Subnets do not have to be all the same size; you can (for lack of a better term)
"sub-subnet".
Remember that the MOST-specific (most mask bits) routing rule applies first.
Remember that each subnet has two reserved IPs: the first (net) and last (broadcast).
Assuming you are using class C 192.168.200.*
Assuming eth0 (10.10.10.10) is the outside
Assuming eth1 (192.168.200.33) is the perimeter
Assuming eth2 (192.168.200.1) is the intranet
Use 30 perimeter hosts (192.168.200.33-62)
Use 222 intranet hosts (192.168.200.1-254 less perimeter subnet)
(I use 33-62 so that there is no confusion about which *subnet* is involved)
on the router
    route 192.168.200.32/255.255.255.224 to 192.168.200.33
    route 192.168.200.0/255.255.255.0 to 192.168.200.1
    route 0.0.0.0/0.0.0.0 to 10.10.10.10

on the intranet
    route 192.168.200.32/255.255.255.224 to 192.168.200.1
    route 192.168.200.0/255.255.255.0 to NIC
    route 0.0.0.0/0.0.0.0 to 192.168.200.1

on the perimeter
    route 192.168.200.32/255.255.255.224 to NIC
    route 0.0.0.0/0.0.0.0 to 192.168.200.33
>I'm trying to get a plan together to set up a firewall on a network and have some
>issues that I haven't sorted out yet. Perhaps someone can help me.
>
>Currently the network is on a full Class C address space, with a router to the
>internet. The router provides the current security, but it's very limited. There is
>no NAT going on and preferably it should remain that way (just want to filter
>traffic).
>
>My idea is to create a screened subnet using a merged interior/exterior router in
>addition to the existing router. The merged router (firewall) ends up being a
>triple-homed host (FreeBSD box), with a NIC to the internet, a NIC to the perimeter
>network, and a NIC to the internal network. The internet router only talks to the
>FreeBSD box, which permits some communication with servers on the perimeter network
>(FTP, WWW, mail, etc), and keeps a tighter watch on traffic to and from the internal
>network (even if it's from the perimeter network, in case one of those servers
>becomes compromised).
>
>With me so far?
>
>Ok. So to firewall, we need to route, and to route, we need to subnet. Barring any
>faults in my ideas so far, I'm stumped as to how to subnet the current Class C to
>easily permit this and make best use of the address space. So far they've been
>spoiled with their addressing, but no more after this. I've never had to subnet into
>a Class C before, so I did my homework and it would seem that subnets must all be of
>equal size. This is bad, because the perimeter network only needs to support a few
>hosts, while the internal network needs to support a much larger number (I don't need
>a third subnet, figuring I can use a private address space such as 10.0.0.1 <->
>10.0.0.2 for the segment between the internet router and the FreeBSD box, correct?).
>
>Of course, as I'm just diving into subnetting, I'm still a little confused. If I
>were to divide into 2 subnets, would it be 62 or 126 hosts per subnet? 62 would be
>too small, while 126 would be annoying but perhaps liveable (not to mention a waste,
>as the perimeter network doesn't need anywhere near that).
>
>Now, if I could subnet for up to 14 hosts on the perimeter network, and leave...
>what, 182? hosts on the internal network... that would be ideal. But I'm out of my
>league trying to figure out if such a thing is possible. Is it? How?
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
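The sub-subnet plan and the three routing tables from the reply above, worked through in Python as an added example (this is not code from either poster; it only uses the addresses given in the thread). It parses the reply's own "route net/mask to next-hop" notation, checks which address classifies as what (including the four reserved addresses that a carved-out /27 creates inside the /24), and resolves destinations with longest-prefix match so the "most-specific rule applies first" point is visible in code. The `carve_out` helper is general, so it also answers the /28 case the original question raises; `203.0.113.5` is a constructed outside address used only for the lookups.

```python
import ipaddress

# Constructed from the reply's plan: one class C /24, with a /27 (30 usable hosts,
# .33-.62) carved out of it for the perimeter network.
INTRANET = ipaddress.ip_network("192.168.200.0/24")
PERIMETER = ipaddress.ip_network("192.168.200.32/27")


def carve_out(parent, child):
    """Return (child_usable, parent_usable_remaining) for a sub-subnet carved from parent.

    Every subnet loses its first (network) and last (broadcast) address, and the
    child's whole block, reserved addresses included, is no longer usable by the parent.
    """
    if not child.subnet_of(parent):
        raise ValueError(f"{child} is not inside {parent}")
    child_usable = child.num_addresses - 2
    parent_usable = parent.num_addresses - 2 - child.num_addresses
    return child_usable, parent_usable


def address_role(ip, parent=INTRANET, child=PERIMETER):
    """Classify one address: host, reserved network/broadcast address, or outside."""
    ip = ipaddress.ip_address(ip)
    # Check the more specific (child) subnet first, exactly as a routing table would.
    for name, net in (("perimeter", child), ("intranet", parent)):
        if ip in net:
            if ip == net.network_address:
                return f"{name} network address (reserved)"
            if ip == net.broadcast_address:
                return f"{name} broadcast address (reserved)"
            return f"{name} host"
    return "outside"


def parse_table(lines):
    """Parse 'route <net>/<mask> to <next hop>' lines in the notation the reply uses.

    ipaddress accepts dotted-quad masks, so '0.0.0.0/0.0.0.0' becomes the default route.
    """
    table = []
    for line in lines:
        _, dest, _, nexthop = line.split()
        table.append((ipaddress.ip_network(dest), nexthop))
    # Longest prefix first, so the first match below is the most specific rule.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Return the next hop for dst using longest-prefix match."""
    dst = ipaddress.ip_address(dst)
    for net, nexthop in table:
        if dst in net:
            return nexthop
    raise LookupError(f"no route to {dst}")


# The three tables from the reply, verbatim.
ROUTER = parse_table([
    "route 192.168.200.32/255.255.255.224 to 192.168.200.33",
    "route 192.168.200.0/255.255.255.0 to 192.168.200.1",
    "route 0.0.0.0/0.0.0.0 to 10.10.10.10",
])
INTRANET_HOST = parse_table([
    "route 192.168.200.32/255.255.255.224 to 192.168.200.1",
    "route 192.168.200.0/255.255.255.0 to NIC",
    "route 0.0.0.0/0.0.0.0 to 192.168.200.1",
])
PERIMETER_HOST = parse_table([
    "route 192.168.200.32/255.255.255.224 to NIC",
    "route 0.0.0.0/0.0.0.0 to 192.168.200.33",
])

if __name__ == "__main__":
    print("perimeter/intranet usable hosts:", carve_out(INTRANET, PERIMETER))
    print("with a /28 instead:", carve_out(INTRANET, ipaddress.ip_network("192.168.200.16/28")))
    for ip in ("192.168.200.32", "192.168.200.40", "192.168.200.63", "192.168.200.100"):
        print(ip, "->", address_role(ip))
    for name, table in (("router", ROUTER), ("intranet", INTRANET_HOST), ("perimeter", PERIMETER_HOST)):
        for dst in ("192.168.200.40", "192.168.200.100", "203.0.113.5"):
            try:
                print(f"{name}: {dst} via {lookup(table, dst)}")
            except LookupError as exc:
                print(f"{name}: {exc}")
```

The intranet table is the one worth staring at: without the /27 entry pointing at 192.168.200.1, an intranet host would treat a perimeter server as on-link under the /24 route and deliver to it directly, bypassing the firewall. The more specific rule is what forces perimeter-bound traffic through the FreeBSD box, which is the whole point of the screened subnet.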