Re: Routing same subnet problem

From: Andrius Adomaitis (charta@gaumina.lt)
Date: Sun Apr 29 2001 - 08:35:49 EST


On Saturday 28 April 2001 19:07, Glynn Clements wrote:
> Thomas Kotzian wrote:
> > what do i have to do to have a DMZ without bridging? - how do i
> > have to configure routing. - please help!

As far as I know there are the following solutions:
- transparent bridging (bad solution);
- some sort of NAT (bad solution);
- use different nets on both fw sides (probably the best).

I believe you can't forward packets in the normal way from the same network
to the same network. You need to use different networks on both
firewall interfaces. So, the scheme should look like this:

p2p1=[A]----[B]=p2p2=[C]---[D]=Firewall=[E]---- DMZ

where:

p2p1 - is the Point to Point iface on the ISP side, having some IP "A"/30;
p2p2 - is the P2P iface on YOUR side, probably on some cisco router, having
IP "B"/31 on the same subnet as "A".

"C" is an interface on the same cisco, having some private IP address, for
example 192.168.0.1/31;
"D" is the iface on YOUR firewall linux box, having IP 192.168.0.2/30;

"E" is the second interface on your firewall, having some subnet of routable
internet addresses provided by your ISP, say 100.100.100.244/27

DMZ - is the LAN with boxes having these routable IPs - e.g.
100.100.100.245/27, and so on...

Firewall has static default gw 192.168.0.1, and cisco has route to
100.100.100.224/27 network nexthop 192.168.0.2.

You should ask your ISP to set up the cisco router that way.
The good thing is that this is done without any advanced techniques, just
using proper static routes.
The bad thing is that actually your firewall is sitting on a private IP, and
you cannot ping from it to the internet :) But there is a simple workaround
for this with iptables + SNAT.

> Unless you are using proxy-ARP, you need to:
>
> a) configure the routing tables on the DMZ hosts to use the firewall
> as the gateway to the Internet (and the external router, if you need
> to talk to it), and
>
> b) configure the routing table on the external router to use the
> firewall as the gateway to the DMZ hosts.

> You may wish to use "sysctl -w net.ipv4.conf.all.proxy_arp=1" to
> enable "automatic" proxy-ARP on both interfaces.

This is not necessary. I run without it.

Good luck,

-- 
// Andrius Adomaitis    Sistemu Administratorius
// charta@gaumina.lt    UAB Gaumina dizainas
// tel.+370-85-54454    http://www.gaumina.lt
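The static-route scheme described in the reply above, modelled as an added example (not from the post or its author): a longest-prefix-match lookup over the cisco's and the firewall's route tables with the addresses the post gives, plus the SNAT step for the firewall's own private address. The ISP p2p addresses "A" and "B" are assumed documentation-range values (203.0.113.1/2), since the post does not give them.

```python
import ipaddress

# Addresses from the post; the ISP link (A/B) is an assumed placeholder.
ISP_A = ipaddress.ip_address("203.0.113.1")     # "A", ISP side of the p2p (assumed)
CISCO_B = ipaddress.ip_address("203.0.113.2")   # "B", customer side (assumed)
CISCO_C = ipaddress.ip_address("192.168.0.1")   # "C", cisco side of the private link
FW_D = ipaddress.ip_address("192.168.0.2")      # "D", firewall side of that link
FW_E = ipaddress.ip_address("100.100.100.244")  # "E", firewall's routable DMZ iface

# Route tables as (prefix, next hop); None means directly connected.
CISCO_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ISP_A),             # default towards ISP
    (ipaddress.ip_network("192.168.0.0/30"), None),         # link to the firewall
    (ipaddress.ip_network("100.100.100.224/27"), FW_D),     # DMZ reached via firewall
]
FIREWALL_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), CISCO_C),           # static default gw
    (ipaddress.ip_network("192.168.0.0/30"), None),
    (ipaddress.ip_network("100.100.100.224/27"), None),     # DMZ is on-link on E
]
NODES = {"cisco": CISCO_ROUTES, "firewall": FIREWALL_ROUTES}
OWNER = {CISCO_B: "cisco", CISCO_C: "cisco", FW_D: "firewall", FW_E: "firewall"}

def next_hop(routes, dst):
    """Longest-prefix match. Returns the gateway, or dst itself when on-link."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    prefix, gw = max(hits, key=lambda r: r[0].prefixlen)
    return gw if gw is not None else dst

def trace(start, dst):
    """Follow next hops node by node; returns the gateways traversed until
    the packet is delivered on-link or handed to the ISP at A."""
    path, node, dst = [], start, ipaddress.ip_address(dst)
    while True:
        hop = next_hop(NODES[node], dst)
        if hop is None or hop == dst:
            return path                      # on-link delivery at this node
        path.append(hop)
        if hop not in OWNER:
            return path                      # left to the ISP
        node = OWNER[hop]

def egress_source(src):
    """The SNAT workaround: the firewall's own traffic would leave with the
    private address D, which the Internet cannot answer, so rewrite it to E.
    DMZ hosts already have routable addresses and are left untouched."""
    src = ipaddress.ip_address(src)
    return FW_E if src == FW_D else src
```

Packets from a DMZ host towards the Internet follow the firewall's default route to C and then the cisco's default to A; return traffic for 100.100.100.224/27 is sent by the cisco to D.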