firewall routing setup

Hi all,

Thanks for the input. I have a difficult situation that needs all help.

currently setup is WAN router connect to a switch, then all workstations
connect to switch, router and workstation are using same subnet, like
168.1.X.X

What I want is to setup a firewall server (2 NIC cards) between Router and
swith.

how do I setup this firewall without changing WAN router configuration?
Another word, if this case, two NIC cards will have same IP subnet, but how
is routing going to work?

Thanks.

steeles wrote:
> Hi all,
>
> Thanks for the input. I have a difficult situation that needs all help.
>
> currently setup is WAN router connect to a switch, then all workstations
> connect to switch, router and workstation are using same subnet, like
> 168.1.X.X
>
> What I want is to setup a firewall server (2 NIC cards) between Router and
> swith.
>
> how do I setup this firewall without changing WAN router configuration?
> Another word, if this case, two NIC cards will have same IP subnet, but how
> is routing going to work?
>
> Thanks.
>
>
you need a firewall in bridging mode

On 02/13/2007 09:06 PM, steeles wrote:
> currently setup is WAN router connect to a switch, then all workstations
> connect to switch, router and workstation are using same subnet, like
> 168.1.X.X
>
> What I want is to setup a firewall server (2 NIC cards) between Router and
> swith.
>
> how do I setup this firewall without changing WAN router configuration?
> Another word, if this case, two NIC cards will have same IP subnet, but how
> is routing going to work?

You need to change the layout as follows:

Internet
|
WAN Router
|
Firewall (Your)
|
Switch
|
+----+---+----+---+---+
| | | | | | Workstations
A B C D E F ...

If you don't have control over the router's config, use a router
assigned IP on the WAN side of your firewall and use a different IP and
subnet on the LAN side. Run your own DHCP service on the firewall
itself, your workstations should be using Firewall as a gateway for
them, add some appropriate SNAT/DNAT rules on the firewall.

Hope that helps!
--
Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
Anu's Linux@HOME Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Distros: Ubuntu, Fedora, Knoppix
Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/

On Tue, 13 Feb 2007 10:36:22 -0500, steeles wrote:

> Hi all,
>
> Thanks for the input. I have a difficult situation that needs all help.
>
> currently setup is WAN router connect to a switch, then all workstations
> connect to switch, router and workstation are using same subnet, like
> 168.1.X.X
>
> What I want is to setup a firewall server (2 NIC cards) between Router and
> swith.
>
> how do I setup this firewall without changing WAN router configuration?
> Another word, if this case, two NIC cards will have same IP subnet, but how
> is routing going to work?

Simple. Example. Use what ever ip addresses you have free in 168.x.x.x
they don't have to be at either end it could be any.

Setup a linux box as your firewall.
Setup eth0 as 168.x.x.1
Setup eth1 as 168.x.x.2
Turn on forwarding
Connect switch to eth1
Connect router to eth0
Finished


--

Regards
Robert

Smile... it increases your face value!


----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

I thought about it. since those two IPs are in the same subnet, will it mess
up existing routing?

how to config it in bridging mode? Any more detail?

Thanks.

"Robert" <(E-Mail Removed)> wrote in message
news(E-Mail Removed) e...
> On Tue, 13 Feb 2007 10:36:22 -0500, steeles wrote:
>
>> Hi all,
>>
>> Thanks for the input. I have a difficult situation that needs all help.
>>
>> currently setup is WAN router connect to a switch, then all workstations
>> connect to switch, router and workstation are using same subnet, like
>> 168.1.X.X
>>
>> What I want is to setup a firewall server (2 NIC cards) between Router
>> and
>> swith.
>>
>> how do I setup this firewall without changing WAN router configuration?
>> Another word, if this case, two NIC cards will have same IP subnet, but
>> how
>> is routing going to work?
>
> Simple. Example. Use what ever ip addresses you have free in 168.x.x.x
> they don't have to be at either end it could be any.
>
> Setup a linux box as your firewall.
> Setup eth0 as 168.x.x.1
> Setup eth1 as 168.x.x.2
> Turn on forwarding
> Connect switch to eth1
> Connect router to eth0
> Finished
>
>
> --
>
> Regards
> Robert
>
> Smile... it increases your face value!
>
>
> ----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet
> News==----
> http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+
> Newsgroups
> ----= East and West-Coast Server Farms - Total Privacy via Encryption
> =----

steeles wrote:
> I thought about it. since those two IPs are in the same subnet, will it mess
> up existing routing?
>
> how to config it in bridging mode? Any more detail?
>

You need the bridge components in your kernel configuration.

Create a bridge (it will probably be br0),
Add both Ethernets to the bridge,
Set an IP address to the bridge interface
(not the component interfaces).

For bridge firewalling, use the ebtables package.

--

Tauno Voipio
tauno voipio (at) iki fi

Thanks.

So if I setup a bridge, in my case, can two same subnet stay together in a
bridge?


"Tauno Voipio" <(E-Mail Removed)> wrote in message
news:1JGAh.208$(E-Mail Removed)...
> steeles wrote:
>> I thought about it. since those two IPs are in the same subnet, will it
>> mess up existing routing?
>>
>> how to config it in bridging mode? Any more detail?
>>
>
> You need the bridge components in your kernel configuration.
>
> Create a bridge (it will probably be br0),
> Add both Ethernets to the bridge,
> Set an IP address to the bridge interface
> (not the component interfaces).
>
> For bridge firewalling, use the ebtables package.
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi

> "Tauno Voipio" <(E-Mail Removed)> wrote in message
> news:1JGAh.208$(E-Mail Removed)...
>
>>steeles wrote:
>>
>>>I thought about it. since those two IPs are in the same subnet, will it
>>>mess up existing routing?
>>>
>>>how to config it in bridging mode? Any more detail?
>>>
>>
>>You need the bridge components in your kernel configuration.
>>
>>Create a bridge (it will probably be br0),
>>Add both Ethernets to the bridge,
>>Set an IP address to the bridge interface
>> (not the component interfaces).
>>
>>For bridge firewalling, use the ebtables package.
>>
>>--
>>
>>Tauno Voipio
>>tauno voipio (at) iki fi
>
(-- top-posting corrected, TV --)

>
steeles wrote:
> Thanks.
>
> So if I setup a bridge, in my case, can two same subnet stay
> together in a bridge?

Yes - a bridge connects the link-level network segments,
and they are set up in the same IP-level subnet.

The bridging firewall functions are not as extensive as
the corresponding routing firewall (iptables) fucntions.
I'd still seriously consider using a routing configuration,
and changing the subnets to match.

--

Tauno Voipio
tauno voipio (at) iki fi

Tauno Voipio wrote:
> Yes - a bridge connects the link-level network segments,
> and they are set up in the same IP-level subnet.
>
> The bridging firewall functions are not as extensive as
> the corresponding routing firewall (iptables) fucntions.
> I'd still seriously consider using a routing configuration,
> and changing the subnets to match.
>

You could also use iptables on top of bridge

on FORWARD CHAIN

but no nat

netfilter on top bridge is supported by standard kernel since 3 or 4 years

http://www.spenneberg.com/talks/linu...bridgewall.pdf

we use this on devil-linux since January 2003

http://www.devil-linux.org/