Forward to DMZ addresses

Grant Taylor gtaylor at
Tue Aug 23 08:54:32 CEST 2005

> *nod*  Not having to take a machine out of its rack is always a good thing.  Can you (do you mind) repurposing cables that are presently connected to your router?  The reason that I ask is that it just struck me (sunk in) that you are using a VLAN switch.  Before I was not thinking about the fact that you could use a trunk interface to the VLAN switch and thus reduce the number of cables that you would need to connect to it.  With this in mind I would recommend that you connect your router in to your switch and put the port that you connect it to on one VLAN.  (If you have not already) Configure another VLAN to be for your DMZ hosts and one for your LAN hosts.  With this done you could bond the two NICs that are in your server as one interface to the switch and then use 802.1Q VLAN tagged packets to communicate with each VLAN.  The nice thing about the bonding is that either of the cables connecting your system to the switch could fail and the router would not go down b/c of a lack / loss of connection.  As far as interfacing with the VLANs on the Linux router you will end up with an interface something like eth0.1 for VLAN ID 1, eth0.2 for VLAN ID 2, and eth0.3 for VLAN ID 3.  If you do it over a bonded interface you should end up with something like bond0.1, bond0.2, and bond0.3.  This will cause your router to have a logical interface on all of your networks, even new ones that you might add to the switch down the road.
> If you do go with bonding and 802.1Q tagged VLAN packets you would end up having the following interface / network layout (based on previous discussion).
> Router connected to a port on the switch that is configured to be in VLAN "Router" (VID 11)
> LAN connected to ports on the switch that are configured to be in VLAN "LAN" (VID 10)
> DMZ connected to ports on the switch that are configured to be in VLAN "DMZ" (VID 12)
> (Router xx.xx.xx.193/28)
>  eth0
>  eth1
>  eth2
> bond0
> bond0.10
> bond0.11
> bond0.12
>  bri0	xx.xx.xx.194/28
> (DMZ    xx.xx.xx.195-207/28)
> This would allow you to grow your system (add / remove (logical VLAN) interfaces) as you saw fit down the road without needing to take the box out of the rack or put it back in when you are done.  You could easily add a 2nd or 3rd DMZ or any other segregated network without having to worry about the physical connections to your router, just to the VLAN switch.  Supposing that you wanted to add a 2nd DMZ you would just add a bond0.13 interface and add it to the bri0 bridge and then update your EBTables rules to (dis)allow traffic to flow as you liked.  I will have to play with the bonding later on at home to give you exact examples.
> These are just some of the "fun (complex and enterprise level)" things that you can do with Linux if you are willing to grow and combine many not normal ideas.

Another advantage of going this route would be if you added a different internet connection you could very easily just connect it to a port on the VLAN switch that was configured for a specific VLAN and then set up a corresponding interface on your router without having to take anything down.  This does really lend itself to some expandability with virtually no limits.  (Really there are limits, the 802.1Q spec allots for 1024 VLANs.  But this is being overcome as well as people are embedding 802.1Q tagged packets in outer 802.1Q tagged packets thus making a pseudo VWAN for metropolitan area networks.)

Grant. . . .
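As an added example (not part of Grant's post or any netfilter project code), here are the iproute2 commands that realise the layout above: eth1 and eth2 bonded as bond0, tagged sub-interfaces bond0.10 (LAN), bond0.11 (Router) and bond0.12 (DMZ), and bri0 bridging the Router and DMZ VLANs so ebtables can filter between them. The addresses, the active-backup bond mode and the default-deny ebtables policy are assumptions, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: iproute2 commands for the bonded 802.1Q layout discussed above.
# Addresses are constructed placeholders (192.0.2.0/28 stands in for xx.xx.xx.0/28).
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bond the two server NICs; active-backup keeps the trunk up if one cable fails.
setup_bond() {
    run ip link add bond0 type bond mode active-backup miimon 100
    for nic in eth1 eth2; do
        run ip link set "$nic" down          # a NIC must be down before enslaving
        run ip link set "$nic" master bond0
    done
    run ip link set bond0 up
}

# One tagged sub-interface per VLAN ID, named <parent>.<vid> as in the post.
add_vlan() {   # $1 = parent interface, $2 = VLAN ID
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip link set "$1.$2" up
}

# Bridge the Router (VID 11) and DMZ (VID 12) VLANs; the bridge carries the
# Linux box's own public address, so DMZ hosts keep addresses from the /28.
setup_bridge() {
    run ip link add bri0 type bridge
    run ip link set bond0.11 master bri0
    run ip link set bond0.12 master bri0
    run ip addr add 192.0.2.194/28 dev bri0   # constructed stand-in for xx.xx.xx.194/28
    run ip link set bri0 up
    # Default-deny on the bridge; ebtables ACCEPT rules for DMZ hosts go in front of this.
    run ebtables -P FORWARD DROP
}

# LAN (VID 10) stays routed rather than bridged, on a private range (assumption).
setup_lan() {
    run ip addr add 192.168.10.1/24 dev bond0.10
}

main() {
    setup_bond
    for vid in 10 11 12; do add_vlan bond0 "$vid"; done
    setup_bridge
    setup_lan
}
main
```

A second DMZ, as the post describes, is just `add_vlan bond0 13` plus `ip link set bond0.13 master bri0` and the matching ebtables rules.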

More information about the netfilter mailing list