Maple Thorpe wrote:

> Net---(8 IpAddresses)>Firewall/Router(2 IPAddresses and 3 NICs)
> Firewall/Router-->(NIC 1 External IP)
> Firewall/Router-->(NIC 2 (Loc) Private IP (10.10.10.1))-->Loc HUB
> Firewall/Router-->(NIC 3 (DMZ) Private IP (10.10.11.1))-->DMZ HUB
Not clear from that whether you have a separate IP you can use for the outside interface - I'm assuming not.

My preference is to avoid NAT completely if you can. One option is to run your firewall as a bridge - that way, you can use your public IPs on the public facing servers without any need for NAT or Proxy ARP. It's really the simplest way as there are then no complications at all to worry about. The downside is that the bridge code in the Linux networking imposes some limitations.

You could, assuming you have the skills, run a firewall as a virtual machine under Xen (or any other mechanism you are familiar with), and then host your VPN endpoints on a separate real or virtual machine. That will remove some of the complexity, though it will add a little of its own - while you can run everything on one box, you can certainly simplify things if you divide and conquer!

If you had a separate public IP to use as a link address, then I'd say it's a no-brainer, just use routed mode like this:

    --link-- <link IP><firewall><public subnet> --- DMZ

-- 
Simon Hobson

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
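To make the two layouts in the reply concrete, here is an added example of the Shorewall configuration for each; it is not from the original thread or from the Shorewall project. The addresses are assumptions: 203.0.113.0/30 for the upstream link (the "link IP" case), 198.51.100.0/29 as the eight-address public subnet routed onto the DMZ, and 10.10.10.0/24 for the private LAN taken from the quoted message. eth0, eth1 and eth2 are assumed to be the external, LAN and DMZ NICs respectively. In routed mode the DMZ hosts carry public addresses directly and no NAT is involved for them; only the private LAN is masqueraded. In bridged mode the firewall has no routing role between net and dmz at all, so there is no NAT and no Proxy ARP, but the kernel must provide bridge support and the physdev match for this to work.

```conf
########## Routed mode (separate link IP available) ##########

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# eth0 carries the link address (203.0.113.2/30, assumed); the upstream
# routes 198.51.100.0/29 to it, and the firewall forwards that subnet to eth2.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/policy
# Default stance: private LAN may reach out, DMZ may reach the Internet,
# everything arriving from the Internet is dropped unless a rule allows it.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Only the published services on the public DMZ host (198.51.100.2, assumed)
# are reachable from the Internet; admin access to the DMZ comes from the LAN.
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
SECTION NEW
ACCEPT  net     dmz:198.51.100.2    tcp     80,443
ACCEPT  loc     dmz                 tcp     22

# /etc/shorewall/masq
# NAT is needed only for the private LAN; the public DMZ subnet is routed as-is.
#INTERFACE  SOURCE
eth0        10.10.10.0/24

########## Bridged mode (no spare public IP) ##########

# Assumes br0 has been created from eth0 and eth2 by the OS network
# configuration, with the firewall's own public address placed on br0.
# eth1 (private LAN) remains a routed interface and is still masqueraded.

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect      bridge
loc     eth1        detect      tcpflags,nosmurfs

# /etc/shorewall/hosts
# Zones on the bridge are defined by which bridge port the traffic enters.
#ZONE   HOST(S)
net     br0:eth0
dmz     br0:eth2

# zones, policy and rules are unchanged from the routed layout; the
# net<->dmz rules now filter frames passing through the bridge rather
# than routed packets, so the DMZ hosts keep their public addresses.
```

In both layouts the policy file is where the security posture lives: the `net all DROP` line is what makes the DMZ default-closed, and the rules file opens only the specific published ports. The bridged variant is the one the reply calls "really the simplest way"; its cost is that the firewall cannot use routing features (such as the link-address topology above) between the bridged interfaces.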
