I've got a serious mess of NAT on our firewall/router systems at the corporate office which seems to do nothing other than confuse the heck out of people. What I'd like to do is gradually migrate the hosts on the various DMZ networks away from private IP addresses and NAT over to public IP addresses and proxyarp.

What I'm wondering, before I start this, is how do I configure the DMZ systems when I move them to a proxyarp configuration? I set them up with the public IP addresses, but what do I use as the default gateway, the DMZ-connected interface of the firewall?

Also, then, how do I configure the firewall? Is my guess of one public IP address on the external interface and a second public IP address on the DMZ interface correct?

Using private IP addresses and full NAT worked for a long while when we only had a few hosts on a single DMZ, but the network's grown in complexity by a frightening amount, and I simply have to find a better solution...

Thanks in advance,

Gregory

--
Gregory K. Ruiz-Ade <gkade@bigbrother.net>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
Gregory K. Ruiz-Ade wrote:
> What I'm wondering, before I start this, is how do I configure the DMZ
> systems when I move them to a proxyarp configuration? I set them up
> with the public IP addresses, but what do I use as the default gateway,
> the DMZ-connected interface of the firewall?
>
> Also, then, how do I configure the firewall? Is my guess of one public
> IP address on the external interface and a second public IP address on
> the DMZ interface correct?

No.

Gregory, the Proxy ARP documentation is very clear on both of these points (http://shorewall.net/ProxyARP.htm). Please read it carefully.

Quoting from that article (eth0 is the external IF and eth1 the internal):

"The lower systems (130.252.100.18 and 130.252.100.19) should have their subnet mask and default gateway configured exactly the same way that the Firewall system's eth0 is configured. In other words, they should be configured just like they would be if they were parallel to the firewall rather than behind it."

and

"I've used an RFC1918 IP address for eth1 - that IP address is largely irrelevant (see below)."

The (see below) goes on to describe how you can use your external IP address on the internal interface as well (which is what I do -- http://shorewall.net/myfiles.htm).

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 11 February 2005 07:30 am, Tom Eastep wrote:
> Gregory, the Proxy ARP documentation is very clear on both of these
> points (http://shorewall.net/ProxyARP.htm). Please read it carefully.

Ugh, I hate it when I post a question that's answerable with "RTFM." :)

Thanks for the pointers, I'll check it all out.

Gregory

--
Gregory K. Ruiz-Ade <gkade@bigbrother.net>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
Tom,

Okay, I've read through the documentation, and it's making a lot of sense, and I'm super glad you wrote it. :)

There is, however, one thing I am still confused about.

So, I have an ISP-provided address space of 192.0.2.0/24. The default gateway to use is 192.0.2.1. My firewall's external interface is configured as 192.0.2.2/24 (eth1), internal as 192.168.1.2/24 (eth0), and DMZ as 192.0.2.2/32 (eth2). My DMZ box is 192.0.2.15/24, with 192.0.2.1 as the default gateway. Proxyarp is configured with HAVEROUTE as yes for the DMZ box.

Now, external (Internet) IP's can connect to the DMZ box, the DMZ box can connect to the Internet, and internal boxes can connect to both the Internet and the DMZ box. How/where do I configure the routing such that the DMZ box can connect inward to the internal networks? Do I need to specify static routes on the DMZ box, or will the firewall just take care of this routing?

This is the next important issue, as I really do not want to configure static routes on 15 servers, some of which are (sadly) Windows 2000/2003. I also really do need the ability to have DMZ boxen selectively connect inward, so we can place our mail gateways out in the DMZ and eventually have final delivery on the internal network servers.

Once I understand how I can get my DMZ boxes to talk to internal boxes (through the firewall, of course), I think everything will click and I can set about redesigning the firewall away from the NAT mess it is now.

Thanks again for your time and patience,

Gregory

--
Gregory K. Ruiz-Ade <gkade@bigbrother.net>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
Gregory K. Ruiz-Ade wrote:
> Now, external (Internet) IP's can connect to the DMZ box, the DMZ box can
> connect to the Internet, and internal boxes can connect to both the
> Internet and the DMZ box. How/where do I configure the routing such that
> the DMZ box can connect inward to the internal networks? Do I need to
> specify static routes on the DMZ box, or will the firewall just take care
> of this routing?

The firewall takes care of that.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
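As an added example (not part of the thread and not Shorewall's own code), the following script encodes the two rules Tom gives above as a pre-migration sanity check: a proxy-ARPed DMZ host must carry an address from the firewall's external subnet with the same netmask and default gateway as the firewall's external interface, and it needs no static routes because the firewall routes DMZ-to-internal traffic. The `/etc/shorewall/proxyarp` columns (ADDRESS INTERFACE EXTERNAL HAVEROUTE) are real; the firewall and host records are constructed from the addresses in Gregory's mail, with a second, deliberately misconfigured host added.

```python
"""Sanity-check a Shorewall Proxy ARP DMZ plan against the rules in the Proxy ARP docs."""
import ipaddress

# Constructed from the thread: firewall external interface and ISP gateway.
FIREWALL_EXTERNAL = {"interface": "eth1", "address": "192.0.2.2/24", "gateway": "192.0.2.1"}

# Constructed /etc/shorewall/proxyarp content (ADDRESS INTERFACE EXTERNAL HAVEROUTE).
PROXYARP_FILE = """\
#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE
192.0.2.15      eth2       eth1      yes
192.0.2.16      eth2       eth1      no
"""

# Constructed: how each DMZ host is actually configured. .16 is wrong on purpose:
# it points at the firewall as gateway and carries a static route to the LAN.
DMZ_HOSTS = {
    "192.0.2.15": {"netmask": 24, "gateway": "192.0.2.1", "static_routes": []},
    "192.0.2.16": {"netmask": 24, "gateway": "192.0.2.2", "static_routes": ["192.168.1.0/24"]},
}

def parse_proxyarp(text):
    """Parse proxyarp lines into dicts, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, iface, ext, haveroute = line.split()[:4]
        entries.append({"address": addr, "interface": iface, "external": ext,
                        "haveroute": haveroute.lower() == "yes"})
    return entries

def check_plan(entries, firewall_external, dmz_hosts):
    """Return (address, problem) findings; an empty list means the plan follows the docs."""
    ext_if = ipaddress.ip_interface(firewall_external["address"])
    findings = []
    for e in entries:
        a = e["address"]
        if e["external"] != firewall_external["interface"]:
            findings.append((a, "EXTERNAL column is not the firewall's external interface"))
        if ipaddress.ip_address(a) not in ext_if.network:
            findings.append((a, "address is outside the external subnet; proxy ARP cannot answer for it"))
        host = dmz_hosts.get(a)
        if host is None:
            findings.append((a, "no host configuration recorded"))
            continue
        if host["netmask"] != ext_if.network.prefixlen:
            findings.append((a, "netmask differs from the firewall's external interface"))
        if host["gateway"] != firewall_external["gateway"]:
            findings.append((a, "default gateway must match the firewall's external gateway"))
        if host["static_routes"]:
            findings.append((a, "static routes are unnecessary; the firewall routes DMZ->internal"))
    return findings

if __name__ == "__main__":
    for addr, problem in check_plan(parse_proxyarp(PROXYARP_FILE), FIREWALL_EXTERNAL, DMZ_HOSTS):
        print(f"{addr}: {problem}")
```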