Ray - thanks again. Forgive me if I was unclear. I've got 5 Bering firewalls in production but this one is bringing a lot of new concepts my way.
> This doesn't deal with my uncertainty about the old setup. Was the old
> router able to handle the address "xxx.xxx.xxx.142" or not?

Yes.

> That is, did it somehow (either as its own interface with port forwarding,
> or via proxy arp) make that address visible on the external interface, and
> could it route traffic going from the server using that address
> successfully?

Apparently so. If it didn't, then I'm missing a piece of the puzzle, which is possible. I've not been on site where this firewall is installed, and I apologize to you for the boneheads on site if this is the case.

> Were the "LAN" servers we're talking about also plugged into this same
> switch? I suppose they must have been.

Yes they were.

> With that physical setup, and knowing as little about the configuration of
> the prior router as we seem to, I would not assume it was routing traffic
> to and from the other public addresses; the ISP may have been reaching them
> directly, without firewalling. It may only have been NAT'ing whatever
> private-address IPs were used by workstations ... the physical setup you
> (sort of) describe could do this, while not offering any firewalling or
> routing whatsoever to the public-address servers.

I never considered this, but this is probably exactly how it was working for the 27-30 public IPs (see below).

> Even if you can't check the old router, can you check the old
> configurations of the servers? What did their routing tables look like? (If
> you feel you must conceal the actual addresses, please don't turn them into
> jabberwocky ... use some convention that lets us easily distinguish
> different hosts, gateway addresses, and netmasks.) Did they have the old
> router's internal IP address as their default gateway or the ISP gateway
> appropriate to each distinct "network"?

ISP gateway appropriate to each distinct network, with the exception of the FTP server. It is configured as follows:

Public address 2A9.2B8.2C3.1D2 mask 255.255.255.252 gw 2A9.2B8.2C3.1D1
internal 192.168.1.7

There is only one NIC in this box, and so apparently the old router did something (SNAT?) for this address. The other address range (the 26-30 addresses) are configured exactly as the external interface on the firewall, and are working in a proxy arp'ed DMZ. In fact, 26 is the firewall address.

> In the meantime, please figure out a way to conceal them that does not
> leave out information we need to know.

Hopefully the above is better. I can say that all these addresses are public and routable - no upstream NAT. I'm still trying to get access to the old router.

Thanks again for your help.

- Bob Coffman

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
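The message above describes two kinds of server behind the new firewall: hosts whose public address sits inside the firewall's own external subnet (the 26-30 range, served by a proxy-ARP DMZ) and a single-NIC FTP box that carries a public /30 with its own ISP gateway plus a private address, where the old router must have done proxy ARP for that block or 1:1 NAT. The following script is an added example, not from the thread or the LEAF project, that sorts each host into the mechanism the firewall will need and flags the inconsistencies the replies are probing for (a default gateway outside the host's own subnet, a public address that collides with the firewall's external address). All addresses are constructed sample values from the RFC 5737 documentation ranges, not the poster's obfuscated ones, and the topology assumed is the one stated in the thread: every public block arrives on the same wire as the firewall's external interface, with no upstream NAT.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample value: the firewall's external interface and its subnet.
FIREWALL_EXT = ipaddress.ip_interface("203.0.113.26/27")


@dataclass
class Host:
    name: str
    bound: str      # address/prefix actually configured on the host's single NIC
    gateway: str    # default gateway configured on the host
    public: str     # public address the outside world should reach the host at


@dataclass
class Finding:
    host: str
    mechanism: str
    issues: list = field(default_factory=list)


def classify(host: Host, firewall_ext: ipaddress.IPv4Interface = FIREWALL_EXT) -> Finding:
    """Decide how the firewall must expose one host, and record misconfigurations."""
    bound = ipaddress.ip_interface(host.bound)
    gw = ipaddress.ip_address(host.gateway)
    public = ipaddress.ip_address(host.public)
    finding = Finding(host=host.name, mechanism="unsupported")

    # A default gateway outside the host's own subnet is unreachable without a
    # host route; flag it instead of guessing what the old router did.
    if gw not in bound.network:
        finding.issues.append(f"gateway {gw} is not in {bound.network}")

    # Two machines claiming the firewall's external address will fight over ARP.
    if public == firewall_ext.ip:
        finding.issues.append(f"public address {public} is the firewall's external address")

    if bound.ip == public:
        if public in firewall_ext.network:
            # Same subnet as the external interface: plain proxy-ARP DMZ, no NAT.
            finding.mechanism = "proxyarp"
        else:
            # A separate public block on the same wire: the firewall must answer
            # ARP for it externally and hold a route to it via the DMZ interface.
            finding.mechanism = "proxyarp+route"
    elif bound.ip.is_private:
        # Host only knows its private address: firewall owns the public one and
        # does DNAT inbound / SNAT outbound (the "SNAT?" the poster suspects).
        finding.mechanism = "nat-1to1"
    return finding


def plan(hosts: list) -> list:
    """Classify every host; the caller can then act on findings with issues."""
    return [classify(h) for h in hosts]


# Constructed sample inventory mirroring the shapes discussed in the thread.
SAMPLE_HOSTS = [
    Host("web", "203.0.113.28/27", "203.0.113.1", "203.0.113.28"),
    Host("ftp", "198.51.100.2/30", "198.51.100.1", "198.51.100.2"),
    Host("intranet", "192.168.1.7/24", "192.168.1.1", "203.0.113.29"),
    Host("broken-gw", "203.0.113.30/27", "198.51.100.1", "203.0.113.30"),
    Host("clash", "203.0.113.26/27", "203.0.113.1", "203.0.113.26"),
]

if __name__ == "__main__":
    for f in plan(SAMPLE_HOSTS):
        status = "; ".join(f.issues) if f.issues else "ok"
        print(f"{f.host:10} {f.mechanism:15} {status}")
```

Hosts reported as `proxyarp+route` or `nat-1to1` are the ones whose old-router behaviour still has to be confirmed; the two flagged entries show the kind of mismatch that would explain a server that "apparently" worked before but cannot be made to work behind the new firewall.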
