Topic: Help with firewall configuration (satellite internet w/ 10 public IP's)
« on: May 20, 2007, 06:09:39 »
iMav *
Posts: 17

Ok, I am over in Iraq and am about to take over an existing two-way satellite service and will be serving 6 people.  I have purchased a WRAP board (3 nic), case, CF card, and power supply (and, obviously, will be running monowall on it).  The satellite ISP provides 10 public IP addresses which are all allocated via DHCP.  The way I see it, I have three options (and hopefully you guys can help me decide based on which options monowall can actually execute).

1. I can grab a single, public IP via DHCP on the WAN interface and NAT everyone on the LAN .

2. I can set up the firewall in bridging mode and allow all the internal hosts to grab their own public IP's via DHCP.

3. I can do 1:1 NAT'ing for all the internal hosts.

Option number 1 is obviously the easiest and is what I did previously with my Linksys router on another satellite internet system I had previously.

Option number 2 is what I would most like to do... Are there any issues with configuring the monowall to do this?  It seems feasible.  Allowing the DHCP/BOOTP broadcast requests and the IP allocation replies.  And the WAN interface would grab its own IP as well (and I could keep track of that IP via the DynDNS client).

Option number 3 would only be feasible if I could actually grab all those IP's externally via DHCP (as the ISP does not guarantee I will have the same address space...so statically assigning public IP's is not an option).

Thoughts?
« Last Edit: May 20, 2007, 06:11:28 by iMav »

« Reply #1 on: May 21, 2007, 03:49:14 »
cmb *****
Posts: 851

Quote from: iMav
Ok, I am over in Iraq

Indeed, coming from US Department of Defense IP space (admins can see that). All the best to you and everyone else over there. Hopefully network work is relatively safe. Glad to be of some assistance to the effort over there.


Quote from: iMav
The satellite ISP provides 10 public IP addresses which are all allocated via DHCP.

This makes things a bit more difficult, being all DHCP.


Quote from: iMav
1. I can grab a single, public IP via DHCP on the WAN interface and NAT everyone on the LAN.

Yes.


Quote from: iMav
2. I can set up the firewall in bridging mode and allow all the internal hosts to grab their own public IP's via DHCP.

Yes.

Quote from: iMav
3. I can do 1:1 NAT'ing for all the internal hosts.

That won't work. You can only pull one IP from DHCP. I'm not aware of any DHCP client setup on any firewall that can pull multiple IP's from DHCP, which would be required to accomplish this.


Quote from: iMav
Option number 2 is what I would most like to do... Are there any issues with configuring the monowall to do this?  It seems feasible.  Allowing the DHCP/BOOTP broadcast requests and the IP allocation replies.  And the WAN interface would grab its own IP as well (and I could keep track of that IP via the DynDNS client).

This is definitely possible. You can follow this document to accomplish this setup.
http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

As to which I would recommend, that depends on your network needs. Does each system need a public IP assigned directly for some reason? Some software requires this. It's typically not required. If it is required, you'll need to do only bridging.

Do the systems need to communicate with each other? i.e. will there need to be a LAN-type setup between these hosts with internally shared resources? Maybe servers, network printers, or things of that nature. If this is desirable, you won't want public IP's directly on the systems. Depending on how the ISP assigns IP's, you may end up with one machine on one public IP subnet and another on a different subnet. Then to communicate between the two hosts, the traffic will have to traverse the satellite link even though the machines are on the same broadcast domain.

What I would probably do is a combination of 1 and 2. Keep most if not all of the machines on the LAN interface and NAT to the WAN IP. I would set up the 3rd interface as being bridged to the WAN, and anything you want to have a public IP on, you could plug into that interface.
« Reply #2 on: May 21, 2007, 06:05:38 »
iMav *
Posts: 17

I will likely do a combination of option 1 and option 2, as you suggest.  I figured that option 3 wouldn't be doable... but wanted to check and make sure.  I've always thought that would be a great feature on the PIX's (at least before the SOHO 501's were EOL'ed)... to be able to assign a global pool based on a defined number of IP's acquired via DHCP.  But probably only freaks like myself would actually use it.  :)

Is there any issue with connecting to the firewall's WAN IP (for management) from a computer behind the bridged (OPT) interface?  I can certainly manage from the LAN interface, if need be...but that would be a nice option.

« Reply #3 on: May 22, 2007, 04:05:09 »
cmb *****
Posts: 851

You can connect to your WAN IP from hosts on the bridged OPT interface for management purposes. You'll have to permit the IP of the host on the OPT interface in your WAN firewall rules (by default you can't hit the webGUI on the WAN IP), but since the OPT host will have a dynamic IP, you may need to make a big gaping hole in your WAN rules for your ISP's network blocks since you can't be specific to just one IP. Since it's dynamic on OPT, you're better off security-wise just managing from the LAN if possible.

It's theoretically possible to grab multiple DHCP leases on a single physical interface using FreeBSD's dhclient, by hacking in virtual interfaces with unique MAC addresses to obtain the leases. It's messy, and not in huge demand, but it may be a feature you'll see in the future at some point.

If you had different hardware, you could do this now with pfsense and its multi-WAN functionality. Each IP would have to be its own physical interface though, so you'd need like 12 NIC's. :) Not really much benefit to doing things that way though, and it's a real mess of a setup. I wouldn't recommend it.
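An added example (my own code, not from this thread, m0n0wall or pfSense) that puts numbers on two points cmb makes above: bridged hosts whose DHCP leases fall in different ISP subnets must reach each other through the gateway, i.e. over the satellite link, and permitting webGUI management from a dynamic OPT host means the WAN rule has to cover the whole range a lease could come from. The lease values are constructed samples from RFC 5737 documentation space.

```python
"""Added example, not from the original thread: it models two of cmb's points
with the stdlib ipaddress module.
1. Hosts that each pull a public IP over DHCP may land in different subnets;
   traffic between them then crosses the satellite link even on one switch.
2. Allowing webGUI management from a dynamic OPT host means the WAN rule must
   cover the whole range a lease could come from.
All addresses are constructed samples from RFC 5737 documentation space."""
import ipaddress
from itertools import combinations

# Constructed sample leases: host -> "address/prefix" as handed out by the ISP.
LEASES = {
    "wan": "203.0.113.14/28",
    "opt-a": "203.0.113.9/28",
    "opt-b": "198.51.100.130/25",
    "opt-c": "198.51.100.200/25",
}


def on_link_pairs(leases):
    """Return (host_a, host_b, same_subnet) for every pair of hosts."""
    nets = {h: ipaddress.ip_interface(a).network for h, a in leases.items()}
    return [(a, b, nets[a] == nets[b]) for a, b in combinations(sorted(nets), 2)]


def offsite_pairs(leases):
    """Host pairs whose traffic must go via the ISP gateway (the satellite hop)."""
    return [(a, b) for a, b, same in on_link_pairs(leases) if not same]


def management_rule_scope(observed_addrs):
    """Smallest single CIDR covering every address a dynamic host has held.
    A WAN pass rule for the webGUI would have to allow at least this much;
    the returned address count is the size of the hole that opens."""
    nets = [ipaddress.ip_network(a) for a in observed_addrs]
    summary = nets[0]
    for n in nets[1:]:
        while not n.subnet_of(summary):  # widen until the summary contains n
            summary = summary.supernet()
    return str(summary), summary.num_addresses


if __name__ == "__main__":
    for a, b in offsite_pairs(LEASES):
        print(f"{a} <-> {b}: different subnets, traffic goes over the satellite link")
    cidr, count = management_rule_scope(["203.0.113.9", "198.51.100.130"])
    print(f"WAN management rule would need {cidr} ({count} addresses)")
```

Two leases from different ISP blocks already force the management rule out to a /4, which is cmb's reason for managing from the LAN instead.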
« Reply #4 on: May 22, 2007, 09:02:26 »
iMav *
Posts: 17

Quote from: cmb
It's theoretically possible to grab multiple DHCP leases on a single physical interface using FreeBSD's dhclient, by hacking in virtual interfaces with unique MAC addresses to obtain the leases. It's messy, and not in huge demand, but it may be a feature you'll see in the future at some point.
Certainly not in high demand...but would be a nice feature to have available.

Quote from: cmb
If you had different hardware, you could do this now with pfsense and its multi-WAN functionality. Each IP would have to be its own physical interface though, so you'd need like 12 NIC's. :) Not really much benefit to doing things that way though, and it's a real mess of a setup. I wouldn't recommend it.
That would be pretty hilarious. 

Thanks for the quick responses.  I'm a fairly seasoned "firewall guy" but, obviously, new to monowall.
