Many ISPs allocate a /29 or /30 subnet without allocating a dedicated WAN IP. This can be a bit of an annoyance if you are using a dedicated firewall, or another device requiring a public IP, as well as a router.
For example, if you get a business connection from BT, you generally get an additional WAN IP – for example 1.1.1.1/32, and then your /29 subnet for example 2.2.2.0/29 gets routed to the 1.1.1.1 address.
This makes things much easier when you want to configure a router in front of a firewall – the router gets the WAN IP, you use classical routing and assign the router's LAN interface an IP from your assigned subnet, and you can configure your firewall to use any other IP on the 2.2.2.0/29 subnet.
Unfortunately many ISPs allocate only a subnet with no additional WAN IP. In this case (to avoid double-NATting) you generally need to use some form of bridging.
Some routers (such as Draytek) will do a fairly automatic half-bridge: if you turn off NAT, the router will automatically route any other IPs on the subnet through to its LAN interface. Some other cheap routers have this function, mostly in various degrees of brokenness. An alternative is to do full bridging with a DSL modem and use PPPoE on the firewall, though it's not always an ideal solution.
If you don't want to be replacing broken/overheated cheap modems every few months, something like a Cisco is usually the best bet. Even if it is a bit over-qualified for such a job, Cisco kit generally pays back its premium over the years by not breaking down. The following config sets up a Cisco 857 DSL router for half-bridging, with the router itself doing the authentication and passing through the remainder of the subnet.
In this example, the subnet we are assigned is x.x.x.168/29.
The DSL WAN interface will be assigned x.x.x.169 by the ISP.
We will use x.x.x.170 for the bridged interface.
The firewall behind will use x.x.x.171 and gateway to x.x.x.169. Any traffic for IPs in the range excluding x.x.x.170 or 169 will be routed back to the firewall.
Default/irrelevant config lines have been removed.
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 bridge-group 1
!
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 no cdp enable
 ppp chap hostname myusername@myisp.net
 ppp chap password 0 mypassword
!
interface BVI1
 ip address x.x.x.170 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
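An added example, not part of the original post: a small Python check that reads a config like the one above, confirms the pieces this half-bridge uses are present (IRB enabled, ATM0 and Vlan1 in bridge-group 1, a static BVI1 address), and lists which addresses in the subnet are left for the firewall side. The 203.0.113.168/29 addresses stand in for the masked x.x.x.168/29, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: key lines of the page's config, with x.x.x.168/29 replaced
# by documentation range 203.0.113.168/29. Sub-commands are indented as in IOS.
SAMPLE_CONFIG = """\
bridge irb
interface ATM0
 bridge-group 1
interface Vlan1
 bridge-group 1
interface Dialer0
 ip address negotiated
interface BVI1
 ip address 203.0.113.170 255.255.255.248
bridge 1 route ip
"""

def parse(config):
    """Split an IOS config into global lines and per-interface sub-commands."""
    top, ifs, cur = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifs.setdefault(line.split()[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            top.append(line.strip())
            cur = None
    return top, ifs

def check_half_bridge(config, wan_ip, firewall_ip):
    """Return (problems, addresses that are passed through to the firewall side)."""
    top, ifs = parse(config)
    problems = [f"missing global command: {c}"
                for c in ("bridge irb", "bridge 1 route ip") if c not in top]
    problems += [f"{n} is not in bridge-group 1"
                 for n in ("ATM0", "Vlan1") if "bridge-group 1" not in ifs.get(n, [])]
    addr = [c.split()[2:] for c in ifs.get("BVI1", []) if c.startswith("ip address ")]
    if not addr or len(addr[0]) != 2:
        return problems + ["BVI1 has no static address"], []
    bvi = ipaddress.ip_interface("/".join(addr[0]))  # accepts "ip/netmask"
    hosts = list(bvi.network.hosts())                # excludes network/broadcast
    wan, fw = ipaddress.ip_address(wan_ip), ipaddress.ip_address(firewall_ip)
    for label, ip in (("WAN", wan), ("firewall", fw)):
        if ip not in hosts:
            problems.append(f"{label} {ip} is not a usable host in {bvi.network}")
    if len({wan, fw, bvi.ip}) < 3:
        problems.append("WAN, BVI and firewall addresses must be distinct")
    return problems, [str(h) for h in hosts if h not in (wan, bvi.ip)]
```

Calling `check_half_bridge(SAMPLE_CONFIG, "203.0.113.169", "203.0.113.171")` returns no problems and the four addresses .171 to .174, which are the ones the firewall can use.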