From owner-freebsd-questions Wed May 15 12:02:24 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA13919 for questions-outgoing; Wed, 15 May 1996 12:02:24 -0700 (PDT)
Received: (from jmb@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA13913; Wed, 15 May 1996 12:02:23 -0700 (PDT)
From: "Jonathan M. Bresler"
Message-Id: <199605151902.MAA13913@freefall.freebsd.org>
Subject: Re: Networking / Routing question
To: nate@sri.MT.net (Nate Williams)
Date: Wed, 15 May 1996 12:02:22 -0700 (PDT)
Cc: wollman@lcs.mit.edu, kristyn@gnu.ai.mit.edu, questions@FreeBSD.ORG
In-Reply-To: <199605151555.JAA19142@rocky.sri.MT.net> from "Nate Williams" at May 15, 96 09:55:09 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Nate Williams wrote:
> Background:
>
> I will have a 32 host IP subnet, where I am using about 23 IP addresses
> right now. I'd like to add a firewall box on one end of the link
> connected to router. So, I have 2 machines on one-subnet, and the rest
> of my network on the other subnet.
>
>                     ethernet             ethernet
> [ Internet ] <--> Router <--------> Firewall <--------> My machines
>
> Since I only have 32 IP addresses available I don't want to waste any IP
> addresses if I can help it, especially considering I expect to use a few
> more addresses beyond the 23 I have now.
>
> Since I have two ethernet segments, I must have two different subnets,
> but I don't see any easy solution to the problem. It would be nice if I
> could use the ethernet segment as a point-point connection in this case
> (for latency & BW ethernet is the cheapest way to go).
>
> What would you suggest?

use rfc-1918 addresses on the segment between the router and the
firewall. keep all your 32 ip addresses for your hosts.

default route on the inside points to the firewall.
default route on firewall points to the router.
specific route for your 32 hosts points thru the internal interface of
the firewall.
default route on the router points to the net.
router has specific route for your 32 hosts (hopefully consecutive on
5 bit boundary) pointing to the firewall.

as an aside this makes the internal interface for the router and the
external interface of the firewall unaddressable from the internet.
that's a good thing! if you must telnet to the firewall for
configuration (better to use the console or a serial line from your
host), configure the firewall to accept telnet only from the OUTSIDE
ethernet AND have the router block rfc-1918 addresses both inbound and
outbound ;)

jmb

--
Jonathan M. Bresler  FreeBSD Postmaster  jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included.  http://www.freebsd.org/
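The routing layout in the reply above, modelled in Python as an added example (not part of the original message or of any FreeBSD code). It builds the three routing tables the reply describes (inside hosts, firewall, router), does a longest-prefix lookup to trace a packet hop by hop in each direction, and checks the two side effects the reply relies on: the router's RFC 1918 filter makes the firewall's outside interface unreachable from the Internet, and the telnet policy only admits the transit segment. All addresses are constructed: 192.0.2.0/27 (TEST-NET-1) stands in for the 32-address block, 10.255.255.0/30 is the RFC 1918 link, and 203.0.113.1 is the ISP-side next hop.

```python
import ipaddress

# Constructed addresses for the example (none come from the original message).
HOST_BLOCK = ipaddress.ip_network("192.0.2.0/27")   # the 32 public addresses, all kept for hosts
TRANSIT = ipaddress.ip_network("10.255.255.0/30")   # RFC 1918 segment between router and firewall
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
FW_INSIDE = ipaddress.ip_address("192.0.2.1")       # firewall, internal interface
FW_OUTSIDE = ipaddress.ip_address("10.255.255.2")   # firewall, external interface
RTR_INSIDE = ipaddress.ip_address("10.255.255.1")   # router, internal interface
UPSTREAM = ipaddress.ip_address("203.0.113.1")      # router's default next hop toward the net

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-box routing tables as (prefix, next hop); "direct" means the prefix is on an
# attached interface. This is exactly the set of routes the reply lists.
TABLES = {
    "inside-host": [(HOST_BLOCK, "direct"), (DEFAULT, FW_INSIDE)],
    "firewall": [(HOST_BLOCK, "direct"), (TRANSIT, "direct"), (DEFAULT, RTR_INSIDE)],
    "router": [(TRANSIT, "direct"), (HOST_BLOCK, FW_OUTSIDE), (DEFAULT, UPSTREAM)],
}

# Which box owns each next-hop address, so a trace can continue in that box's table.
OWNER = {FW_INSIDE: "firewall", FW_OUTSIDE: "firewall", RTR_INSIDE: "router", UPSTREAM: "internet"}


def lookup(box, dst):
    """Longest-prefix match in one box's table; returns a next hop, "direct", or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in TABLES[box]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return None if best is None else best[1]


def trace(start, dst):
    """Follow a packet from one box to delivery; returns the list of hops taken."""
    box, hops = start, []
    while True:
        next_hop = lookup(box, dst)
        if next_hop is None:
            return hops + ["unroutable"]
        if next_hop == "direct":
            return hops + [f"{box}:direct"]
        hops.append(str(next_hop))
        box = OWNER[next_hop]
        if box == "internet":
            return hops


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def router_filter(src, dst):
    """Router policy from the reply: drop RFC 1918 sources or destinations in either direction."""
    return "drop" if is_rfc1918(src) or is_rfc1918(dst) else "pass"


def firewall_accepts_telnet(src):
    """Firewall policy from the reply: telnet only from the OUTSIDE (transit) ethernet."""
    return ipaddress.ip_address(src) in TRANSIT


def on_32_boundary(first_addr):
    """True if a block of 32 starting here sits on a 5-bit boundary, i.e. is a valid /27."""
    return int(ipaddress.ip_address(first_addr)) % 32 == 0


if __name__ == "__main__":
    print("inside -> internet:", trace("inside-host", "198.51.100.7"))
    print("internet -> inside host:", trace("router", "192.0.2.20"))
    print("internet -> firewall outside:", router_filter("198.51.100.7", str(FW_OUTSIDE)))
```

Tracing outbound from an inside host walks firewall, router, upstream; tracing inbound from the router lands on the firewall's outside address and then delivers directly onto the host block, so no public address is spent on the transit link. A packet from the Internet addressed to the firewall's outside interface is dropped by the router's RFC 1918 filter before it ever reaches the firewall, which is why the reply calls that interface unaddressable and why the telnet restriction to the transit segment is safe to rely on.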