Astaro User Bulletin Board
#1  01-11-2004, 03:04 AM
Junior Member (Join Date: Jun 2003, Posts: 9)
several DMZ's

I have an Astaro 4.0 box set up with 5 NICs. I have one public IP for the WAN interface, and a public /27 range for DMZ use... now I want 3 different DMZs with one NIC each. Could I use the same subnet mask for all 3 DMZs? That would save me a couple of IPs (if it would work at all), but is there a disadvantage in doing it this way?

Should I have separate ranges for each DMZ?
Do I have to?

Any suggestions on how it should be done properly?
Any suggestions on how it could work with what I have today?
#2  01-11-2004, 05:08 AM
Wizard (Join Date: Jul 2003, Location: U.S., Posts: 1,265)
Re: several DMZ's

Maybe you mean to say "use the same network number"? The subnet mask merely dictates what portion of the network address is common on a LAN interface; DMZs can have the same subnet mask, but if they have different high order octets in their network number, they will not directly be talking to each other.

Since Astaro is a routing firewall, each interface is required to have a unique network number (actually, you can have duplicate network numbers on more than one interface, but the routing won't magically go across both interfaces since the firewall won't know which to take; well, at least in the current 4X version of Astaro...)

A common configuration is to have each DMZ on a different network number. So DMZ1=192.168.1.0/24, DMZ2=192.168.2.0/24, ..., with /24 being the same thing as subnet mask 255.255.255.0 (255 decimal = 11111111 binary = 8 one bits; how many high-order one bits are in the subnet mask 255.255.255.0? 24).

Using DNAT rules on your external interface, you direct your scarce public Internet addresses to plentiful private ones on various DMZs. Example: blah.2 http will be redirected to 192.168.1.2, blah.3 smtp will be redirected to 192.168.2.2...
#3  01-11-2004, 03:10 PM
Senior Member (Join Date: Oct 2003, Location: Germany, Posts: 371)
Re: several DMZ's
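As an added illustration of the two points in SecApp's answer (prefix length is just the count of high-order one bits in the mask, and a routing firewall needs a distinct network number per interface before DNAT can steer public addresses into the DMZs), here is a small sanity checker; it is example code written for this thread, not Astaro's own configuration logic, and the DMZ networks, the RFC 5737 public /27 and the DNAT rule table in it are constructed values rather than the poster's real addresses.

```python
import ipaddress
from itertools import combinations

# Constructed values (not from the thread): three DMZs on private network
# numbers, one NIC each, as SecApp suggests, plus a hypothetical public /27
# from RFC 5737 documentation space standing in for the poster's real block.
DMZS = {"dmz1": "192.168.1.0/24", "dmz2": "192.168.2.0/24", "dmz3": "192.168.3.0/24"}
PUBLIC_BLOCK = "203.0.113.0/27"

# DNAT rules on the external interface: (public ip, proto, port, private target)
DNAT_RULES = [
    ("203.0.113.2", "tcp", 80, "192.168.1.2"),    # "blah.2 http" -> DMZ1 host
    ("203.0.113.3", "tcp", 25, "192.168.2.2"),    # "blah.3 smtp" -> DMZ2 host
    ("203.0.113.3", "tcp", 25, "192.168.3.2"),    # same public ip/port again
    ("203.0.113.40", "tcp", 443, "192.168.3.5"),  # .40 lies outside a /27
    ("203.0.113.4", "tcp", 22, "10.9.9.9"),       # target sits on no DMZ
]


def mask_to_prefix(mask):
    """Count the high-order one bits of a dotted mask (255.255.255.0 -> 24),
    rejecting masks whose one bits are not contiguous."""
    m = int(ipaddress.IPv4Address(mask))
    host = ~m & 0xFFFFFFFF  # the zero (host) bits as a number
    if host & (host + 1):   # contiguous mask iff host+1 is a power of two
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return 32 - host.bit_length()


def overlapping_interfaces(nets):
    """Interface pairs whose network numbers overlap: a routing firewall
    cannot tell which of the two a destination belongs to."""
    parsed = {name: ipaddress.ip_network(n) for name, n in nets.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2)
            if parsed[a].overlaps(parsed[b])]


def validate_dnat(rules, block, dmzs):
    """Flag DNAT rules that reuse a public ip/proto/port, use a public address
    outside the assigned block, or point at a host that is on no DMZ."""
    pub_net = ipaddress.ip_network(block)
    dmz_nets = [ipaddress.ip_network(n) for n in dmzs.values()]
    problems, seen = [], set()
    for pub, proto, port, target in rules:
        if (pub, proto, port) in seen:
            problems.append(f"duplicate rule for {pub} {proto}/{port}")
        seen.add((pub, proto, port))
        if ipaddress.ip_address(pub) not in pub_net:
            problems.append(f"{pub} is outside {block}")
        if not any(ipaddress.ip_address(target) in n for n in dmz_nets):
            problems.append(f"{target} is not on any DMZ")
    return problems
```

Running `overlapping_interfaces` on two interfaces given the same network number reports the pair, which is the configuration the original question asked about.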

_curious_,
I think this link will help you!

Bagira
#4  01-12-2004, 03:24 AM
Junior Member (Join Date: Jun 2003, Posts: 9)
Re: several DMZ's

SecApp: I had to read your post 4 times before I could understand what you were saying. Probably mostly because my native language is not English.
But at last it made sense to me.

As you suggested, the best way would probably be to use internal IPs for the DMZs and use NAT rules to route in the public IPs I have available.

Thanx a lot for explaining so thoroughly.

And Bagira, thanx a lot for that link; that one came in handy, and I bet I'm going to use it more.
#5  01-12-2004, 03:59 AM
Wizard (Join Date: Jul 2003, Location: U.S., Posts: 1,265)
Re: several DMZ's

I can only imagine what this would be like for me if this was all in German!