 From:  Jim Toro <jimtoro at LIWebTech dot com>
 To:  davidg at yowl dot org
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Setup for new firewall
 Date:  Sun, 29 Oct 2006 23:46:11 -0500 (Eastern Standard Time)
Yes it is a contiguous address range (e.g. 192.168.100.x to 192.168.101.x,
but of course they are real, valid public IPs, not private). We have all
512(?) addresses and they go into the same switch and then to the same
router (Cisco) and out to the net.

I was wondering if I should set the m0n0 to bridged and then set the
WAN side to 192.168.100.0, but I thought you couldn't assign a ".0" address.

You say set the LAN side to that address, so I guess all the PCs would
then need to think THEIR gateways would be 192.168.100.0?
Would all of the LAN side boxes now need to be set for /23, as they are
now /24, as is the router?

As to putting the firewall outside the router my upstream will not permit
that, their router must be the first thing off the smartjack/fiber-box.

I wish we could just use one /24, but these things are all over the place
and we can't do a whole renumbering project right now.


On Mon, 30 Oct 2006, davidg at yowl dot org wrote:

> Hey Jim,
>
> Question:- Do your Class C's form a contiguous address range or are they 
> separate? If the address ranges are adjacent then you could perhaps look at 
> configuring the LAN side of things as a single /23 network.
>
> eg 192.168.100.x & 192.168.101.x could be configured as 192.168.100.0/23 
> which would give you a single logical subnet for which you could configure a 
> single gateway etc. This would require all of the hosts on that subnet to 
> have the same view of the world, possibly not a particularly trivial 
> undertaking, but in networking terms it's probably the most elegant.
>
> Otherwise...
>
> Splitting the network and installing an additional NIC in the m0n0wall would 
> be an OK solution, but then you would be routing LAN-LAN traffic through your 
> firewall, probably better to avoid this if you can help it. If your switch 
> supports VLAN tagging then this would be a similar alternative (with the same 
> downside).
>
> Or, would it be an option to put the firewall outside the router, let the 
> router handle all the LAN traffic for you and just hand off external traffic 
> to the m0n0 for routing to the Internet?
>
> Hope this helps some.
>
> Cheers,
> David.
>
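A worked check of the /23 suggestion in the quoted reply, added here as an example and not part of either message. It uses Python's standard ipaddress module and the 192.168.100.x / 192.168.101.x placeholder ranges that the thread itself uses; the function names and the sample host list are my own. It answers the three practical questions raised above: whether two /24s can be merged at all (they must be adjacent and aligned on a /23 boundary), which ".0" address is really unassignable in the merged block, and what happens to a host that is left on /24 after the rest of the segment moves to /23.

```python
import ipaddress


def merge_adjacent_24s(a: str, b: str):
    """Return the /23 covering both /24s if they are adjacent AND aligned on a
    /23 boundary, else None. 192.168.100.0/24 + 192.168.101.0/24 merge, but
    192.168.101.0/24 + 192.168.102.0/24 are adjacent and still cannot be one prefix."""
    nets = [ipaddress.ip_network(a), ipaddress.ip_network(b)]
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) == 1 and merged[0].prefixlen == 23:
        return merged[0]
    return None


def host_status(addr: str, net: ipaddress.IPv4Network) -> str:
    """Classify an address relative to the supernet. Only the first address of
    the whole block is the network address and only the last is broadcast;
    192.168.101.0 inside 192.168.100.0/23 is an ordinary host address."""
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network address (not assignable)"
    if ip == net.broadcast_address:
        return "broadcast address (not assignable)"
    return "usable host"


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Addresses in the block minus network and broadcast."""
    return net.num_addresses - 2


def on_link(host_iface: str, dst: str) -> bool:
    """Does a host configured as address/prefix treat dst as directly reachable
    (ARP for it), or does it hand the packet to its default gateway?"""
    iface = ipaddress.ip_interface(host_iface)
    return ipaddress.ip_address(dst) in iface.network


def audit_masks(hosts, net: ipaddress.IPv4Network):
    """Return hosts whose configured prefix does not match the /23 segment.
    Such a host sends traffic for the other half of the block to the gateway
    instead of directly, so its mask must be changed along with the rest."""
    return [h for h in hosts if ipaddress.ip_interface(h).network != net]


if __name__ == "__main__":
    net = merge_adjacent_24s("192.168.100.0/24", "192.168.101.0/24")
    print(net, "usable hosts:", usable_hosts(net))
    for a in ("192.168.100.0", "192.168.100.1", "192.168.101.0", "192.168.101.255"):
        print(a, "->", host_status(a, net))
    print("100.10/24 reaches 101.20 directly:", on_link("192.168.100.10/24", "192.168.101.20"))
    print("100.10/23 reaches 101.20 directly:", on_link("192.168.100.10/23", "192.168.101.20"))
    # constructed sample of LAN hosts, two of them not yet renumbered to /23
    sample = ["192.168.100.10/23", "192.168.100.11/24",
              "192.168.101.20/23", "192.168.101.21/24"]
    print("still on /24:", audit_masks(sample, net))
```

Run as-is it prints the merged 192.168.100.0/23 with 510 usable hosts, shows that 192.168.100.0 is the only unassignable ".0" in the block while 192.168.101.0 is a normal host address, and lists the two sample hosts still on /24. The audit_masks check is the part worth keeping around during a migration: a host left on /24 does not stop working, it just routes half of its own segment through the gateway, which is easy to miss until someone looks at traffic on the firewall's LAN interface.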