Firewall Wizards mailing list archives
Re: Firewall on the same subnet
From: Danny Rathjens <dkr () hq mycity com>
Date: Sat, 04 Nov 2000 18:09:03 -0500
Yes, for scenario one you can assign an IP to the outer NIC and another in the same subnet to the inner NIC and tell your internal network boxen to use the inner NIC IP address as their gateway. I've been doing this for a while. You just have to make sure your routing table on the firewall box gets set up correctly. For example, let's say outer NIC is eth0 and inner is eth1:

    ext-ip       eth0          (the IP you gave to external interface of fw)
    ext-gw       eth0          (gateway box at ISP)
    int-network  eth1          (your assigned class C goes to internal net)
    default      ext-gw eth0   (default route is to ISP)

Note: if you just turn up eth0 and eth1 with IPs in int-network then you will have two entries in the routing table for int-network. So you may have to simply delete the extraneous route to eth0 after you turn up the interfaces.

Ivo Janssen wrote:
I have a question about building a firewall that has both interfaces in 1 subnet. I've read a thread on the debian-firewall list (see http://lists.debian.org/debian-firewall-0010/msg00028.html ), but I think my situation is a little different.

In my case, an incoming ADSL line delivers a UTP cable that outputs traffic for our whole assigned C class subnet (let's say 1.1.1.x). Normally, I would just plug that into a switch and connect the 256 machines to it. But I want to put a firewall in between. So my situation will be:

(scenario 1)

    ADSL-ISP ----- DSLAM-port ----- firewall ---- internal network
    <- external networks ->|<- 1.1.1.x network ->

How do I route this in a good way, without resorting to going a level beneath IP, and getting into stuff like MAC, bridge, ARP? People keep telling me this is possible, and they give me the following situation:

(scenario 2)

    DIALUP-ISP --- ISDN line --- Ascend router --- internal network
    <- external networks ->|<- 1.1.1.x network ->

This is a situation we actually have at this point, where the Ascend router actually acts as a router, with IP address 1.1.1.1, and the rest of the network sets 1.1.1.1 as default gateway.

Can I, in scenario 1, just set the outer NIC to, say, 1.1.1.1 and the inner NIC to 1.1.1.2 and put 1.1.1.2 as default gateway on my internal net? Or should I just assign 1 IP to the whole fw-box?

I keep on reading scenario 1 is so different from scenario 2 that scenario 2 can use "normal" routing, but scenario 1 needs hacks like Proxy ARP. The one thing I do not want is to resort to routing IP packets on MAC level with Proxy ARP; it just comes to me as a hack.

Please, could someone tell me what the exact difference between scenarios 1 and 2 is, and what I should use if I want to make our internal network a fully routed part of the internet.
Sincerely, Ivo
--
+---------------------------------------------------------------------
| IVO JANSSEN - ivo at ricardis.tudelft.nl - http://ivo.nu/
| Delft University of Technology - the Netherlands
| finger ivo at server.ricardis.tudelft.nl for PGP and more info
| Part of the world's largest computer: http://www.distributed.net/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
--
struct Programmer/Analyst 'Danny Rathjens' {this.place = "MyCity.com";}
"The mind is not a vessel to be filled, but a fire to be kindled." --Plutarch
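Added example, not part of the thread: a small Python model of longest-prefix-match routing over the table Danny describes. It uses RFC 5737 documentation addresses in place of the poster's 1.1.1.x block (an assumption) and shows why the second connected route for the internal network on eth0 has to be deleted: while it is present, packets for internal hosts can be sent out the ISP-facing interface instead of through the firewall's inner side.

```python
import ipaddress

# Constructed addresses (documentation space); they stand in for the 1.1.1.x class C.
INT_NET = ipaddress.ip_network("192.0.2.0/24")   # int-network, the assigned class C
EXT_IP  = ipaddress.ip_address("192.0.2.2")      # ext-ip on eth0 (outer NIC)
EXT_GW  = ipaddress.ip_address("192.0.2.1")      # ext-gw, the gateway box at the ISP
INT_IP  = ipaddress.ip_address("192.0.2.3")      # inner NIC, internal hosts' gateway

def lookup(table, dst):
    """Longest-prefix match over (prefix, device, gateway) entries.
    On a tie the earlier entry wins, as a kernel picks the first of two
    equally specific routes. Returns (device, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev, gw)
    return None if best is None else (best[1], best[2])

def naive_table():
    """What you get by just turning up eth0 and eth1 with IPs in INT_NET:
    two connected routes for the same prefix, plus the default via the ISP."""
    return [
        (INT_NET, "eth0", None),                                # auto-added when eth0 came up
        (INT_NET, "eth1", None),                                # auto-added when eth1 came up
        (ipaddress.ip_network("0.0.0.0/0"), "eth0", EXT_GW),    # default ext-gw eth0
    ]

def fix_table(table):
    """Danny's cleanup: delete the extraneous INT_NET route on eth0 and keep a
    host route to the ISP gateway on eth0 so the default route still resolves."""
    cleaned = [r for r in table if not (r[0] == INT_NET and r[1] == "eth0")]
    return [(ipaddress.ip_network(f"{EXT_GW}/32"), "eth0", None)] + cleaned

if __name__ == "__main__":
    for dst in ("192.0.2.50", str(EXT_GW), "203.0.113.9"):
        print(dst, "naive:", lookup(naive_table(), dst),
              "fixed:", lookup(fix_table(naive_table()), dst))
```

With the naive table an internal host such as 192.0.2.50 resolves to eth0, the outer segment; after the cleanup it resolves to eth1, the ISP gateway still goes out eth0 via its host route, and everything else follows the default route.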