Thanks for response. I'll give the brouter configuration a whirl.
On Tue, 2010-10-12 at 17:31 +0100, Simon Hobson wrote:
> Maple Thorpe wrote:
>
> >Net---(8 IpAddresses)>Firewall/Router(2 IPAddresses and 3 NICs)
> >Firewall/Router-->(NIC 1 External IP)
> >Firewall/Router-->(NIC 2 (Loc) Private IP (10.10.10.1))-->Loc HUB
> >Firewall/Router-->(NIC 3 (DMZ) Private IP (10.10.11.1))-->DMZ HUB
>
> Not clear from that whether you have a separate IP you can use for
> the outside interface - I'm assuming not.
>
> My preference is to avoid NAT completely if you can. One option is to
> run your firewall as a bridge - that way, you can use your public IPs
> on the public facing servers without any need for NAT or Proxy ARP.
> It's really the simplest way as there are then no complications at
> all to worry about. The downside is that the bridge code in the Linux
> networking imposes some limitations.
>
> You could, assuming you have the skills, run a firewall as a virtual
> machine under Xen (or any other mechanism you are familiar with), and
> then host your VPN endpoints on a separate real or virtual machine.
> That will remove some of the complexity, though it will add a little
> of its own - while you can run everything on one box, you can
> certainly simplify things if you divide and conquer !
>
>
> If you had a separate public IP to use as a link address, then I'd
> say it's a no-brainer, just use routed mode like this :
>
> --link-- <link IP><firewall><public subnet> --- DMZ

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
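For anyone following the thread, here is what a "brouter" layout of the kind discussed above looks like in Shorewall terms: the public-facing NIC and the DMZ NIC are joined in a Linux bridge so DMZ servers keep their public addresses without NAT or proxy ARP, while the private LAN NIC stays a normal routed, masqueraded port. This is an added example, not Simon's or Maple's configuration and not taken from the Shorewall documentation; the interface names (eth0 net, eth1 loc, eth2 dmz, br0 bridge), the 10.10.10.0/24 LAN and the Shorewall 4.4-era file layout are assumptions, and the bridge is assumed to carry one of the eight public addresses as its own link address.

```text
# Bridge creation (assumed iproute2 commands; older hosts use brctl instead).
# Bridged frames only reach iptables when bridge-nf is enabled:
#   sysctl -w net.bridge.bridge-nf-call-iptables=1
#   ip link add br0 type bridge
#   ip link set eth0 master br0      # NIC 1, public side
#   ip link set eth2 master br0      # NIC 3, DMZ side
#   ip link set br0 up
#   ip addr add <one public IP>/<prefix> dev br0   # placeholder, not from the thread

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# br0 is declared with the 'bridge' option and no zone of its own;
# eth1 (NIC 2) remains an ordinary routed interface for the private LAN.
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect      bridge,routeback
loc     eth1        detect      tcpflags,nosmurfs,routefilter

# /etc/shorewall/hosts
# With a bridge, the port a frame arrived on decides its zone.
#ZONE   HOST(S)      OPTIONS
net     br0:eth0
dmz     br0:eth2

# /etc/shorewall/policy
# Default-deny from the Internet; the LAN may reach both the DMZ and the net.
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
loc      dmz    ACCEPT
dmz      net    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/masq
# Only the private LAN is NATed, out through the bridge; DMZ traffic is
# bridged untouched and keeps its public source addresses.
#INTERFACE   SOURCE
br0          10.10.10.0/24

# /etc/shorewall/rules
# Expose only the DMZ services you actually run (constructed sample ports).
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    net      dmz    tcp     80,443
ACCEPT    net      dmz    tcp     25
ACCEPT    loc      fw     tcp     22
```

Two things worth checking before relying on this: the DMZ hosts' default gateway is the upstream router, not the firewall, because the firewall is invisible at layer 3 on the bridged path; and the `bridge-nf-call-iptables` sysctl must be 1, otherwise bridged frames bypass the ruleset entirely and the net/dmz policies never fire. After `shorewall check` and `shorewall restart`, confirm with `shorewall show capabilities` that Physdev Match is listed, since the `br0:eth0` style zone assignment depends on it.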
