[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: splitting a subnet in an odd way

On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:

> I have a /24 subnet.
> .1 is the gateway and almost all IP from 2 to 254 are occupied.
> I would like to split the host in three groups:
> 12 that can have full access, 12 thought one firewall and the other 205
> throught a second firewall.
> I cannot chanmge the number of some machines, so the only option is
> that the first 12 and the two firewalls are .2 to .14
> the second group is .18 to .29 and the third vould keep is present
> numbers between .36 and .254.

Why not have a single firewall?  If you want to have two firewalls make an HA 
cluster out of them.  If you are interested in physically separating the 
subnets then I would just put extra interfaces on the firewall (basically 
multiple DMZs).

- assume subnet is
- all machines behind firewall get subnet 
- firewall gets assigned to it's external interface (side facing
- firewall does proxy arp for all IPs in the subnet on it's external interface
- if you like, firewall does proxy arp for on it's internal interface
  and then machines shouldn't even have to change their gateway
- firewall rules are written as you require.  Even though the subnet doesn't really exist you can write your firewall rules in that

The firewall will probably need an IP on it's internal interface, you might be 
able to use the same IP on both inside and outside interfaces.  If you're 
using as the gateway and proxy arping for it on the internal 
interface then I have a suspicion that no IP would be needed.

You can avoid doing any proxy arp if you setup the routing correctly on your 
router at

If these computers are Internet hosts (webservers, mailservers, etc.) I prefer 
to stick with private IPs on the hosts and to use DNAT to forward traffic to 
the machines.  On another note, shorewall is an excellent framework for 
managing iptables rules, it will even manage proxy arp for you when you need 
to use that.

Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Halton Hills, Ontario, Canada                       Debian GNU/Linux

Reply to: