Re: [suse-security] Firewall/asymmetric subnet
At 12:30 25.10.1999 +0200, you wrote:
Hi Christoph,
I'm afraid you cannot build asymmetric subnets. This is because subnets are generated by applying a bitmask to the former host part, which is just a mathematical operation like subnets=(2^former-host-bits/2^netmask-bits)-2. This means all subnets are of the same size.
Hi,

you can build asymmetric subnets using "variable length subnet mask" or CIDR (classless inter domain routing). You might want to give your DMZ 64 IP addresses (that's a /26) and use just 4 IP addresses for the subnet between the router and the firewall (/30). It's important that the machines in the DMZ know only about their /26 subnet and use a default route to the firewall. The router needs only to know how to reach the firewall, so you configure its ethernet interface to be in the 4 IP subnet as the external interface of the firewall and apply a static route for the rest of the addresses to this firewall address. If your router doesn't allow overlapping routes, you have to stack several non-overlapping static routes that cover the entire address space.

Example:

your address space: 196.168.0.0-192.168.0.127 (= 192.168.0.0/25)
Router-FW-Subnet: 192.168.0.0/30 (192.168.0.1=router, 192.168.0.2=FW)

non-overlapping static routes:
192.168.0.4/30 => 192.168.0.2
192.168.0.8/29 => 192.168.0.2
192.168.0.16/28 => 192.168.0.2
192.168.0.32/27 => 192.168.0.2
192.168.0.64/26 => 192.168.0.2

or overlapping:
192.168.0.0/25 => 192.168.0.2

Regards
Matthias Ferdinand
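The route-stacking described in the reply above, as an added example (not part of the original mail): it derives the non-overlapping static routes for the /25 minus the router-to-firewall /30 and checks that they are disjoint and cover every remaining address. The addresses are the ones from the mail's example; the function names are chosen here.

```python
import ipaddress

# Constructed from the mail's example: the site's /25, with the first /30
# used for the router-to-firewall link (router = .1, firewall = .2).
SITE = ipaddress.ip_network("192.168.0.0/25")
LINK = ipaddress.ip_network("192.168.0.0/30")
FIREWALL = ipaddress.ip_address("192.168.0.2")


def static_routes(site, link, next_hop):
    """Return the non-overlapping prefixes of `site` that lie outside `link`,
    each pointed at `next_hop`, sorted by address. These are the entries a
    router that refuses overlapping routes needs instead of a single
    `site => next_hop` route."""
    return [(net, next_hop) for net in sorted(site.address_exclude(link))]


def covers_exactly(routes, site, link):
    """Check that the route prefixes are pairwise disjoint, lie inside
    `site`, do not touch `link`, and together cover every address of `site`
    that is not on the link (so no address is left without a route)."""
    nets = [net for net, _ in routes]
    for i, a in enumerate(nets):
        if not a.subnet_of(site) or a.overlaps(link):
            return False
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    covered = sum(net.num_addresses for net in nets)
    return covered == site.num_addresses - link.num_addresses


if __name__ == "__main__":
    routes = static_routes(SITE, LINK, FIREWALL)
    for net, hop in routes:
        print(f"{net} => {hop}")
    print("complete, non-overlapping:", covers_exactly(routes, SITE, LINK))
```

Dropping any one of the five routes makes `covers_exactly` return False, which is the check to run before trusting a hand-written route table.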