In article <1040204536.12811.100.camel@parker> [EMAIL PROTECTED] writes:

>create a second DMZ, but that would cost me the loss of three IPs, so
>I'm trying to figure out ways to isolate him without putting it in
>another subnet.

There's no need to use extra IPs just to set up another subnet. Just use the same IP on multiple interfaces of your firewall, and with proxy ARP routing nothing but your firewall needs to know the details. The only thing I've found with broken assumptions about how IP works is DHCPD, so your firewall will need a real IP for each segment it acts as a DHCP server for.

The ip command is your friend; it allows much finer-grained control than the commands it replaces.

I've got a /24 split haphazardly into six subnets. The routing table on the firewall is something like 50 entries just for that /24, but none of the other systems know the details -- they just ARP and send. (Even if I renumbered this beast, the routing table wouldn't be tiny; there are over 200 hosts unevenly split between the segments.)

-- 
Blars Blarson [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden
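An added example of the layout described above (not code from the post or from its author): a small Python generator that takes a hypothetical mapping of firewall interfaces to the hosts behind them, collapses each segment's hosts into the fewest prefixes, refuses a layout where one address is claimed by two segments, and emits the proxy_arp sysctl, the shared address, and the per-segment routes as `ip` commands. Interface names and the 192.0.2.0/24 (TEST-NET) addresses are constructed.

```python
#!/usr/bin/env python3
"""Generate the sysctl / ip commands for one /24 served from several
firewall interfaces that all carry the same address (proxy-ARP split).
Everything below is a constructed, hypothetical layout."""
import ipaddress

# Constructed firewall address; the same address goes on every segment.
FIREWALL_IP = "192.0.2.1/24"

# Constructed segments: interface -> hosts or prefixes reachable behind it.
SEGMENTS = {
    "eth1": ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"],
    "eth2": ["192.0.2.14", "192.0.2.20"],
    "eth3": ["192.0.2.128/26"],
}


def host_routes(segments):
    """Return {iface: [collapsed networks]}; raise if segments overlap."""
    placed = []   # (network, iface) already assigned, for overlap checks
    routes = {}
    for iface, entries in segments.items():
        nets = [ipaddress.ip_network(e) for e in entries]   # bare IP -> /32
        for n in nets:
            for m, other in placed:
                if n.overlaps(m):
                    raise ValueError(f"{n} on {iface} overlaps {m} on {other}")
            placed.append((n, iface))
        # Adjacent hosts collapse into one prefix, which is what keeps the
        # table far smaller than one entry per host.
        routes[iface] = list(ipaddress.collapse_addresses(nets))
    return routes


def render(fw_ip, segments):
    """Emit the commands the firewall would run for this layout."""
    cmds = []
    for iface, nets in host_routes(segments).items():
        # Answer ARP on this segment for hosts routed out other interfaces.
        cmds.append(f"sysctl -w net.ipv4.conf.{iface}.proxy_arp=1")
        # Same address on every segment; hosts keep thinking it is one /24.
        cmds.append(f"ip addr add {fw_ip} dev {iface}")
        # Specific routes beat the connected /24, so traffic goes to the
        # right segment without the hosts knowing anything changed.
        for n in nets:
            cmds.append(f"ip route add {n} dev {iface}")
    return cmds


if __name__ == "__main__":
    print("\n".join(render(FIREWALL_IP, SEGMENTS)))
```

Running it prints the command list rather than applying it, so the layout can be reviewed before it is pasted into a privileged shell; the DHCP caveat from the post still applies, since dhcpd wants a distinct address per served segment.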