Re: splitting a subnet in an odd way
On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:
> I have a /24 subnet.
> .1 is the gateway and almost all IP from 2 to 254 are occupied.
> I would like to split the host in three groups:
> 12 that can have full access, 12 thought one firewall and the other 205
> throught a second firewall.
> I cannot chanmge the number of some machines, so the only option is
> that the first 12 and the two firewalls are .2 to .14
> the second group is .18 to .29 and the third vould keep is present
> numbers between .36 and .254.
Why not have a single firewall? If you want to have two firewalls make an HA
cluster out of them. If you are interested in physically separating the
subnets then I would just put extra interfaces on the firewall (basically
- assume subnet is 188.8.131.52/24
- all machines behind firewall get 184.108.40.206/24 subnet
- firewall gets 220.127.116.11/24 assigned to it's external interface (side facing
- firewall does proxy arp for all IPs in the subnet on it's external interface
- if you like, firewall does proxy arp for 18.104.22.168 on it's internal interface
and then machines shouldn't even have to change their gateway
- firewall rules are written as you require. Even though the subnet
22.214.171.124/28 doesn't really exist you can write your firewall rules in that
The firewall will probably need an IP on it's internal interface, you might be
able to use the same IP on both inside and outside interfaces. If you're
using 126.96.36.199 as the gateway and proxy arping for it on the internal
interface then I have a suspicion that no IP would be needed.
You can avoid doing any proxy arp if you setup the routing correctly on your
router at 188.8.131.52.
If these computers are Internet hosts (webservers, mailservers, etc.) I prefer
to stick with private IPs on the hosts and to use DNAT to forward traffic to
the machines. On another note, shorewall is an excellent framework for
managing iptables rules, it will even manage proxy arp for you when you need
to use that.
Fraser Campbell <email@example.com> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux