Hi,
I''m seeking advice for the following setup.
Shorewall 2.2.2, debian/sarge on Soekris net4501 boards.
We have two ISP feeds (let''s call them ISP-1 and ISP-2) and get 8
static IPs with each feed. The plan is to have the publicly accessible
servers sitting in the DMZ connected to ISP-1. Our local intranet
(LOC) will be connected to ISP-2. There will be 3 firewall/routers:
fw1 between DMZ and ISP-1, fw2 between LOC and ISP-2 and fw3 between
LOC and DMZ. Since a picture is worth a 1000 words, here''s the picture
(hoping that gmail won''t mangle it):
________ ________
_/ \_ +----------------+ +-------+ /
/ \__ | | | | |
| DMZ ---+ if1 if0 +----+ ISP-1 +-------
\_ _/ | | | | /
\___________/ | Linux Router | +-------+ |
| | | /
| +----------------+ \
+------+-------+ fw1 |
| if1 | /
| | |
| Linux Router |fw3 |
| | \
| if0 | \
+------+-------+ |
| /
| / Internet
_|__ |
_/ \_ fw2 |
_/ \__ +--------------+ +-------+ /
/ \ | | | | |
| Local network -----+ if1 if0 +-----+ ISP-2 +---|
\_ __/ | | | | |
\__ __/ | Linux Router | +-------+ \
\___/ | | |
+--------------+ \
|
\
|
\________
So, the advice I need concerns proxyarp versus one-to-one NAT for the
DMZ. I would like to allow connections from LOC to DMZ but not the
other way. It would seem to me that having LOC be 192.168.8.0 an DMZ
be 192.168.6.0 would make it easier for routing and dns from the LOC
computers accessing the DMZ (all the DMZ systems would have dns
entries in the intranet dns server).
All of the public servers in the DMZ would then be one-to-one NAT''ed
and accessible via the external static IP addresses. The intranet
would be strictly standard NAT to ISP-2 and we don''t care about extra
7 IP addresses right now.
Is this a sane solution? Any one have some thoughts to share as to
possible issues with this setup? Possible improvements? How would this
work with proxyarp (if at all)?
Thanks for your time.
Ted Roth
