 From:  davidg at yowl dot org
 To:  Jim Toro <jimtoro at LIWebTech dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Setup for new firewall
 Date:  Mon, 30 Oct 2006 12:10:12 +0800 (WST)
Hey Jim,


>
> I'm new to firewalls so please don't kill me. I am fiddling around
> with m0n0wall and need to do this:
>
> PC's  --- SWITCH --- FIREWALL --- Router --- Internet
>
> All the PCs are going to the switch and the firewall will sit
> in between the switch and the router. We have two Class C networks,
> all public addresses, no private stuff:
>
>  Let's say:   1.2.3.xxx  and 1.2.4.xxx
>
> and our router is configured to accept both on the same interface. So
> if any one on either network wants to go "out" they pick their
> network's gateway IP and put it in their settings.
>
>         1.2.3.1 is one gateway
>         1.2.4.1 is another gateway
>
> What I am not sure about is what m0n0 needs in order to deal with both
> on the LAN and WAN side. Since each interface gets an IP, and the networks
> will have IPs on the PC/switch and router side of the firewall for both
> networks (PCs on the LAN side and the router on the WAN side), I am not
> sure what exactly to do.
>
> Would it be better to add a third NIC and split
> the network into two switches that take only their network's IPs to the
> individual NICs on the firewall, or is there a simpler way that I am
> not sure about?

Question: Do your Class C's form a contiguous address range or are they 
separate? If the address ranges are adjacent then you could perhaps look 
at configuring the LAN side of things as a single /23 network.

e.g. 192.168.100.x & 192.168.101.x could be configured as 192.168.100.0/23, 
which would give you a single logical subnet for which you could configure 
a single gateway etc. This would require all of the hosts on that subnet 
to have the same view of the world, possibly not a particularly trivial 
undertaking, but in networking terms it's probably the most elegant.

Otherwise...

Splitting the network and installing an additional NIC in the m0n0wall 
would be an OK solution, but then you would be routing LAN-LAN traffic 
through your firewall; probably better to avoid this if you can help it. 
If your switch supports VLAN tagging then this would be a similar 
alternative (with the same downside).

Or, would it be an option to put the firewall outside the router, let 
the router handle all the LAN traffic for you and just hand off external 
traffic to the m0n0 for routing to the Internet?

Hope this helps some.

Cheers,
David.
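The /23 suggestion above hinges on a detail that is easy to get wrong: two /24s can only be merged into one /23 if they are adjacent *and* the lower one starts on an even third octet, otherwise no single /23 covers both. The following script is an added example, not code from David's reply or from the m0n0wall project; it assumes the "1.2.3.xxx" and "1.2.4.xxx" ranges in the question are plain /24s (a constructed reading of the placeholders) and uses Python's standard `ipaddress` module to check whether a pair can be aggregated and, if so, what mask and gateway every host would have to be reconfigured with.

```python
import ipaddress
from typing import Optional, List, Dict


def supernet_for(net_a: str, net_b: str) -> Optional[str]:
    """Return the one-bit-shorter network that covers both inputs, or None.

    Two equal-sized networks aggregate only if the shorter-prefix block that
    contains the first one also contains the second.  For a pair of /24s that
    means "adjacent, and the lower one has an even third octet".
    """
    a = ipaddress.ip_network(net_a)
    b = ipaddress.ip_network(net_b)
    if a == b or a.prefixlen != b.prefixlen:
        return None
    candidate = a.supernet(prefixlen_diff=1)   # e.g. the /23 containing a
    return str(candidate) if b.subnet_of(candidate) else None


def host_reconfig(hosts: List[str], supernet: str, gateway: str) -> List[Dict[str, str]]:
    """For each host, state the mask and gateway it must use on the merged net.

    This is the "same view of the world" requirement: every host keeps its
    address but takes the /23 mask and the single gateway.  Hosts outside the
    supernet are flagged so they are not silently misconfigured.
    """
    net = ipaddress.ip_network(supernet)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gateway} is not inside {supernet}")
    out = []
    for h in hosts:
        ip = ipaddress.ip_address(h)
        out.append({
            "host": h,
            "netmask": str(net.netmask),
            "gateway": gateway,
            "status": "ok" if ip in net else "outside-supernet",
        })
    return out


if __name__ == "__main__":
    # Constructed sample pairs: the first two aggregate, the third (the
    # literal placeholders from the question) are adjacent but misaligned.
    for pair in [("192.168.100.0/24", "192.168.101.0/24"),
                 ("1.2.2.0/24", "1.2.3.0/24"),
                 ("1.2.3.0/24", "1.2.4.0/24")]:
        print(pair, "->", supernet_for(*pair))
    # Constructed host list on the merged 192.168.100.0/23 example.
    for row in host_reconfig(["192.168.100.10", "192.168.101.20", "192.168.102.5"],
                             "192.168.100.0/23", "192.168.100.1"):
        print(row)
```

Note that with the placeholder ranges exactly as written in the question, 1.2.3.0/24 and 1.2.4.0/24 are adjacent yet cannot be expressed as one /23 (the /23 containing 1.2.3.0 is 1.2.2.0/23), so David's first question about the real ranges is the deciding one.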