Two VLANs, One Subnet
Michael Torrie
torriem at chem.byu.edu
Sun Mar 11 12:28:04 MDT 2007
On Sun, 2007-03-11 at 08:45 -0600, Hans Fugal wrote:
> I never said DMZ. A DMZ is an extra complication no matter how you look
> at it. I don't have extra firewall rules. The LAN is still limited to
> the LAN side. The public IPs are still only one set of firewall rules.
> The interaction between public and private is just as simple or
> complicated as it was - whether it's a deny policy (as NAT would be)
> with specific holes punched through, or an allow policy with specific
> ports blocked.
Gotcha. Note that NAT doesn't imply any firewall policy at all.
There's nothing intrinsically firewalling in nature about NAT. It's a
simple address translation (two ways). In other words it is just a way
of subnetting. The default would be whatever the FORWARD chain is set
to. The firewalls are applied as normal across this bridge (the FORWARD
chain).
>
> BTW, I didn't end up using any proxy ARP at all. It's all routing, and
> it's not at all complicated; it's 4 static routes. The Cisco is broken
> for ICMP from the LAN, but it doesn't make a practical difference.
Yes. Given that you aren't implementing a DMZ, this is simplest. Are
you still giving each server two IP addresses? How is the routing
dealing with that? Does it require any special configuration of the
servers themselves?
Michael
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
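An added example, not part of the thread, that makes the NAT-versus-FORWARD-chain distinction concrete as an iptables-restore ruleset: the nat table only rewrites addresses, and the filter table's FORWARD chain (here with a deny policy and specific holes) is what actually permits traffic to cross. Interface names and addresses are constructed for the example.

```shell
#!/bin/sh
# Assumed topology (constructed for this example, not from the thread):
WAN_IF=eth0              # public side of the router
LAN_IF=eth1              # private side of the router
LAN_NET=192.168.1.0/24   # private subnet behind NAT
WEB_HOST=192.168.1.10    # internal host that should receive port 80

# Print an iptables-restore ruleset. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the generated text.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Translation only: rewrite the source of LAN traffic leaving on the WAN side.
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
# Steer inbound port 80 to the internal host. Neither nat rule permits anything
# by itself; that decision belongs to the FORWARD chain below.
-A PREROUTING -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${WEB_HOST}:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Deny policy on FORWARD, with specific holes punched through:
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# The one hole matching the DNAT above. Without it the translated packet is
# dropped; with a FORWARD policy of ACCEPT it would pass without any rule here.
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${WEB_HOST} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# To apply on a router (needs root): gen_rules | iptables-restore
gen_rules
```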