Thank you Charles for your concise clarification. This is very helpful to me as I do plan to run IPSec on the firewall.
----- Original Message -----
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "leaf-user" <[EMAIL PROTECTED]>
Sent: Wednesday, November 21, 2001 9:10 AM
Subject: [Leaf-user] Re: [Leaf-devel] Dachstein-CD General use documentation

> A bit of clarification for the archives...
>
> > Some things which will seem obvious to other folks
> > that were not obvious to me, which I used from the
> > casano.com EigerStein v1.1 Proxy-Arp DMZ example:
> >
> > 1) External interface and DMZ interface IP addresses
> > need to be the same address for Proxy-Arp DMZ.
>
> You MAY assign the DMZ and external interface the same IP, but this is not a
> requirement. For folks with one of the /29 static xDSL networks (5 usable
> IP's), this can be important, saving an extra IP for a server system.
>
> *WARNING* Assigning two interfaces the same IP confuses the current
> FreeS/WAN IPSec code, which was initially developed when such things were
> not possible. If you're planning on running IPSec on your firewall, and
> don't want to patch the code to ignore one of your two identical interfaces,
> you need to give the external and DMZ interface unique IP's.
>
> > 2) eth0_ROUTES="default.gw.ip" entry needed??? (I put
> > this in since casano did.)
>
> This is mandatory. The firewall has no idea which IP's are connected to the
> two identically numbered networks (your external network and the DMZ
> network). You use the routing tables to specify which interface to use to
> reach various systems. Typically, the 'default' will be to have all IP's on
> the DMZ, with just your gateway IP on the external net. If you have some
> other systems connected directly to the external network for some reason,
> you'll need to add their IP's to eth0_ROUTES as well (assuming eth0 is your
> external interface).
>
> > 3) xxxx_PROXY_ARP=YES in both ext. and DMZ
> > interfaces.
>
> Not much proxy-arping happens without this ;-)
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
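
The check below is an added example, not part of the original thread or of LEAF/FreeS/WAN: it flags IPv4 addresses bound to more than one interface, the condition the warning above says confuses FreeS/WAN. It assumes input in the format printed by `ip -o -4 addr show`; the sample data and the function names `dup_ips` and `ipsec_preflight` are constructed for illustration.

```shell
#!/bin/sh
# Added example: find IPv4 addresses shared by two or more interfaces
# before enabling IPsec on a Proxy-ARP DMZ firewall.

# Constructed samples in `ip -o -4 addr show` format (documentation addresses).
# eth0 = external, eth1 = DMZ, eth2 = internal.
SAMPLE_SHARED='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.2/29 brd 192.0.2.7 scope global eth0
3: eth1    inet 192.0.2.2/29 brd 192.0.2.7 scope global eth1
4: eth2    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2'

SAMPLE_UNIQUE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.2/29 brd 192.0.2.7 scope global eth0
3: eth1    inet 192.0.2.3/29 brd 192.0.2.7 scope global eth1
4: eth2    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2'

# Read address lines on stdin; print "ADDRESS IFACE,IFACE" for each
# address that appears on more than one interface.
dup_ips() {
    awk '$3 == "inet" {
        split($4, a, "/")              # drop the prefix length
        ip = a[1]; dev = $2
        if ((ip, dev) in seen) next    # same address repeated on one interface
        seen[ip, dev] = 1
        if (ip in devs) devs[ip] = devs[ip] "," dev
        else devs[ip] = dev
        count[ip]++
    }
    END { for (ip in count) if (count[ip] > 1) print ip, devs[ip] }' | sort
}

# Return 0 when every address is unique, 1 (with a message on stderr)
# when two interfaces share an address.
ipsec_preflight() {
    dups=$(dup_ips)
    if [ -n "$dups" ]; then
        echo "address shared by multiple interfaces: $dups" >&2
        return 1
    fi
    return 0
}
```

On a live firewall the input would come from `ip -o -4 addr show | ipsec_preflight`.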
