
Re: subnets, not routing etc.



On Thu, 16 Nov 2000, Josef Dyma wrote:
...
> ok, in that case... is there a way for dividing the 32 IPs (actually 30) in
>  a smarter way... so that I have just for example 2 IPs in the unprotected
>  area and the rest protected... I guess not... so I'll be forced to use NAT...
>  (1-1?)
> 
> Any suggestions?

How about:

   [ISP router]
       |.33
       |      .32/29
       |.34
    [ FW ] --------- network .40/29 (8 addr)
    .49|   .41
       |
       |
  network .48/28 (16 addr)

(This is actually a "design" I've implemented for a couple of clients.)
Here the ISP's router should have interface netmask /29, and route .32/27
via .34.

This solution is probably better anyway, since you can put the machines
that should be visible from the Internet on the smaller segment (mail, DNS,
WWW, ...) and keep the larger segment for normal hosts. You probably want
to have different filtering rules for access to the different internal
networks.

An alternative solution (which I'm fairly sure the ISP won't like much
anyway) would be to use RFC 1918 addresses (another network range,
simply) between the ISP router and your firewall, then you could have the
entire .32/27 on the inside.

//Håkan

[tech@ removed from Cc list]

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
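The split proposed above (transit .32/29, visible segment .40/29, internal .48/28 carved out of one .32/27), checked with Python's `ipaddress` module. This is an added example, not code from the mail or its author; the mail only gives last octets, so the constructed prefix 192.0.2.0/24 (TEST-NET-1) stands in for the ISP's real block, and the zone names are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed prefix standing in for the ISP-assigned block; only the last octets come from the mail.
BASE = "192.0.2."

ALLOCATION = ip_network(BASE + "32/27")  # the full 32-address block from the ISP
TRANSIT = ip_network(BASE + "40/29".replace("40", "32"))  # ISP router .33 <-> firewall outside .34
DMZ = ip_network(BASE + "40/29")         # hosts visible from the Internet; firewall side .41
INTERNAL = ip_network(BASE + "48/28")    # normal hosts; firewall side .49

SEGMENTS = {"transit": TRANSIT, "dmz": DMZ, "internal": INTERNAL}


def partition_is_exact():
    """True if the three segments tile the /27 exactly: no overlap, no gap, all inside it."""
    segs = sorted(SEGMENTS.values(), key=lambda n: int(n.network_address))
    if any(a.overlaps(b) for a, b in zip(segs, segs[1:])):
        return False
    inside = all(n.subnet_of(ALLOCATION) for n in segs)
    return inside and sum(n.num_addresses for n in segs) == ALLOCATION.num_addresses


def usable_hosts():
    """Usable host addresses per segment (network and broadcast excluded)."""
    return {name: len(list(n.hosts())) for name, n in SEGMENTS.items()}


def isp_route_is_consistent(router_iface, next_hop, routed_prefix):
    """ISP side: its interface must sit on the transit /29, the next hop must be on-link,
    and the static route must cover the whole /27 (so DMZ and internal are reached via .34)."""
    iface = ip_interface(router_iface)
    return (iface.network == TRANSIT
            and ip_address(next_hop) in iface.network
            and ip_network(routed_prefix) == ALLOCATION
            and DMZ.subnet_of(ip_network(routed_prefix))
            and INTERNAL.subnet_of(ip_network(routed_prefix)))


def zone_of(addr):
    """Which segment an address belongs to, the key for writing per-segment filter rules."""
    a = ip_address(addr)
    for name, net in SEGMENTS.items():
        if a in net:
            return name
    return "outside"


if __name__ == "__main__":
    print("exact partition:", partition_is_exact(), usable_hosts())
    print("ISP route ok:", isp_route_is_consistent(BASE + "33/29", BASE + "34", BASE + "32/27"))
```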