Firewall Wizards mailing list archives
Firewall on the same subnet
From: Ivo Janssen <ivo () ivo nu>
Date: Thu, 2 Nov 2000 14:36:38 +0100 (CET)
I have a question about building a firewall that has both interfaces in 1 subnet. I've read a thread on the debian-firewall list (see http://lists.debian.org/debian-firewall-0010/msg00028.html ), but I think my situation is a little different.

In my case, an incoming ADSL line delivers a UTP cable that outputs traffic for our whole assigned C class subnet (let's say 1.1.1.x). Normally, I would just plug that into a switch and connect the 256 machines to it. But I want to put a firewall in between. So my situation will be:

(scenario 1)

ADSL-ISP ----- DSLAM-port ----- firewall ---- internal network
<-      external networks     ->|<-  1.1.1.x network  ->

How do I route this in a good way, without resorting to going a level beneath IP, and getting into stuff like MAC, bridge, ARP?

People keep telling me this is possible, and they give me the following situation:

(scenario 2)

DIALUP-ISP --- ISDN line --- Ascend router --- internal network
<-      external networks           ->|<-  1.1.1.x network  ->

This is a situation we actually have at this point, where the Ascend router actually acts as a router, with IP address 1.1.1.1, and the rest of the network sets 1.1.1.1 as default gateway.

Can I, in scenario 1, just set the outer NIC to, say 1.1.1.1 and the inner NIC to 1.1.1.2 and put 1.1.1.2 as default gateway on my internal net? Or should I just assign 1 IP to the whole fw-box?

I keep on reading scenario 1 is so different from scenario 2 that scenario 2 can use "normal" routing, but scenario 1 needs hacks like Proxy ARP. The one thing I do not want is to resort to routing IP packets on MAC level with Proxy ARP; it just comes to me as a hack.

Please, could someone tell me what the exact difference between scenarios 1 and 2 is, and what I should use if I want to make our internal network a fully routed part of the internet?
Sincerely,
Ivo
--
+---------------------------------------------------------------------
| IVO JANSSEN - ivo at ricardis.tudelft.nl - http://ivo.nu/
| Delft University of Technology - the Netherlands
| finger ivo at server.ricardis.tudelft.nl for PGP and more info
| Part of the world's largest computer: http://www.distributed.net/
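As an added illustration, not part of Ivo's post or of any reply in the thread: a small Python model of longest-prefix routing that shows where the two scenarios differ from the ISP router's point of view. In scenario 2 the ISP reaches 1.1.1.0/24 through a next hop on the ISDN link, so it never needs to resolve an internal host's MAC address; in scenario 1 the ISP router's own interface sits in 1.1.1.0/24, so it treats every 1.1.1.x as on-link and ARPs for it on the outer wire, where only the firewall can answer. The interface names and the 10.0.0.x link addresses are constructed assumptions; only the 1.1.1.x addresses come from the post.

```python
import ipaddress

# A host's routing table is modelled as a list of (prefix, interface, gateway).
# gateway None means the prefix is directly attached: the host resolves the
# destination itself (ARP on Ethernet) instead of handing it to a next hop.
def next_hop(routes, dst):
    """Longest-prefix match; returns (interface, address to resolve) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        return None
    _, iface, gw = best
    return iface, (str(dst) if gw is None else gw)

# Scenario 2 (constructed link addresses): the ISP routes the whole /24 over a
# point-to-point ISDN link whose far end, 10.0.0.2, is the Ascend router.
ISP_SCENARIO_2 = [("1.1.1.0/24", "isdn0", "10.0.0.2")]

# Scenario 1: the ISP's DSLAM-side interface is itself inside 1.1.1.0/24,
# so the ISP considers every 1.1.1.x directly attached.
ISP_SCENARIO_1 = [("1.1.1.0/24", "dslam0", None)]

# Scenario 1 with the /24 split in two halves (assumed layout): the firewall
# keeps 1.1.1.1 on the outer wire, the internal hosts live in 1.1.1.128/25,
# and the ISP has been given a static route for that half via 1.1.1.1.
ISP_SCENARIO_1_SPLIT = [("1.1.1.0/24", "dslam0", None),
                        ("1.1.1.128/25", "dslam0", "1.1.1.1")]

def unreachable_without_proxy_arp(isp_routes, outer_wire_hosts, internal_hosts):
    """Internal hosts whose next hop, as seen by the ISP, is an address that is
    not actually present on the outer wire: the ISP's ARP request goes
    unanswered unless the firewall answers on their behalf (proxy ARP)."""
    stranded = []
    for host in internal_hosts:
        hop = next_hop(isp_routes, host)
        if hop is not None and hop[1] not in outer_wire_hosts:
            stranded.append(host)
    return stranded

if __name__ == "__main__":
    internal = ["1.1.1.50", "1.1.1.150"]
    print("scenario 2:", unreachable_without_proxy_arp(ISP_SCENARIO_2, {"10.0.0.2"}, internal))
    print("scenario 1:", unreachable_without_proxy_arp(ISP_SCENARIO_1, {"1.1.1.1"}, internal))
    print("split /25 :", unreachable_without_proxy_arp(ISP_SCENARIO_1_SPLIT, {"1.1.1.1"}, internal))
```

The split variant only helps for hosts in the routed half, which is why it needs both the ISP's cooperation (the static route) and the internal network renumbered into that half.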