Old 02-09-2009, 07:43 AM   #1
crontab
Member
 
Registered: Jun 2005
Distribution: Various
Posts: 72

Rep: Reputation: 15
Routing with public IPs


Hello, all.

I have a /24 block of IPs with a few servers currently running on it. What I'd like to do is setup a firewall and put these servers behind it.

Here's where I got yesterday:

1) eth0 is connected to the switch, given the IP .2 and default gateway of .1 (.1 being my /24's gateway)
2) eth1 is connected to a laptop (eventually a server) with the IP .3
3) laptop given a random IP, but the gateway is .3 instead of .1

(subnet gw .1) <--- | [eth0/.2] <---> [eth1/.3] | ---> [laptop/gw .3]

Is this possible, or is there something obvious that I'm overlooking? I tried this out yesterday and couldn't get it working... packets from the servers were being sent out to the internet through eth0 on the firewall, but upon returning, the firewall was not forwarding them back to their originating IP through eth1. Can there even be two gateways on a subnet in a manner similar to this? Can this be done entirely with route, or is iptables necessary?

The only two routes on the firewall were the /24 itself, and the default gw. (Edit: just for clarification, even though I'm calling it a firewall, it's not actually filtering anything at the moment.)

Right now I'm only concerned with the routing aspect and trying to figure out what I did wrong, or even if what I want is possible without having to do further subnetting. The actual firewall implementation comes later.

Thanks, any advice is greatly appreciated.

Last edited by crontab; 02-09-2009 at 07:46 AM.
 
Old 02-09-2009, 01:15 PM   #2
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184Reputation: 184
The Firewall is also a router. You can't have the same subnet on either side of a router. You can either split the subnet by giving everything a /25 mask. That would give you one network of .0 with hosts .1 to .126, and a second network .128 with hosts .129 to .254. One goes between your servers and your firewall and the other goes between your firewall and your router.

What would normally happen is that your servers would have private addressing and the dirty side of your firewall would keep the public /24. You would then NAT on your firewall.

Another alternative is to put a private "transit" network between your router and your firewall, say 10.0.0.0/24. The servers retain use of the public range. The only downside to this is that you won't be able to source any traffic from the transit network out to the internet, but then that doesn't really matter because your traffic is all coming from the public range.
 
Old 02-09-2009, 03:26 PM   #3
crontab
Member
 
Registered: Jun 2005
Distribution: Various
Posts: 72

Original Poster
Rep: Reputation: 15
Thanks for the response. I had a feeling that was the problem, but never having attempted this on a real subnet of public IPs without NAT involved, I wasn't exactly sure. It should be feasible, then, to get a /30 and put eth0 on that subnet's only usable IP, and assign eth1 .1 on my /24?
 
Old 02-10-2009, 06:11 AM   #4
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184Reputation: 184
Yep you can do that so you would end up with -

Code:
[LAPTOP]----(public-ip/24)-------[Firewall]-------(transit-ip/30)-------[internet router]-----{internet}
       .2                      .1         .1                          .2
You only have to bear in mind that attempts to communicate to the internet sourced from the firewall's transit interface will fail. It's not a problem in normal operation but can cause confusion in diagnostics.

EDIT: Plus you need a route on the internet router for the public IPs via the firewall, if that's not stating the obvious.

Last edited by baldy3105; 02-10-2009 at 06:13 AM.
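The layout from posts #2 and #4 worked through as an added example (not from either poster): it checks the "same subnet on both sides" mistake from post #1, derives the firewall's inside and outside addresses from a public /24 plus a transit /30, emits the iproute2 commands for the firewall and the static route the upstream router needs, and shows with a small longest-prefix lookup why replies to the private transit address never arrive. The address blocks are constructed stand-ins, not the thread's real ones.

```python
import ipaddress

# Constructed example addresses, not the thread's real ones: the public /24 from
# post #1 is stood in for by 203.0.113.0/24 and the transit /30 from posts #2-#4 by 10.0.0.0/30.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")
TRANSIT_NET = ipaddress.ip_network("10.0.0.0/30")


def plan(public_net, transit_net):
    """Assign the addresses in post #4's diagram: firewall inside = first usable
    public address, firewall outside / upstream router = the two usable transit addresses."""
    if public_net.overlaps(transit_net):
        # Post #1's mistake: the same subnet on both sides of a router cannot be routed.
        raise ValueError("inside and outside subnets overlap")
    tr_hosts = list(transit_net.hosts())
    if len(tr_hosts) != 2:
        raise ValueError("transit network must be a /30 with exactly two usable addresses")
    return {"fw_inside": next(public_net.hosts()),
            "fw_outside": tr_hosts[0], "upstream": tr_hosts[1]}


def firewall_commands(p, public_net, transit_net, inside="eth1", outside="eth0"):
    """iproute2 commands that realise the plan on the Linux firewall."""
    return [
        f"ip addr add {p['fw_outside']}/{transit_net.prefixlen} dev {outside}",
        f"ip addr add {p['fw_inside']}/{public_net.prefixlen} dev {inside}",
        f"ip route add default via {p['upstream']} dev {outside}",
        "sysctl -w net.ipv4.ip_forward=1",
    ]


def upstream_route(p, public_net):
    """The static route post #4's EDIT says the internet router must carry."""
    return f"ip route add {public_net} via {p['fw_outside']}"


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None when no route exists."""
    dst = ipaddress.ip_address(dst)
    matches = [(n, nh) for n, nh in routes if dst in n]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def reply_reaches(src, p, public_net):
    """Post #4's caveat: from the internet's point of view only the public /24 is
    routable (via the upstream router), so replies to the private transit address
    have nowhere to go."""
    internet_routes = [(public_net, p["upstream"])]
    return lookup(internet_routes, src) is not None
```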
 