Re: Firewall config problem

Author: Eric "Shubes"
Date:  
To: plug-discuss
Subject: Re: Firewall config problem
Kevin wrote:
> On Tue, 2004-08-31 at 20:14, Alan Dayley wrote:
>
>>The problem is that when I put the firewall in the path, I get now
>>Internet access anywhere. If I set the gateway on DNSServer and
>>DHCPServer to 192.168.0.3, I still get nothing. Assuming the firewall
>>iptables are configured right (it is an IPCop install), what is wrong
>>here? Are my IP addresses messed up somehow? Perhaps I should enable
>>DHCP in the DSLRouter and let the firewall get the IP on that interface
>>via DHCP?
>
>
> Alan,
> I think you are mixing up layer 2 (switches) and layer 3
> (routers/firewalls). Think of it more like this, where each bar (|) in
> the drawing represents a different layer 3 "subnet".
>
> Inet--|--DSL--|--FW--|--DNS/DHCP/Workstations
>
> The first subnet will use publicly routable IP address space provided by
> your ISP (like 66.167.x.y or whatever). The outside interface of the
> DSL Router will probably receive a dynamic address in this range from
> the ISP. No worries.
>
> The second subnet is up to you. It is the subnet between the DSL Router
> and the Firewall. Let's say you statically assign 192.168.0.1 to the
> inside interface of the DSL Router and 192.168.0.2 to the outside
> interface of the Firewall. These addresses must be in the same subnet so
> let's keep it simple and use a netmask of 255.255.255.0. It's a huge
> waste of IP address space, but we are shooting for simplicity here.
> DISABLE THE DHCP SERVER IN THE DSL ROUTER.
>
> The third and final subnet is also up to you. It is the subnet between
> the FW and the internal LAN (Workstations, local DNSserver, and local
> DHCPserver). The KEY here is that it MUST be a different subnet than
> the others. So, let's stick with a netmask of 255.255.255.0, but let's
> use 192.168.1.x for everything on this subnet. The inside interface of
> the firewall will be 192.168.1.1. The DHCPserver will be 192.168.1.2.
> The DNSserver will be 192.168.1.3. I recommend configuring all these as
> STATIC addresses.
>
> Finally, configure the Local DHCPserver to hand out addresses in the
> 192.168.1.x subnet, using some range that doesn't overlap with any of
> the addresses you have already used. For example, hand out
> 192.168.1.100 - 192.168.1.199 to the workstations.
>
> As a side note, if the "switch" in your drawing is truly a switch, then
> its IP address is only used to remotely manage the switch. Statically
> assign it to the internal subnet (maybe 192.168.1.4). It should NOT be
> the default gateway for anything! It works at layer 2, not layer 3.
>
> For default gateways, point each device one-hop upstream. In other
> words, the workstations should get a Default gateway (via DHCP) of
> 192.168.1.1 (the FW's inside interface). The FW should be statically
> assigned a default gateway of 192.168.0.1 (the inside interface of the
> DSL Router). The DSL Router will learn its default gateway from the
> ISP.
>
> Whew. I hope that helps.
>
> ...Kevin
>

Good simple explanation, Kevin. I have a setup that's pretty much the 
same, except the FW and servers are all the same box and I subnetted 
with 255.255.255.128. Nice to see I wasn't far off!
-- 
-Eric 'shubes'
"There is no such thing as the People;
  it is a collectivist myth.
  There are only individual citizens
  with individual wills
  and individual purposes."
-William E. Simon (1927-2000),
     Secretary of the Treasury (1974-1977)
  "A Time For Truth" (1978), pg. 237
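The three-subnet plan Kevin lays out can be checked mechanically. The script below is an added example, not code from the thread: it encodes his rules (every interface inside its link's subnet, no two links overlapping, each default gateway one hop upstream on the same link, DHCP pool inside the LAN and clear of the static addresses) and runs them against a plan built from his numbers. The device names, the switch address, and the reconstruction of Alan's broken all-on-192.168.0.x layout are assumptions.

```python
import ipaddress

# Constructed example plan following Kevin's three-subnet layout; device names
# and the switch address are assumptions made for this example.
PLAN = {
    "dsl-fw": ("192.168.0.0/24", {"dsl_inside": "192.168.0.1", "fw_outside": "192.168.0.2"}),
    "fw-lan": ("192.168.1.0/24", {"fw_inside": "192.168.1.1", "dhcp": "192.168.1.2",
                                  "dns": "192.168.1.3", "switch": "192.168.1.4"}),
}
GATEWAYS = {"fw_outside": "192.168.0.1", "dhcp": "192.168.1.1", "dns": "192.168.1.1"}
DHCP_POOL = ("fw-lan", "192.168.1.100", "192.168.1.199")

# Assumed reconstruction of Alan's symptom: both links on 192.168.0.x, LAN hosts pointed at .3
BROKEN_PLAN = {
    "dsl-fw": ("192.168.0.0/24", {"dsl_inside": "192.168.0.1", "fw_outside": "192.168.0.2"}),
    "fw-lan": ("192.168.0.0/24", {"fw_inside": "192.168.0.3", "dns": "192.168.0.10"}),
}
BROKEN_GATEWAYS = {"fw_outside": "192.168.0.1", "dns": "192.168.0.3"}

def check_plan(links, gateways, pool=None):
    """Return the list of rule violations; an empty list means the plan is consistent."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in links.items()}
    link_of = {}                      # device -> (address, network it is attached to)
    for name, (cidr, ifaces) in links.items():
        for dev, a in ifaces.items():
            ip = ipaddress.ip_address(a)
            link_of[dev] = (ip, nets[name])
            if ip not in nets[name]:  # interface address must belong to its link
                problems.append(f"{dev} {a} is not inside {name} {cidr}")
    names = list(nets)                # every link must be a distinct, non-overlapping subnet
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    for dev, gw in gateways.items():  # default gateway = one hop upstream, on the same link
        ip, net = link_of[dev]
        if ipaddress.ip_address(gw) not in net:
            problems.append(f"{dev} gateway {gw} is not on its own link {net}")
    if pool:                          # DHCP pool inside the LAN, clear of static addresses
        link, lo, hi = pool
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo not in nets[link] or hi not in nets[link]:
            problems.append(f"DHCP pool {lo}-{hi} leaves {link} {nets[link]}")
        for dev, a in links[link][1].items():
            if lo <= ipaddress.ip_address(a) <= hi:
                problems.append(f"static {dev} {a} collides with DHCP pool")
    return problems
```

`check_plan(PLAN, GATEWAYS, DHCP_POOL)` returns an empty list, while `check_plan(BROKEN_PLAN, BROKEN_GATEWAYS)` reports that the two links overlap, which is exactly the mistake Kevin's "MUST be a different subnet" rule is there to catch.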


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss