On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:
> I have a /24 subnet.
> .1 is the gateway and almost all IPs from 2 to 254 are occupied.
> I would like to split the hosts into three groups:
> 12 that can have full access, 12 through one firewall and the other 205
> through a second firewall.
> I cannot change the numbers of some machines, so the only option is
> that the first 12 and the two firewalls are .2 to .14,
> the second group is .18 to .29 and the third would keep its present
> numbers between .36 and .254.
Why not have a single firewall? If you want to have two firewalls, make an HA cluster out of them. If you are interested in physically separating the subnets then I would just put extra interfaces on the firewall (basically multiple DMZs).

- assume subnet is 1.1.1.0/24
- all machines behind firewall get 1.1.1.0/24 subnet
- firewall gets 1.1.1.2/24 assigned to its external interface (side facing router)
- firewall does proxy arp for all IPs in the subnet on its external interface
- if you like, firewall does proxy arp for 1.1.1.1 on its internal interface and then machines shouldn't even have to change their gateway
- firewall rules are written as you require. Even though the subnet 1.1.1.0/28 doesn't really exist you can write your firewall rules in that way

The firewall will probably need an IP on its internal interface; you might be able to use the same IP on both inside and outside interfaces. If you're using 1.1.1.1 as the gateway and proxy arping for it on the internal interface then I have a suspicion that no IP would be needed.

You can avoid doing any proxy arp if you set up the routing correctly on your router at 1.1.1.1.

If these computers are Internet hosts (webservers, mailservers, etc.) I prefer to stick with private IPs on the hosts and to use DNAT to forward traffic to the machines.

On another note, shorewall is an excellent framework for managing iptables rules; it will even manage proxy arp for you when you need to use that.

--
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux
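The single-firewall proxy-ARP layout Fraser describes, applied to the three host groups from the question, as an added shell example that is not part of the original thread. The interface names (eth0/eth1), putting the firewall's 1.1.1.2 on the external interface as a /32 so the /24 route can point inward, and the per-group policies are assumptions; run it with `print` first to review the commands, then `apply`.

```shell
#!/bin/sh
# Added example (not from the original thread): one Linux firewall dropped
# into 1.1.1.0/24 using proxy ARP. Interface names and policies are assumed.
set -eu
EXT=eth0                      # faces the router at 1.1.1.1
INT=eth1                      # faces the hosts
GW=1.1.1.1
FULL=1.1.1.0/28               # .2-.14: firewall plus the 12 unrestricted hosts
GROUP2=1.1.1.16/28            # .18-.29 sit inside this "virtual" /28
GROUP3_RANGE=1.1.1.36-1.1.1.254   # not a single CIDR block, so use iprange

# Echo commands when DRY_RUN=1, otherwise execute them.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

routes_and_proxy_arp() {
    run sysctl -w net.ipv4.ip_forward=1
    # Assumption: a /32 on EXT avoids a conflicting connected /24 route there.
    run ip addr add 1.1.1.2/32 dev "$EXT"
    # Every host is reached through INT; only the router lives on EXT.
    run ip route add 1.1.1.0/24 dev "$INT"
    run ip route add "$GW/32" dev "$EXT"
    run ip route add default via "$GW" dev "$EXT"
    # proxy_arp on EXT answers the router's ARP for every host routed via INT;
    # proxy_arp on INT answers the hosts' ARP for 1.1.1.1, so they keep their gateway.
    run sysctl -w "net.ipv4.conf.$EXT.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$INT.proxy_arp=1"
}

filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Group 1: full access both ways, written against the /28 that does not really exist.
    run iptables -A FORWARD -s "$FULL" -j ACCEPT
    run iptables -A FORWARD -d "$FULL" -j ACCEPT
    # Group 2: may initiate anything; from outside only HTTP/HTTPS reaches them.
    run iptables -A FORWARD -s "$GROUP2" -j ACCEPT
    run iptables -A FORWARD -d "$GROUP2" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Group 3: outbound only.
    run iptables -A FORWARD -m iprange --src-range "$GROUP3_RANGE" -j ACCEPT
}

# Number of FORWARD rules the policy produces (useful for a quick sanity check).
rule_count() { (DRY_RUN=1; filter_rules) | grep -c '^iptables -A FORWARD'; }

case "${1:-print}" in
    print) DRY_RUN=1; routes_and_proxy_arp; filter_rules ;;
    apply) routes_and_proxy_arp; filter_rules ;;
esac
```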