
User #207533   154 posts
Forum Regular

I have read Pete's tutorials and understand when bridging an ADSL modem/router may be required. As I understand it this basically turns the modem/router into a modem, and double NAT and double DHCP are avoided. I presume this puts the device within the WAN, and the following router becomes the WAN/LAN interface, accepts the public IP, NATs and DHCP etc.
I have also read threads talking about a half bridge mode.
What is half bridge and when is it used?

posted 2008-Mar-21, 8am AEST
User #4641   8381 posts
Whirlpool Forums Addict

Half Bridge Mode

When the PPP Half Bridge is enabled the modem becomes invisible. The DHCP server will duplicate the WAN IP address from the ISP to the local client PC. Only one PC is able to access the Internet using half bridge mode.

Half bridge mode can only be used when a single IP address has been assigned by the ISP, it is not suitable for services that provide multiple IP addresses. Half bridge mode is used when the use of NAT or NAPT is not desired and there is a single computer attached to the modem.

When to Use Half Bridge Mode
When using a separate firewall that will be protecting the network, half bridge mode will allow the firewall to appear on the internet using the publicly accessible IP address assigned by the ISP. This configuration will allow the dedicated firewall to have full control of the inbound and outbound traffic and is the intended purpose for this mode.

Security Consideration
Remember that when not using NAT/NAPT the computer system is more vulnerable to attack from the internet so extra consideration should be given to security. A firewall and up-to-date anti virus software should be considered a minimum requirement. Also remember to check your operating system and software regularly for security updates and apply them as soon as possible.

Taken from the link below
www.adslnation.com/downl...ridge%20Mode.pdf

posted 2008-Mar-21, 8am AEST
User #4641   8381 posts
Whirlpool Forums Addict

Essentially half bridge allows only 1 PC access to the internet, where bridge mode acts as a transparent bridge and does not care how many computers are connected behind it, as the router is doing the PPP functions.

posted 2008-Mar-21, 8am AEST
User #25496   13917 posts
Section Moderator

Half bridge means that the modem handles authentication and encapsulation. Whereas in full bridge it merely acts as a modem. All authentication and encapsulation etc happens on the router or computer that is connected to it.

The reason for using half-bridge,
1. PPPoE is not available. Since you cannot bridge PPPoA, another method has to be used. This is the key reason.
2. Some routers do not handle a PPPoE client well or don't have one. Some dual WAN routers, for instance, do not allow 2 PPPoE clients to run.

The reasons against half-bridge.
1. Unless you have a static IP from your ISP, the router will not update the IP when it is changed until the next DHCP renewal.
Due to this, most half-bridge modems use an extremely short DHCP lease. It works but isn't recommended.
2. Some modems can now enable half-bridge as a true DMZ whilst still running as a router. Speedtouch 536, 585 etc do this as do new 2wire BP hand out. It was very buggy.
3. Some Linux-based routers and PCs cannot handle the IP address and gateway in different subnets. You can get around it but not always.

In my experience it is the least preferred method of connection. I have certainly tried it lots of times and it doesn't impress. Use full bridge when possible.

posted 2008-Mar-21, 9am AEST
User #15671   311 posts
Forum Regular

Revs Per Min writes...

2. Some modems can now enable half-bridge as a true DMZ whilst still running as a router.

Is this the 'PPPoE Routed with Pass-through' option in the Billion 740x series? I always wondered how the Billion can act as a router (and handle the PPPoE login) and allow a PPPoE session to be handled via a client PC as well.

Does it handle the PPPoE session for 3 of the LAN ports and act as a dumb modem through the 4th (if you get what I mean)?

posted 2008-Mar-21, 9am AEST
edited 2008-Mar-21, 9am AEST
User #207533   154 posts
Forum Regular

Thanks Pete and Revs for this explanation. It is not something I will be trying out but it's a great help when reading threads to understand the technical terms being used.

posted 2008-Mar-21, 9am AEST
User #172612   92 posts
Forum Regular

Revs Per Min writes...

2. Some modems can now enable half-bridge as a true DMZ whilst still running as a router... It was very buggy

I have now found a way to do this in Linux based ADSL routers. Normally the wan interface (usually ppp0) has the external IP and runs "nat masquerade". You can remove the External IP address and replace this with "SNAT --to $WIP" with a command such as

"iptables -t nat -I POSTROUTING -s ! $WIP -o $WIF -j SNAT --to $WIP"

which NATs anything except the upstream device that you give the true WAN IP to, and allows the router or any other local IP device to still access the internet. What sort of bugs should I look out for?

Have to agree with 1. No easy way to get around short lease times and delays in passing on WAN DHCP.

There are a number of ways to get around the IP address/gateway issue, such as "spoofing the netmask" and/or gateway, or with a firewall script in routers that can have them. Other posts on Whirlpool give all the answers! The only method I can't simulate easily is D-Link's ZIPB - but it never worked well for me, so no loss!

posted 2008-Mar-21, 9am AEST
edited 2008-Mar-21, 9am AEST
User #95489   5384 posts
Whirlpool Forums Addict

pete y testing writes...

Only one PC is able to access the Internet using half bridge mode.

No. Only one connected device can get the public IP. If that connected device is a router, it can NAT, and many PCs can connect.

it is not suitable for services that provide multiple IP addresses.

No. Routing of any sized subnet by the public IP is fine - but you (usually) have to be prepared to insert a static route in the modem's route table for this to work.

there is a single computer attached to the modem.

No. Attaching a router, or a PC, can be done.

"Half bridge" is a misnomer. It is really routing that occurs in the modem which has been configured with an unnumbered WAN interface. Some of the problems relate to the DHCP server activity on the 'LAN' interface of the router, and the interaction with the router (or PC) DHCP client. It is possible, usually, to get around this. But there are a number of different implementations of half bridge, some better than others. Bottom line, avoid unless you have no alternative - especially with a dynamic public IP.

posted 2008-Mar-21, 10am AEST
User #95489   5384 posts
Whirlpool Forums Addict

mstombs writes...

No easy way to get around short lease times and delays in passing on WAN dhcp.

Only reliable way is to avoid dynamic IPs, and set the WAN interface of the router up so it has the public IP, with the DHCP client disabled - so the lease issue is not a factor.

E.g., with Speedtouch modems, set the WAN interface of the modem in unnumbered mode. Add a static route in the Speedtouch so that

rtadd <public IP> eth0, where eth0 is the LAN facing interface of the speedtouch.

Then configure the WAN interface of the router as (in Linux)

ifconfig eth0 <public IP> netmask 255.255.255.255
route add -host 10.0.0.138 eth0
route add default gw 10.0.0.138

See the GW is off the local LAN. No problem provided the host route is in place. What this does, obviously, is to ARP for the 10.0.0.138 interface to provide the MAC for the internet destined packets.
Also, it means that you can access the modem's config IP from a LAN connected PC (provided the LAN net and the router->Speedtouch net do not overlap).

If you have to have a dynamic IP, cannot bridge, and need a public IP on the WAN interface of a router, then you have a few options - get a /30 and use it from speedtouch->router, double routing (and 1:1NATting to a private IP).

posted 2008-Mar-21, 9pm AEST
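
Added example, not part of the thread or any poster's code: a small Python model of the "gateway must be on-link" rule behind both the complaint that some Linux routers cannot handle an IP address and gateway in different subnets and the host-route workaround in the last post. The public address 203.0.113.10 is a constructed documentation address, the modem address 10.0.0.138 is the one used in the thread, and the class is a simplified illustration, not the kernel's actual routing code.

```python
import ipaddress

class RouteTable:
    """Toy routing table: a gateway is accepted only if it is directly reachable."""

    def __init__(self, addr, netmask):
        # Assigning an address creates the connected route for its subnet.
        # With netmask 255.255.255.255 that subnet contains only the host itself.
        net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
        self.routes = [(net, None)]          # (destination network, gateway or None)

    def _lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if dst in r[0]]
        # Longest prefix wins, as in a real routing table.
        return max(hits, key=lambda r: r[0].prefixlen, default=None)

    def add_host(self, host):
        # Equivalent of "route add -host <host> eth0": host is declared on-link.
        self.routes.append((ipaddress.ip_network(f"{host}/32"), None))

    def add_default(self, gw):
        # Equivalent of "route add default gw <gw>": refuse if gw is not on-link.
        hit = self._lookup(gw)
        if hit is None or hit[1] is not None:
            raise OSError(f"gateway {gw} is not directly reachable")
        self.routes.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(gw)))

    def arp_target(self, dst):
        """Address the host resolves to a MAC when sending a packet to dst."""
        hit = self._lookup(dst)
        if hit is None:
            return None
        return str(hit[1]) if hit[1] is not None else str(ipaddress.ip_address(dst))

def demo():
    rt = RouteTable("203.0.113.10", "255.255.255.255")   # constructed public IP
    try:
        rt.add_default("10.0.0.138")                     # no host route yet
        rejected_without_host_route = False
    except OSError:
        rejected_without_host_route = True
    rt.add_host("10.0.0.138")                            # modem is now on-link
    rt.add_default("10.0.0.138")                         # accepted this time
    return rejected_without_host_route, rt.arp_target("198.51.100.7")

if __name__ == "__main__":
    print(demo())
```

The order of the two route commands matters: the default route is only accepted once the host route has made the modem's address directly reachable.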