On Sun, 11 Mar 2007 at 12:28 -0600, Michael Torrie wrote:
> > BTW, I didn't end up using any proxy arp at all. It's all routing, and
> > it's not at all complicated; it's 4 static routes. The cisco is broken
> > for icmp from the lan, but it doesn't make a practical difference.
>
> Yes. Given that you aren't implementing a DMZ, this is simplest. Are
> you still giving each server two IP addresses? How is the routing
> dealing with that? Does it require any special configuration of the
> servers themselves?

No, except for one. The routing is nothing special; the easiest way to deal with the private subnet is to give the router a private address also, then the clients need no special configuration. The server with both public and private addresses just needs to be told the private address (and gateway/mask) statically (it's a statically configured box anyway).

I have my router responding to two addresses, a public and a private. The public address is on vlan1 (wan), and the private address is on br0 (lan). I had to set /proc/sys/net/ipv4/conf/*/arp_{ignore,announce} to 0, so that the public interface would respond to arp on the lan interface. This seemed easier and safer than giving both interfaces the same public IP. Another way would have been to give the public lan boxes a static route to the private ip of the router on the lan and setting that as the gateway; again deemed too complicated.

-- 
Hans Fugal ; http://hans.fugal.net

There's nothing remarkable about it. All one has to do is hit the right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
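
An added example, not part of the original message: a shell audit of the `arp_ignore` / `arp_announce` settings discussed above, showing per interface whether ARP requests are answered for addresses held by other interfaces. The function names and the sample tree are constructed for illustration; the max-of-`all`-and-interface rule is the one given in the kernel's ip-sysctl documentation.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.
CONF_DEFAULT=/proc/sys/net/ipv4/conf

# The kernel applies max(conf/all/KNOB, conf/IFACE/KNOB) for both knobs.
effective() {  # effective CONF_DIR IFACE KNOB
    all=$(cat "$1/all/$3") || return 1
    own=$(cat "$1/$2/$3") || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Which target addresses get an ARP reply when the request arrives on IFACE.
arp_scope() {  # arp_scope CONF_DIR IFACE
    case $(effective "$1" "$2" arp_ignore) in
        0)   echo any-local-address ;;   # also addresses on other interfaces
        1|2) echo own-addresses-only ;;  # 2 also checks the sender's subnet
        8)   echo no-replies ;;
        *)   echo other ;;
    esac
}

audit() {  # audit [CONF_DIR]
    conf=${1:-$CONF_DEFAULT}
    for d in "$conf"/*/; do
        i=$(basename "$d")
        case $i in all|default) continue ;; esac
        printf '%s arp_ignore=%s arp_announce=%s replies=%s\n' "$i" \
            "$(effective "$conf" "$i" arp_ignore)" \
            "$(effective "$conf" "$i" arp_announce)" \
            "$(arp_scope "$conf" "$i")"
    done
}

# Constructed sample tree with the interface names from the message.
make_fixture() {  # make_fixture DIR ALL_ARP_IGNORE BR0_ARP_IGNORE
    for i in all default vlan1 br0; do
        mkdir -p "$1/$i"
        echo 0 > "$1/$i/arp_ignore"
        echo 0 > "$1/$i/arp_announce"
    done
    echo "$2" > "$1/all/arp_ignore"
    echo "$3" > "$1/br0/arp_ignore"
}

tmp=$(mktemp -d)
make_fixture "$tmp" 0 0 && audit "$tmp"   # the setup described: everything 0
make_fixture "$tmp" 1 0 && audit "$tmp"   # all=1 wins over br0=0
rm -rf "$tmp"
```

Calling `audit` with no argument reads the live `/proc/sys/net/ipv4/conf` tree instead of the constructed one.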