Firewall Wizards mailing list archives
Re: Outside and inside firewall network adaptor on the same net?
From: "Saravana Ram" <Ram () POP Jaring My>
Date: Fri, 12 Nov 1999 20:11:22 +0800
> I have a fibre network connection to my provider. The router lives on 137.225.44.254 and I have a netmask of 255.255.255.0. Now I have a linuxbox sitting at 137.225.44.29 (eth0) directly connected to the router and with 137.225.44.252 connected to an internal network. The computers in the internal network use addresses from 137.224.44.2 to 137.224.44.200. Now the question: Can I use this setup with the linuxbox as a firewall/router, without masquerading? And what routing / ipchains rules do I have to set?
The answer, essentially, Axel, is no.
From what I gather, your net looks like this:
Internet
|
|
---(?)[Router](137.244.44.254)---(137.244.44.29)[Linuxbox](137.244.44.252)---{{InternalNet}}
The IP addresses from your internal network and your border internet
connections are from the same Class C block of addresses. This will result in
an inability to route packets unless your Linux box acts as a bridge, which
does not confer the security [I think] you want.
You have two options at this point:
1) Break the 137.244.44.0 block into two subnets.
2) Change the IP addresses of the internal network machines to another class C
block.
With option (1) you're stuck with 128 addresses for each subnet. This is
insufficient as your internal network has ~188 nodes. You could, however,
create one subnet with 128 addresses and create multiple other subnets with 64
addrs, then 32, then 16, then 8, and one last block with 8. Keep the last block of
eight addresses for your external (border) network interfaces, and use the
other 5 subnets for your internal network. I will NOT RECOMMEND you adopt
this strategy, as routing 5 subnets is unnecessary hell considering you are
catering for less than 200 nodes.
With option (2), you can either try getting another block of 256 addresses from
your provider and change all your internal hosts to that IP address block, or
use a reserved IP address block. If you use reserved addresses, though, you
will need to use masquerading/proxying and cannot use routing as you would
if you were to use a block of addresses which are globally unique. You will
get better security (please don't let this spark debate) by using a
masquerading/proxying solution, so you may want to not bother trying to get
more IP addresses anyway. Furthermore, by using reserved addresses, you can
easily use a Class B address block if you believe that the number of hosts will
expand soon.
With both options, you will need to do a lot of reconfiguring of hosts in the
internal network. The IP address migration will be more painful with the
second option, but is more rewarding in the long term.
I say go for option 2. And do subscribe to this list.
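The addressing arithmetic behind the reply, as an added worked example that is not part of the original thread: it uses Python's standard `ipaddress` module to show why two interfaces configured in the same /24 cannot be routed between, to carve the /24 into the 128/64/32/16/8/8 plan of option (1) and count the usable internal hosts it yields, and to flag an RFC 1918 block (option 2) as one that must be masqueraded. The addresses are the ones quoted in the question (137.225.44.0/24); the 10.0.0.0/16 block and the ~199 host requirement (.2 through .200) are assumptions made for the example.

```python
"""Sanity-check the addressing plans discussed in the thread (added example)."""
import ipaddress

# Constructed from the quoted question: one /24 from the provider, with the
# router, the Linux box's eth0 and its internal interface all in it.
PROVIDER_BLOCK = ipaddress.ip_network("137.225.44.0/24")
INTERNAL_HOSTS_NEEDED = 199  # assumption: hosts .2 .. .200 inclusive


def same_broadcast_domain(iface_a: str, iface_b: str) -> bool:
    """True when two interface addresses (given with their prefix) fall into
    one subnet; the box can then only bridge between them, not route."""
    return ipaddress.ip_interface(iface_a).network == ipaddress.ip_interface(iface_b).network


def vlsm_split(block, sizes):
    """Carve `block` into consecutive subnets holding `sizes` addresses each.

    Sizes must be powers of two and listed largest-first so every subnet starts
    on an aligned boundary. Raises ValueError when a size is not a power of two,
    when a subnet would start on a misaligned address, or when the plan does not
    tile the whole block exactly.
    """
    nets = []
    cursor = int(block.network_address)
    for size in sizes:
        if size < 4 or size & (size - 1):
            raise ValueError(f"subnet size {size} is not a usable power of two")
        prefix = block.max_prefixlen - size.bit_length() + 1  # 128 -> /25, 8 -> /29
        net = ipaddress.IPv4Network((cursor, prefix))  # strict: rejects misaligned start
        if not net.subnet_of(block):
            raise ValueError(f"{net} overflows {block}")
        nets.append(net)
        cursor += size
    if cursor != int(block.broadcast_address) + 1:
        raise ValueError("plan does not tile the whole block")
    return nets


def plan_is_valid(block, sizes) -> bool:
    """Boolean wrapper around vlsm_split for quick checks."""
    try:
        vlsm_split(block, sizes)
        return True
    except ValueError:
        return False


def usable_hosts(nets) -> int:
    """Usable host addresses over the given subnets (network and broadcast excluded)."""
    return sum(net.num_addresses - 2 for net in nets)


def option_one_plan(block=PROVIDER_BLOCK):
    """Option (1) from the reply: 128/64/32/16/8 for the internal side and the
    last 8 addresses for the border interfaces.
    Returns (internal_subnets, border_subnet, usable_internal_hosts)."""
    nets = vlsm_split(block, [128, 64, 32, 16, 8, 8])
    internal, border = nets[:-1], nets[-1]
    return internal, border, usable_hosts(internal)


def option_two_plan(internal_block="10.0.0.0/16"):
    """Option (2) with a reserved block (assumed 10.0.0.0/16 here).
    Returns (network, needs_masquerading, usable_hosts); a private block can
    never be routed on the Internet, so it must be masqueraded or proxied."""
    net = ipaddress.ip_network(internal_block)
    return net, net.is_private, usable_hosts([net])


if __name__ == "__main__":
    print("eth0 and internal side in one subnet, routing impossible:",
          same_broadcast_domain("137.225.44.29/24", "137.225.44.252/24"))
    internal, border, usable = option_one_plan()
    for net in internal:
        print("  internal", net, "->", net.num_addresses - 2, "usable hosts")
    print("  border  ", border, "(router and eth0 must be renumbered into it)")
    print("  option 1 gives", usable, "internal hosts, need", INTERNAL_HOSTS_NEEDED)
    net, masq, hosts = option_two_plan()
    print("  option 2:", net, "private =", masq, "usable hosts =", hosts)
```

Running it shows the point of the reply directly: with the original netmask both sides of the Linux box are one broadcast domain, and after the option (1) carve the five internal subnets offer 238 usable hosts, but the router and eth0 have to move into the final /29 and every internal host has to be renumbered into the new smaller subnets, which is the "unnecessary hell" the reply warns about.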
Current thread:
- Outside and inside firewall network adaptor on the same net? Axel Schwarz (Nov 10)
- Re: Outside and inside firewall network adaptor on the same net? Saravana Ram (Nov 14)
