From: John Wilson
To: Nick Rogness
Cc: freebsd-hackers@FreeBSD.ORG
Date: Mon, 30 Apr 2001 10:05:51 -0700 (PDT)
Subject: Re: ipfw routing/netmask problem

Dear Nick,

Thanks for your prompt reply.

> On Mon, 30 Apr 2001, John Wilson wrote:
>
> > I have 30 IP addresses assigned to me by my ISP, for the sake of this
> > example let's say I've got 90.91.92.0/27. The FreeBSD box has 2
> > interface cards, fxp0 and fxp1, fxp0 connected to the router, fxp1 to
> > the ethernet switch.
>
> OK.
>
> > The router is 90.91.92.1, fxp0 is 90.91.92.2, netmask 255.255.255.252
> > (broadcast 90.91.92.3)
>
> Is the netmask on the router set as a /30 as well?

No, the router routes everything from 90.91.92.0/27 to the machine's exposed interface (90.91.92.2).

> > fxp1 is bound to several IPs, 192.168.1.254 and 192.168.2.254 for two
> > different types of NAT clients, and 90.91.92.4 for the DMZ.
>
> Define "2 different types of NAT clients". Your DMZ is not on a
> separate network of your private network? By doing that you are
> getting rid of the whole concept of having a DMZ.

Two different companies sharing the line.
It's easier to use two different unregistered subnets for NAT clients (bandwidth accounting, etc.), although both are aliased to appear from the exposed interface (90.91.92.2). I don't see a problem with the DMZ being on the same network with everyone else, other than that people can steal routable IPs, but then the firewall is configured to block all incoming traffic to 62.90.91.2 (except for established connections), and has specific rules for each allowed DMZ server (allow incoming 25 for mail, 80 for http, etc.), so even if someone steals an extra IP, the firewall will reject them.

> Also, run private address space on the DMZ OR set the address of
> the DMZ to be 90.91.92.17/28...see below for more details.
>
> > The intention is that NAT clients use 192.168.1.254 (or 192.168.2.254)
> > as their default gateway, and DMZ clients use 90.91.92.4.
> >
> > The question is how to choose a netmask for fxp1 that would exclude
> > the default gateway (90.91.92.1), so the machine would route via fxp0.
> >
> > Is there a way to save IPs (I need at least 12 DMZ IPs), while
> > achieving the same goal?
>
> You have 2 options here.
>
> 1) Set up proxy arp on your outside interface. Binding the whole
> /27 address range (with exception of the router's IP) to your BSD
> machine. Make natd translations accordingly.

Which option is better? How do I set up proxy arp?

> 2) Set up your DMZ using the 90.91.92.16/28 IP range, which gives you
> enough IPs to play with, and leaves the 90.91.92.4/30 and
> 90.91.92.8/29 subnets to play with. Add the routes in the router
> to route the subnets to your BSD machine's IP. Make natd
> translations accordingly if you decide to run private address
> space for your DMZ; if not, no additional work needs to be done.

This seems like a good solution. Please help me figure out the subnets/routes I need to use.
So far, I have this:

               /---------------------\
               |  router 90.91.92.1  |
               \---------------------/
                          |
                          |
  /---------------------\     /---------------------\
  |  fxp0 90.91.92.2/30 |-----|  fxp1 90.91.92.?/?  |
  \---------------------/     \---------------------/
                                  -|       |       |-----------
                                   |       |       |
                               /-------\ /-------\ /-------\
                               | NAT 1 | | NAT 2 | |  DMZ  |
                               \-------/ \-------/ \-------/

All I gotta do is fill in the missing blanks :)

Thanks a lot for your help

John Wilson

> Nick Rogness
> - Keep on Routing in a Free World...
> "FreeBSD: The Power to Serve!"
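The subnet arithmetic behind Nick's option 2, as an added worked example that is not part of the original thread: it checks that the /27 carve-up is consistent, that a /28 on fxp1 keeps the ISP router out of fxp1's network (the original netmask question), how many DMZ addresses remain, and which static routes the ISP router needs. It uses Python's ipaddress module with the addresses from the thread and assumes the BSD box takes 90.91.92.17 (Nick's suggested address) on fxp1.

```python
import ipaddress

# Addresses from the thread; the /28 gateway address is Nick's suggestion.
ISP_BLOCK = ipaddress.ip_network("90.91.92.0/27")
ROUTER = ipaddress.ip_address("90.91.92.1")
FXP0 = ipaddress.ip_interface("90.91.92.2/30")
FXP1_DMZ = ipaddress.ip_interface("90.91.92.17/28")
# The naive choice (assumed): fxp1 configured with the whole /27 mask.
FXP1_NAIVE = ipaddress.ip_interface("90.91.92.4/27")

# Option 2 carve-up of the /27: router link net, two spare nets, DMZ net.
PLAN = {
    "fxp0 link": ipaddress.ip_network("90.91.92.0/30"),
    "spare /30": ipaddress.ip_network("90.91.92.4/30"),
    "spare /29": ipaddress.ip_network("90.91.92.8/29"),
    "dmz /28": ipaddress.ip_network("90.91.92.16/28"),
}


def plan_is_consistent(plan, block):
    """True if every subnet sits inside the ISP block, none overlap,
    and together they use the block exactly (no addresses lost)."""
    nets = list(plan.values())
    if not all(n.subnet_of(block) for n in nets):
        return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return sum(n.num_addresses for n in nets) == block.num_addresses


def fxp1_excludes_gateway(fxp1, router):
    """The original question: fxp1's netmask must leave the ISP router
    outside fxp1's network, so the kernel keeps reaching it via fxp0."""
    return router not in fxp1.network


def usable_dmz_hosts(fxp1):
    """Host addresses left for DMZ servers once the BSD box takes its own."""
    return [h for h in fxp1.network.hosts() if h != fxp1.ip]


def router_static_routes(plan, link_net, bsd_ip):
    """Prefixes the ISP router must point at the BSD box's fxp0 address;
    the link network itself is directly connected and needs no route."""
    return {str(n): str(bsd_ip) for n in plan.values() if n != link_net}


if __name__ == "__main__":
    print("plan consistent:", plan_is_consistent(PLAN, ISP_BLOCK))
    print("router outside fxp1 /28:", fxp1_excludes_gateway(FXP1_DMZ, ROUTER))
    print("router outside fxp1 /27:", fxp1_excludes_gateway(FXP1_NAIVE, ROUTER))
    print("DMZ host addresses:", len(usable_dmz_hosts(FXP1_DMZ)))
    for prefix, nh in router_static_routes(PLAN, FXP0.network, FXP0.ip).items():
        print(f"route {prefix} via {nh}")
```

With the /27 mask on fxp1 the router 90.91.92.1 falls inside fxp1's network, which is exactly why the /28 (or another mask that excludes .1) is needed.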