On Tue, 2004-08-31 at 20:14, Alan Dayley wrote:

> The problem is that when I put the firewall in the path, I get no
> Internet access anywhere. If I set the gateway on DNSServer and
> DHCPServer to 192.168.0.3, I still get nothing. Assuming the firewall
> iptables are configured right (it is an IPCop install), what is wrong
> here? Are my IP addresses messed up somehow? Perhaps I should enable
> DHCP in the DSLRouter and let the firewall get the IP on that interface
> via DHCP?

Alan,

I think you are mixing up layer 2 (switches) and layer 3 (routers/firewalls). Think of it more like this, where each bar (|) in the drawing represents a different layer 3 "subnet".

    Inet--|--DSL--|--FW--|--DNS/DHCP/Workstations

The first subnet will use publicly routable IP address space provided by your ISP (like 66.167.x.y or whatever). The outside interface of the DSL Router will probably receive a dynamic address in this range from the ISP. No worries.

The second subnet is up to you. It is the subnet between the DSL Router and the Firewall. Let's say you statically assign 192.168.0.1 to the inside interface of the DSL Router and 192.168.0.2 to the outside interface of the Firewall. These addresses must be in the same subnet, so let's keep it simple and use a netmask of 255.255.255.0. It's a huge waste of IP address space, but we are shooting for simplicity here. DISABLE THE DHCP SERVER IN THE DSL ROUTER.

The third and final subnet is also up to you. It is the subnet between the FW and the internal LAN (Workstations, local DNSserver, and local DHCPserver). The KEY here is that it MUST be a different subnet than the others. So, let's stick with a netmask of 255.255.255.0, but let's use 192.168.1.x for everything on this subnet. The inside interface of the firewall will be 192.168.1.1. The DHCPserver will be 192.168.1.2. The DNSserver will be 192.168.1.3. I recommend configuring all these as STATIC addresses.

Finally, configure the Local DHCPserver to hand out addresses in the 192.168.1.x subnet, using some range that doesn't overlap with any of the addresses you have already used. For example, hand out 192.168.1.100 - 192.168.1.199 to the workstations.

As a side note, if the "switch" in your drawing is truly a switch, then its IP address is only used to remotely manage the switch. Statically assign it to the internal subnet (maybe 192.168.1.4). It should NOT be the default gateway for anything! It works at layer 2, not layer 3.

For default gateways, point each device one hop upstream. In other words, the workstations should get a default gateway (via DHCP) of 192.168.1.1 (the FW's inside interface). The FW should be statically assigned a default gateway of 192.168.0.1 (the inside interface of the DSL Router). The DSL Router will learn its default gateway from the ISP.

Whew. I hope that helps.

...Kevin

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
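The addressing plan in Kevin's reply can be sanity-checked before touching any box. The script below is an added example, not part of the original thread or of IPCop; the device names, addresses and the "flat" layout that mimics the original problem are constructed values, and the checks (no duplicate addresses, every default gateway is another device on a directly attached subnet, the firewall joins two different subnets, the DHCP pool sits inside the LAN and avoids the static addresses) are the rules the reply states.

```python
import ipaddress
# Constructed example of the three-subnet plan from the reply above (hypothetical values).
GOOD_PLAN = {
    "DSLRouter":  {"inside": "192.168.0.1/24", "gateway": None},  # learns its gateway from the ISP
    "Firewall":   {"outside": "192.168.0.2/24", "inside": "192.168.1.1/24", "gateway": "192.168.0.1"},
    "DHCPServer": {"lan": "192.168.1.2/24", "gateway": "192.168.1.1"},
    "DNSServer":  {"lan": "192.168.1.3/24", "gateway": "192.168.1.1"},
    "Switch":     {"mgmt": "192.168.1.4/24", "gateway": "192.168.1.1"},
}
# Constructed "flat" layout like the one in the question: the same /24 on both sides of the FW.
BAD_PLAN = {
    "DSLRouter":  {"inside": "192.168.0.1/24", "gateway": None},
    "Firewall":   {"outside": "192.168.0.2/24", "inside": "192.168.0.3/24", "gateway": "192.168.0.1"},
    "DHCPServer": {"lan": "192.168.0.10/24", "gateway": "192.168.0.3"},
    "DNSServer":  {"lan": "192.168.0.11/24", "gateway": "192.168.0.3"},
}

def check_plan(devices, pool):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    ifaces = [(dev, ipaddress.ip_interface(addr)) for dev, cfg in devices.items()
              for key, addr in cfg.items() if key != "gateway"]
    owner = {}
    for dev, iface in ifaces:  # 1. every address is used exactly once
        if iface.ip in owner:
            problems.append(f"{dev}: {iface.ip} already used by {owner[iface.ip]}")
        owner[iface.ip] = dev
    for dev, cfg in devices.items():  # 2. default gateway is another device, one hop upstream
        gw = cfg.get("gateway")
        if gw is None:
            continue
        gw_ip = ipaddress.ip_address(gw)
        on_link = any(gw_ip in i.network for d, i in ifaces if d == dev)
        if owner.get(gw_ip) in (None, dev) or not on_link:
            problems.append(f"{dev}: gateway {gw} is not another device on a directly attached subnet")
    fw_nets = {i.network for d, i in ifaces if d == "Firewall"}  # 3. the FW must join two different subnets
    if len(fw_nets) < 2:
        problems.append("Firewall: inside and outside interfaces share one subnet")
    lan = ipaddress.ip_interface(devices["Firewall"]["inside"]).network  # 4. DHCP pool sanity
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    if lo > hi or lo not in lan or hi not in lan:
        problems.append(f"DHCP pool {lo}-{hi} is not inside LAN subnet {lan}")
    problems += [f"DHCP pool overlaps static address {ip} ({dev})"
                 for ip, dev in owner.items() if lo <= ip <= hi]
    return problems

if __name__ == "__main__":
    for name, plan, pool in (("good", GOOD_PLAN, ("192.168.1.100", "192.168.1.199")),
                             ("flat", BAD_PLAN, ("192.168.0.100", "192.168.0.199"))):
        print(name, check_plan(plan, pool) or "OK")
```

Run as-is it reports the good plan as OK and flags the flat plan for putting both firewall interfaces on one subnet, which is exactly why nothing routed in the original setup.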