Date:      Sun, 13 Feb 2000 23:50:13 -0500
From:      "Matthew Jonkman" <jonkman@bussert.com>
To:        <cjclark@home.com>
Cc:        "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.org>
Subject:   Re: Routed and public IPs
Message-ID:  <003401bf76a6$fe198fc0$030a0a0a@jonkmangarage.com>
References:  <045f01bf75e3$32b03d20$030a0a0a@jonkmangarage.com> <Pine.BSF.4.05.10002130844170.28527-100000@buffnet11.buffnet.net> <20000213163442.F31722@cc942873-a.ewndsr1.nj.home.com> <053e01bf766e$9a8a53a0$030a0a0a@jonkmangarage.com> <20000213232001.B38809@cc942873-a.ewndsr1.nj.home.com>

I like the idea of having the firewall act as a bridge and a nat device. I
had tried to implement this by aliasing the internal nic with a private and
a valid public IP. I made the internal public IP'd machines use that public
internal IP as their gateway but no luck. I believe the theory is correct
from what you mentioned, just my implementation on the firewall must be
lacking. It's running nat, routed, and is an OPEN firewall. Still no luck.
The unregistered IP'd machines run as expected but I can't make the public
IP'd machines visible outside.

Can you help? Am I an idiot or something? This seems simple. Don't answer
that last question. I know the answer.

Thanks.

BTW, the geeks shall inherit the earth.

----- Original Message -----
From: Crist J. Clark <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Matthew Jonkman <jonkman@bussert.com>
Cc: <cjclark@home.com>
Sent: Sunday, February 13, 2000 11:20 PM
Subject: Re: Routed and public IPs


> On Sun, Feb 13, 2000 at 05:06:38PM -0500, Matthew Jonkman wrote:
> > That's what I thought too.
> >
> > Thanks. Let me give you more info.
> >
> > The feed comes from a router, the subnet in question has a block of public
> > IP's. They currently use a public IP on all their windows and novell
> > machines. They were recently hacked so they want a firewall. (some people
> > don't take advice till it's too late:) )
> >
> > The novell machine handles mail and such and the users use windows remote
> > access software to access their individual stations from home.
> >
> > I set up the firewall with 1 windows machine using a public interface behind
> > it. I haven't gotten it to be accessible. I've also tried the same thing
> > with my own net for a test and no luck. I have plenty of regular nat
> > firewalls under my belt, but the routing thing is new to me.
>
> If you could give some details, we might be able to help debug. This
> kind of routing should not be tough.
>
> > I guess my question boils down to this:  What exactly is the setup to make
> > the firewall act as a router with public and private addresses behind it,
> > and the public addresses must be visible from the outside.
> >
> > Thanks again for any help.
>
> OK, let me see if I get this. You used to have,
>
>                                _______  } Your LAN of
>                               |_______  }  WinBoxes
>           }                   |_______  }     &
>  Internet }------[ Router ]---|_______  }   Novell
>           }                   .         .    with
>                               .         . registered
>                               |_______  }     IPs
>
> And you want,
>
>                                           _______  } Your LAN of
>                                          |_______  }  WinBoxes
>           }                              |_______  }     &
>  Internet }------[ Router ]--[Firewall]--|_______  }   Novell
>           }                              |_______  }    with
>                                          |_______  } registered
>                                          .         .   _and_
>                                          .         .unregistered
>                                          |_______  }    IPs
>
> There are, as is usually the case, several ways to do
> this. One possibility you have already somewhat discounted is to make your
> whole LAN unregistered IPs. The fact that people log in remotely can be
> handled by doing 'redirect_address' options in natd(8). However, that
> would be a lot of work, so maybe ignoring it for now is OK.
>
> At the moment (and I happen to be a bit foggy right now), I see three
> good options:
>
>   1) Run the firewall as a bridge. This way we get around the problem
>      of routing the registered numbers by working at layer 2 rather
>      than layer 3, but we can still do NAT for the unregistered
>      addresses.
>
>   2) Make a subnet on the router-firewall LAN. This is probably the most
>      straightforward approach. If you have, say, a class C space to
>      play with, you can put a.b.c.0/29 on the router-firewall LAN and
>      use the rest behind the firewall. The only real downside to this
>      is you end up with fewer usable addresses. NAT is trivial to
>      implement for this.
>
>   3) Split the firewall and NAT duty between two machines. The LAN
>      between the router and firewall can be an unregistered
>      space. However, you need a registered number for NAT. This
>      machine can live behind the firewall. I'd make a diagram of this,
>      since it is not as intuitive, but I'm not sure it helps. ;)
>      Believe me that it would work.
>
> > On a side note, if I could make the comment that this is the most helpful
> > and good natured community of people I've ever had the pleasure to be a part
> > of. Every other group of fellow geeks I've been in has had so much 'hate'
> > and intolerance for questions, and everyone had to one-up each other. FreeBSD
> > has none of that, and plenty of help. I've found my home for a long
> > time.
>
> Who you callin' a geek, bub?
>
>
> (Just in case: ;P )
> --
> Crist J. Clark                           cjclark@home.com
>
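Added worked example (not from the thread, not Crist's or Matthew's code): an addressing plan for option 2 above, the one Crist calls most straightforward. It carves a /29 off the registered block for the router-firewall LAN, hands the remaining prefixes to the inside interface, and renders the firewall's rc.conf so that registered hosts are simply routed while natd rewrites only the unregistered LAN. Everything concrete here is an assumption: 192.0.2.0/24 (TEST-NET-1) stands in for the site's "class C", 10.0.0.0/24 for the private LAN, fxp0/fxp1 are the firewall's outside/inside interfaces, the upstream router takes the first transit address and is assumed to accept static routes for the inside prefixes. The point Matthew's aliasing attempt misses is visible in the plan: the upstream router will only forward packets to the firewall for prefixes it no longer considers directly connected, so the block has to be split rather than repeated on both sides.

```python
import ipaddress

# Constructed example addresses (not from the thread): TEST-NET-1 stands in
# for the site's registered "class C", 10.0.0.0/24 for the unregistered LAN.
REGISTERED_BLOCK = "192.0.2.0/24"
PRIVATE_BLOCK = "10.0.0.0/24"


def plan_option2(block=REGISTERED_BLOCK, private=PRIVATE_BLOCK, transit_prefix=29):
    """Crist's option 2: carve a small transit subnet off the registered block
    for the router-firewall LAN and route the rest to the LAN behind the
    firewall.  Returns the addressing plan as a dict."""
    net = ipaddress.ip_network(block)
    transit = next(net.subnets(new_prefix=transit_prefix))   # a.b.c.0/29
    inside = sorted(net.address_exclude(transit))            # everything else, as CIDR prefixes
    transit_hosts = list(transit.hosts())
    router_ip, fw_outside = transit_hosts[0], transit_hosts[1]  # assumed placement
    fw_inside = [next(p.hosts()) for p in inside]            # firewall takes first host of each
    return {
        "transit": transit,
        "router_ip": router_ip,
        "firewall_outside": fw_outside,
        "inside_prefixes": inside,
        "firewall_inside": fw_inside,
        # The upstream router must now forward each inside prefix to the firewall
        # (exact command syntax depends on the router; static routes assumed).
        "router_static_routes": [(str(p), str(fw_outside)) for p in inside],
        "private": ipaddress.ip_network(private),
        # The "fewer usable addresses" cost: net/broadcast per prefix plus one
        # address per prefix for the firewall itself.
        "usable_hosts_before": net.num_addresses - 2 - 1,            # minus the router
        "usable_hosts_inside": sum(p.num_addresses - 3 for p in inside),
    }


def rc_conf_fragment(plan, outside_if="fxp0", inside_if="fxp1"):
    """FreeBSD rc.conf lines for the firewall box (interface names assumed).
    Registered prefixes are plain-routed; natd only rewrites the private LAN
    thanks to -u (unregistered_only), so it never mangles the public hosts."""
    lines = [
        'gateway_enable="YES"',
        f'defaultrouter="{plan["router_ip"]}"',
        f'ifconfig_{outside_if}="inet {plan["firewall_outside"]} '
        f'netmask {plan["transit"].netmask}"',
    ]
    pairs = list(zip(plan["inside_prefixes"], plan["firewall_inside"]))
    pairs.append((plan["private"], next(plan["private"].hosts())))
    first_prefix, first_addr = pairs[0]
    lines.append(f'ifconfig_{inside_if}="inet {first_addr} netmask {first_prefix.netmask}"')
    for i, (prefix, addr) in enumerate(pairs[1:]):
        lines.append(f'ifconfig_{inside_if}_alias{i}="inet {addr} netmask {prefix.netmask}"')
    lines += [
        'firewall_enable="YES"',
        'firewall_type="open"',       # rc.firewall adds the natd divert rule when natd_enable is set
        'natd_enable="YES"',
        f'natd_interface="{outside_if}"',
        'natd_flags="-u"',            # -unregistered_only: translate RFC 1918 sources only
    ]
    return lines


if __name__ == "__main__":
    p = plan_option2()
    print("transit:", p["transit"], "router", p["router_ip"], "firewall", p["firewall_outside"])
    for prefix, addr in zip(p["inside_prefixes"], p["firewall_inside"]):
        print("inside:", prefix, "firewall addr", addr)
    print("usable hosts before/after:", p["usable_hosts_before"], p["usable_hosts_inside"])
    print("\n".join(rc_conf_fragment(p)))
```

Running it shows the price Crist mentions: the /24 drops from 253 to 233 usable inside addresses, spread over five prefixes (8/29, 16/28, 32/27, 64/26, 128/25) that each need a static route on the upstream router and an alias on the inside interface. If the router's routing table is the constraint, keep only the largest prefix (128/25) inside and accept losing the rest. The `natd_flags="-u"` line is the check that matters for this thread: without it, the default `firewall_type="open"` divert rule would push the registered hosts through natd too, and they would appear outside as the firewall's address instead of their own.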







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003401bf76a6$fe198fc0$030a0a0a>