Subnetting

Dustin Decker dustind at moon-lite.com
Wed Nov 20 18:55:18 CST 2002 

On Wed, 20 Nov 2002, Lucas Peet wrote:

> Well, basically, I'm working on a triple-homed firewall.  The block of
> 'real' IP's will be for the DMZ, I'll use 10.0.0.x for the internal
> network, but I still need 2 IP's (one for the external interface, and
> one for the router) that are on a different network, so I can route
> properly between the external interface, and the DMZ.

What type of firewall?  I expect what they refer to as a DMZ is likely 
just a screened subnet.

> Maybe I'm confused here - I guess I'm just trying to apply what I
> learned from my own dual homed firewall to a triple homed with a DMZ.

Indeed - the catch here is that in general you are dealing with three
distinct networks.  It would probably be a better idea to continue using
your ISP supplied address on the interface that is on the Internet, a
private 192.168.0.0/24 range on your DMZ interface, and your current
10.1.1.0/24 address range on your internal interface.

> Maybe I just don't know enough about routing yet?  I guess I don't
> understand how I would route from eth0 to eth2 properly, when they're on
> the same network block.

Without being rude, yes - you nailed it here on this one.

> Should I just ask the ISP for 2 other IP's on a different network block?
> (I *know* they have subnets that are only 2 (useful) IP's long (total of
> 4) ).

This won't work - and they probably won't give you one anyway.  Use the 
two private ranges as I indicated further up in this post - I expect when 
you look at it this was it will make more sense.  (Pardon my ASCI art, I'm 
lame.)

/-----------| Internet  |
-----------/
	|
	|
	|
/--------------------------------          
|				 |  <------ (this is the firewall)
| [Live IP Address]  eth0    	 |   
|			     	 |
| [DMZ NIC 192.168.0.1]	eth1	 |---------------- DMZ (WWW, FTP, etc)
|				 |
| [LAN NIC 10.1.1.1/24] eth2	 |
|				 |
--------------------------------/
		|
		|
		|
	       LAN

I hope this helps out.
Dustin
	
--
*-----------------------------------*
| Dustin Decker                     |
| dustind at moon-lite.com       *-----------------------------------------*
| http://www.dustindecker.com | "It is by the fortune of God that, in   |
| Moon-Lite Computing         | his country, we have three benefits:    |
| 913.579.7117                | freedom of speech, freedom of thought,  |
*-----------------------------| and the wisdom never to use either."    |
                              |                                         |
                              |		-- Mark Twain                   |
                              |                                         |
                              *-----------------------------------------*

More information about the Kclug mailing list