TCLUG Archive

Re: [TCLUG:18127] Firewalled subnet configuration?

On Wed, 24 May 2000, Troy Johnson wrote:

> Tom,
> 
> This is a little confusing because the IP addresses should be attached
> to interfaces, not hosts (though with the usual one interface per host,
> it is easy to make this mistake). So the firewall machine would have
> 200.0.0.5 on eth1, and some other IP Address on eth0, or vice versa.
> Perhaps a private /30 address network could be used for the link between
> the router and the firewall (I don't do this all day, so if that
> shouldn't be done, please let us know).
>
I do have them attached to interfaces.  I have eth0 on the top of the
firewall diagram and eth1 on the bottom.  I only displayed the 200.0.0.5
IP address for the firewall, because that is the only one that is fixed - 
the other can be any address to make the scenario work (depending upon 
the choice of subnet for the net on eth1).  I didn't bother writing eth0
on the two workstations because it can be inferred. 

> Also, the subnetting doesn't line up quite right:
> 
> Subnet 200.0.0.0/28 = 200.0.0.0/255.255.255.240
> 200.0.0.0 - 200.0.0.15 IP Addresses
> 200.0.0.1 - 200.0.0.14 = 14 Usable IP Addresses

Correct - but in my hypothetical case - I only want to use the ones I
listed.  I have a reason, but I didn't want to complicate the discussion.

My problem (or dilemma) is that I can not figure out how to get 200.0.0.5
and 200.0.0.6 on separate interfaces - and I don't see how because of the
network and broadcast address overlapping - or in this case - they simply
fall in the same network no matter how you split.

I haven't figured out if there is a way to do it with NAT on the router
and then NAT on the firewall.

Any ideas?  I don't believe that it is actually possible.  If I discard
the firewall - then it becomes an easy thing to do.  The firewall is my
catch.

Tom Veldhouse
veldy@veldy.net
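The subnet arithmetic behind both posts, as an added example that is not part of the original thread. It uses Python's standard ipaddress module to reproduce the /28 figures from the quoted message and then checks Tom's claim directly: with classic subnetting (network and broadcast reserved, so nothing longer than a /30), 200.0.0.5 and 200.0.0.6 can never be usable addresses in two different subnets. The address values are the thread's own; the function names are assumptions made here.

```python
import ipaddress

# Addresses are the thread's own example values (200.0.0.x), not real allocations.
FIREWALL_ADDR = "200.0.0.5"
NEIGHBOUR_ADDR = "200.0.0.6"


def _is_usable(addr, net):
    """Classic rule: every address except the network and broadcast address is usable."""
    return net.network_address != addr != net.broadcast_address


def subnet_summary(cidr):
    """Network, broadcast, usable range and usable count for a classic subnet.

    Only prefixes of /30 or shorter are accepted, since shorter blocks are the
    only ones that leave room for both reserved addresses.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 30:
        raise ValueError("classic subnetting needs a /30 or shorter prefix")
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable": len(hosts),
    }


def common_subnet(a, b):
    """Smallest classic subnet in which both a and b are usable host addresses."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    for prefix in range(30, -1, -1):          # longest prefix first
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        if b in net and _is_usable(a, net) and _is_usable(b, net):
            return str(net)
    return None


def separate_subnets(a, b):
    """Longest-prefix pair of classic subnets that puts a and b, as usable
    addresses, into two different networks.  Returns (net_a, net_b) as strings,
    or None when no classic split can separate them (Tom's situation)."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    for prefix in range(30, -1, -1):
        net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
        if net_a == net_b:
            continue                           # same block at this size; try a larger one
        if _is_usable(a, net_a) and _is_usable(b, net_b):
            return (str(net_a), str(net_b))
    return None


if __name__ == "__main__":
    print(subnet_summary("200.0.0.0/28"))      # the figures from the quoted post
    print(common_subnet(FIREWALL_ADDR, NEIGHBOUR_ADDR))
    print(separate_subnets(FIREWALL_ADDR, NEIGHBOUR_ADDR))   # None: cannot be split
    print(separate_subnets(FIREWALL_ADDR, "200.0.0.9"))      # these two can be split
```

The key observation is in separate_subnets: .5 and .6 share the /30 block 200.0.0.4/30, and any shorter prefix only makes the shared block larger, so with network and broadcast reserved there is no prefix length at which they land in different networks. Pairs that differ in a higher bit (for example .5 and .9) split cleanly into 200.0.0.4/30 and 200.0.0.8/30.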