Two VLANs, One Subnet

Michael Torrie torriem at chem.byu.edu
Sat Mar 10 19:40:29 MST 2007


On Sat, 2007-03-10 at 19:29 -0700, Michael Torrie wrote:
> Having said that, you are right about using real IP addresses.  In fact,
> NATting a subnet in the way I have suggested is almost exactly the same
> as using real IP addresses.  The only difference here is that the DMZ
> hosts wish to appear on two different subnets at one time.  That adds
> routing complexities and a greater chance of allowing a host to do
> something it shouldn't do.  In effect you have to have twice as many
> firewall rules.

Sorry about the parse errors.  What that paragraph means to say is that
not using NAT, but doing the proxy arp tricker that Hans is using, can
result in a situation where, since the host has two actual IP addresses
without NAT, you need twice as many firewall rules to make the DMZ.  One
set to govern the public ip address access and another to govern the
traffic to and from the rest of the private hosts.  Further, if your
private hosts are on the same private subnet as the dmz hosts, then you
don't have a DMZ at all anymore, and you've now exposed your entire
network through that server should it get compromised.

Michael





More information about the PLUG mailing list