I was under the impression that this was supposed to be a firewall box. 
My apologies.  You probably want to do that using subinterfaces, although
I'm not quite sure what it's gaining you.  I assume that the NAT router is
an appliance, like a LinkSys DSL router or somesuch, correct?  You don't
have the NAT Router allowing externally originated traffic to the server,
do you?  (This would require a static NAT or PAT of some sort on the NAT
Router).
On Sun, 23 Jun 2002 15:05:46 -0500
"Michael Hipp" <[EMAIL PROTECTED]> wrote:

> It appears there is no way to make it work using the typical NAT router
> that can only deal with one subnet.
> 
> Here's what I wanted because I already have the NAT router:
> 
>               Server
>     192.168.0.4 || 192.168.0.5
>                 ||
> LAN ---------- hub ------- NAT Router --- Internet
> 
> Traffic flow:
> LAN - hub - Router  (LAN Inet traffic bypasses server)
> LAN - hub - server (local traffic insecure, but private to addr 0.4)
> Server - hub - Router (secure but using 0.5 address)
> The key would be assigning certain ports to certain eths.
> 
> I know how to:
> Make addr 0.4 invisible to the router.
> Make inbound traffic come to addr 0.5.
> The LAN PCs will only use addr 0.4 since they only know file sharing.
> 
> It is an easy problem to solve if you put the server essentially where
> the hub is, but then the server must act as a router for all the
> LAN-Internet traffic.
> 
> I'm going to look into the "subinterface" idea (which I didn't know
> about) Thanks.
> 
> Michael
> 
> On Sunday 23 June 2002 07:43 am, Matthew Carpenter wrote:
> > So you want to share the same WIRE for both the Internet connection
> > and the protected network?
> >
> > This is generally considered less than optimum for security, since a
> > hacker need only compromise the router to have complete access to your
> > protected network.  However, if you ARE going to attempt this, you can
> > do this in a couple different ways.  The differences are only in
> > whether or not you use two interfaces.  Using one interface and
> > subinterface(s) - which are basically only additional ip addresses for
> > the same NIC.  You can have two interfaces connected to the same WIRE,
> > but that doesn't mean they are on the same subnet.  By subnet I mean
> > IP network.
> >
> > Not wanting to assume that you know this but believing you probably
> > do, there are several IP ranges set aside for private use: 
> > 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.  Microsoft ALSO decided
> > to add their own range of 169.something, for Windows boxes which are
> > configured for DHCP but there's no DHCP server available.  If you need
> > help subnetting IP and would like a refresher, feel free to email me
> > offlist and I'll explain how best to use these ranges.
> >
> > If you want to use two NICs (network interface cards, for anyone who
> > does not know), just set them on different IP subnets.  Assign an IP
> > address on the registered IP address range (the one assigned you by
> > the ISP), and assign a PRIVATE IP address to the other interface. 
> > This will become the "Default Gateway" for all the hosts on the
> > protected network.  If you are going to go this route and a separate
> > hub is a problem, I would actually use a cross-over cable to connect
> > the firewall directly to the Internet router and only connect the
> > protected interface to your hub/switch.  This is the method which I
> > would recommend, knowing very little about your needs.
> >
> > If you are going to use the same wire (hub/vlan) for both protected
> > and Internet address ranges, why waste the extra NIC?  Use it in
> > another box. You can "create" a subinterface for a NIC in a couple
> > different ways. Manually, by typing the following as root:
> >  ifconfig eth0:0 10.150.14.1 netmask 255.255.255.0 broadcast 10.150.14.255 up
> > This will create a subinterface which lives on eth0.  The rest is
> > self-explanatory.  Ask if you would like further explanation.
> > To have this interface created and controlled like a normal interface,
> > most RedHat-like (RH/MDK/COL/etc..) distros will allow you to create a
> > file such as /etc/sysconfig/network-scripts/ifcfg-eth0:0 which will
> > look very similar to the ifcfg-eth0 in the same location.  Some
> > distros allow you to create subinterfaces in their GUI tools as well.
> > Using subinterfaces will basically do the same as using two
> > interfaces, you'll just be limiting the amount of traffic you can send
> > through the box.... but who even has a 10mb connection to the
> > Internet, much less a 100mb one?
> >
> > If this is clear as mud, let me know and I can try to clean it up. 
> > Sorry that the formatting isn't the best for reading.
> 
> 
> _______________________________________________
> Linux-users mailing list -
> http://linux-sxs.org/mailman/listinfo/linux-users
> Subscribe/Unsubscribe info, Archives,and Digests are located at the
> above URL.
_______________________________________________
Linux-users mailing list - http://linux-sxs.org/mailman/listinfo/linux-users
Subscribe/Unsubscribe info, Archives,and Digests are located at the above URL.
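The subinterface recipe discussed in this thread (an `ifconfig eth0:0 ...` line with an explicit netmask and broadcast, or an `ifcfg-eth0:0` file under /etc/sysconfig/network-scripts) is easy to get subtly wrong when the netmask or broadcast is typed by hand. The script below is an added example, not code from anyone in the thread: it derives netmask and broadcast from a prefix length, then emits the legacy `ifconfig` command, the equivalent modern `ip addr add ... label eth0:0` command, and the Red Hat style ifcfg file. The interface name `eth0`, the address 10.150.14.1 and the /24 prefix are taken from the thread as illustration; nothing is applied to a live interface, so it can be run and inspected on any box.

```shell
#!/bin/sh
# Added example (not from the original thread): build an IP alias / "subinterface"
# configuration from an address and prefix length, computing netmask and
# broadcast instead of typing them by hand.

# prefix_to_netmask 24  ->  255.255.255.0
prefix_to_netmask() {
    p=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        elif [ "$p" -le 0 ]; then
            octet=0
        else
            # partial octet: top p bits set, e.g. p=4 -> 240
            octet=$(( 256 - (1 << (8 - p)) )); p=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    echo "$mask"
}

# broadcast_addr 10.150.14.1 255.255.255.0  ->  10.150.14.255
# (address OR inverted netmask, per octet)
broadcast_addr() {
    IFS=. read -r a1 a2 a3 a4 <<EOF
$1
EOF
    IFS=. read -r m1 m2 m3 m4 <<EOF
$2
EOF
    echo "$(( a1 | (255 & ~m1) )).$(( a2 | (255 & ~m2) )).$(( a3 | (255 & ~m3) )).$(( a4 | (255 & ~m4) ))"
}

# alias_command eth0 10.150.14.1 24
# Prints the iproute2 command that creates the alias; "label eth0:0" gives it
# the same name the old ifconfig syntax would have.
alias_command() {
    iface=$1; addr=$2; prefix=$3
    bcast=$(broadcast_addr "$addr" "$(prefix_to_netmask "$prefix")")
    echo "ip addr add $addr/$prefix brd $bcast dev $iface label $iface:0"
}

# legacy_ifconfig_command eth0 10.150.14.1 24
# The form used in the thread, for systems that still ship net-tools.
legacy_ifconfig_command() {
    iface=$1; addr=$2; prefix=$3
    mask=$(prefix_to_netmask "$prefix")
    bcast=$(broadcast_addr "$addr" "$mask")
    echo "ifconfig $iface:0 $addr netmask $mask broadcast $bcast up"
}

# ifcfg_alias eth0 10.150.14.1 24
# Contents for /etc/sysconfig/network-scripts/ifcfg-eth0:0 so the alias
# comes up at boot like a normal interface.
ifcfg_alias() {
    iface=$1; addr=$2; prefix=$3
    mask=$(prefix_to_netmask "$prefix")
    bcast=$(broadcast_addr "$addr" "$mask")
    printf 'DEVICE=%s:0\nIPADDR=%s\nNETMASK=%s\nBROADCAST=%s\nONBOOT=yes\n' \
        "$iface" "$addr" "$mask" "$bcast"
}

# Stand-alone usage: show what would be configured, without touching the NIC.
if [ "${1:-}" = "show" ]; then
    alias_command eth0 10.150.14.1 24
    legacy_ifconfig_command eth0 10.150.14.1 24
    echo "--- ifcfg-eth0:0 ---"
    ifcfg_alias eth0 10.150.14.1 24
fi
```

Run it with `sh script.sh show` to print the commands and file, then apply the `ip addr add` line as root and confirm with `ip addr show dev eth0` that the new address appears alongside the primary one. Keep in mind the point made earlier in the thread: an alias only gives the box a second address on the same wire; it does not separate the two address ranges at layer 2, so any host on that hub can still reach both.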