Bridge mode and Router mode

I see these terms used in all the blurbs about different modems/routers,
but cannot find a definition of them anywhere.

Would I be right in supposing that

"Bridge Mode" means the IP address you are given passes straight through
to you computer, and that is the address with which you communicate to the
world.

"Router Mode" means that NAT is invoked at some point, so the way the
internet connection appears from within your computer is not the same as
the way it is seen on the internet side.

So what, in that case, is "half bridging"?

The situation I want to set up, using a 4-port router and two computers C1
and C2) is that C1 sees exactly what the internet sees, C2 cannot see the
internet directly at all, but C2 and C1 can interact (e.g. by NFS mounts)
via the router, probably using 192.168.0.* addresses (for C2 at least).
Does that make sense?

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: (E-Mail Removed) Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

On Mon, 5 Jun 2006 16:56:43 GMT, "Charles Lindsey"
<(E-Mail Removed)> wrote:

>I see these terms used in all the blurbs about different modems/routers,
>but cannot find a definition of them anywhere.
>
>Would I be right in supposing that
>
>"Bridge Mode" means the IP address you are given passes straight through
>to you computer, and that is the address with which you communicate to the
>world.
>
>"Router Mode" means that NAT is invoked at some point, so the way the
>internet connection appears from within your computer is not the same as
>the way it is seen on the internet side.
>
>So what, in that case, is "half bridging"?
>
>The situation I want to set up, using a 4-port router and two computers C1
>and C2) is that C1 sees exactly what the internet sees, C2 cannot see the
>internet directly at all, but C2 and C1 can interact (e.g. by NFS mounts)
>via the router, probably using 192.168.0.* addresses (for C2 at least).
>Does that make sense?

You can do what you want to do easily with any of the newer SpeedTouch
routers. They support a feature called "HyperNAT" which allows you to
allocated the public IP address to one device on the LAN and continue
to issue private IP addresses to the other devices on the LAN. You can
still communicate/route between the devices on the LAN in the
different IP address ranges...

http://www.speedtouch.com/pdf%5Cdata...06WL-780WL.pdf

Simple bridging will not work for what you want to do.

Charles Lindsey wrote:
> I see these terms used in all the blurbs about different modems/routers,
> but cannot find a definition of them anywhere.
>
> Would I be right in supposing that
>
> "Bridge Mode" means the IP address you are given passes straight through
> to you computer, and that is the address with which you communicate to the
> world.
>
> "Router Mode" means that NAT is invoked at some point, so the way the
> internet connection appears from within your computer is not the same as
> the way it is seen on the internet side.
>
> So what, in that case, is "half bridging"?
>
> The situation I want to set up, using a 4-port router and two computers C1
> and C2) is that C1 sees exactly what the internet sees, C2 cannot see the
> internet directly at all, but C2 and C1 can interact (e.g. by NFS mounts)
> via the router, probably using 192.168.0.* addresses (for C2 at least).
> Does that make sense?

My solution would be to keep both computers in the same subnet, but set
up a firewall rule to discard any traffic aimed to or from the WAN
involving the IP/MAC address (or interface, which would be more
foolproof) of C2. If you don't want to use NAT, then for that solution
you'd need at least 3/4 usable, publicly routable IP addresses though,
which would be a bit wasteful.

A router supporting VLANs could do the trick - AIUI, you set some
interfaces to be in one subnet, and the rest go into another. So put the
router into NO-NAT mode, give C1 a publicly routable IP address, and put
C2 in a seperate VLAN on (e.g.) 192.168.x.x -- same firewall rule as
before.

Bridging mode is probably not a good idea if you have more than one PC
connected to the (well, bridge if you turned it on ); you can have a
NO-NAT configuration in routed mode. Apart from that, I dont' really
know much about them I'm afraid.

HTH in some way...

xF,

....Nick

In <(E-Mail Removed)> Moonshine <(E-Mail Removed)> writes:

>On Mon, 5 Jun 2006 16:56:43 GMT, "Charles Lindsey"
><(E-Mail Removed)> wrote:

>>The situation I want to set up, using a 4-port router and two computers C1
>>and C2) is that C1 sees exactly what the internet sees, C2 cannot see the
>>internet directly at all, but C2 and C1 can interact (e.g. by NFS mounts)
>>via the router, probably using 192.168.0.* addresses (for C2 at least).
>>Does that make sense?

>You can do what you want to do easily with any of the newer SpeedTouch
>routers. They support a feature called "HyperNAT" which allows you to
>allocated the public IP address to one device on the LAN and continue
>to issue private IP addresses to the other devices on the LAN. You can
>still communicate/route between the devices on the LAN in the
>different IP address ranges...

I looked at the Speedtouch ST546, but it didn't mention that feature. It
seems that "Hyper-NAT" is a speedtouch-only invention. Yes, I shall look
at it, but in the meantime I like to look of the Netgear DG834 (mainly
because the Netgear website is _very_ comprehensive, which is more than
can be said of the Speedtuch one, or most others.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: (E-Mail Removed) Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

On Wed, 7 Jun 2006 16:15:04 GMT, "Charles Lindsey"
<(E-Mail Removed)> wrote:

>In <(E-Mail Removed)> Moonshine <(E-Mail Removed)> writes:
>
>>On Mon, 5 Jun 2006 16:56:43 GMT, "Charles Lindsey"
>><(E-Mail Removed)> wrote:
>
>>>The situation I want to set up, using a 4-port router and two computers C1
>>>and C2) is that C1 sees exactly what the internet sees, C2 cannot see the
>>>internet directly at all, but C2 and C1 can interact (e.g. by NFS mounts)
>>>via the router, probably using 192.168.0.* addresses (for C2 at least).
>>>Does that make sense?
>
>>You can do what you want to do easily with any of the newer SpeedTouch
>>routers. They support a feature called "HyperNAT" which allows you to
>>allocated the public IP address to one device on the LAN and continue
>>to issue private IP addresses to the other devices on the LAN. You can
>>still communicate/route between the devices on the LAN in the
>>different IP address ranges...
>
>I looked at the Speedtouch ST546, but it didn't mention that feature. It
>seems that "Hyper-NAT" is a speedtouch-only invention. Yes, I shall look
>at it, but in the meantime I like to look of the Netgear DG834 (mainly
>because the Netgear website is _very_ comprehensive, which is more than
>can be said of the Speedtuch one, or most others.

Charles,

Its mentioned briefly in section 4.6.3 of the user guide

http://www.speedtouch.com/documentat..._UserGuide.pdf

HTH

In <(E-Mail Removed)> "Charles Lindsey" <(E-Mail Removed)> writes:

>I looked at the Speedtouch ST546, but it didn't mention that feature. It
>seems that "Hyper-NAT" is a speedtouch-only invention. Yes, I shall look
>at it, but in the meantime I like to look of the Netgear DG834 (mainly
>because the Netgear website is _very_ comprehensive, which is more than
>can be said of the Speedtuch one, or most others.

Yes, having found the right document (impossible to reach it by any
logical progression in the speedtouch website, but Google found it), it
looks quite good. And the ST 546 does have the feature (provided it has
the latest firmware).

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: (E-Mail Removed) Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

In <(E-Mail Removed)> "Charles Lindsey" <(E-Mail Removed)> writes:

>Yes, having found the right document (impossible to reach it by any
>logical progression in the speedtouch website, but Google found it), it
>looks quite good. And the ST 546 does have the feature (provided it has
>the latest firmware).

The document I found was
http://www.speedtouch.com%2Fpdf%255C...06WL-780WL.pdf
and it contains an excellent description of NAT and all its variants, and
of how to set them up.

But nowhere could I find a link to that document from anywhere else on the
speedtouch site.

And Google could not find a link to it either (but then I could not
persuade Google to find links that I _knew_ to exist - has anyone had any
experience of asking Google to find links?).

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: (E-Mail Removed) Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

On Fri, 9 Jun 2006, Charles Lindsey wrote:

> The document I found was
> http://www.speedtouch.com%2Fpdf%255C...06WL-780WL.pdf

*WHAT*? That looks to be like a highly mangled version of the fairly
straightforward URL:

http://www.speedtouch.com/pdf/datasheet706WL-780WL.pdf

except that at some point, one of the "/" had been replaced by "\".

> But nowhere could I find a link to that document from anywhere else
> on the speedtouch site.

Ah, they provided the garble themselves. It's referenced from
http://www.speedtouchdsl.com/prod706.htm , at least, but with their
URL having a backslash where a web user would expect a forward slash.

Ho hum, their web server comes from the place that silently repairs
such differences.[1]

> And Google could not find a link to it either

I can't, at the moment, tell exactly what they've done to avoid
getting into the search engine. But staying out of search engines
seems to be a popular vendor technique to make it hard to find
information on their web site by any means which they haven't
implemented themselves. (Other vendors have the perspicacity to take
advantage of such third-party traffic!)

At first I thought it was because they'd hidden their URLs in
javascript; but elsewhere there are regular links to these PDFs.
However, for *these* specific PDFs they seem to have consistently
misrepresented one "/" in the URL as "\". They have other links to
PDFs where they haven't made that blunder, and then google is quite
happy: try e.g pasting this into a normal google search field:
link:http://www.speedtouchdsl.com/pdf/overview_brochure.pdf

So in this case it may be that they aren't deliberately trying to hide
the information from search engines, but they just can't get their
URLs quite right, and are confusing google.

> has anyone had any experience of asking Google to find links?).

Works well IME, for properly made web pages.

[1] Hmmm, odd: RFC1738 definitely rated "\" as an "unsafe" character,
requiring it to be %-encoded when needed in a URL. But RFC3986, which
"updates" RFC1738, seems to have dropped "\" as anything special,
meaning that I guess it's now permissible for it to appear unencoded
in URLs, see

http://www.gbiv.com/protocols/uri/rf....html#reserved

But see "security considerations",
http://www.gbiv.com/protocols/uri/rf...ty-transcoding

ho hum

In <(E-Mail Removed). ac.uk> "Alan J. Flavell" <(E-Mail Removed)> writes:

>On Fri, 9 Jun 2006, Charles Lindsey wrote:

>> The document I found was
>> http://www.speedtouch.com%2Fpdf%255C...06WL-780WL.pdf

>*WHAT*? That looks to be like a highly mangled version of the fairly
>straightforward URL:

> http://www.speedtouch.com/pdf/datasheet706WL-780WL.pdf

Well actually, it turned out that was not the page I had downloaded before
(small changes in what you Google for can make a difference :-( ).

The one I had actually found was
http://www.speedtouch.nl/docs/Config...e_HyperNAT.pdf
which only seesm to exist on their Dutch site. But something similar
appears on their main site under
http://www.speedtouch.com/interface/...nat&topic=init
which is in HTML, and _much_ harder to read. And that is linked from
http://www.speedtouch.com/appnotesconfguides.htm

And that too in a very interesting page, with pointers to all sorts of
goodies, but again it seems to be an orphan - Google cannopt find any
links to it, and I have found no way there from their Home Page.

Eventually, I found links to it from
http://www.speedtouch.com/support.htm
but only under their products 605/08/10/20, so does it or does it not
apply to the 546 (the text itself make no mention of models - just to
Firmware R5.3.3 (which is indeed provided on the 546).

And on top of all that, www.speedtouch.co.uk will tell you about special
UK firmware (which seems to be available in R5.3 and R5.4 flavours for the
546, but gives totally different pictures of the windows you will see).

Amd to confuse the issue even further, their Home Page can be reached from
either
http://www.speedtouch.com/
or from
http://www.speedtouchdsl.com/

Both are evidently the same site (even though they lead to different IP
addresses).


>I can't, at the moment, tell exactly what they've done to avoid
>getting into the search engine. But staying out of search engines
>seems to be a popular vendor technique to make it hard to find
>information on their web site by any means which they haven't
>implemented themselves. (Other vendors have the perspicacity to take
>advantage of such third-party traffic!)

>At first I thought it was because they'd hidden their URLs in
>javascript; but elsewhere there are regular links to these PDFs.
>However, for *these* specific PDFs they seem to have consistently
>misrepresented one "/" in the URL as "\". They have other links to
>PDFs where they haven't made that blunder, and then google is quite
>happy: try e.g pasting this into a normal google search field:
>link:http://www.speedtouchdsl.com/pdf/overview_brochure.pdf

Yes, that is linked from
http://www.speedtouch.com/prodhome.htm
but how do you get there? Google finds 4 links to it, but all from outside
sites. Their reachable page is called
http://www.speedtouch.com/homeprod_dsl.htm
but that offers no links to the overview_brochure :-(

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: (E-Mail Removed) Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

On Sat, 10 Jun 2006, Alan J. Flavell wrote:

> [1] Hmmm, odd: RFC1738 definitely rated "\" as an "unsafe" character,
> requiring it to be %-encoded when needed in a URL. But RFC3986, which
> "updates" RFC1738, seems to have dropped "\" as anything special,
> meaning that I guess it's now permissible for it to appear unencoded
> in URLs, see
>
> http://www.gbiv.com/protocols/uri/rf....html#reserved
>
> But see "security considerations",
> http://www.gbiv.com/protocols/uri/rf...ty-transcoding

I have to correct myself here. Following discussion elsewhere, it's
clear that the backslash can *not* be included unencoded in a URL. The
same goes for any other characters which rfc3986 does not explicitly
mention -- instead of, as the earlier RFCs did, listing characters
explicitly as unsafe etc., this RFC gives ABNF "productions" for URLs.
Any character which cannot result from those productions would have no
business appearing in a URL (and so would have to be %xx-encoded).

I'm also informed that the security vulnerability which I expected to
find in IIS for failing to reject on this defect was more than merely
hypothetical. See http://www.securityfocus.com/infocus/1755 , which
includes a way of fixing the problem (if it was me, I think I'd
replace the server with Apache...).