Beginner wrote:

> I have 126 IP addresses on a single subnet all routing through the
> same gateway. I have upgraded my router so I now have 2 interfaces. I
> want to put an SMTP and HTTP server on the 2nd interface and keep the
> internal hosts on the original interface. I think this is basically a
> DMZ configuration.
>
> My current IP address assignment is sporadic, with some static hosts
> at one end or the other on the IP block and DHCP given a pool from
> the middle.
>
> I want to assign a /29 block of addresses from within my range to the
> 2nd interface giving me 5 addresses to use. I am a little unsure what
> the impact of this change will be on other network services, in
> particular DHCP.
>
> Will I be turning my simple single subnet into 3 different subnets?

The number of addresses in a subnet will always be a power of two; you
can't make a subnet with e.g. 128 - 8 = 120 addresses.

If your network is a /25, and you want to carve out a /29, you would
end up with at least 5 subnets:

	/29 + /29 + /28 + /27 + /26
	  8     8    16    32    64

That isn't a problem for the router, but configuring the hosts' routing
tables is likely to be a nuisance (assuming that the DMZ hosts and
non-DMZ hosts might occasionally want to talk to each other).

If you configure the hosts to believe that they're on a /25 subnet,
they will assume that they can talk directly to the DMZ hosts, without
needing to use a gateway. That will require proxy ARP.

OTOH, if you split the /25 into 5 subnets as shown above, either each
host will require routes to all of the other subnets, or hosts on
different subnets will have to route their traffic through the gateway,
which will significantly increase its load.

I suspect that you would be better off sticking to a single /25
network, and adding host routes and proxy-ARP entries for the DMZ
hosts.

On the router, you would add a route for your entire /25 network
through the first interface, and host routes for the individual DMZ
hosts through the second interface. You would also add proxy-ARP
entries for the DMZ hosts to the first interface, so that the non-DMZ
hosts can act as if the DMZ hosts are on the same network segment.

Or you could just use private (192.168.* etc) addresses for the non-DMZ
hosts and have the router perform NAT.

-- 
Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
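Subnet arithmetic for the /25-minus-/29 case discussed above, as an added Python example that is not part of the original thread. The 203.0.113.0/25 block is a constructed placeholder standing in for the poster's range, and carve_out() generalises the reply's "/29 + /29 + /28 + /27 + /26" breakdown to a /29 taken from anywhere in the /25.

```python
# Added example: how a /25 decomposes once a /29 is carved out of it.
# 203.0.113.0/25 is a constructed documentation-range placeholder, not
# the poster's real block.
import ipaddress


def carve_out(parent, carved):
    """Return the minimal list of CIDR blocks that together cover
    `parent`, with `carved` as one of them, sorted by address.

    A CIDR block can only be split in half, so the remainder after
    removing `carved` is the fewest power-of-two blocks that fit; that
    is exactly what ipaddress.address_exclude() yields.
    """
    net = ipaddress.ip_network(parent, strict=True)
    dmz = ipaddress.ip_network(carved, strict=True)
    if not dmz.subnet_of(net):
        raise ValueError(f"{dmz} is not inside {net}")
    return sorted([dmz, *net.address_exclude(dmz)])


def usable_hosts(block):
    """Addresses left for hosts once the network address, the broadcast
    address and the router's own interface address are taken; this is
    where the poster's '5 addresses' for a /29 comes from."""
    return ipaddress.ip_network(block).num_addresses - 3


def summary(parent, carved):
    """Render the decomposition like the table in the reply: one
    'prefix (size)' entry per resulting block."""
    return [f"{b.with_prefixlen} ({b.num_addresses})"
            for b in carve_out(parent, carved)]


if __name__ == "__main__":
    # DMZ /29 at the bottom of the /25, as in the reply's table.
    for line in summary("203.0.113.0/25", "203.0.113.0/29"):
        print(line)
    # The same /29 taken from the middle still leaves five blocks in total.
    print(len(carve_out("203.0.113.0/25", "203.0.113.56/29")), "subnets")
    print("usable DMZ hosts:", usable_hosts("203.0.113.0/29"))
```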