Re: splitting a subnet in an odd way

To: debian-isp@lists.debian.org
Subject: Re: splitting a subnet in an odd way
From: Fraser Campbell <fraser@wehave.net>
Date: Fri, 26 Sep 2003 09:25:32 -0400
Message-id: <[🔎] 200309260925.32153.fraser@wehave.net>
In-reply-to: <[🔎] 3F71CAB8.5859.4D141D@localhost>
References: <[🔎] 3F71CAB8.5859.4D141D@localhost>

On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:

> I have a /24 subnet.
> .1 is the gateway and almost all IP from 2 to 254 are occupied.
> I would like to split the host in three groups:
> 12 that can have full access, 12 thought one firewall and the other 205
> throught a second firewall.
> I cannot chanmge the number of some machines, so the only option is
> that the first 12 and the two firewalls are .2 to .14
> the second group is .18 to .29 and the third vould keep is present
> numbers between .36 and .254.

Why not have a single firewall?  If you want to have two firewalls make an HA 
cluster out of them.  If you are interested in physically separating the 
subnets then I would just put extra interfaces on the firewall (basically 
multiple DMZs).

- assume subnet is 1.1.1.0/24
- all machines behind firewall get 1.1.1.0/24 subnet 
- firewall gets 1.1.1.2/24 assigned to it's external interface (side facing
  router)
- firewall does proxy arp for all IPs in the subnet on it's external interface
- if you like, firewall does proxy arp for 1.1.1.1 on it's internal interface
  and then machines shouldn't even have to change their gateway
- firewall rules are written as you require.  Even though the subnet
  1.1.1.0/28 doesn't really exist you can write your firewall rules in that
  way

The firewall will probably need an IP on it's internal interface, you might be 
able to use the same IP on both inside and outside interfaces.  If you're 
using 1.1.1.1 as the gateway and proxy arping for it on the internal 
interface then I have a suspicion that no IP would be needed.

You can avoid doing any proxy arp if you setup the routing correctly on your 
router at 1.1.1.1.

If these computers are Internet hosts (webservers, mailservers, etc.) I prefer 
to stick with private IPs on the hosts and to use DNAT to forward traffic to 
the machines.  On another note, shorewall is an excellent framework for 
managing iptables rules, it will even manage proxy arp for you when you need 
to use that.

-- 
Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Halton Hills, Ontario, Canada                       Debian GNU/Linux

Reply to:

Follow-Ups:
- Re: splitting a subnet in an odd way
  - From: "Leonardo Boselli" <leo@dicea.unifi.it>

References:
- splitting a subnet in an odd way
  - From: "Leonardo Boselli" <leo@dicea.unifi.it>

Prev by Date: Re: Postfix: Multiple recipients alias?
Next by Date: Re: splitting a subnet in an odd way
Previous by thread: Re: splitting a subnet in an odd way
Next by thread: Re: splitting a subnet in an odd way
Index(es):
- Date
- Thread