On 2006/07/26 23:37, elaconta.com Webmaster wrote:
> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
> <-> (192.168.1.0/24) LAN
>
> From what I've googled, this shouldn't even be possible, everything is
> on the same subnet. Regardless, it works great, and if I went and got an
> OpenBSD rig to replace the old Linux rig, it would have to retain this
> networking scheme, we can't afford to reconfigure the entire network
> just for switching our firewall.

Ah, it sounds like you're not running DHCP then... If you do get the
opportunity sometime, it's probably worth doing (even if you use it to
hand out static addresses).

> I know we could use a network bridge, but we need the caching
> nameserver functionality.

Bridging doesn't prevent this. The main problem area I've seen is with
ftp-proxy (some old posts suggested it can work but I've never been able
to get it running. ftpsesame isn't as clean but is great in this
situation). Running standard services on a box that's also a bridge
works ok.

You can probably bridge and, on one of the interfaces, set one address
as /24, one as /32 alias. If the default route of LAN machines is .122
rather than .120, also turn on inet.ip.forwarding. In that case, packets
LAN->router will be routed via .122, packets router->LAN will be bridged.
If it doesn't work out, tcpdump (from various points on the network) is
your friend.

I guess that the Linux box may be proxy-arp'ing. With Linux, proxy-arp
can be bound to a certain interface; that's not the case here so it
doesn't really work in this situation (you'd be answering ARP requests
on the same network the real host is on).
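To make the bridge-plus-two-addresses scheme from the reply concrete, here is an added example (not part of the original thread or the poster's setup) that stages the OpenBSD configuration files as a shell script. Interface names fxp0 (router side) and fxp1 (LAN side) are assumptions, as is the choice to put both addresses on the LAN-side member; the files are written to a staging directory so they can be reviewed before being copied to /etc.

```shell
#!/bin/sh
# Added example, not from the original thread. Stages OpenBSD config for a
# firewall that bridges fxp0 (router side) and fxp1 (LAN side) while keeping
# both 192.168.1.122/24 and 192.168.1.121/32 on one member interface.
# Interface names are assumptions; substitute your own.
set -e

stage_bridge_config() {
    dest="$1"
    mkdir -p "$dest"

    # bridgename.bridge0: make the router-facing and LAN-facing NICs one bridge.
    cat > "$dest/bridgename.bridge0" <<'EOF'
add fxp0
add fxp1
up
EOF

    # hostname.fxp1: the LAN-side member carries both addresses.
    # .122/24 is what LAN hosts use as their default route;
    # .121/32 is an alias so traffic the router sends to .121 still lands here.
    cat > "$dest/hostname.fxp1" <<'EOF'
inet 192.168.1.122 255.255.255.0 NONE
inet alias 192.168.1.121 255.255.255.255
EOF

    # hostname.fxp0: bridge member only, no address of its own.
    cat > "$dest/hostname.fxp0" <<'EOF'
up
EOF

    # sysctl.conf: forwarding is needed because LAN->router packets are
    # routed (default route .122) while router->LAN packets are bridged.
    cat > "$dest/sysctl.conf" <<'EOF'
net.inet.ip.forwarding=1
EOF
}

# Sanity-check the staged files before copying them into /etc.
# Returns non-zero if any expected line is missing.
check_staged() {
    dest="$1"
    grep -q '^inet 192.168.1.122 255.255.255.0 NONE$' "$dest/hostname.fxp1" &&
    grep -q '^inet alias 192.168.1.121 255.255.255.255$' "$dest/hostname.fxp1" &&
    grep -q '^add fxp0$' "$dest/bridgename.bridge0" &&
    grep -q '^add fxp1$' "$dest/bridgename.bridge0" &&
    grep -q '^net.inet.ip.forwarding=1$' "$dest/sysctl.conf"
}

stage_bridge_config "${DEST:-./openbsd-etc-staging}"
check_staged "${DEST:-./openbsd-etc-staging}"
```

After copying the staged files into /etc, `sh /etc/netstart` brings the interfaces and bridge up and `sysctl net.inet.ip.forwarding=1` enables forwarding without a reboot. As the reply says, if LAN hosts can't reach the router afterwards, run tcpdump on fxp0 and fxp1 separately to see whether a given packet is being bridged or routed.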