Firewall Wizards mailing list archives
Re: Firewall routing thought...
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Thu, 08 Jul 2004 16:48:06 -0400
Aaahhhh, if they are on the same subnet, why is the gateway involved at all? Last time I checked, 10.1.1.1 (assume mask 255.255.255.0) talked directly to 10.1.1.2, no gateway in the middle. There is an automagic 'static route' that says 10.1.1.x is local to the segment.

On Tue, 6 Jul 2004 13:50:18 -0400 (EDT) Gwendolynn ferch Elydyr penned:

> On Fri, 2 Jul 2004, Eric Appelboom wrote:
>
> > If one has firewall A with external IP on the same subnet as firewall B, how common is the practice of adding static routes on firewall A for the networks protected by firewall B and the other way round? Would this technique not lower the latency or overheads of not having the packets en route from firewall A to firewall B being sent to its default gateway, to then be processed by the router and sent to firewall B? Thus the traffic would be direct A<-->B.
>
> I think you're a bit confused about how routing/routers work, and what the relative "costs" are. Your network layout isn't really clear from your email, but as soon as you make a change in broadcast domains, the router is going to be involved.
>
> > Besides being a tad messy, would it be considered, and at what traffic rate?
>
> Well - I generally wouldn't consider it at any traffic rate. First of all, it's not likely to improve your latency or overhead. The packets are still going to be seen by the router. Secondly, you've now added complexity to your network in the form of a bunch of static routes in different places, all of which need to be maintained - and almost certainly won't be, until some change breaks things.
>
> "a tad messy" is almost always a signal to run away screaming. That's code for "unmaintainable" and "all-nighters".
>
> Ranting briefly, a good design should be clear and easy to understand and explain. If you find yourself handwaving, or muttering quickly to get past some point in your design [or adding in "here be dragons"], you should stop and figure out why.
--
Dana Nowell
Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
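The two points argued above (the implicit connected route Dana describes, and the static routes Eric proposed for the networks behind firewall B) can be shown with a small longest-prefix-match route lookup. This is an added example, not code from the thread; the addresses (firewall A at 10.1.1.1/24, firewall B at 10.1.1.2, the router at 10.1.1.254, and 192.168.2.0/24 behind B) are constructed for illustration.

```python
import ipaddress

# Added example: a minimal host-style routing table with longest-prefix
# match. The connected route for the interface's own subnet is derived
# from the address and mask, just as a host's stack does ("automagic").
# All addresses are constructed for illustration.

def build_table(iface_ip, iface_mask, default_gw, static_routes=()):
    """Return a list of (network, next_hop) entries.

    next_hop None means 'deliver directly on the link'.
    """
    iface = ipaddress.IPv4Interface(f"{iface_ip}/{iface_mask}")
    table = [(iface.network, None)]  # connected route, never configured by hand
    table += [(ipaddress.IPv4Network(net), ipaddress.IPv4Address(gw))
              for net, gw in static_routes]
    table.append((ipaddress.IPv4Network("0.0.0.0/0"),
                  ipaddress.IPv4Address(default_gw)))  # default route, least specific
    return table

def next_hop(table, dst):
    """Longest-prefix match: the most specific matching network wins."""
    dst = ipaddress.IPv4Address(dst)
    best = max((e for e in table if dst in e[0]), key=lambda e: e[0].prefixlen)
    gw = best[1]
    return ("direct", str(dst)) if gw is None else ("via", str(gw))

# Firewall A: external 10.1.1.1/24, default gateway (the router) 10.1.1.254.
# Firewall B: external 10.1.1.2 on the same segment, protecting 192.168.2.0/24.
A_PLAIN = build_table("10.1.1.1", "255.255.255.0", "10.1.1.254")
A_WITH_STATIC = build_table("10.1.1.1", "255.255.255.0", "10.1.1.254",
                            static_routes=[("192.168.2.0/24", "10.1.1.2")])

if __name__ == "__main__":
    # A -> B's external address: on-link either way, the gateway is never consulted.
    print(next_hop(A_PLAIN, "10.1.1.2"))            # ('direct', '10.1.1.2')
    # A -> a host behind B: without a static route the packet goes to the router...
    print(next_hop(A_PLAIN, "192.168.2.10"))        # ('via', '10.1.1.254')
    # ...and straight to B's external address once the proposed static route exists.
    print(next_hop(A_WITH_STATIC, "192.168.2.10"))  # ('via', '10.1.1.2')
```

The static route entry is exactly the extra per-box state Gwendolynn warns about: it has to be kept in step with B's protected networks on every firewall that carries it.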