[plug] Separate networks on switch

Craig Ringer craig at postnewspapers.com.au
Mon Jun 6 22:01:29 WST 2005


On Mon, 2005-06-06 at 21:51 +0800, J Michael Gilks wrote:
> >
> > A switch or hub won't work because they're on different subnets, you'll
> > need a router to tell the packets where to go.
> >
> Thought so. The subnets are a home network and a DMZ so I guess a crossover 
> cable from the firewall to the webserver it will have to be.
> Just don't have one right here, right now.

If this is the setup you're considering:

    [firewall]
  .200.1   .201.1
      |       |
    [hub/switch]
      |        |
[webserver]    [client(s)]
  .200.2        .201.2 etc

then that'll work fine (and it's fine to have an aliased interface
instead of two real interfaces for the two IPs on the firewall, too).
You just need to tell the firewall to route between 192.168.200.0/24 and
192.168.201.0/24 (probably with some iptables filtering rules to stop
the DMZ initiating connections to the hosts on the internal LAN). It's
unimportant that the DMZ and client LAN are on the same physical
segment, except that it makes it easier to attack clients if a DMZ
machine is compromised.

This approach is *way* simpler than gruesomeness with static routes,
too, and it has the advantage that once you get that crossover cable you
can just switch to:


    [firewall]
  .200.1   .201.1
      |       |
      x      [hub/switch]
      |        |
[webserver]    [client(s)]
  .200.2        .201.2 etc

with no fuss.

-- 
Craig Ringer
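
One way to configure the firewall for the first (shared hub/switch) layout, as an added example that is not part of the original post or thread. It assumes eth1 is the firewall's inside interface and uses the two /24s from the diagram; the interface name and the firewall's addresses are assumptions, and rules for the Internet-facing interface are left out.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: eth1 is the firewall's
# inside interface; DMZ is 192.168.200.0/24, client LAN 192.168.201.0/24.
set -eu

INSIDE_IF="${INSIDE_IF:-eth1}"
DMZ_NET="192.168.200.0/24"
LAN_NET="192.168.201.0/24"

# One physical interface, two addresses: the alias (label eth1:0) gives the
# firewall a foot in each subnet without a second NIC, then enable routing.
configure_addresses() {
    ip addr add 192.168.200.1/24 dev "$INSIDE_IF"
    ip addr add 192.168.201.1/24 dev "$INSIDE_IF" label "${INSIDE_IF}:0"
    sysctl -w net.ipv4.ip_forward=1
}

# Emit the FORWARD policy in iptables-restore format. Clients may open
# connections into the DMZ; the DMZ may only answer them. DMZ-initiated
# traffic toward the LAN is logged and dropped. The default policy is DROP,
# so rules for traffic to/from the outside interface must be added separately.
gen_ruleset() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
-A FORWARD -s $DMZ_NET -d $LAN_NET -j LOG --log-prefix "DMZ->LAN drop: "
-A FORWARD -s $DMZ_NET -d $LAN_NET -j DROP
COMMIT
EOF
}

# Sanity check before loading: how many explicit DMZ->LAN DROP rules exist.
count_dmz_block_rules() {
    gen_ruleset | grep -c -- "-s $DMZ_NET -d $LAN_NET -j DROP"
}

apply_ruleset() {
    gen_ruleset | iptables-restore
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    configure_addresses
    apply_ruleset
fi
```

Note that this filtering only governs traffic the firewall routes; as the post says, a compromised DMZ host on the same physical segment can still reach clients at layer 2 without going through the firewall, which is why the crossover-cable layout is preferable.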