Re: splitting a subnet in an odd way
On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:
> I have a /24 subnet.
> .1 is the gateway and almost all IP from 2 to 254 are occupied.
> I would like to split the host in three groups:
> 12 that can have full access, 12 thought one firewall and the other 205
> throught a second firewall.
> I cannot change the number of some machines, so the only option is
> that the first 12 and the two firewalls are .2 to .14
> the second group is .18 to .29 and the third would keep its present
> numbers between .36 and .254.
Why not have a single firewall? If you want to have two firewalls make an HA
cluster out of them. If you are interested in physically separating the
subnets then I would just put extra interfaces on the firewall (basically
multiple DMZs).
- assume subnet is 1.1.1.0/24
- all machines behind firewall get 1.1.1.0/24 subnet
- firewall gets 1.1.1.2/24 assigned to its external interface (side facing
router)
- firewall does proxy arp for all IPs in the subnet on its external interface
- if you like, firewall does proxy arp for 1.1.1.1 on its internal interface
and then machines shouldn't even have to change their gateway
- firewall rules are written as you require. Even though the subnet
1.1.1.0/28 doesn't really exist, you can write your firewall rules in that
way
The firewall will probably need an IP on its internal interface; you might be
able to use the same IP on both inside and outside interfaces. If you're
using 1.1.1.1 as the gateway and proxy arping for it on the internal
interface then I have a suspicion that no IP would be needed.
You can avoid doing any proxy arp if you set up the routing correctly on your
router at 1.1.1.1.
If these computers are Internet hosts (webservers, mailservers, etc.) I prefer
to stick with private IPs on the hosts and to use DNAT to forward traffic to
the machines. On another note, shorewall is an excellent framework for
managing iptables rules, it will even manage proxy arp for you when you need
to use that.
--
Fraser Campbell <fraser@wehave.net> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux
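As an added example (not from the original thread or its authors), here is the single-firewall proxy ARP layout described above written out for Linux, with the three host groups expressed as /28-aligned routes and iptables rules even though those subnets never exist on the wire. The interface names eth0/eth1, the firewall owning 1.1.1.2, and the per-group policy are assumptions; the script prints the commands for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: eth0 faces the router at
# 1.1.1.1, eth1 faces the hosts, the firewall owns 1.1.1.2, and the per-group
# policy below is illustrative only.
EXT=eth0
INT=eth1

# Map a host address to its group by /28 block of the last octet:
# .0/28 -> full (covers .2-.14), .16/28 -> group2 (covers .18-.29),
# anything higher -> group3 (covers .36-.254).
group_of() {
    last=${1##*.}
    case $(( last / 16 )) in
        0) echo full ;;
        1) echo group2 ;;
        *) echo group3 ;;
    esac
}

# Print the configuration for review rather than applying it directly.
emit_config() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$EXT.proxy_arp=1   # answer for hosts toward the router
sysctl -w net.ipv4.conf.$INT.proxy_arp=1   # answer for 1.1.1.1 toward the hosts
ip addr add 1.1.1.2/24 dev $EXT
ip route add 1.1.1.1/32 dev $EXT           # real router stays on the outside
# the "groups" as routes: more specific than the /24 on $EXT, so they win
ip route add 1.1.1.0/28 dev $INT
ip route add 1.1.1.16/28 dev $INT
ip route add 1.1.1.32/27 dev $INT
ip route add 1.1.1.64/26 dev $INT
ip route add 1.1.1.128/25 dev $INT
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# full group: unrestricted both ways
iptables -A FORWARD -s 1.1.1.0/28 -j ACCEPT
iptables -A FORWARD -d 1.1.1.0/28 -j ACCEPT
# group2: outbound anything, inbound only what the first "firewall" allows
iptables -A FORWARD -s 1.1.1.16/28 -j ACCEPT
iptables -A FORWARD -d 1.1.1.16/28 -p tcp --dport 80 -j ACCEPT
# group3: outbound only, nothing new inbound
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT
EOF
}

emit_config
```

Linux answers a proxy ARP request only when its route to the target leaves by a different interface than the one the request arrived on, which is why the /32 for 1.1.1.1 on eth0 and the group routes on eth1 are what make both sides work.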