Dual subnets

This setup is the price we pay for saving one static IP on the private interface of the firewall. All services which are restricted to specific subnets and interfaces must be updated (/etc/hosts.allow, nfs, samba, sendmail, etc).

Firewall: private interface (eth0) is 192.168.1.254; add static routes to all static IPs on the internal net (output of route -n).

LAN PC on private subnet: use private IP, 192.168.1.3/255.255.255.0, and set gateway 192.168.1.254.

LAN PC on public subnet: use static IP, 1.2.3.5/0.0.0.0, and gateway device (eth0).

This is a strange setup, and ARP may get confused: some protocols have trouble connecting on the first attempt but succeed on the second or third (ssh is one example).

Set up IP aliases on private subnet, 192.168.1.5, for all static IPs (output of ifconfig, output of route -n). An IP alias does not show up in route output and is hard to add routes to; you may need to use /sbin/ifup-local. If running local DNS, it's tempting to give both static IP and alias the same name, but it's somewhat easier to have separate names.
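The point about updating subnet-restricted services can be checked mechanically. The following is an added example, not part of the original page: it flags /etc/hosts.allow rules that admit the private subnet but leave out a static IP on the same LAN. The sample rules are constructed, the function names are hypothetical, and only ALL, prefix, net/mask and literal-address client patterns are handled.

```python
import ipaddress

# Constructed sample in /etc/hosts.allow syntax (not taken from the page).
SAMPLE_HOSTS_ALLOW = """\
sshd     : 192.168.1. 1.2.3.5
portmap  : 192.168.1.0/255.255.255.0
sendmail : ALL
in.ftpd  : 192.168.1.3
"""
PRIVATE_NET = ipaddress.IPv4Network("192.168.1.0/24")  # private subnet on the page
STATIC_IPS = ["1.2.3.5"]                               # static IP on the same LAN


def to_network(pattern):
    """Turn a client pattern into the IPv4 network it admits, or None."""
    if pattern == "ALL":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if pattern.endswith("."):                 # prefix form: "192.168.1."
        octets = pattern.rstrip(".").split(".")
        pattern = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        return ipaddress.IPv4Network(pattern, strict=False)  # net/mask or single host
    except ValueError:
        return None                           # hostnames, EXCEPT, etc. are ignored here


def audit(text, static_ips=STATIC_IPS):
    """Return {daemon: [static IPs not admitted]} for rules that admit PRIVATE_NET."""
    findings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue
        nets = [n for n in map(to_network, fields[1].replace(",", " ").split()) if n]
        if not any(PRIVATE_NET.subnet_of(n) for n in nets):
            continue                          # rule is not scoped to the private subnet
        missing = [ip for ip in static_ips
                   if not any(ipaddress.IPv4Address(ip) in n for n in nets)]
        if missing:
            for daemon in fields[0].split():
                findings[daemon] = missing
    return findings


if __name__ == "__main__":
    for daemon, ips in audit(SAMPLE_HOSTS_ALLOW).items():
        print(f"{daemon}: private subnet allowed, static IPs not covered: {ips}")
```
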
Advanced Firewalls and Routing using Linux