and I would assume the 5861 should provide similar functionality.


I assume you only have a /30 to play with, hence the need.


greg


--
$ReplyAddress =~ s#\@.*$##; # Delete everything after the '@'
The Following is a true story.....
Only the names have been changed to protect the guilty.

Hi,

The D-Link 300G+ is an Ethernet Adsl "modem" which will acheive what I
understand you are trying to do.

I currently have the above device connected to a Cisco 1710 router, the
"external ethernet" address on the router I have set to my ISP's allocated
address and the D-Link box appears completely transparent. It took me a
little while to figure out that the D-Link box on powering up picks the MAC
address of the first device it comes across and won't talk to another device
until a power cycle. This is important as the device is configured via a web
interface for ISP details etc. In the end I simply added a manual route on
the Cisco router to direct any traffic 192.168.0.1 (the default shipping
address of the D-link) to the external ethernet port on the cisco. This then
meant configuration of the D-link could be done from any PC on the network.

Hope this helps.

Roly.


"Steve Cargill" <(E-Mail Removed)> wrote in message
news:mc$lo+AI$ik$(E-Mail Removed)...
> In message <SwqRcS0ISck$(E-Mail Removed)>, James MacDonald
> <(E-Mail Removed)> writes
> >In article <d0MrSeCFsak$(E-Mail Removed)>
> >Steve Cargill <(E-Mail Removed)> wrote:
> >
> >>I've got a 5861 with the latest software, v5.3.80 and am trying to get
> >>it working in bridge mode so I can use a proper firewall behind it.
> >
> >That's not going to work. "Bridge mode" in this case refers to MAC
> >Encapsulated Routing (RFC 1483), and is not supported on BT's DSL
> >network.
> >
> >Use PPPoA (or PPPoE if you have a need for it and it works for you) to
> >obtain a routed connection. Then place a filtering bridge between the
> >5861 and the rest of the network.
> >
> >You can construct a filtering bridge with a spare machine, two network
> >cards, and either OpenBSD (pf) or FreeBSD (ipfw2). You can also have
> >bandwidth management with them: ALTQ and 'Dummynet' respectively. You
> >can either manage it out-of-band (in which case it will not require an
> >IP address), or through one of the interfaces, should you allocate it
> >an address.
> >
>
> That's is not what I wanted to hear James :-(
>
> I've already got one site with a cable modem and PIX behind that working
> well and I wanted to set the other site up, on ADSL, the same. I want
> the PIX to be the outer boundary and handle NAT etc and not the ADSL
> modem.
>
> Looks like my options are limited then.
>
> --
> Steve

In article <mc$lo+AI$ik$(E-Mail Removed)>
Steve Cargill <(E-Mail Removed)> wrote:

>In message <SwqRcS0ISck$(E-Mail Removed)>, James MacDonald
><(E-Mail Removed)> writes

>>In article <d0MrSeCFsak$(E-Mail Removed)>
>>Steve Cargill <(E-Mail Removed)> wrote:

>>>I've got a 5861 with the latest software, v5.3.80 and am trying to
>>>get it working in bridge mode so I can use a proper firewall behind it.

>>That's not going to work. "Bridge mode" in this case refers to MAC
>>Encapsulated Routing (RFC 1483), and is not supported on BT's DSL
>>network.

[snip]

>That's is not what I wanted to hear James :-(

>I've already got one site with a cable modem and PIX behind that
>working well and I wanted to set the other site up, on ADSL, the same.

You can do that. But you'll need a /30 (two addresses), or preferably a
/29 (five). Eclipse will let you have a /29 without too much hassle, but
since it seems you've already chosen your ISP, you might want to ask if
they can allocate you some more addresses.

>I want the PIX to be the outer boundary and handle NAT etc and not the
>ADSL modem.

That's easy with more than one static address allocated to the DSL line:
your router will have address x, and the PIX x+1. Because the PIX has a
static address you can perform NAT on it, and have it appear to be the
source of all your traffic.

It doesn't matter that the DSL router is really the "outer boundary": if
it passes everything in both directions, and is only connected to your
firewall, it's no problem.

>Looks like my options are limited then.

You can look at a SpeedTouch 510 as Greg suggests. The "DHCP Spoofing"
mode works reasonably well, but you can no longer manage your router, as
it effectively becomes a bridge. But your PIX will have an effectively
static address if you do this.

Bottom line: yes, it's possible, but you really need more addresses.

--
James MacDonald

In message <3f91c1a9$0$107$(E-Mail Removed)>, eusty
<steve@I_DONT_LIKE_SPAM.co.uk> writes
>PPP: Peer not negotiating <IP | BNCP | IPX | CCP> right now
>Explanation: One end of the network is not negotiating the same
>protocol as the other end.
>
>I'd say look at UK-bug as there is a section on setting bridge
>mode....but it's not up at the moment
>
>Steve
>
[SNIP]

....And it is still down. Temporary hitch or has it gone?

--
Steve