I had a similar problem; what I did was ask my ISP to split the class and to
provide a route to the inner addresses through my firewall (it's not too hard
to obtain if you manage to talk directly to a technician on the ISP side).
As for the splitting, using a four-address block on the external side is a bit
dangerous: even if you don't want to NAT anything now, that way you won't have
any free address for static NAT if you change your mind, and the 4-address block
on the inside won't be so useful (you'll only have 1 free address on that subnet).
If I were you, I would just split the class into two 8-address blocks.

  Hope it helps

  Michele




"Clayton Nash" <[EMAIL PROTECTED]> on 29/03/2001 12.39.36

To:   [EMAIL PROTECTED]
cc:    (bcc: MICHELE RIVIERI/BOLOGNA/THERA)
Subject:  [FW1] IP Design for transparent firewall



Hi,

I'm hosting some servers remotely and have been allocated a block of 16 IP
addresses by the hosting entity. I'm planning to place a FW1 box in front of
everything and would like to be able to use the IP addresses in the most
efficient way. The platform will be Intel Linux.
I don't want to NAT the boxes behind the firewall for a variety of reasons. As
far as I can see my options are
- break the address block into 2 4 address blocks and 1 eight address
block -- use one four block on the public side of the firewall and the rest on
the other side
In this case, I assume I have to do proxy arp on the public firewall interface?

This strikes me as hopelessly inefficient and I'd really hoped there was another
way to organise this -- is there?

Clayton
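
The address arithmetic behind the two layouts discussed in this thread, as an added example that is not part of either message. The 192.0.2.0/28 block is a constructed stand-in for the real allocation, and the gateway counts in RESERVED (ISP router plus firewall outside, firewall only inside) are assumptions.

```python
import ipaddress

# Constructed sample block (RFC 5737 documentation range) standing in for
# the 16 addresses allocated by the hosting provider.
BLOCK = ipaddress.ip_network("192.0.2.0/28")

# Assumption: addresses consumed by gateways on each side of the firewall.
# outside = ISP router + firewall interface, inside = firewall interface.
RESERVED = {"outside": 2, "inside": 1}

# The two layouts discussed in the thread, as (role, prefix length).
FOUR_FOUR_EIGHT = [("outside", 30), ("inside", 30), ("inside", 29)]
TWO_EIGHTS = [("outside", 29), ("inside", 29)]


def carve(block, prefixes):
    """Split block into consecutive subnets with the given prefix lengths."""
    subnets, cursor = [], int(block.network_address)
    for plen in prefixes:
        # strict parsing raises ValueError if the subnet is not aligned
        net = ipaddress.ip_network((cursor, plen))
        if not net.subnet_of(block):
            raise ValueError(f"{net} does not fit inside {block}")
        subnets.append(net)
        cursor += net.num_addresses
    return subnets


def plan(block, layout):
    """Return (role, subnet, free host addresses) for each subnet in layout."""
    nets = carve(block, [plen for _, plen in layout])
    rows = []
    for (role, _), net in zip(layout, nets):
        # network and broadcast addresses are unusable, gateways are taken
        free = max(net.num_addresses - 2 - RESERVED[role], 0)
        rows.append((role, str(net), free))
    return rows


if __name__ == "__main__":
    for name, layout in (("4+4+8", FOUR_FOUR_EIGHT), ("8+8", TWO_EIGHTS)):
        print(name)
        for role, net, free in plan(BLOCK, layout):
            print(f"  {role:8} {net:16} free={free}")
```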