Two VLANs, One Subnet

Michael Torrie torriem at chem.byu.edu
Sun Mar 11 12:28:04 MDT 2007


On Sun, 2007-03-11 at 08:45 -0600, Hans Fugal wrote:
> I never said DMZ. A DMZ is an extra complication no matter how you look
> at it. I don't have extra firewall rules. The LAN is still limited to
> the LAN side. The public IPs are still only one set of firewall rules.
> The interaction between public and private is just as simple or
> complicated as it was - whether it's a deny policy (as NAT would be)
> with specific holes punched through, or an allow policy with specific
> ports blocked.

Gotcha.  Note that NAT doesn't imply any firewall policy at all.
There's nothing intrinsically firewalling in nature about NAT.  It's a
simple address translation (two ways).  In other words it is just a way
of subnetting.  The default would be whatever the FORWARD chain is set
to.  The firewalls are applied as normal across this bridge (the FORWARD
chain).

> 
> BTW, I didn't end up using any proxy arp at all. It's all routing, and
> it's not at all complicated; it's 4 static routes. The Cisco is broken
> for icmp from the lan, but it doesn't make a practical difference.

Yes.  Given that you aren't implementing a DMZ, this is simplest.  Are
you still giving each server two IP addresses?  How is the routing
dealing with that?  Does it require any special configuration of the
servers themselves?

Michael
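To make the point in the reply concrete (that NAT on Linux lives in the nat table and filters nothing by itself, while the actual forwarding policy is whatever the filter table's FORWARD chain says), here is an added example that is not from the thread or from either poster. It emits two iptables rulesets for a small NAT router: one with NAT only and FORWARD left at ACCEPT, and one with the same NAT plus a default-deny FORWARD chain. Interface names (eth0/eth1) and the 192.168.1.0/24 prefix are assumptions for illustration; by default the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread. Two iptables rulesets for a
# Linux box doing NAT for a private LAN. Only the filter table's FORWARD
# chain decides what is forwarded; the nat table just rewrites addresses.
WAN=eth0                  # assumed public-facing interface
LAN=eth1                  # assumed private-facing interface
LAN_NET=192.168.1.0/24    # assumed RFC 1918 prefix behind the NAT
IPT=iptables

# NAT only. FORWARD policy stays ACCEPT, so any peer that has a route to
# $LAN_NET (another VLAN, a misrouted upstream) reaches private hosts;
# the MASQUERADE rule itself blocks nothing.
nat_only_rules() {
    cat <<EOF
$IPT -t nat -F
$IPT -F FORWARD
$IPT -P FORWARD ACCEPT
$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
EOF
}

# Same NAT plus an explicit policy: default deny across the box, LAN may
# originate connections, the WAN side may only answer them.
nat_with_policy_rules() {
    cat <<EOF
$IPT -t nat -F
$IPT -F FORWARD
$IPT -P FORWARD DROP
$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
$IPT -A FORWARD -i $WAN -o $LAN -j DROP
EOF
}

# Exit 0 if the given ruleset text sets a default-deny FORWARD policy.
has_default_deny() {
    printf '%s\n' "$1" | grep -q -- '-P FORWARD DROP'
}

# Print the ruleset one command per line; execute it only when APPLY=1
# (run as root). Stops at the first failing command.
apply_rules() {
    printf '%s\n' "$1" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        else
            echo "$cmd"
        fi
    done
}

# `sh nat_forward.sh show` prints both rulesets so they can be compared.
if [ "${1:-}" = "show" ]; then
    echo "# NAT only (FORWARD policy ACCEPT):"
    apply_rules "$(nat_only_rules)"
    echo
    echo "# NAT plus default-deny FORWARD:"
    apply_rules "$(nat_with_policy_rules)"
fi
```

Run with `show` to see the two rulesets; set `APPLY=1` as root to install one. The ESTABLISHED,RELATED rule comes first so return traffic for connections the LAN opened is allowed before the per-direction rules are consulted.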

