You plug the firewall into eth0 on the router.  The router will be giving
out 10.0.0.1 as its own IP and 10.0.0.2 - 10.0.0.254 as DHCP leases.  

Give the first ether port on the firewall 10.0.0.2 with a /30 subnet mask
- it uses 10.0.0.1 as its default gw.

Give the 2nd ether on the firewall, say, 10.0.0.128/29 (for instance).
You assign your machines 10.0.0.129, 10.0.0.130, etc.  Then you set up the
port forwarding on the DSL router:

your.machine:25 -> 10.0.0.129:25.  The DSL router sees 10.0.0.0/24 as the
entire subnet, and it forwards the packets to the ethernet port (doing the
NAT from your external IP to 10.0.0.129).  The firewall sees a packet
coming in for 10.0.0.129:25, doesn't do any NAT but just filters, and
sends it on its way.

So your DSL router thinks it's on a /24 network, the firewall thinks that
eth0 is a /30 (just it and the router), and its other ether port is on
a different subnet (you have to make sure that what you assign your
machines out of doesn't overlap with what the firewall sees, so it doesn't
get conflicting netmasks).

This should work, but I haven't thought it out yet thoroughly, I'm on my
way out the door.

Adam Maloney
Systems Administrator
Sihope Communications
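
An added sanity check for the addressing scheme in the reply above, written here as example code (not from the original post or its author): it uses the numbers from the mail and assumes 10.0.0.134 for the firewall's inner port and 10.0.0.130 for a second machine.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Values from the reply: router owns 10.0.0.1 and leases .2-.254 out of a /24,
# firewall eth0 is 10.0.0.2/30, the inner LAN is 10.0.0.128/29, mail goes to .129.
# The firewall's own inner address (.134) and the second machine (.130) are assumed.
PLAN = {
    "router_lan": "10.0.0.0/24",
    "router_ip": "10.0.0.1",
    "dhcp_pool": ("10.0.0.2", "10.0.0.254"),
    "fw_outer": "10.0.0.2/30",     # firewall eth0, default gw = router_ip
    "fw_inner": "10.0.0.134/29",   # firewall eth1, inside 10.0.0.128/29 (assumed)
    "hosts": {"10.0.0.129": [25], "10.0.0.130": []},   # forwarded ports per host
}

def check_plan(plan):
    """Return (errors, warnings) for a firewall-behind-DSL-router addressing plan."""
    errors, warnings = [], []
    lan = ip_network(plan["router_lan"])
    gw = ip_address(plan["router_ip"])
    outer, inner = ip_interface(plan["fw_outer"]), ip_interface(plan["fw_inner"])
    lo, hi = (ip_address(a) for a in plan["dhcp_pool"])

    # The default gateway has to be on the firewall's eth0 link (the /30).
    if gw not in outer.network:
        errors.append(f"gateway {gw} is not inside {outer.network}")
    # The two firewall ports must be on disjoint subnets or routing is ambiguous.
    if outer.network.overlaps(inner.network):
        errors.append(f"{outer.network} overlaps {inner.network}")
    # The router only forwards directly to its /24, so both subnets must lie in it.
    for net in (outer.network, inner.network):
        if not net.subnet_of(lan):
            errors.append(f"{net} is outside the router's {lan}; router needs a route")
    # Forwarding targets must be usable hosts (not network/broadcast) on the inner LAN.
    unusable = (inner.network.network_address, inner.network.broadcast_address)
    for host in plan["hosts"]:
        h = ip_address(host)
        if h not in inner.network or h in unusable:
            errors.append(f"{h} is not a usable host in {inner.network}")
    # Static addresses inside the router's DHCP pool can collide with a lease.
    static = [outer.ip, inner.ip] + [ip_address(h) for h in plan["hosts"]]
    clashes = [str(a) for a in static if lo <= a <= hi]
    if clashes:
        warnings.append("in DHCP pool, reserve on the router: " + ", ".join(clashes))
    # The inner subnet is part of the router's directly connected /24, so the router
    # will ARP for 10.0.0.129 on its own segment: the firewall must answer (proxy
    # ARP on eth0) or the router needs a static route for the /29 via 10.0.0.2.
    if inner.network.subnet_of(lan):
        warnings.append(f"proxy ARP for {inner.network} on eth0, or a route on the router")
    return errors, warnings
```

The proxy-ARP warning is the step the reply glosses over: the router believes 10.0.0.129 sits on its own segment, so something on the firewall's eth0 has to answer ARP for it before the forwarded packet can get past the router.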

On Wed, 27 Sep 2000 dopp at acm.cs.umn.edu wrote:

> While we're on the topic of DSL, I have a question.  I've had DSL for about
> 2 years or so - long enough that I've always had a bridged connection.
> Well, I recently moved and will be waiting about another month before USQWest
> can get my DSL up.  My ISP's informed me that they're going to give me a
> routed DSL connection because they're trying to get rid of their bridged
> ones (most likely so they can save on IPs - for security reasons they were
> giving each user his/her own subnet, which makes that 4 IPs per user -
> expensive).  My question is this: Since my IP address will now be assigned
> to my DSL router _instead_ of my firewall/NAT box, how can I still have my
> firewall act as the firewall for my network?  Obviously, I'm going to put
> it on the line between my router and the rest of my network, and I can
> conceive setting it up as an ethernet bridge or something, but it seems
> like it will be difficult to do the port forwarding I'm doing now.
> 
> I suppose I could set up my router to forward to 10.0.0.1:25 (for mail) and
> then have 10.0.0.1:25 forwarded to 10.0.0.2:25 (my mail server).  But it
> seems like a silly extra step. 
> 
> Has anyone run into a similar situation?
> 
> TIA,
> 
> Gabe
> 
> -- 
> --------------------------------------------------------------------------------
> Gabe Turner				       |  	   X-President,
> UNIX Systems Administrator,		       | Assoc. for Computing Machinery
> U of M Supercomputing Institute for	       |    University of Minnesota
> Digital Simulation and Advanced Computation    |       dopp at acm.cs.umn.edu
> 
> "Pillage Pillage Pillage!  Loot Loot Loot!!" 
> 					     - Stimpson J. Cat in "Out West"
> --------------------------------------------------------------------------------
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
> For additional commands, e-mail: tclug-list-help at mn-linux.org
> 
> 
