Date:      Mon, 30 Apr 2001 10:05:51 -0700 (PDT)
From:      John Wilson <john_wilson100@excite.com>
To:        Nick Rogness <nick@rogness.net>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: ipfw routing/netmask problem
Message-ID:  <17607983.988650352302.JavaMail.imail@almond.excite.com>

Dear Nick,

Thanks for your prompt reply.

>  On Mon, 30 Apr 2001, John Wilson wrote:
>  
>  > I have 30 IP addresses assigned to me by my ISP, for the sake of this
>  > example let's say I've got 90.91.92.0/27.  The FreeBSD box has 2
>  > interface cards, fxp0 and fxp1, fxp0 connected to the router, fxp1 to
>  > the ethernet switch.
>  
>  	OK.
>  
>  > 
>  > The router is 90.91.92.1, fxp0 is 90.91.92.2, netmask 255.255.255.252
>  > (broadcast 90.91.92.3)
>  > 
>  
>  	Is the netmask on the router set as a /30 as well?


No, the router routes everything from 90.91.92.0/27 to the machine's exposed
interface (90.91.92.2).


>  > fxp1 is bound to several IPs, 192.168.1.254 and 192.168.2.254 for two
>  > different types of NAT clients, and 90.91.92.4 for the DMZ.
>  
>  	Define "2 different types of NAT clients".  Your DMZ is not on a
>  	separate network from your private network?  By doing that you are
>  	getting rid of the whole concept of having a DMZ.

Two different companies sharing the line.  It's easier to use two different
unregistered subnets for NAT clients (bandwidth accounting, etc.), although
both are aliased to appear from the exposed interface (90.91.92.2).

I don't see a problem with DMZ being on the same network with everyone else,
other than that people can steal routable IPs, but then the firewall is
configured to block all incoming traffic to 62.90.91.2 (except for
established connections), and has specific rules for each allowed DMZ server
(allow incoming 25 for mail, 80 for http, etc.), so even if someone steals
an extra IP, the firewall will reject them.


>  	Also, run private address space on the DMZ OR set the address of
>  	the DMZ to be 90.91.92.17/28...see below for more details.
>  
>  > 
>  > The intention is that NAT clients use 192.168.1.254 (or 192.168.2.254)
>  > as their default gateway, and DMZ clients use 90.91.92.4.
>  > 
>  > The question is how to choose a netmask for fxp1 that would exclude
>  > the default gateway (90.91.92.1), so the machine would route via fxp0.
>  > 
>  > Is there a way to save IPs (I need at least 12 DMZ IPs), while
>  > achieving the same goal?
>  
>  
>  	You have 2 options here.
>  
>  	1) Setup proxy arp on your outside interface.  Binding the whole
>  	/27 address range (with exception of the router's IP) to your BSD
>  	machine.  Make natd translations accordingly.

Which option is better?  How do I set up proxy arp?

>  	2) Setup your DMZ using the 90.91.92.16/28 IP range, which gives you
>  	enough IPs to play with, and leaves the 90.91.92.4/30 and
>  	90.91.92.8/29 subnets to play with. Add the routes in the router
>  	to route the subnets to your BSD machine's IP.  Make natd
>  	translations accordingly if you decide to run private address
>  	space for your DMZ; if not, no additional work needs to be done.

This seems like a good solution.  Please help me figure out the
subnets/routes I need to use.  So far, I have this:

/---------------------\
|  router 90.91.92.1  |
\---------------------/
         |
         |
/---------------------\   /---------------------\
| fxp0 90.91.92.2/30  |---|  fxp1 90.91.92.?/?  |
\---------------------/   \---------------------/
                               -|     |    |-----------
                              |       |               |
                          /-------\   /-------\   /-------\
                          | NAT 1 |   | NAT 2 |   |  DMZ  |
                          \-------/   \-------/   \-------/

All I gotta do is fill in the missing blanks  :)

Thanks a lot for your help

John Wilson


>  
>  
>  Nick Rogness <nick@rogness.net>
>   - Keep on Routing in a Free World...
>    "FreeBSD: The Power to Serve!"
>  
>  
>
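Added worked example (not part of the thread, and not anyone's configuration): it carves the /27 from the thread the way option 2 proposes (90.91.92.0/30 on the fxp0 link, 90.91.92.16/28 for the DMZ), reports what is left over, and checks that the fxp1 subnet does not swallow the router, which is the original question. Addresses and the "12 DMZ hosts" figure are taken from the thread; the function names are this example's own.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed from the thread: the ISP's /27, the router, and Nick's proposed split.
ISP_BLOCK = IPv4Network("90.91.92.0/27")
ROUTER = IPv4Address("90.91.92.1")
FXP0 = IPv4Interface("90.91.92.2/30")        # link subnet towards the router
DMZ = IPv4Network("90.91.92.16/28")          # fxp1 would take 90.91.92.17/28
DMZ_HOSTS_NEEDED = 12


def leftover_subnets(block, assigned):
    """Return the sub-blocks of `block` not used by any network in `assigned`."""
    remaining = [block]
    for used in assigned:
        nxt = []
        for net in remaining:
            if used.subnet_of(net):
                nxt.extend(net.address_exclude(used))  # yields nothing if equal
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def validate_plan(block, router, link_iface, dmz_net, hosts_needed):
    """Return a list of problems with a proposed carve-up; an empty list means it is consistent."""
    problems = []
    for net in (link_iface.network, dmz_net):
        if not net.subnet_of(block):
            problems.append(f"{net} is outside the ISP block {block}")
    if link_iface.network.overlaps(dmz_net):
        problems.append("link subnet and DMZ subnet overlap")
    if router not in link_iface.network:
        problems.append("router is not on the fxp0 link subnet")
    if router in dmz_net:
        problems.append("router falls inside the fxp1 subnet, so fxp1 would own the gateway")
    # network, broadcast and fxp1's own address are not available to DMZ hosts
    if dmz_net.num_addresses - 3 < hosts_needed:
        problems.append(f"{dmz_net} leaves fewer than {hosts_needed} DMZ host addresses")
    return problems


if __name__ == "__main__":
    print("leftover:", leftover_subnets(ISP_BLOCK, [FXP0.network, DMZ]))
    print("option 2 problems:", validate_plan(ISP_BLOCK, ROUTER, FXP0, DMZ, DMZ_HOSTS_NEEDED))
    # the naive choice of putting the whole /27 on fxp1 fails the checks
    print("whole /27 on fxp1:", validate_plan(ISP_BLOCK, ROUTER, FXP0, ISP_BLOCK, DMZ_HOSTS_NEEDED))
```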