On Friday 12 April 2002 19:06, Michael Garabedian wrote:
Ok, let me re define the situation.
I have two networks going to the same ISP through an 8-port hub: two firewalls connecting two separate networks that are exact clones of each other in every way except the domain name and IP.
Right, so traffic *does not* (or should not) flow between the two networks? I presume each network has a firewall attached to the hub port, and all network traffic for the ISP goes through it? (even though the hub will repeat all traffic to all ports; the firewalls see that the repeated local traffic isn't valid for that network and discard it)
One network is 10.0.0.0 with a subnet of 255.255.255.0. The other is 10.10.0.0. Would the subnets be the same?
It's a private address range comprising some 16 million hosts; you have a considerable degree of leeway in your choice of addresses :) The size of the subnet mask should be large enough to accommodate all the hosts you need to have access. If you've got 12 hosts on one network, then you only need a /28 mask for it, since 4 host bits gives you a maximum of 16-2 hosts. If you need 400, then you need a /23 for one subnet, since 2 to the 8 is only 256. We've all been generally assuming that 254 hosts will do your second network OK; is that true? If you want your first address range to be 10.0.0.0 - 10.0.0.255 and your second address range to be 10.10.0.0 - 10.10.0.255, then fine. You should have absolutely no problems doing that, and you'd use the same netmask for both subnets: 255.255.255.0. As long as your netmask is contiguous and goes 111...1100...00, then everything should work. It's a private range, so you're probably not in any danger of address exhaustion, and the only real reason for using adjacent subnet numbers is that it makes route summarization possible, thus reducing the size of your routing table. However, the private addresses aren't routable in the wider world, so the whole question is somewhat academic! (It's just a question of good practice and not getting into bad habits just because you're using a private network.)
How about if I wanted them both to connect to one firewall? Would I just set up a rule in iptables to masq the addresses from the separated firewall?
Is this a third firewall (between the hub and the Internet), or is it the only firewall? The iptables rule would be something like:

iptables -t nat -A POSTROUTING -d ! 10.0.0.0/23 -j MASQUERADE

at a rough guess.
How about if I just wanted everything to go through the 10.0.0.0 network to the Internet?
Then you need to define both networks to be part of one subnet.
I thought the second 10 in 10.10.0.0 would cause the subnet to change. But if the subnets are the same in two networks, does that mean they can communicate without the use of a router?
If you've got two distinct subnets, then they are in *separate* broadcast domains, and thus you need a layer 3 device (L3 switch or router) to make them talk to each other. Hope this helps.

Gideon.
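An added example, not from either poster, that puts the mask-sizing and "same subnet or not" reasoning of this thread into checkable code using Python's standard ipaddress module. The address and host-count figures are the ones quoted above; the function names are my own.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose usable host count (2^bits - 2) fits `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = 1
    while (2 ** host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def is_contiguous_mask(mask: str) -> bool:
    """A usable mask is 111...1100...00, so its inverse must be 0...011...1."""
    inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if a and b share one broadcast domain under `mask` (no router needed)."""
    net = ipaddress.IPv4Network(f"{a}/{mask}", strict=False)
    return ipaddress.IPv4Address(b) in net


def covers(prefix: str, address: str) -> bool:
    """True if `address` falls inside `prefix`, e.g. what a NAT rule's -d match sees."""
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network(prefix, strict=False)


def longest_shared_prefix(a: str, b: str) -> int:
    """Longest prefix length under which a and b would still be one subnet."""
    for length in range(32, -1, -1):
        if same_subnet(a, b, str(length)):
            return length
    return 0


if __name__ == "__main__":
    # Figures from the thread: 12 hosts -> /28, 400 hosts -> /23, 254 hosts -> /24.
    print("12 hosts need a /%d" % prefix_for_hosts(12))
    print("400 hosts need a /%d" % prefix_for_hosts(400))
    print("10.0.0.0 and 10.10.0.0 share a /24:", same_subnet("10.0.0.1", "10.10.0.1", "255.255.255.0"))
    print("they would be one subnet at /%d" % longest_shared_prefix("10.0.0.0", "10.10.0.0"))
    print("10.0.0.0/23 covers 10.10.0.5:", covers("10.0.0.0/23", "10.10.0.5"))
```

The last line is the check worth running before committing a guessed prefix to a firewall rule: it reports which of the two networks the match actually selects.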