Forward to DMZ addresses

Jonathan Villa jonathan at
Thu Aug 18 23:00:05 CEST 2005

> Disclaimer:  I'm at the office and I can not give a proper reply now so
> more will follow later.

Understand completely and appreciate the time taken.

> Is $ExternalIP the external IP of the firewall or the dmz machine?
> Umm...  I have, possibly incorrectly, been operating under the assumption
> that they were one in the same.  I was believing that you were wanting
> your firewall, with the ExternalIP, to forward any traffic that was not
> related to your LAN's internet traffic over to your DMZ server.  Thus I
> was going that route for a solution.  Let me go reread what you have sent.
> ... (reading) ... Ok, see if you agree with how I'm restating what you
> said earlier.
>      Router WAN interface = xx.yy.yy.241
>      Router LAN connected to DMZ switch = xx.xx.xx.183 (IP Network =
> xx.xx.xx.182)

This may have been a typo on my end; the LAN is connected to a LAN switch.

>   Firewall eth1 connected to ?????????? = xx.xx.xx.184 (IP Network =
> xx.xx.xx.182)

Connected to the router.

>   Firewall eth2 connected to DMZ switch = xx.xx.xx.185 (IP Network =
> xx.xx.xx.182)
> DMZ server eth0 connected to DMZ switch = xx.xx.xx.186 (IP Network =
> xx.xx.xx.182)
>   Firewall eth0 connected to LAN switch = 10.123.x.x
> As I'm looking (closer) at what you said earlier I have a question.  You
> say that eth1 on your firewall is connected to your router.  Is that
> connection via a cross over cable or via a cable plugged in to the the DMZ
> switch?

  VLAN Switch
  |    |
  |    |

So, it's a cable plugged into the VLAN switch.

> If eth1 is connected to the DMZ switch what is the difference
> between eth1 and eth2 on your firewall?

eth1 is connected to the router and eth2 is connected to the DMZ switch.

> I'm sort of believing that eth1
> is connected to the router via a cross over cable and yet the router and
> the DMZ systems are on the same IP subnet, or at least it appears that way
> from the IPs that each piece of equipment has.

Yes, they are on the same subnet.  Not sure if it's a crossover cable.

> Do you have a subnet of IPs or just a handful of IPs allocated to you by
> your provider that are accessible via the xx.yy.yy.241 IP?  I have a
> feeling that part of your problem is that you are trying to break routing
> by using routing.  If you are wanting to break routing you will need to
> bridge some things together.  However I don't think you do have a block of
> IP addresses unless you have a block of 16 that ends with 191 being the
> broadcast IP (xx.xx.xx.176-191).

I changed my IPs a little :) ... I do have a block of 16.  The actual
broadcast is 207 and the network is 192, or at least that is what I have for
ifcfg-eth0 (NETWORK=xx.xx.xx.192).

> Depending on what you have and what you
> want to achieve decides the way that this problem can be solved.  The more
> that I look at it the more it looks like you have a circuit from a
> provider who has provided you with a small group of IPs.  Is this the
> case?  Are the IPs in question in a subnet or just a scattering of them?

My firewall has 3 NICs.  One is connected to the router (well, the VLAN
switch) and has an IP of 194.  The router is 193.  The DMZ NIC (eth2) is
195, and the LAN is, well, the LAN.  On my DMZ, I plan to provide static
addresses which are globally routable and from my subnet.

Sorry if I'm not making any sense... I haven't had much sleep...

I've been trying a few rules here and there trying to get something to
work... but to no avail.
