Kevin wrote:
> On Tue, 2004-08-31 at 20:14, Alan Dayley wrote:
>
>> The problem is that when I put the firewall in the path, I get no
>> Internet access anywhere. If I set the gateway on DNSServer and
>> DHCPServer to 192.168.0.3, I still get nothing. Assuming the firewall
>> iptables are configured right (it is an IPCop install), what is wrong
>> here? Are my IP addresses messed up somehow? Perhaps I should enable
>> DHCP in the DSLRouter and let the firewall get the IP on that interface
>> via DHCP?
>
> Alan,
> I think you are mixing up layer 2 (switches) and layer 3
> (routers/firewalls). Think of it more like this, where each bar (|) in
> the drawing represents a different layer 3 "subnet".
>
> Inet--|--DSL--|--FW--|--DNS/DHCP/Workstations
>
> The first subnet will use publicly routable IP address space provided by
> your ISP (like 66.167.x.y or whatever). The outside interface of the
> DSL Router will probably receive a dynamic address in this range from
> the ISP. No worries.
>
> The second subnet is up to you. It is the subnet between the DSL Router
> and the Firewall. Let's say you statically assign 192.168.0.1 to the
> inside interface of the DSL Router and 192.168.0.2 to the outside
> interface of the Firewall. These addresses must be in the same subnet, so
> let's keep it simple and use a netmask of 255.255.255.0. It's a huge
> waste of IP address space, but we are shooting for simplicity here.
> DISABLE THE DHCP SERVER IN THE DSL ROUTER.
>
> The third and final subnet is also up to you. It is the subnet between
> the FW and the internal LAN (Workstations, local DNSserver, and local
> DHCPserver). The KEY here is that it MUST be a different subnet than
> the others. So, let's stick with a netmask of 255.255.255.0, but let's
> use 192.168.1.x for everything on this subnet. The inside interface of
> the firewall will be 192.168.1.1. The DHCPserver will be 192.168.1.2.
> The DNSserver will be 192.168.1.3. I recommend configuring all these as
> STATIC addresses.
>
> Finally, configure the Local DHCPserver to hand out addresses in the
> 192.168.1.x subnet, using some range that doesn't overlap with any of
> the addresses you have already used. For example, hand out
> 192.168.1.100 - 192.168.1.199 to the workstations.
>
> As a side note, if the "switch" in your drawing is truly a switch, then
> its IP address is only used to remotely manage the switch. Statically
> assign it to the internal subnet (maybe 192.168.1.4). It should NOT be
> the default gateway for anything! It works at layer 2, not layer 3.
>
> For default gateways, point each device one hop upstream. In other
> words, the workstations should get a default gateway (via DHCP) of
> 192.168.1.1 (the FW's inside interface). The FW should be statically
> assigned a default gateway of 192.168.0.1 (the inside interface of the
> DSL Router). The DSL Router will learn its default gateway from the
> ISP.
>
> Whew. I hope that helps.
>
> ...Kevin

Good simple explanation, Kevin. I have a setup that's pretty much the same, except the FW and servers are all the same box and I subnetted with 255.255.255.128. Nice to see I wasn't far off!

--
-Eric 'shubes'

"There is no such thing as the People; it is a collectivist myth. There are only individual citizens with individual wills and individual purposes."
-William E. Simon (1927-2000), Secretary of the Treasury (1974-1977)
"A Time For Truth" (1978), pg. 237

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
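The three-subnet plan in Kevin's reply boils down to a handful of layer-3 rules that can be checked mechanically before touching the boxes: directly connected interfaces must share a subnet, the transit and LAN subnets must not overlap, every default gateway must be on-link for the host that uses it, and the DHCP pool must stay inside the LAN subnet without colliding with the static addresses. The following script is an added example, not code from the thread or from IPCop; it uses only the Python standard library `ipaddress` module. The GOOD_PLAN dictionary is Kevin's suggested layout; BAD_PLAN is a constructed plan that reuses 192.168.0.x on both sides of the firewall, which is the mistake his "MUST be a different subnet" warning is about. Netmasks are given in dotted form so that Eric's 255.255.255.128 variant can be checked the same way.

```python
"""Validate a DSL -> firewall -> LAN layout of the kind described above.

Added example (not from the original thread). The rules implemented are the
standard layer-3 ones; the names and addresses in GOOD_PLAN are the ones
suggested in Kevin's reply, and BAD_PLAN is constructed to show a failure.
"""
import ipaddress


def iface(addr, mask):
    """Build an interface object from a dotted address and dotted netmask."""
    return ipaddress.ip_interface(f"{addr}/{mask}")


def same_link(a, b):
    """True when two interfaces sit on the same layer-3 subnet."""
    return a.network == b.network


def gateway_on_link(host, gateway):
    """A host can only use a default gateway inside its own subnet."""
    return ipaddress.ip_address(gateway) in host.network


def pool_is_clean(network, pool_start, pool_end, reserved):
    """DHCP pool must lie inside the subnet and avoid static hosts."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end or start not in network or end not in network:
        return False
    return not any(start <= ipaddress.ip_address(r) <= end for r in reserved)


def check_layout(plan):
    """Return a list of problems found; an empty list means the plan is sane."""
    problems = []
    dsl_in = iface(plan["dsl_inside"], plan["transit_mask"])
    fw_out = iface(plan["fw_outside"], plan["transit_mask"])
    fw_in = iface(plan["fw_inside"], plan["lan_mask"])

    if plan.get("dsl_dhcp_enabled", False):
        problems.append("DSL router DHCP server must be disabled")
    # Transit subnet: DSL inside interface and FW outside interface talk directly.
    if not same_link(dsl_in, fw_out):
        problems.append("DSL inside and FW outside are not on the same subnet")
    # The firewall routes between two subnets; they must not overlap.
    if fw_out.network.overlaps(fw_in.network):
        problems.append("transit subnet overlaps LAN subnet")
    # FW default gateway is one hop upstream: the DSL router's inside interface.
    if not gateway_on_link(fw_out, plan["fw_gateway"]):
        problems.append("FW default gateway is not on the transit subnet")
    # Every LAN host must be on the FW inside subnet and reach the FW as gateway.
    for name, addr in plan["lan_hosts"].items():
        host = iface(addr, plan["lan_mask"])
        if not same_link(host, fw_in):
            problems.append(f"{name} ({addr}) is not on the LAN subnet")
        if not gateway_on_link(host, plan["lan_gateway"]):
            problems.append(f"{name} cannot reach gateway {plan['lan_gateway']}")
    # DHCP pool must not hand out an address already assigned statically.
    reserved = [plan["fw_inside"], *plan["lan_hosts"].values()]
    if not pool_is_clean(fw_in.network, plan["pool_start"], plan["pool_end"], reserved):
        problems.append("DHCP pool leaves the LAN subnet or overlaps a static host")
    return problems


# Kevin's suggested layout, taken from the post above.
GOOD_PLAN = {
    "transit_mask": "255.255.255.0",
    "dsl_inside": "192.168.0.1",
    "fw_outside": "192.168.0.2",
    "fw_gateway": "192.168.0.1",
    "lan_mask": "255.255.255.0",
    "fw_inside": "192.168.1.1",
    "lan_gateway": "192.168.1.1",
    "lan_hosts": {"DHCPserver": "192.168.1.2", "DNSserver": "192.168.1.3", "switch": "192.168.1.4"},
    "pool_start": "192.168.1.100",
    "pool_end": "192.168.1.199",
    "dsl_dhcp_enabled": False,
}

# Constructed failure: same 192.168.0.x subnet on both sides of the firewall.
BAD_PLAN = dict(
    GOOD_PLAN,
    fw_inside="192.168.0.3",
    lan_gateway="192.168.0.3",
    lan_hosts={"DHCPserver": "192.168.0.4", "DNSserver": "192.168.0.5"},
    pool_start="192.168.0.100",
    pool_end="192.168.0.199",
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_layout(plan) or "ok")
```

Running it reports the GOOD_PLAN as clean and flags BAD_PLAN with "transit subnet overlaps LAN subnet". Pointing the LAN hosts at a gateway in the other subnet, as in Alan's 192.168.0.3 attempt, shows up as a "cannot reach gateway" finding for every host, which is the layer-3 reason no traffic leaves the LAN.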