Firewall Wizards mailing list archives

Firewall on the same subnet


From: Ivo Janssen <ivo () ivo nu>
Date: Thu, 2 Nov 2000 14:36:38 +0100 (CET)

I have a question about building a firewall that has both interfaces
in one subnet.

I've read a thread on the debian-firewall list (see
http://lists.debian.org/debian-firewall-0010/msg00028.html ), but I
think my situation is a little different.

In my case, an incoming ADSL line delivers a UTP cable that outputs
traffic for our whole assigned class C subnet (let's say 1.1.1.x).
Normally, I would just plug that into a switch and connect the 256
machines to it. But I want to put a firewall in between.

So my situation will be: (scenario 1)

  ADSL-ISP ----- DSLAM-port -----  firewall ---- internal network

       <- external networks ->|<- 1.1.1.x network ->

How do I route this in a good way, without resorting to going a level
beneath IP, and getting into stuff like MAC, bridge, ARP.

People keep telling me this is possible, and they give me the
following situation: (scenario 2)

  DIALUP-ISP  --- ISDN line --- Ascend router --- internal network

      <- external networks ->|<- 1.1.1.x network ->

This is a situation we actually have at this point, where the Ascend
router actually acts as a router, with IP address 1.1.1.1, and the rest
of the network sets 1.1.1.1 as default gateway.
Can I, in scenario 1, just set the outer NIC to, say, 1.1.1.1 and the
inner NIC to 1.1.1.2 and put 1.1.1.2 as default gateway on my
internal net? Or should I just assign one IP to the whole fw-box?
I keep on reading that scenario 1 is so different from scenario 2 that
scenario 2 can use "normal" routing, but scenario 1 needs hacks like
Proxy ARP.

The one thing I do not want is to resort to routing IP packets at MAC
level with Proxy ARP; it just seems like a hack to me.

Please, could someone tell me what the exact difference between
scenarios 1 and 2 is, and what I should use if I want to make our
internal network a fully routed part of the internet.

Sincerely,

Ivo

--
+---------------------------------------------------------------------
| IVO JANSSEN - ivo at ricardis.tudelft.nl - http://ivo.nu/
| Delft University of Technology - the Netherlands
| finger ivo at server.ricardis.tudelft.nl for PGP and more info
| Part of the world's largest computer: http://www.distributed.net/
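The difference between the two scenarios comes down to what the ISP-side router thinks is directly connected. The following is an added illustration, not code from the post or the list: it models the router's longest-prefix forwarding decision with the standard `ipaddress` module and runs it over the two scenarios plus a third variant in which the /24 is split into two /25s. The ISP-side addresses (10.0.0.0/30 for the ISDN link, 1.1.1.254 and 1.1.1.126 for the ISP router on the ADSL wire, 1.1.1.130 for an internal host) are constructed for the example.

```python
from ipaddress import ip_address, ip_interface, ip_network


def forwarding_decision(router_iface, routes, dst):
    """How the ISP-side router delivers a packet addressed to dst.

    router_iface: the router's interface facing us, e.g. '1.1.1.254/24'.
    routes: list of (prefix, next_hop) static routes; longest prefix wins,
            with the interface's own connected network as one candidate.
    Returns ('direct', None) when the router treats dst as on-link and ARPs
    for it on the wire itself, or ('via', next_hop) when it forwards to a
    gateway and only ARPs for that gateway.
    """
    iface = ip_interface(router_iface)
    dst = ip_address(dst)
    candidates = [(ip_network(p), nh) for p, nh in routes]
    candidates.append((iface.network, None))  # connected route
    matches = [(n, nh) for n, nh in candidates if dst in n]
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return ("direct", None) if nh is None else ("via", nh)


def hosts_needing_proxy_arp(router_iface, routes, internal_hosts):
    """Internal addresses the ISP router would ARP for directly.

    Each one must be answered on the wire by the firewall (proxy ARP) or
    reached through a bridge; an empty list means plain routing suffices.
    """
    return [h for h in internal_hosts
            if forwarding_decision(router_iface, routes, h)[0] == "direct"]


# Scenario 2: ISDN is a point-to-point link, the ISP router is NOT in 1.1.1.x
# (constructed link addresses), and it holds a route for the whole /24.
SCENARIO2 = ("10.0.0.1/30", [("1.1.1.0/24", "10.0.0.2")])

# Scenario 1 as posted: the ISP router sits inside 1.1.1.0/24 on the ADSL
# Ethernet, so every 1.1.1.x address looks on-link to it.
SCENARIO1 = ("1.1.1.254/24", [])

# Scenario 1 with the /24 split: 1.1.1.0/25 stays on the ADSL wire (ISP router
# 1.1.1.126, firewall outer NIC 1.1.1.1); 1.1.1.128/25 is routed via the
# firewall, whose inner NIC would be 1.1.1.129. No proxy ARP needed.
SCENARIO1_SPLIT = ("1.1.1.126/25", [("1.1.1.128/25", "1.1.1.1")])

INTERNAL = ["1.1.1.130", "1.1.1.200"]

if __name__ == "__main__":
    for name, (iface, routes) in [("scenario 2", SCENARIO2),
                                  ("scenario 1", SCENARIO1),
                                  ("scenario 1 split", SCENARIO1_SPLIT)]:
        print(name, forwarding_decision(iface, routes, "1.1.1.130"),
              "proxy ARP for:", hosts_needing_proxy_arp(iface, routes, INTERNAL))
```

The middle case is exactly why scenario 1 is said to need proxy ARP: nothing in the router's table sends 1.1.1.130 to a gateway, so the firewall must answer those ARP requests itself, whereas renumbering the internal half into its own /25 makes scenario 1 route like scenario 2.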