On 2008-03-05, Almir Karic <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 5, 2008 at 11:04 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>> On 2008-03-05, Almir Karic <[EMAIL PROTECTED]> wrote:
>>  > this is the deal, i am designing the network and i have some
>>  > questions, regarding route (OBSD 4.2) setup. the relevant interfaces
>>  > are $dmz_if (uplink for the servers in DMZ) and $ext_if the router
>>  > uplink.
>>  >
>>  > the idea is to save one external IP by NOT assigning an external IP to
>>  > the $dmz_if, is it possible?
>>
>>  You say you're *designing* the network, so you're not trying to hack an
>>  extra address out of an existing too-small setup. The correct approach is
>>  to ask your ISP or LIR for a block of addresses the right size to fit
>>  the machines you need. This is perfectly justified.
>
> the situation is the following, right now we have a linux router
> which has 3 IF's: uplink, dmz and lan, we don't like the way it does
> nat for both lan (which is OK) and DMZ, which has proven not to be too
> good, i am trying to replace that old linux router with OBSD router,
> and would like to take the opportunity to get rid of nat, while still
> not wasting the additional external ip.

Well, you need an IP address that the DMZ hosts can use as their gateway,
and it needs to get in their ARP table somehow...

There are ways, but they're hacks, and harder to get right than NAT or
asking for another address. (And if you're already using NAT, you'll be
renumbering the end hosts anyway, so moving block shouldn't be all that
painful).

If you're as clever as you (or people on a mailing list) can be when
configuring things, fixing any breakages can be a bit of a problem.
