Sunday 3 January 2010

DSL Firewalls and PPP Half Bridges

A PPP Half Bridge lets you extend the public IP address of your network into the LAN. This is useful if you have a firewall that doesn't have its own DSL modem and you want to terminate VPNs on it.

It's also known as DHCP spoofing.


Half bridging is a hack where your DSL modem makes the PPPoA connection to your ISP and is issued a public address, then advertises that same IP back on the LAN with a very short DHCP lease time. It then goes into bridging mode and forwards all traffic to the LAN host, which is therefore effectively connected directly to the internet.

This is useful if you want to avoid NAT for any reason, e.g. to terminate VPNs.
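As a check from the firewall side that the modem really is handing out its public address rather than a NAT'd one, here is an added example (not code from the original post) that decodes a DHCPOFFER and classifies the lease the way the half-bridge mechanism above describes: a public address with a short lease means the half bridge is working. The packets it tests against are constructed, and 203.0.113.x is a documentation-range placeholder for the ISP-issued address.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END, OPT_PAD = 3, 51, 53, 255, 0
# Ranges a half-bridged modem should never hand out: RFC 1918, CGNAT, link-local, loopback.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed BOOTP header and the DHCP option TLVs of one packet."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    op, xid = packet[0], struct.unpack("!I", packet[4:8])[0]
    yiaddr = ipaddress.IPv4Address(packet[16:20])  # 'your' address offered to the client
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}

def classify_offer(packet: bytes, short_lease_max: int = 120) -> str:
    """'half-bridge' if the offered address is public with a short lease, 'nat' if private."""
    info = parse_dhcp(packet)
    addr = info["yiaddr"]
    lease = struct.unpack("!I", info["options"][OPT_LEASE_TIME])[0]
    if any(addr in net for net in NON_PUBLIC):
        return "nat"
    return "half-bridge" if lease <= short_lease_max else "public-long-lease"

def build_offer(yiaddr: str, lease: int, router: str) -> bytes:
    """Constructed sample DHCPOFFER (no real modem traffic) for exercising the classifier."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREPLY, htype, hlen, hops, xid
    hdr += b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed      # ciaddr, yiaddr
    hdr += b"\x00" * (8 + 16 + 64 + 128)                           # siaddr, giaddr, chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 2])                             # message type 2 = OFFER
    opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed + bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts

if __name__ == "__main__":
    # A 60-second lease on a public address is what a working half bridge looks like.
    print(classify_offer(build_offer("203.0.113.10", 60, "203.0.113.1")))    # half-bridge
    print(classify_offer(build_offer("192.168.1.10", 86400, "192.168.1.1")))  # nat
```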

The topology is shown below:

There's a big cost benefit to connecting a firewall device to the DSL connection without requiring a built-in DSL modem.

Cisco's firewall line is the ASA, which has no DSL module available, so the only option is to use an external ADSL router. The low-end box is the 5505, which can be picked up from around £250 depending on which software licence you want.
They also have the 857W (~£300) and the 877W for around £400, which include wireless, VPN capability and DSL ports. However, these are routers, not firewalls. They may be able to run the IOS firewall software, but its performance is not likely to be great.

Juniper used to make a 5GT-ADSL with wireless that did the job nicely, but it has now been replaced by the SSG 5 at around £650, which has wireless but no DSL modem available. The only all-in-one option is to buy an SSG 20 (~£800) and an ADSL expansion card (~£500). The 5GT is still available from eBay for around £200-300 if you don't mind having no support.

The home-brew solutions such as pfSense, Smoothwall and IPCop will also benefit from using the half-bridge option. Run one on something like a PC Engines mini system, which costs under £100, and you'd have a very powerful little box.


Compatible Modems

Not all ADSL routers support half bridging; it's probably fair to assume that most don't. I use an old Origo 8400, which isn't available any more. I think that company is now called Safecom, and they do pop up on ebuyer as the value range from time to time.

The Zyxel P-660R-D1 supports half bridging and is available from around £25 online.

According to certain forums, the Linksys AM200 supports it, as does the Netgear DG834G (but not the GT). Some Draytek models also support it.