I think you're mixing up problems -- this guy never asked about
multihoming.
You would be right in the case of NAT (NAT + Multihoming = Screaming Case
of Heebie Jeebies). But if he was multihoming between a DSL line and a 64K
line, assuming all DNS points to the 64K line and only one direction is
NATed, it could work. I wouldn't do it with CPFW, though -- I'd do this:

  a.a.a.0         b.b.b.0
    64K             DSL
  csu/dsu          bridge
  router           router    <- do NAT here, hiding behind b.b.b.x
       \           /
      ---firewall---         <- direct "certain traffic" to DSL line
         c.c.c.0 (registered space, no NAT req'd)

"certain traffic" needs to be traffic originating from the inside which
doesn't rely on resolvable names (e.g., browsing is okay but sendmail is
not). Ideally the DSL router should block all inbound SYNs since it's got
a DHCP address and therefore won't be approached by anything legitimate.
This could be a good way to offload junk traffic, but it won't help in
providing redundancy for important internals (like mail servers). For that
you need BGP.
--
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376
On Tue, 1 Aug 2000, Lee (lunchbox) Hughes wrote:
> hey, correct me if I'm wrong, but if you 'route' over the dsl, won't the
> packets return via the original IP address in the source, i.e. the 64k
> line????, be careful. Running a multihomed site is not as easy as it
> sounds, unless you're running bgp-4 :-).
> Lee
>
> -----Original Message-----
> From: Jack Coates [mailto:[EMAIL PROTECTED]]
> Sent: 31 July 2000 21:27
> To: Screaming Badger
> Cc: [EMAIL PROTECTED]
> Subject: Re: [FW1] Multiple IPs to one NIC?
>
>
>
> That could work -- but make sure you realize what you'd have to do. You'll
> need to add a route statement which directs traffic for the fixed IP to
> the dynamic IP. You'd have to change that route every time your DHCP
> address changed. And you'd have to break any existing connections
> every time you changed the route.
>
> I assume this is DSL? Most if not all DSL providers offer a fixed IP
> option for slightly more money per month -- I would look into that if I
> were you.
>
>
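
Added example, not part of the original thread: a small Python model of the design in the diagram, showing why hiding inside hosts behind the DSL address makes replies come back over the DSL line, and what the DSL router's inbound SYN filter passes. The addresses are constructed stand-ins from documentation ranges for a.a.a.0, b.b.b.0, c.c.c.0 and b.b.b.x; the port set used for "certain traffic", the assumption that c.c.c.0 is reachable via the 64K ISP, and all function names are assumptions.

```python
# Added illustration; all addresses are constructed stand-ins, not values from the thread.
from ipaddress import ip_address, ip_network

NET_64K = ip_network("192.0.2.0/24")        # stands in for a.a.a.0 (64K link)
NET_DSL = ip_network("198.51.100.0/24")     # stands in for b.b.b.0 (DSL link)
NET_INSIDE = ip_network("203.0.113.0/24")   # stands in for c.c.c.0 (assumed reachable via the 64K ISP)
DSL_HIDE_ADDR = ip_address("198.51.100.7")  # stands in for b.b.b.x

# Assumed reading of "certain traffic": inside-originated web browsing.
OFFLOAD_PORTS = {80, 443}


def egress_link(src, dst_port):
    """Firewall policy: send offloadable inside-originated traffic to DSL."""
    if ip_address(src) in NET_INSIDE and dst_port in OFFLOAD_PORTS:
        return "DSL"
    return "64K"


def source_on_wire(src, link, nat_on_dsl=True):
    """The DSL router hides inside hosts behind its own address."""
    if link == "DSL" and nat_on_dsl:
        return DSL_HIDE_ADDR
    return ip_address(src)


def return_link(wire_src):
    """Replies follow Internet routing for the source address seen on the wire."""
    return "DSL" if wire_src in NET_DSL else "64K"


def path(src, dst_port, nat_on_dsl=True):
    """Return (outbound link, link the reply arrives on) for one connection."""
    out = egress_link(src, dst_port)
    back = return_link(source_on_wire(src, out, nat_on_dsl))
    return out, back


def dsl_inbound_allowed(syn, ack):
    """DSL router filter: drop connection-opening segments (SYN without ACK)."""
    return not (syn and not ack)


if __name__ == "__main__":
    for args in [("203.0.113.20", 80, True), ("203.0.113.20", 80, False),
                 ("203.0.113.20", 25, True)]:
        print(args, "->", path(*args))
```

Without NAT on the DSL leg the model returns an asymmetric path (out via DSL, back via 64K), which is the case raised in the quoted question.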