
Re: splitting a subnet in an odd way



You forget one thing: there are 10 other machines (addresses 3 to 13) 
that need not be firewalled, and must be accessible from ANY other 
host, both internally and externally, without passing the FW.
The second group really is not a problem, since they are just virtual 
addresses for a machine in the first group, that self-firewalls!
However users in the third, internal group should access these machines 
directly.
About proxy-arping 230 machines: what commands would you suggest 
for doing that? The way I used for a small group wreaked havoc on some 
network monitoring tools!

On 26 Sep 2003 at 9:25 Fraser Campbell wrote

> On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:
> 
> > I have a /24 subnet.
> > .1 is the gateway and almost all IPs from 2 to 254 are occupied.
> > I would like to split the hosts into three groups:
> > 12 that can have full access, 12 through one firewall and the other 205
> > through a second firewall.
> > I cannot change the number of some machines, so the only option is
> > that the first 12 and the two firewalls are .2 to .14,
> > the second group is .18 to .29 and the third would keep its present
> > numbers between .36 and .254.
> 
> Why not have a single firewall?  If you want to have two firewalls make an HA 
> cluster out of them.  If you are interested in physically separating the 
> subnets then I would just put extra interfaces on the firewall (basically 
> multiple DMZs).
> 
> - assume subnet is 1.1.1.0/24
> - all machines behind firewall get 1.1.1.0/24 subnet 
> - firewall gets 1.1.1.2/24 assigned to its external interface (side facing
>   router)
> - firewall does proxy arp for all IPs in the subnet on its external interface
> - if you like, firewall does proxy arp for 1.1.1.1 on its internal interface
>   and then machines shouldn't even have to change their gateway
> - firewall rules are written as you require.  Even though the subnet
>   1.1.1.0/28 doesn't really exist you can write your firewall rules in that
>   way
--
Leonardo Boselli
Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile
Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze
tel +39 0554796431 cell +39 3488605348 fax +39 055495333
http://www.dicea.unifi.it/~leo
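Fraser's last bullet says the rules can be written "as if" the 1.1.1.0/28 subnet existed; the following is an added example (not from either poster) that works out, for the three address ranges Leonardo gave on the placeholder 1.1.1.0/24, which CIDR prefixes a firewall rule would actually need, and which hosts an aligned /28 or /27 would pull in by mistake (the .1 gateway, .15-.17, .30-.35). The group names and the `plan`/`prefixes` helpers are my own.

```python
"""Prefix lists for the three host groups discussed in the thread.

Added example, not part of the original thread. Assumes the 1.1.1.0/24
placeholder network from Fraser's reply and the ranges from Leonardo's
post: .2-.14 (full access, including the two firewalls), .18-.29
(behind firewall 1), .36-.254 (behind firewall 2).
"""
import ipaddress

NET = ipaddress.ip_network("1.1.1.0/24")  # placeholder network from the thread

# Constructed from the ranges in the thread: (group name, first host, last host)
GROUPS = [
    ("full-access", 2, 14),
    ("firewall-1", 18, 29),
    ("firewall-2", 36, 254),
]


def prefixes(first: int, last: int, net=NET) -> list:
    """Smallest set of CIDR blocks that exactly covers .first-.last in net."""
    lo = net.network_address + first
    hi = net.network_address + last
    return [str(block) for block in ipaddress.summarize_address_range(lo, hi)]


def plan(groups=GROUPS, net=NET) -> dict:
    """Prefix list per group, plus the host numbers that no group claims.

    None of the three ranges is a single aligned block, so a rule written
    for a tidy /28 would also match the unclaimed hosts listed here.
    """
    result = {name: prefixes(a, b, net) for name, a, b in groups}
    claimed = set()
    for _, a, b in groups:
        claimed.update(range(a, b + 1))
    result["unclaimed"] = [h for h in range(1, 255) if h not in claimed]
    return result


if __name__ == "__main__":
    for name, blocks in plan().items():
        print(f"{name}: {blocks}")
```

The per-group lists can be fed straight into address-set or per-prefix rules; the "unclaimed" list is what to compare against any rule that uses a rounded-up block instead.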