Re: Two NICS with same IP and same client IP

[Tom Eastep <teastep@shorewall.net>]

Hudson Delbert J Contr 61 CS/SCBN wrote:
> tom,
> 
> why ?
> 
> to what end, this topology ?
> 
> please enlightenment as to the value added ?
> 

See http://shorewall.net/myfiles.htm for a description of my
firewall/router's environment. In general, I prefer to use Proxy ARP for
a DMZ rather than NAT because it allows DMZ servers to have the same IP
address whether accessed from local or external clients.

The DMZ interface (eth0 in my case) needs an IP address -- what address
to give it? There seem to be two choices:

	a) Select an RFC 1918 address in some currently unused network.
	b) Use the firewall's external IP address.

By using b), the existing PTR record can serve both interfaces so that
traffic from the firewall to the server appears to come from the correct
host (gateway.shorewall.net).

In general, consider this:

   <upstream router -- address A.B.C.x>
                  |
                  |
    <gateway router -- address A.B.C.y>
                  |
     ---------------------------
     |   |   |    |    |   |   |

         Network A.B.C.0/24

Assume that the upstream router routes A.B.C.0/24 via the gateway router
A.B.C.y.

The gateway router can be configured as follows:

	External interface A.B.C.y/32
	Host route to A.B.C.x on external interface (no gateway)
	Default route via A.B.C.x
	Internal interface   A.B.C.y/24
	Net router to A.B.C.254/24 on Internal interface (no gateway)

So the gateway router only requires one IP address rather than two yet
it is addressable from both sides.

-Tom	
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key