Two VLANs, One Subnet

Michael Torrie torriem at
Sun Mar 11 12:28:04 MDT 2007

On Sun, 2007-03-11 at 08:45 -0600, Hans Fugal wrote:
> I never said DMZ. A DMZ is an extra complication no matter how you look
> at it. I don't have extra firewall rules. The LAN is still limited to
> the LAN side. The public IPs are still only one set of firewall rules.
> The interaction between public and private is just as simple or
> complicated as it was - whether it's a deny policy (as NAT would be)
> with specific holes punched through, or an allow policy with specific
> ports blocked.

Gotcha.  Note that NAT doesn't imply any firewall policy at all.
There's nothing intrinsically firewalling in nature about NAT.  It's a
simple address translation (two ways).  In other words it is just a way
of subnetting.  The default would be whatever the FORWARD chain is set
to.  The firewalls are applied as normal across this bridge (the FORWARD

> BTW, I didn't end up using any proxy arp at all. It's all routing, and
> it's not at all complicated; it's 4 static routes. The cisco is broken
> for icmp from the lan, but it doesn't make a practical difference.

Yes.  Given that you aren't implementing a DMZ, this is simplest.  Are
you still giving each server two IP addresses?  How is the routing
dealing with that?  Does it require any special configuration of the
servers themselves?


More information about the PLUG mailing list
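The point Michael makes above, that NAT only rewrites addresses and the actual forwarding policy comes from the FORWARD chain, shown as an added iptables example (not code from either poster). It gives the three setups the thread mentions side by side: NAT with the FORWARD policy left at ACCEPT, NAT with a deny policy and specific holes punched through, and NAT with an allow policy and specific ports blocked. Interface names, the LAN subnet and the 192.168.1.10 server address are assumptions; set IPT to "echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: NAT and FORWARD-chain policy are independent.
# Everything below (interfaces, subnets, hosts) is assumed, not from the thread.
IPT="${IPT:-iptables}"      # IPT="echo iptables" prints rules instead of loading them
WAN=eth0                    # assumed public-facing interface
LAN=eth1                    # assumed LAN interface
LAN_NET=192.168.1.0/24      # assumed private subnet behind NAT
WEB=192.168.1.10            # assumed LAN host that is published on port 80

# Masquerade outbound LAN traffic and forward inbound port 80 to the web host.
# This is all NAT does: translation in both directions, no policy.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
         -j DNAT --to-destination "$WEB"
}

# NAT alone: with FORWARD still at ACCEPT, anything routable is forwarded,
# inbound included. Nothing here is "firewalling" in nature.
nat_only() {
    nat_rules
    $IPT -P FORWARD ACCEPT
}

# Deny policy with specific holes punched through.
nat_with_deny_policy() {
    nat_rules
    $IPT -P FORWARD DROP
    # replies to connections already allowed
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may initiate anything outbound
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # the one inbound hole: DNAT'd HTTP to the web host
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport 80 -j ACCEPT
}

# Allow policy with specific ports blocked.
nat_with_allow_policy() {
    nat_rules
    $IPT -P FORWARD ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp --dport 445 -j DROP
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp --dport 139 -j DROP
}

# Usage: sh nat_forward.sh nat-only | deny | allow
case "${1:-}" in
    nat-only) nat_only ;;
    deny)     nat_with_deny_policy ;;
    allow)    nat_with_allow_policy ;;
    *)        ;;   # no argument: only define the functions
esac
```

Run each variant with IPT="echo iptables" first and compare the FORWARD lines: the nat table rules are identical in all three, and only the -P FORWARD policy plus the rules after it change what actually crosses between the public and private sides.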