Hey Jim,
>
> I'm new to firewalls so please don't kill me. I am fiddling around
> with m0n0wall and need to do this:
>
> PC's --- SWITCH --- FIREWALL --- Router --- Internet
>
> All the PC's are going to the switch and the firewall will sit
> in between the switch and the router. We have two Class C networks,
> all public addresses, no private stuff:
>
> Let's say: 1.2.3.xxx and 1.2.4.xxx
>
> and our router is configured to accept both on the same interface. So
> if any one on either network wants to go "out" they pick their
> network's gateway IP and put it in their settings.
>
> 1.2.3.1 is one gateway
> 1.2.4.1 is another gateway
>
> What I am not sure about is what m0n0 needs in order to deal with both
> on the LAN and WAN side. Since each interface gets an IP and the networks
> will have IP's on the pc/switch and router side of the firewall for both
> networks (pc's on the lan side and the router on the wan side) I am not
> sure what exactly to do.
>
> Would it be better to add a third NIC and split
> the network to two switches that take only their network IP's to the
> individual NICs on the firewall or is there a simpler way that I am
> not sure about.
Question: Do your Class C's form a contiguous address range or are they
separate? If the address ranges are adjacent then you could perhaps look
at configuring the LAN side of things as a single /23 network,
e.g. 192.168.100.x & 192.168.101.x could be configured as 192.168.100.0/23
which would give you a single logical subnet for which you could configure
a single gateway etc. This would require all of the hosts on that subnet
to have the same view of the world, possibly not a particularly trivial
undertaking, but in networking terms it's probably the most elegant.
Otherwise...
Splitting the network and installing an additional NIC in the m0n0wall
would be an OK solution, but then you would be routing LAN-LAN traffic
through your firewall, probably better to avoid this if you can help it.
If your switch supports VLAN tagging then this would be a similar
alternative (with the same downside).
Or, would it be an option to put the firewall outside the router, let
the router handle all the LAN traffic for you and just hand off external
traffic to the m0n0 for routing to the Internet?
Hope this helps some.
Cheers,
David.
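A quick way to check whether two Class C's can actually be collapsed into one /23 as suggested above, and what a host left on its old /24 mask will do afterwards. This is an added example (Python's standard ipaddress module), not part of the thread; the 1.2.3.x / 1.2.4.x ranges are the question's placeholders.

```python
import ipaddress


def summarize_lans(cidrs):
    """Return the single network that exactly covers every CIDR in `cidrs`,
    or None if they are not both adjacent and aligned (no loss-free supernet)."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged[0] if len(merged) == 1 else None


def on_link(host, prefixlen, dest):
    """True if a host configured with /prefixlen treats `dest` as directly
    reachable (same subnet) instead of sending it to its gateway."""
    iface = ipaddress.ip_interface(f"{host}/{prefixlen}")
    return ipaddress.ip_address(dest) in iface.network


def report(cidrs):
    """Human-readable verdict for a list of CIDRs."""
    supernet = summarize_lans(cidrs)
    if supernet is None:
        return f"{', '.join(cidrs)}: not summarizable, keep separate subnets/routes"
    return f"{', '.join(cidrs)} -> {supernet} ({supernet.num_addresses} addresses)"


if __name__ == "__main__":
    # Constructed inputs: the reply's RFC 1918 example merges cleanly...
    print(report(["192.168.100.0/24", "192.168.101.0/24"]))
    # ...but the question's placeholder ranges do not: 1.2.3.0/24 is the
    # upper half of 1.2.2.0/23, so no /23 covers 3 and 4 together.
    print(report(["1.2.3.0/24", "1.2.4.0/24"]))
    # A host still on its old /24 mask inside the new /23 thinks the other
    # half is off-link and hands that traffic to the gateway instead.
    print(on_link("192.168.100.10", 23, "192.168.101.20"))  # True
    print(on_link("192.168.100.10", 24, "192.168.101.20"))  # False
```

Adjacent is not enough on its own; the second case is why the reply's "if contiguous" caveat matters before re-masking every host.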