Two VLANs, One Subnet

Hans Fugal hans at fugal.net
Sun Mar 11 08:45:02 MDT 2007


On Sat, 10 Mar 2007 at 19:40 -0700, Michael Torrie wrote:
> On Sat, 2007-03-10 at 19:29 -0700, Michael Torrie wrote:
> > Having said that, you are right about using real IP addresses.  In fact,
> > NATting a subnet in the way I have suggested is almost exactly the same
> > as using real IP addresses.  The only difference here is that the DMZ
> > hosts wish to appear on two different subnets at one time.  That adds
> > routing complexities and a greater chance of allowing a host to do
> > something it shouldn't do.  In effect you have to have twice as many
> > firewall rules.
> 
> Sorry about the parse errors.  What that paragraph means to say is that
> not using NAT, but doing the proxy ARP trickery that Hans is using, can
> result in a situation where, since the host has two actual IP addresses
> without NAT, you need twice as many firewall rules to make the DMZ.  One
> set to govern the public IP address access and another to govern the
> traffic to and from the rest of the private hosts.  Further, if your
> private hosts are on the same private subnet as the DMZ hosts, then you
> don't have a DMZ at all anymore, and you've now exposed your entire
> network through that server should it get compromised.

I never said DMZ. A DMZ is an extra complication no matter how you look
at it. I don't have extra firewall rules. The LAN is still limited to
the LAN side. The public IPs are still only one set of firewall rules.
The interaction between public and private is just as simple or
complicated as it was - whether it's a deny policy (as NAT would be)
with specific holes punched through, or an allow policy with specific
ports blocked.

BTW, I didn't end up using any proxy ARP at all. It's all routing, and
it's not at all complicated; it's 4 static routes. The Cisco is broken
for ICMP from the LAN, but it doesn't make a practical difference.

-- 
Hans Fugal ; http://hans.fugal.net
 
There's nothing remarkable about it. All one has to do is hit the 
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach