Re: Firewall on the same subnet

[Danny Rathjens <dkr () hq mycity com>]

Yes, for scenario one you can assign an ip to the outer NIC
and another in the same subnet to the inner NIC and tell your
internal network boxen to use the inner NIC IP address as their
gateway.  I've been doing this for a while.  You just have to
make sure your routing table on the firewall box gets setup
correctly.  For example let's say outer NIC is eth0
and inner is eth1:
ext-ip         eth0  (the ip you gave to external interface of fw)
ext-gw         eth0  (gateway box at ISP)
int-network    eth1  (your assigned class C goes to internal net)
default ext-gw eth0  (default route is to ISP)

note: if you just turn up eth0 and eth1 with IPs in int-network
then you will have two entries in the routing table for int-network.
So you may have to simply delete the extraneous route to eth0 after
you turn up the interfaces.

Ivo Janssen wrote:
> I have a question about building a firewall that has both interfaces
> in 1 subnet.
>
> I've read a thread on the debian-firewall list (see
> http://lists.debian.org/debian-firewall-0010/msg00028.html ), but I
> think my situation is a little different.
>
> In my case, an incoming ADSL line delivers a UTP cable that outputs
> traffic for our whole assigned C class subnet (let's say 1.1.1.x)
> Normally, I would just plug that into a switch and connect the 256
> machines to it. But I want to put a firewall in between.
>
> So my situation will be: (scenario 1)
>
>   ADSL-ISP ----- DSLAM-port -----  firewall ---- internal network
>
>        <- external networks ->|<- 1.1.1.x network ->
>
> How do I route this in a good way, without resorting to going a level
> beneath IP, and getting into stuff like MAC, bridge, ARP.
>
> People keep telling me this is possible, and they give me the
> following situation: (scenario 2)
>
>   DIALUP-ISP  --- ISDN line --- Ascend router --- internal network
>
>       <- external networks ->|<- 1.1.1.x network ->
>
> This is a situation we actually have at this point, where the Ascend
> router actually acts as a router, with IP adres 1.1.1.1, and the rest
> of the network sets 1.1.1.1 as default gateway.
> Can I, in scenario 1, just set the outer NIC to, say 1.1.1.1 and the
> inner NIC to 1.1.1.2 and put 1.1.1.2 as default gateway on my
> internal net? Or should I just assign 1 IP to the whole fw-box?
> I keep on reading scenario 1 is so different from scenario 2 that
> scenario 2 can use "normal" routing, but scenario 1 needs hacks like
> Proxy ARP.
>
> The one thing I do not want is resort to route IP packets on MAC
> level with Proxy ARP, it just comes to me as a hack.
>
> Please, could someone tell me what the exact difference between
> scenarios 1 and 2 is, and what I should use if I want to make our
> internal network a fully routed part of the internet.
>
> Sincerely,
>
> Ivo
>
> --
> +---------------------------------------------------------------------
> | IVO JANSSEN - ivo at ricardis.tudelft.nl - http://ivo.nu/
> | Delft University of Technology - the Netherlands
> | finger ivo at server.ricardis.tudelft.nl for PGP and more info
> | Part of the world's largest computer: http://www.distributed.net/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards

-- 
struct Programmer/Analyst 'Danny Rathjens' {this.place = "MyCity.com";}
"The mind is not a vessel to be filled, but a fire to be kindled."
                                               --Plutarch

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards