On 28 Feb 2002, at 17:30, Gustavo Ritondale wrote:

> I have CDN access with 16 IP addresses (subnet mask 255.255.255.240).
> I need a DMZ for servers and NAT for the private LAN.
> I'll use an ipchains firewall with 3 NICs.
>
> Router = xxx.xxx.xxx.209
>
> My question is: should I divide (split) my 16 public addresses into 2 subnets (with subnet mask 255.255.255.248),
> like xxx.xxx.xxx.208 - xxx.xxx.xxx.215
> and xxx.xxx.xxx.216 - xxx.xxx.xxx.223,
> or can I leave the subnet mask unchanged and install the firewall on xxx.xxx.xxx.210?
>
> Thanks, GLR
You don't want to split your /28 block into two /29s, because that will lose you two more of those valuable public IPs.

What I would do is put the firewall on .209, and use static NAT between .210-.222 and addresses on a private block range used in your DMZ. So all traffic for these addresses coming in via your internet router will be passed to the firewall, filtered by its policies, and then NATted over to the real servers.

So the only devices that are actually configured for the xxx.xxx.xxx.208/28 network are the untrusted interface of the firewall, and the local interface of the internet router.

Dave Gillett

_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
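The address arithmetic behind the reply, and the one-to-one NAT map it proposes, worked through as an added example (not code from either poster). It uses the documentation range 203.0.113.208/28 in place of xxx.xxx.xxx.208/28, assumes 192.168.10.0/24 as the private DMZ range, reserves .209 for the router and .210 for the firewall's outside interface (the original poster's proposal), and emits the mapping as netfilter/iptables DNAT and SNAT pairs, since ipchains itself has no one-to-one NAT. The interface name `eth0` is an assumption.

```python
"""Address accounting for the /28 question and a static (one-to-one) NAT map."""
import ipaddress

# Constructed values: 203.0.113.208/28 stands in for xxx.xxx.xxx.208/28 in the thread.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.208/28")
ROUTER = ipaddress.ip_address("203.0.113.209")            # internet router, local side
FIREWALL_OUTSIDE = ipaddress.ip_address("203.0.113.210")  # assumed: firewall's untrusted interface
DMZ_PRIVATE = ipaddress.ip_network("192.168.10.0/24")     # assumed private DMZ range


def usable_hosts(net):
    """Addresses assignable to hosts: everything except the network and broadcast address."""
    return len(list(net.hosts()))


def split_cost(net, new_prefix):
    """Host addresses lost by carving `net` into subnets of length `new_prefix`.

    Each extra subnet spends its own network and broadcast address, which is
    why a /28 (14 usable) split into two /29s (6 usable each) loses two.
    """
    before = usable_hosts(net)
    after = sum(usable_hosts(s) for s in net.subnets(new_prefix=new_prefix))
    return before - after


def static_nat_map(block, reserved, dmz):
    """One-to-one map of every non-reserved public host in `block` to a DMZ address.

    The private address keeps the public address's offset within the block
    (e.g. .211 -> 192.168.10.3), so the pairing is readable in rule listings.
    """
    mapping = {}
    for pub in block.hosts():
        if pub in reserved:
            continue
        offset = int(pub) - int(block.network_address)
        mapping[pub] = dmz.network_address + offset
    return mapping


def nat_rules(mapping, outside_if="eth0"):
    """Render the map as iptables DNAT (inbound) / SNAT (outbound) rule pairs.

    Inbound packets for a public address are rewritten to the DMZ host before
    routing; replies and outbound traffic from that host leave with its public
    address. Filtering still happens in the FORWARD chain, so the firewall
    policy applies to every flow that crosses the map.
    """
    rules = []
    for pub, priv in mapping.items():
        rules.append(f"iptables -t nat -A PREROUTING -i {outside_if} -d {pub} "
                     f"-j DNAT --to-destination {priv}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {outside_if} -s {priv} "
                     f"-j SNAT --to-source {pub}")
    return rules


if __name__ == "__main__":
    print(f"usable in {PUBLIC_BLOCK}: {usable_hosts(PUBLIC_BLOCK)}")
    print(f"lost by splitting into /29s: {split_cost(PUBLIC_BLOCK, 29)}")
    nat = static_nat_map(PUBLIC_BLOCK, {ROUTER, FIREWALL_OUTSIDE}, DMZ_PRIVATE)
    for pub, priv in nat.items():
        print(f"{pub} <-> {priv}")
    print("\n".join(nat_rules(nat)))
```

Only the router's local interface and the firewall's outside interface carry addresses from the /28; the DMZ hosts themselves sit on the private range and are reached solely through the map, which is the point of Dave's layout.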
