From: Alex
Date: Wed, 6 Mar 2002 22:55:29 +0100
To: Mark
Cc: "A.Rakukin", questions@freebsd.org
Subject: Re[2]: with and without firewall
Message-ID: <8719577841.20020306225529@dds.nl>
In-Reply-To: <3C8685CD.83F7F2F9@netchat.co.za>
References: <200203050644.g256irn40909@www5.mailru.com> <8113939634.20020306212130@cybertron.tmfweb.nl> <3C8685CD.83F7F2F9@netchat.co.za>

Hello Mark,

Wednesday, March 06, 2002, 10:10:37 PM, you wrote:

>> AR> I would like to have my network (say, 128.1.1.0 with
>> AR> router 128.1.1.1) connected to the Internet via the
>> AR> firewall most of the time, but also provide the
>> AR> possibility for this network to be switched to direct
>> AR> Internet connection at any time, without any changes in
>> AR> routing.
>>
>> AR> I guess I can set it up in the following way:
>> AR> - create an additional network (128.2.2.0),
>> AR> - add this network as secondary to the router,
>> AR>   assigning an additional address 128.2.2.1 to the router
>> AR>   itself,
>> AR> - set up a firewall with external address 128.2.2.2
>> AR>   and internal address 128.1.1.1,
>> AR> - make the firewall pick up all packets intended for
>> AR>   128.1.1.0 which come to its external interface, filter
>> AR>   them and send them into the internal network.
>> AR> Then, routing should work either if the firewall is present
>> AR> or if it is physically removed and the router connected to the
>> AR> network directly.
>>
>> AR> Is that possible? Which software can accomplish the
>> AR> last task? As far as I understand, NAT address
>> AR> redirection does not do it. Maybe there are easier
>> AR> ways to solve this problem, without setting up an
>> AR> additional network?
>>
>> AR> Thanks a lot,
>> AR> Alex
>>
>> The simplest option is to add the IP of the firewall (2) to the
>> router if you take the firewall offline. Just keep all the clients
>> believing the firewall is still up.
>>
>> DHCP has an option to set the gateway and DNS IP of clients in a
>> central place. It would mean there's another thing that can go wrong.
>> What if the DHCP is not available?
>>
>> --
>> Best regards,
>> Alex K

M> I guess if you are using 128.1.1.0 as a range you have real IP
M> addresses, and this being the case, would it not be better to configure
M> the FreeBSD server as a bridge between the router and your network. You
M> can still toggle your firewall rules if required and there would be no
M> additional routing required.

I missed the second network range. Don't pick any public IP ranges if
you choose to work with natd. (10.x.x.x/8 and 192.168.x.x/16 are
private ranges you may use freely.)

My suggestion to add the IP of the firewall to the router will not
work if you have natd running on it. Or the router must also have this
option.

Another thing you can do is have two identical firewalls. The second
one simply takes over when the first one is down. This can be done
with software if you want. It's done by giving three IP addresses to
the two machines. The third one is held by the one that is running.
The other two can be on a network that is not visible to the clients
(say 10.0.0.1 and 10.0.0.2).

But you probably don't wanna do this if you only have 50 machines on
a network that can hold 256.

--
Best regards,
Alex K