On Thursday 04 July 2002 03:11, Tom Crowe wrote:
> We have a block of 16 IP addresses from the block of 256 available; we have x.x.x.49..63 all in its own subnet with an appropriate subnet mask to keep the broadcasts local. The ISP installed some type of dumb gateway on .49 to allow our outgoing traffic to reach the router on x.x.x.2 without being in the same subnet as that router, but all incoming traffic avoids the gateway on .49. All traceroutes for any of our 16 IPs route up to and including the x.2 router.
> I propose to place a firewall with its public interface on .50 and split the remaining IP addresses, x.51..63, into a disjoint network which I shall use as a DMZ. The DMZ is intended to run an http server, pop, smtp, a special demo server and another server running VNC server. I propose to have the firewall route this traffic if it reaches the external interface for something in the DMZ.
From your setup I understand you have a /28 net with 16 IP numbers, of which 13 are usable by you. You can split that up into two /29 nets containing 8 IP numbers each, of which 5 are usable (deducting one IP each for the network, broadcast and gateway addresses). But the split would then occur at the 48-55 / 56-63 boundary, not 'everything above 51'. As there is NO netmask that will fit the range 51-63, your ISP can (and will) not route that. Which, IMHO, makes perfect sense for them indeed. However, they _should_ NOT have objections against splitting your range into two /29s and routing that. Most certainly the packets will not 'automatically' find their way without them routing it differently, so yes, in that aspect they are surely idiots... However, I will repeat here that splitting up like you intended (51-63) is _not_ possible, not through proper routing anyway.
> Outgoing traffic will be fine, but it is my understanding that inbound traffic on the leased line needs to know that it must route through x.50 in order to reach the servers located in the DMZ. I will configure the routing in the firewall.
> I have requested that the ISP make routing changes on x.2 so that all traffic for IP addresses x.51..63 is routed through my firewall located on x.50.
> The ISP says no, it's not needed, it will work without it. I say he's an idiot. I went over his head to his manager, who also maintains that the routes do not need to be added and that it's a waste of time, and I say that he's an idiot too.
> Can anyone out there confirm that these two guys are idiots, or is it me?
They're idiots. But maybe they know what must be done but don't want to? Maybe they are under no obligation to let you subnet? Who knows...? Good luck with it,

Maarten

--
Maarten J. H. van den Berg ~~//~~ network administrator
VBVB - Amsterdam - The Netherlands - http://vbvb.nl
T +31204233288 F +31204233286 G +31651994273
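Maarten's point about where a /28 can legally split, and why .51-.63 cannot be one routed subnet, as an added worked example (not part of the thread). It uses the documentation range 192.0.2.0/24 as a constructed stand-in for the elided x.x.x.0/24, so 192.0.2.48/28 plays the role of x.x.x.48..63.

```python
import ipaddress


def halves(cidr: str) -> list[str]:
    """Split a prefix into its two equal halves (a /28 into two /29s)."""
    net = ipaddress.ip_network(cidr)
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


def cover(first: str, last: str) -> list[str]:
    """Minimal list of CIDR prefixes covering first..last inclusive.

    A range that is a single prefix yields a one-element list; a range
    that is not aligned to a power-of-two boundary needs several.
    """
    rng = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(p) for p in rng]


def is_single_subnet(first: str, last: str) -> bool:
    """True only if one netmask describes the whole range (i.e. routable as one)."""
    return len(cover(first, last)) == 1


def usable_hosts(cidr: str) -> int:
    """Usable addresses per Maarten's accounting: drop network, broadcast, gateway."""
    return ipaddress.ip_network(cidr).num_addresses - 3


if __name__ == "__main__":
    block = "192.0.2.48/28"          # constructed stand-in for x.x.x.48/28
    print("halves of", block, "->", halves(block))
    # The proposed DMZ .51-.63 is not a subnet: it takes three prefixes.
    print("cover .51-.63 ->", cover("192.0.2.51", "192.0.2.63"))
    print("single subnet?", is_single_subnet("192.0.2.51", "192.0.2.63"))
    # The aligned upper /29 is one subnet with 5 usable hosts.
    print("cover .56-.63 ->", cover("192.0.2.56", "192.0.2.63"))
    print("usable in /29:", usable_hosts("192.0.2.56/29"))
```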