static Posted June 4, 2003

This is sort of a networking question, but seeing as it has to do with my firewall, I put it here (mods (OF WHICH I AM NOT :( ) feel free to move this if need be).

- SMC-Ultra ISA pnp 10Mbit (eth2 {DHCP client} - Internet)
- Intel EPro 100 (eth0 {192.168.1.1} - LAN)
- " " (eth1 {192.168.1.10} - DMZ)

Do I give eth1 an internal IP (192.168.1.0) or an IP on the same segment as the IP eth2 will receive via DHCP from the ISP? Note I won't know what segment it'll be! How will the servers know where to go? They'll need IPs that are static and internet-like, no? I have never run a server outside a secure, internal network!! (RCMP network specialist :roll: )

Or is the DMZ eth1 interface transparent to the servers and the traffic just gets routed through my firewall (and out eth2)?

On a side note (I'd like to know the above anyway) - should I use (do you recommend) NAT and port forwarding instead of giving the servers real IPs?

Thanks again for helping me clear this up!

Frustrated in Ottawa
paul Posted June 4, 2003

yes give eth1 a static ip on a private subnet
192.168.1.1 is what I use
eth0 is a public IP 202.27.218.97
eth2 is on a private subnet 10.0.0.1

if you are using dhcp on your dmz (eth2) be sure not to make eth1 on the same subnet ... if you start up eth2, then ifconfig eth2 will give you the assigned IP, hopefully not in the 192.168.1.0/24 subnet

NAT is far more secure than using public IPs on your network, not to mention cheaper. and if anybody visits (like many people do in my house) you can easily add them into your network ... give them a 192.168.1.0/24 address, and make the gateway 192.168.1.1 .... 8)
static Posted June 5, 2003 (Author)

But I thought you can't use dhcp for the DMZ 'cause it'll make it hard for clients to find it...
paul Posted June 5, 2003

yes you can ... but you have to make sure the DMZ has been assigned an IP before you start iptables

if you use shorewall to configure iptables (I do) you set up

dmz eth2 detect,noping,routestopped #or whatever other params you want

but if your IP hasn't been assigned yet .. it won't work
static Posted June 5, 2003 (Author)

Not sure what you mean... the DMZ is eth1. The world won't have trouble connecting if the IP's different? Who updates the internet's dns servers?

I don't really want to use dhcp for the DMZ, I'd rather use static IPs. But do those static IPs have to be local private ones or public usable internet ones?

Am I correct in assuming that I could give the eth1 DMZ interface a private IP like 10.10.10.1, the server an IP on the same subnet (private) 10.10.10.2 and use port forwarding, eg. 64.12.123.7 (eth2, by dhcp - internet) sees a request on port 23 for ftp and sends it to 10.10.10.2 port 23?

And you say don't put the server in the same subnet, eh? OK, so my LAN will use the default gateway 192.168.1.1 to find the 10.10.10.0 segment, correct?

Thanks, this is getting clearer if I'm right.
paul Posted June 5, 2003

ok so here are some options for you

eth0 = lan (192.168.1.1)
eth1 = dmz (10.0.0.1)
eth2 = wan (202.0.0.202)

all ip's are static (he he ... funny :-P )

you put a computer on your dmz, and give it an ip 10.0.0.2 with subnet 255.255.255.0 and gateway 10.0.0.1 ... cool? now when you want to forward packets to a server (webserver say) you would do something like this

DNAT 202.0.0.202 10.0.0.2 80 -

and it will work sweet as !!!

or you put a computer on your dmz, and give it an ip 202.0.0.203 with subnet 255.255.255.192 and gateway 10.0.0.1 ... cool? now when you want to forward packets to a server you would do something like this

step 1 .. proxyarp
202.0.0.203 eth1 eth0 no-haveroute

step 2 .. firewall config
ACCEPT 202.0.0.203 - 80 -

now with eth0 (the lan) turn on masq'ing and put computers on your lan with ip address 192.168.1.2-254 with subnet 255.255.255.0 and gateway 192.168.1.1

I have all of these options set up at home ... and they work sweet as !!!!

here are a few interesting notes tho'

1. IP address (and hardware address) are populated throughout the world using arp cache .. (ARP = Address resolution protocol .. in case you didn't know) ... it works like this

my firewall caches all IP info for my network.
My ISP caches all IP info for its network (including me)
the auckland gateway that my ISP uses caches all IP info for its network (including all my ISP, which includes me)
the NZ gateway caches all IP info for its network (including all Auckland gateway, all my ISP, all me )
...... and so on ... and so on ... etc etc cool?

if you have to replace the NIC on a machine that uses a public IP address, it can take some time for the arp cache to update (normally a few hours ) so if you make changes (as I'm sure you are while building this network) make the changes slowly, and allow time for arp cache to filter.
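Paul's private-DMZ option (DNAT of port 80 to 10.0.0.2 plus masquerading for the LAN) written out as plain iptables rules, as an added example that is not from this thread or from shorewall; it assumes his interface layout (eth0 LAN, eth1 DMZ, eth2 WAN) and the helper names are mine. The generator only prints the rules so they can be reviewed before being run as root, and the lease check covers his point about loading rules before the WAN address exists.

```shell
#!/bin/sh
# Added example: iptables rules for a private DMZ behind a three-NIC firewall.
# Assumed layout (from the thread): eth0 LAN 192.168.1.0/24, eth1 DMZ 10.0.0.0/24,
# eth2 WAN. Nothing here touches the kernel; the output is meant to be reviewed.
LAN_IF=eth0; DMZ_IF=eth1; WAN_IF=eth2
LAN_NET=192.168.1.0/24; DMZ_NET=10.0.0.0/24

# dmz_rules WAN_IP DMZ_HOST PORT -> prints the rule set on stdout
dmz_rules() {
    wan_ip=$1; dmz_host=$2; port=$3
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# LAN hosts go out the WAN side behind the firewall's address ("turn on masq'ing")
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# DNAT: anything arriving on the WAN interface for $wan_ip:$port is rewritten to the DMZ host
iptables -t nat -A PREROUTING -i $WAN_IF -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $dmz_host:$port
# Replies and already-established flows, whichever way they go
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections from the Internet are allowed only to the forwarded port on the DMZ host
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $dmz_host -p tcp --dport $port -m state --state NEW -j ACCEPT
# LAN may reach the DMZ and the Internet; the DMZ may reach the Internet
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT
# DMZ must not open connections into the LAN: the DROP policy blocks it, this just logs it
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state NEW -j LOG --log-prefix "DMZ->LAN blocked: "
EOF
}

# wan_ip_assigned IF -> true only once the DHCP lease on IF has produced an IPv4 address,
# so the rule set is not loaded before the WAN address exists
wan_ip_assigned() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q 'inet '
}

# dnat_count WAN_IP DMZ_HOST PORT -> number of DNAT rules in the generated set (sanity check)
dnat_count() { dmz_rules "$@" | grep -c -- '-j DNAT'; }

# Typical use on the firewall itself, once the lease is in:
#   wan_ip_assigned eth2 && dmz_rules "$(ip -4 -o addr show dev eth2 | awk '{print $4}' | cut -d/ -f1)" 10.0.0.2 80 | sh
```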
static Posted June 6, 2003 (Author)

> all ip's are static (he he ... funny)

Yeah, I picked my name based on the fact that I don't change ;) Thanks, btw.

And yeah I know ARP, and RARP, and GRE, OSPF, RIP, IP, RPC, IPX, IPSec, etc etc etc. my only issue was not understanding how a server could have a dhcp address...