I have used overlapped subnets as you describe and it works
when using proxy arp which is a very simple setup.
HTH
OLAS

"Reckhard, Tobias" wrote:

> > - Use NAT and burn up CPU & memory on the firewall
> > - Divide the IP address space in two or more subnets and lose some IP
> > addresses as network & broadcast addresses
> >
> I generally advise against NAT where it can be avoided, since it potentially
> introduces problems. NATs and stateful filters in general violate some of
> the principles of TCP/IP (there are no UDP 'sessions', for instance) and
> therefore aren't always a drop-in solution. They can and do work well in
> many 'standard' architectures, but my reasoning goes something like, "why
> use it when you don't need it?"
>
> I'd just ask your ISP for another subnet between their router and yours. It
> can even be RFC1918, if your ISP uses those, since their router will be the
> only one capable of routing to you. That may confuse some people using
> traceroute towards your network, but I don't think you should care about
> that. :-)
>
> > I know this setup has overlapping subnets, but I was hoping that, once the
> > Linux box received a packet on eth2 to route from Subnet 2 to Subnet 1 (or
> > to the internet), it would route it to/over Subnet 1.
> >
> > Unfortunately it never did. I may have made an error, so I will recheck
> > things later on, but I wanted to get you guys' opinion about this.
> >
> The Linux box probably did route correctly, but the machines in the larger
> subnet didn't know to pass packets for the smaller subnet to the Linux box.
> You need to create a routing table entry pointing at the Linux box for the
> smaller subnet. Your ISP's router will also need to know that you've split
> up your network asymmetrically.. unless you perform NAT (and proxy-arp, too,
> I think, or your Linux box won't advertise itself as the destination for the
> machines in the DMZ).
>
> Cheers,
> Tobias
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

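Added example, not part of the thread: a small model of the forwarding decision discussed above, showing why a host in the larger subnet never hands packets for the overlapping smaller subnet to the Linux box unless it has a more specific route or the Linux box does proxy ARP. The addresses (RFC 5737 documentation range), the `eth0` interface name and all function names are assumptions made for illustration; only `eth2` comes from the thread.

```python
import ipaddress as ip

# Constructed addressing, not taken from the thread.
SUBNET1 = ip.ip_network("192.0.2.0/24")     # larger subnet
SUBNET2 = ip.ip_network("192.0.2.240/28")   # smaller, overlapping subnet behind eth2
LINUX_BOX = ip.ip_address("192.0.2.2")      # Linux box's address on Subnet 1
ISP_ROUTER = ip.ip_address("192.0.2.1")
DEFAULT = ip.ip_network("0.0.0.0/0")

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway, dev) entries.
    A gateway of None means on-link: the sender ARPs for dst itself."""
    dst = ip.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gw, dev = max(matches, key=lambda r: r[0].prefixlen)
    return gw, dev

def arp_target(routes, dst):
    """Address the sender will ARP for on its local segment."""
    gw, _ = next_hop(routes, dst)
    return gw if gw is not None else ip.ip_address(dst)

def delivered(routes, dst, proxy_arp=False):
    """Does a Subnet 1 host's frame for dst end up at the Linux box?
    The box answers ARP for its own address, and for Subnet 2
    addresses only when proxy ARP is enabled."""
    target = arp_target(routes, dst)
    return target == LINUX_BOX or (proxy_arp and target in SUBNET2)

# Routing tables: the Linux box, a Subnet 1 host as shipped, and the same
# host after adding a route for the smaller subnet via the Linux box.
linux_box = [(SUBNET1, None, "eth0"), (SUBNET2, None, "eth2"),
             (DEFAULT, ISP_ROUTER, "eth0")]
host_plain = [(SUBNET1, None, "eth0"), (DEFAULT, ISP_ROUTER, "eth0")]
host_routed = host_plain + [(SUBNET2, LINUX_BOX, "eth0")]

if __name__ == "__main__":
    dmz = "192.0.2.250"
    print("Linux box forwards", dmz, "out of", next_hop(linux_box, dmz)[1])
    print("plain host, no proxy ARP:", delivered(host_plain, dmz))
    print("plain host, proxy ARP   :", delivered(host_plain, dmz, proxy_arp=True))
    print("host with /28 route     :", delivered(host_routed, dmz))
```

The Linux box's own table resolves the overlap correctly because the /28 is the longer prefix; the failure is on the sending side, where the /24 mask makes the smaller subnet look on-link.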