If I set one of the NICs to a 255.255.255.255 netmask (I know it's a "cheat"), say the one that connects to the 192.168.1.0 LAN, won't it be able to connect to the LAN that way?

Also, what if I add an alias to the second NIC on the box and do something like:

192.168.1.120 (Router)
|
192.168.1.121 (1st NIC on the firewall)
|
192.168.0.1 (2nd NIC on the firewall)
|
192.168.1.122 (Alias to 2nd NIC on the firewall)
|
192.168.1.0 Internal Network

On the firewall, 192.168.1.121 and 192.168.0.1 would exchange packets, and 192.168.0.1 and 192.168.1.122 would also exchange packets. All that is needed is a way for the 3 interfaces in the firewall (2 real, 1 alias) to pass packets between themselves. Wouldn't it work this way?

--------------------------
Elaconta.com webmaster
--------------------------

On 7/27/2006, "Stuart Henderson" <[EMAIL PROTECTED]> wrote:

>On 2006/07/26 23:37, elaconta.com Webmaster wrote:
>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>> <-> (192.168.1.0/24) LAN
>
>> From what I've googled, this shouldn't even be possible, everything is
>> on the same subnet. Regardless, it works great, and if I went and got an
>> OpenBSD rig to replace the old Linux rig, it would have to retain this
>> networking scheme, we can't afford to reconfigure the entire network
>> just for switching our firewall.
>
>Ah, it sounds like you're not running DHCP then... If you do get
>the opportunity sometime, it's probably worth doing (even if you use
>it to hand out static addresses).
>
>> I know we could use a network bridge, but we need the caching
>> nameserver functionality.
>
>Bridging doesn't prevent this. The main problem area I've seen is
>with ftp-proxy (some old posts suggested it can work but I've never
>been able to get it running. ftpsesame isn't as clean but is great
>in this situation). Running standard services on a box that's also
>a bridge works ok.
>
>You can probably bridge and on one of the interfaces, set one address
>as /24, one as /32 alias. If the default route of LAN machines is .122
>rather than .120, also turn on inet.ip.forwarding. In that case,
>packets LAN->router will be routed via 122, packets router->LAN will
>be bridged. If it doesn't work out, tcpdump (from various points on
>the network) is your friend.
>
>I guess that the Linux box may be proxy-arp'ing. With Linux
>proxy-arp can be bound to a certain interface; that's not the
>case here so it doesn't really work in this situation (you'd
>be answering ARP requests on the same network the real host
>is on).
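The addressing layouts discussed in this thread, run through a small longest-prefix on-link check. This is an added illustration, not code from the thread or from OpenBSD; the interface names fxp0 (router side) and fxp1 (LAN side) are assumptions, and the addresses are the ones quoted above.

```python
from ipaddress import IPv4Address, IPv4Interface


def on_link_candidates(ifaces, dst):
    """Names of the interfaces whose connected network contains dst, keeping
    only those with the longest matching prefix (how a kernel picks the
    outgoing interface for an on-link destination).  Empty list: dst is not
    on-link and needs a gateway route.  Several names: more than one NIC
    claims the same subnet, so the choice between them is arbitrary."""
    dst = IPv4Address(dst)
    hits = {}
    for name, addrs in ifaces.items():
        for a in addrs:
            if dst in a.network:
                hits[name] = max(hits.get(name, 0), a.network.prefixlen)
    if not hits:
        return []
    best = max(hits.values())
    return sorted(n for n, plen in hits.items() if plen == best)


# Constructed layouts using the addresses from the thread; the interface
# names fxp0 (router side) and fxp1 (LAN side) are assumptions.
SAME_SUBNET_TWICE = {   # the running Linux setup as described: one /24 per NIC
    "fxp0": [IPv4Interface("192.168.1.121/24")],
    "fxp1": [IPv4Interface("192.168.1.122/24")],
}
ALIAS_AS_24 = {         # second proposal, with the alias given the LAN's /24
    "fxp0": [IPv4Interface("192.168.1.121/24")],
    "fxp1": [IPv4Interface("192.168.0.1/24"), IPv4Interface("192.168.1.122/24")],
}
LAN_SIDE_32 = {         # /32 on the LAN-side NIC (the "cheat" / the /32 alias)
    "fxp0": [IPv4Interface("192.168.1.121/24")],
    "fxp1": [IPv4Interface("192.168.1.122/32")],
}

if __name__ == "__main__":
    # With LAN_SIDE_32 every 192.168.1.x host is reached through fxp0, the
    # router-side NIC: LAN->router traffic routes fine, but packets bound for
    # LAN hosts leave on the wrong wire unless fxp0 and fxp1 are bridged.
    for label, ifaces in (("same /24 twice", SAME_SUBNET_TWICE),
                          ("alias as /24", ALIAS_AS_24),
                          ("LAN side /32", LAN_SIDE_32)):
        for dst in ("192.168.1.120", "192.168.1.50"):
            print(f"{label:15} {dst:15} -> {on_link_candidates(ifaces, dst)}")
```

The two-name results are the "shouldn't even be possible" case; the single fxp0 result for the /32 layout is why the /24 plus /32 alias only works together with the bridge.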