hi,
Suppose I have a firewall with an Ethernet interface eth1 for the internal
local zone, but in the local zone I have a router which is connected to
some external office's internal LAN. The external office has no other net
access, just through this line. In order to be able to define rules and
filter the traffic, the router's internal interface would have to be in a
different network than the local LAN, otherwise asymmetric routing
happens. Suppose we use 192.168.0.253 as the router's internal interface,
e.g. from 192.168.0.2 to 192.168.1.2 the traceroute is:
192.168.0.2
192.168.0.1
192.168.0.254
192.168.0.253
192.168.1.1
192.168.1.2
From 192.168.1.2 to 192.168.0.2 the traceroute is:
192.168.1.2
192.168.1.1
192.168.0.253
192.168.0.254
192.168.0.2
In this case the firewall is not reached!
Therefore we use 192.168.255.1/30 on the firewall and 192.168.255.2/30
on the router.
This is a small picture of the current situation:
+------------+
|  firewall  |
+------+-----+ 192.168.0.1/24, 192.168.255.1/30
       |
       |
+------+-----+
| lan switch | 192.168.0.254/24
+------+-----+
       |
       |
+------+-----+ 192.168.255.2/30
|   router   |
+------+-----+ 192.168.1.1/24
       |
Then how can I define zones?
zones:
loc
other
interfaces:
loc eth1 detect
hosts:
other eth1:192.168.1.0/24,192.168.255.0/30
Should I put "other" into interfaces? Where should I add
192.168.255.0/30? Should I add 192.168.255.0/30 to the loc zone? Since
otherwise the router's internal interface can't access the internal
network, even though they are on the same switch, e.g. from 192.168.255.2
I can't ping 192.168.0.2. Should I add routeback to loc or other?
Does anybody know a better solution?
yours.
--
Levente "Si vis pacem para bellum!"
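A small routing model of the two layouts described in the message above, added here as an example; it is not part of the original post and not Shorewall code. The addresses are taken from the post. The routing-table entries, the node names ("pc", "firewall", "router", "office-pc") and the interface names are assumptions chosen as the simplest ones that produce the behaviour the traceroutes show, and the LAN switch is treated as a pure layer-2 device, so it does not appear as a hop. The model does longest-prefix-match forwarding, traces both directions of a flow, reports whether the firewall is on the path in both directions, and flags hops that forward a packet back out the interface it arrived on, which is the situation the routeback question is about.

```python
"""Longest-prefix-match model of the two layouts in the post above.

Added example: addresses come from the post; routing-table entries, node
names and interface names are assumptions; the LAN switch is layer 2 only.
"""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    """A host or router: (interface, address/prefix) pairs plus a routing table."""

    def __init__(self, name, ifaces, routes=(), default=None):
        self.name = name
        self.ifaces = [(n, ip_interface(a)) for n, a in ifaces]
        # Rows are (prefix, next_hop, egress); next_hop None = directly connected.
        self.table = [(i.network, None, n) for n, i in self.ifaces]
        self.table += [(ip_network(p), ip_address(nh), None) for p, nh in routes]
        if default:
            self.table.append((ip_network("0.0.0.0/0"), ip_address(default), None))

    def owns(self, addr):
        return any(i.ip == addr for _, i in self.ifaces)

    def iface_for(self, addr):
        """Name of the interface whose subnet contains addr, or None."""
        return next((n for n, i in self.ifaces if addr in i.network), None)

    def lookup(self, dst):
        """(next_hop, egress_iface) for dst by longest prefix match, or None."""
        matches = [row for row in self.table if dst in row[0]]
        if not matches:
            return None
        _, nh, egress = max(matches, key=lambda row: row[0].prefixlen)
        if nh is None:                      # connected: deliver to dst itself
            return dst, egress
        egress = self.iface_for(nh)         # resolve the gateway's interface
        return (nh, egress) if egress else None


def trace(nodes, src, dst, max_hops=16):
    """Hop list of (node, ingress_iface, egress_iface); None at the two ends."""
    src, dst = ip_address(src), ip_address(dst)
    by_addr = {i.ip: n for n in nodes for _, i in n.ifaces}
    node, ingress, path = by_addr[src], None, []
    for _ in range(max_hops):
        if node.owns(dst):
            return path + [(node.name, ingress, None)]
        hop = node.lookup(dst)
        if hop is None:
            raise RuntimeError(f"{node.name}: no route to {dst}")
        nh, egress = hop
        path.append((node.name, ingress, egress))
        node = by_addr[nh]
        ingress = next(n for n, i in node.ifaces if i.ip == nh)
    raise RuntimeError("routing loop")


def on_path(path, name):
    return any(hop[0] == name for hop in path)


def hairpins(path):
    """Nodes that send the packet back out the interface it arrived on."""
    return [n for n, i, o in path if i is not None and i == o]


def filtered_both_ways(nodes, a, b, fw="firewall"):
    """True only if the firewall sees both directions of the flow a <-> b."""
    return on_path(trace(nodes, a, b), fw) and on_path(trace(nodes, b, a), fw)


def scenario(transit):
    """transit=False: the router's inside interface is 192.168.0.253 in the LAN.
    transit=True: router and firewall talk over 192.168.255.0/30 instead."""
    pc = Node("pc", [("eth0", "192.168.0.2/24")], default="192.168.0.1")
    office_pc = Node("office-pc", [("eth0", "192.168.1.2/24")], default="192.168.1.1")
    if transit:
        # Both firewall addresses sit on the same physical eth1, as in the post.
        fw = Node("firewall", [("eth1", "192.168.0.1/24"), ("eth1", "192.168.255.1/30")],
                  routes=[("192.168.1.0/24", "192.168.255.2")])
        router = Node("router", [("eth0", "192.168.255.2/30"), ("eth1", "192.168.1.1/24")],
                      default="192.168.255.1")
    else:
        fw = Node("firewall", [("eth1", "192.168.0.1/24")],
                  routes=[("192.168.1.0/24", "192.168.0.253")])
        router = Node("router", [("eth0", "192.168.0.253/24"), ("eth1", "192.168.1.1/24")],
                      default="192.168.0.1")
    return [pc, fw, router, office_pc]


if __name__ == "__main__":
    for transit in (False, True):
        net = scenario(transit)
        print("transit link" if transit else "router in the LAN")
        for a, b in (("192.168.0.2", "192.168.1.2"), ("192.168.1.2", "192.168.0.2")):
            path = trace(net, a, b)
            print(f"  {a} -> {b}: {' -> '.join(h[0] for h in path)}, hairpin at {hairpins(path)}")
        print("  firewall on both directions:", filtered_both_ways(net, "192.168.0.2", "192.168.1.2"))
```

With the router inside 192.168.0.0/24 the firewall is on the LAN-to-office direction only, so a stateful rule set never sees the replies; on Linux it degrades further, because a firewall that forwards a packet back out eth1 to a gateway in the same subnet sends an ICMP redirect by default, after which the LAN hosts send to 192.168.0.253 directly. With the /30 transit link the firewall is on both directions, but both directions enter and leave through eth1, which is why the zones on eth1 must be allowed to pass traffic back out the same interface.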