It appears there is no way to make it work using the typical NAT router that 
can only deal with one subnet.

Here's what I wanted because I already have the NAT router:

              Server
    192.168.0.4 || 192.168.0.5
                ||
LAN ---------- hub ------- NAT Router --- Internet

Traffic flow:
LAN - hub - Router  (LAN Inet traffic bypasses server)
LAN - hub - server (local traffic unsecure, but private to addr 0.4)
Server - hub - Router (secure but using 0.5 address)
The key would be assigning certain ports to certain eths.

I know how to:
Make addr 0.4 invisible to the router.
Make inbound traffic come to addr 0.5.
The LAN PCs will only use addr 0.4 since they only know file sharing.

It is an easy problem to solve if you put the server essentially where the 
hub is, but then the server must act as a router for all the LAN-Internet 
traffic.

I'm going to look into the "subinterface" idea (which I didn't know about). 
Thanks.

Michael

On Sunday 23 June 2002 07:43 am, Matthew Carpenter wrote:
> So you want to share the same WIRE for both the Internet connection and
> the protected network?
>
> This is generally considered less than optimum for security, since a
> hacker need only compromise the router to have complete access to your
> protected network.  However, if you ARE going to attempt this, you can do
> this in a couple different ways.  The differences are only in whether or
> not you use two interfaces.  Using one interface and subinterface(s) -
> which are basically only additional ip addresses for the same NIC.  You
> can have two interfaces connected to the same WIRE, but that doesn't mean
> they are on the same subnet.  By subnet I mean IP network.
>
> Not wanting to assume that you know this but believing you probably do,
> there are several IP ranges set aside for private use:  10.0.0.0/8,
> 172.16.0.0/12, and 192.168.0.0/16.  Microsoft ALSO decided to add their
> own range of 169.something, for Windows boxes which are configured for
> DHCP but there's no DHCP server available.  If you need help subnetting
> IP and would like a refresher, feel free to email me offlist and I'll
> explain how best to use these ranges.
>
> If you want to use two NICs (network interface cards, for anyone who does
> know), just set them on different IP subnets.  Assign an IP address on
> the registered IP address range (the one assigned you by the ISP), and
> assign a PRIVATE IP address to the other interface.  This will become the
> "Default Gateway" for all the hosts on the protected network.  If you are
> going to go this route and a separate hub is a problem, I would actually
> use a cross-over cable to connect the firewall directly to the Internet
> router and only connect the protected interface to your hub/switch.  This
> is the method which I would recommend, knowing very little about your
> needs.
>
> If you are going to use the same wire (hub/vlan) for both protected and
> Internet address ranges, why waste the extra NIC?  Use it in another box.
> You can "create" a subinterface for a NIC in a couple different ways.
> Manually, by typing the following as root:
>  ifconfig eth0:0 10.150.14.1 netmask 255.255.255.0 broadcast 10.150.14.255 up
> This will create a subinterface which lives on eth0.  The rest is
> self-explanatory.  Ask if you would like further explanation.
> To have this interface created and controlled like a normal interface,
> most RedHat-like (RH/MDK/COL/etc..) distros will allow you to create a
> file such as /etc/sysconfig/network-scripts/ifcfg-eth0:0 which will look
> very similar to the ifcfg-eth0 in the same location.  Some distros allow
> you to create subinterfaces in their GUI tools as well.
> Using subinterfaces will basically do the same as using two interfaces,
> you'll just be limiting the amount of traffic you can send through the
> box.... but who even has a 10mb connection to the Internet, much less a
> 100mb one?
>
> If this is clear as mud, let me know and I can try to clean it up.  Sorry
> that the formatting isn't the best for reading.


_______________________________________________
Linux-users mailing list - http://linux-sxs.org/mailman/listinfo/linux-users
Subscribe/Unsubscribe info, Archives,and Digests are located at the above URL.
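The reply above makes two checks worth automating before typing the ifconfig line: that the two addresses on the shared wire are on different IP networks (sharing a hub is not the same as sharing a subnet), and that the protected side sits in one of the private ranges it lists. The following is an added example, not code from either poster; it uses the addresses from the thread (192.168.0.4, 192.168.0.5, 10.150.14.1) plus constructed ones, and the key names in the generated ifcfg file are an assumption drawn from the RedHat-style ifcfg convention, since the reply only says the file resembles ifcfg-eth0.

```python
"""Sanity-check an IP-alias ("subinterface") plan for one NIC.

Added example for this thread, not code from either poster.  It applies the
two points the reply makes (different IP networks, private range on the
protected side) and emits the ifconfig line / ifcfg file for the alias.
"""
import ipaddress

# Private ranges named in the reply; 169.254/16 is the auto-config range it
# refers to as "169.something" (link-local, not routable).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(addr: str) -> str:
    """Return 'private', 'link-local' or 'public' for a dotted-quad address."""
    a = ipaddress.ip_address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if any(a in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def same_ip_network(iface_a: str, iface_b: str) -> bool:
    """True when two 'addr/prefix' (or 'addr/netmask') interfaces share a subnet.

    Sharing a hub is not the same thing: 192.168.0.5/24 and 10.150.14.1/24 can
    sit on one wire and still be different IP networks.
    """
    return (ipaddress.ip_interface(iface_a).network
            == ipaddress.ip_interface(iface_b).network)


def ifconfig_command(parent: str, index: int, iface: str) -> str:
    """Build the manual ifconfig line for alias parent:index, as in the reply."""
    i = ipaddress.ip_interface(iface)
    return (f"ifconfig {parent}:{index} {i.ip} netmask {i.network.netmask} "
            f"broadcast {i.network.broadcast_address} up")


def ifcfg_file(parent: str, index: int, iface: str) -> str:
    """Contents for /etc/sysconfig/network-scripts/ifcfg-<parent>:<index>.

    Key names follow the RedHat-style ifcfg convention (assumption: the reply
    only says the file looks like ifcfg-eth0, it does not list the keys).
    """
    i = ipaddress.ip_interface(iface)
    return "\n".join([
        f"DEVICE={parent}:{index}",
        f"IPADDR={i.ip}",
        f"NETMASK={i.network.netmask}",
        f"BROADCAST={i.network.broadcast_address}",
        "ONBOOT=yes",
    ]) + "\n"


def review_plan(lan_iface: str, alias_iface: str) -> list:
    """Findings for putting alias_iface on the same NIC as lan_iface.

    An empty list means the plan matches the reply's advice.
    """
    findings = []
    if same_ip_network(lan_iface, alias_iface):
        findings.append("alias shares the LAN's IP network; the reply puts the "
                        "protected and Internet-facing addresses on different "
                        "IP networks")
    kind = classify(alias_iface.split("/")[0])
    if kind != "private":
        findings.append(f"alias address is {kind}, not in a private range")
    return findings


if __name__ == "__main__":
    # Michael's two server addresses on one /24, then Matthew's alias example
    # on a separate private network (constructed pairing for illustration).
    print(review_plan("192.168.0.4/24", "192.168.0.5/24"))
    print(review_plan("192.168.0.4/24", "10.150.14.1/24"))
    print(ifconfig_command("eth0", 0, "10.150.14.1/24"))
    print(ifcfg_file("eth0", 0, "10.150.14.1/24"))
```

Run it as a script to see the two plans reviewed side by side; `ifconfig_command` reproduces the exact line from the reply, and `ifcfg_file` gives the persistent equivalent to drop into the network-scripts directory.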