
Re: Firewall/Router on same Subnet?



Hi Jeremy,

Jeremy wrote:
> 
> Here's what you should know:
> =============================
> iptables
> debian 2.4.19
> Firewall Ethernet connection is as follows: eth0 is connected to the WAN and
> eth1 is connected to a switch, which is my DMZ. All my other servers are
> connected to that switch.
> 
> My firewall acts as a router, using ROUTE and ARP to pass the packets from
> the firewall to all the other computers on the same subnet. What I realized
> (correct me if I'm wrong) is that routers cannot forward packets across the
> same subnet (hence why you use ARP).
> 
> THE PROBLEM
> ==============
> INPUT is FINE
> OUTPUT is FINE
> FORWARD is FOOBAR
> 
> My firewall doesn't like to FORWARD packets back out. Everything goes into
> the DMZ but nothing goes out. I cannot whois, lynx, etc. Subnetting is out of
> the question.
> 
> here is why I think this is so:
> ================================
> When you ARP an IP, it will be sent as a MAC address (layer 2) and the router
> can't handle it because it is a layer 3 device.
> 
> WHAT CAN I DO TO FIX THIS PROBLEM? I don't want to change the current
> configuration i.e. NATing or subnetting.

No idea how to solve this using the same subnet on both devices.
If you don't want to cut that network in parts, you may be able to
use a small transit network using private ip addresses between
your firewall and the router it is connected to.

If eth0 is connected to a subnet with a couple of devices as well,
I have no idea how to solve your problem. The routing decision of
your firewall is based on network address and netmask. If they are
the same for both devices, the decision is not properly defined.

Regards,
 Peter
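The following is an added illustration, not code from either poster, of the point about the routing decision above: a longest-prefix-match lookup run against two constructed routing tables, one with both interfaces on the same network/netmask (the layout from the question) and one with a small transit network on the WAN side as suggested in the reply. All prefixes and addresses are assumptions drawn from the RFC 5737 documentation ranges; the question's real addressing is not known.

```python
"""Longest-prefix-match lookup showing why two interfaces carrying the same
network/netmask leave the forwarding decision undefined, and how a /30
transit network between firewall and upstream router resolves it.

Added example; every route and address below is constructed (RFC 5737
documentation ranges), not taken from the thread.
"""
import ipaddress

# Each route is (prefix, interface, gateway-or-None-if-directly-connected).

# Constructed table 1: the layout from the question, eth0 (WAN side) and
# eth1 (DMZ) both on the same subnet, assumed to be 203.0.113.0/24.
SAME_SUBNET = [
    ("203.0.113.0/24", "eth0", None),
    ("203.0.113.0/24", "eth1", None),
]

# Constructed table 2: a /30 transit network on eth0 (firewall .2, upstream
# router .1), the DMZ subnet on eth1, and a default route via the router.
TRANSIT = [
    ("192.0.2.0/30", "eth0", None),
    ("203.0.113.0/24", "eth1", None),
    ("0.0.0.0/0", "eth0", "192.0.2.1"),
]


def parse_table(routes):
    """Turn the string tuples into ipaddress objects."""
    return [
        (ipaddress.ip_network(prefix), iface,
         ipaddress.ip_address(gw) if gw else None)
        for prefix, iface, gw in routes
    ]


def lookup(routes, dst):
    """Return all routes sharing the longest prefix that contains dst.

    A kernel will pick one of them (in practice the first installed), but
    from the table alone the choice is undefined when more than one
    route ties at the best prefix length.
    """
    dst = ipaddress.ip_address(dst)
    matches = [r for r in parse_table(routes) if dst in r[0]]
    if not matches:
        return []
    best = max(net.prefixlen for net, _, _ in matches)
    return [r for r in matches if r[0].prefixlen == best]


def egress(routes, dst):
    """Return (interface, gateway, ambiguous) for dst, or None if unroutable."""
    best = lookup(routes, dst)
    if not best:
        return None
    _, iface, gw = best[0]
    return (iface, str(gw) if gw else None, len(best) > 1)


def gateway_on_link(routes):
    """Sanity check for the transit design: every via-gateway route needs its
    gateway inside a directly-connected prefix on the same interface, or the
    kernel will refuse to install the route. Returns the offending routes."""
    table = parse_table(routes)
    connected = [(net, iface) for net, iface, gw in table if gw is None]
    problems = []
    for net, iface, gw in table:
        if gw is None:
            continue
        if not any(gw in cnet and ciface == iface for cnet, ciface in connected):
            problems.append((str(net), iface, str(gw)))
    return problems


if __name__ == "__main__":
    # 198.51.100.7 stands in for an arbitrary Internet host (constructed).
    for name, table in (("same subnet", SAME_SUBNET), ("transit", TRANSIT)):
        for dst in ("203.0.113.10", "198.51.100.7"):
            print(name, dst, "->", egress(table, dst))
        print(name, "gateway problems:", gateway_on_link(table))
```

With the first table, a packet for a DMZ host ties between eth0 and eth1 and the lookup reports it as ambiguous, which is the "not properly defined" case in the reply. With the transit table the DMZ prefix wins on eth1, anything else falls to the default route out eth0 via 192.0.2.1, and the on-link check confirms that gateway is reachable through the connected /30. On a Linux box that layout corresponds to giving eth0 an address such as 192.0.2.2/30 and pointing the default route at 192.0.2.1, with the existing DMZ addressing left untouched on eth1.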
