Re: [zones-discuss] routing issues

Wed, 19 Aug 2009 11:04:30 -0700 

On 08/18/09 16:42, Robert Hartzell wrote:

 > Steffen Weiberle wrote:
How many ways do you have to get to the internet? I hope two, since 10.0.0.0/24 will need one. 

I am not able to picture your setup, however, take a look at


Maybe a better explanation of what I'm trying to accomplish would help.

This is my current setup which works well. The firewall does NAT so my 
public IP is translated to 10.0.0.2


   cable modem
    |
    |
   firewall(10.0.0.1)
    |
    |
      nic1 (10.0.0.2)
---bastion host----------
      nic2(192.168.0.100)
    |
    |
     switch
    |
    |
host1 host2 host3 host(n)
(all on 192.168.0.0/24)


That helps. So you are trying to do the following?:

   cable modem
    |
    |
   firewall(10.0.0.1)
    |
    |
      nic1 (10.0.0.2), vnic1 (10.0.0.3), vnic2 (10.0.0.4),
    |                  vnic3 (10.0.0.5)
---bastion host----------
      nic2(192.168.0.100)
    |
    |
     switch
    |
    |
host1 host2 host3 host(n)
(all on 192.168.0.0/24)

where dns, mail, and webserver would be using vnic[123]?

If so, I take it their default router is 10.0.0.1.


Getting to/from them from 192.168.0.0/24 may be tricky, as they are 
really only outbound facing, and I doubt your firewall knows to send 
things back to 10.0.0.2 if the destination is 192.168.0.0.



I gotta think about this is this is what you are really doing--not sure 
that using zones vs. discrete systems on the 10.0.0.0 subnet would 
really behave differently (the nice thing about exclusive IP instances 
is that it really is very close to separate hardware at that level).



Shared IP Instances might introduce other routing issues, but they may 
not apply here.


Steffen




Three public services run on the bastion host (dns, mail, webserver) and 
 I thought I would introduce another level of security by moving these 
into zones but it has proven to be more difficult then I had anticipated 
because of the two subnets. All of my testing was done on a workstation 
with only network involved. All though I have limited experience with 
zones this seems like something that shouldn't be too difficult to set up.


--
 Robert W Hartzell
bear at rwhartzell.net
  RwHartzell.Net
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org


_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org






















					Reply via email to