#6, 17th September 2011
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 7,977
Quote:
Originally Posted by badguy
What if Firewall A is a router that can forward packets and knows how to reach the 10.1.1/24 & 192.168.1/24 subnets? Will that change? After all, my gateway knows where to send that packet to, so why should I bother?
We configure Firewall A with two routes, a default to the Internet, and a route to the inner network:

# route add default <address of ISP's gateway router>
# route add 192.168.1/24 <address of FW B on 10.1.1 net>

And we configure Firewall B with one default route:

# route add default <address of FW A on 10.1.1 net>

Are you asking do we need to do anything with Firewall B if there is a change in the DMZ or in the ISP's addressing? Not so long as Firewall A's IP address doesn't change. For routing tables, the only addresses needed are the addresses of the adjacent router(s).
Quote:
Secondly from the router perspective, if Firewall A has 2 NIC cards, that go to both gateways, will there be a need for static routes?
Firewall A needs two routing table entries, whether static, or whether supplied by a routing service. It needs to know the addresses of both adjacent routers to itself.
Quote:
In my scenario for instance my BSD router knows how to reach re0(em1) and ural0(em2) so there is no need for static routes on the router.
You actually do have one route -- a default route, via your ISP. The router's address may be provided for you to provision manually (static), or, it may be provided by DHCP (dynamic). While DHCP can be used to change router IP addresses, it is not router configuration software.
Quote:
If it had to reach a subnet that was not directly connected to it, it will then need a static route to that subnet. Also, the hosts on my wired and wireless subnets do not need static routes as long as they can reach their default gateway. Did I get this twisted up?
You are pretty close. Think of it this way: the default route is to EVERY address either not on the local subnet or not defined in its own route. So if the address you're trying to reach isn't on the local subnet, and also can't be reached through your default route -- you'll need to add another route.

In the case of Firewall A, it needs two routes because the 192.168.1 subnet can't be reached through the default route, which goes to the ISP.
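The following is an added worked example, not code from the post or from either poster. It models the two routing tables described above (Firewall A with a default route plus a route to the inner net, Firewall B with only a default) as longest-prefix-match lookups, and traces a packet hop by hop through that constructed topology. All concrete addresses are assumptions chosen for the example: the ISP gateway is 203.0.113.1, FW A's DMZ interface is 10.1.1.1 and FW B's DMZ interface is 10.1.1.2. It also shows the failure mode from the last paragraph: drop the 192.168.1 route from Firewall A and traffic for the inner net is sent to the ISP instead.

```python
import ipaddress

# Constructed routing tables (assumed addresses, see lead-in).
# Each entry is (destination prefix, gateway); gateway None means "directly connected".
FW_A_ROUTES = [
    ("203.0.113.0/24", None),          # ISP-facing subnet, directly connected
    ("10.1.1.0/24", None),             # DMZ, directly connected
    ("192.168.1.0/24", "10.1.1.2"),    # route add 192.168.1/24 <FW B on 10.1.1 net>
    ("0.0.0.0/0", "203.0.113.1"),      # route add default <ISP gateway>
]
FW_B_ROUTES = [
    ("10.1.1.0/24", None),             # DMZ side
    ("192.168.1.0/24", None),          # inner net
    ("0.0.0.0/0", "10.1.1.1"),         # route add default <FW A on 10.1.1 net>
]

# Which router owns which address in the constructed topology (the ISP router is external).
ROUTERS = {"10.1.1.1": FW_A_ROUTES, "10.1.1.2": FW_B_ROUTES}


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching prefix wins.

    The default route (/0) matches every address, so it is only chosen when
    nothing more specific (a connected subnet or an explicit route) matches.
    Returns ("direct", prefix) or ("via", gateway), or None if no route at all.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        return None
    return ("direct", str(best_net)) if best_gw is None else ("via", best_gw)


def trace(start, dst, max_hops=8):
    """Follow next hops from a starting router until the destination is on a
    directly connected subnet or the path leaves the routers we model."""
    hops = [start]
    here = start
    for _ in range(max_hops):
        table = ROUTERS.get(here)
        if table is None:
            hops.append("(external router; path leaves our topology)")
            return hops
        result = lookup(table, dst)
        if result is None:
            hops.append("(no route)")
            return hops
        kind, nexthop = result
        if kind == "direct":
            hops.append(f"delivered on {nexthop}")
            return hops
        hops.append(nexthop)
        here = nexthop
    hops.append("(hop limit reached; possible routing loop)")
    return hops


def fw_a_without_inner_route():
    """Firewall A's table with the 192.168.1 route missing (the mistake discussed above)."""
    return [r for r in FW_A_ROUTES if r[0] != "192.168.1.0/24"]


if __name__ == "__main__":
    for dst in ("192.168.1.50", "10.1.1.2", "198.51.100.7"):
        print(dst, "from FW A:", lookup(FW_A_ROUTES, dst), "->", trace("10.1.1.1", dst))
    print("192.168.1.50 from FW A without the inner route:",
          lookup(fw_a_without_inner_route(), "192.168.1.50"))
```

Note that Firewall B's default route covers the Internet and the DMZ alike: it only needs to know FW A's address, which is why nothing on FW B changes when the ISP's addressing does.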