On 14 Jul 2008 at 11:55, Glynn Clements wrote:

> Beginner wrote:
>
> The number of addresses in a subnet will always be a power of two; you
> can't make a subnet with e.g. 128 - 8 = 120 addresses. If your network
> is a /25, and you want to carve out a /29, you would end up with at
> least 5 subnets:
>
>   /29 + /29 + /28 + /27 + /26
>    8     8     16    32    64
>
> That isn't a problem for the router, but configuring the hosts'
> routing tables is likely to be a nuisance (assuming that the DMZ hosts
> and non-DMZ hosts might occasionally want to talk to each other).
>
> If you configure the hosts to believe that they're on a /25 subnet,
> they will assume that they can talk directly to the DMZ hosts, without
> needing to use a gateway. That will require proxy ARP.
>
> OTOH, if you split the /25 into 5 subnets as shown above, either each
> host will require routes to all of the other subnets, or hosts on
> different subnets will have to route their traffic through the
> gateway, which will significantly increase its load.
>
> I suspect that you would be better off sticking to a single /25
> network, and adding host routes and proxy-ARP entries for the DMZ
> hosts.
>
> On the router, you would add a route for your entire /25 network
> through the first interface, and host routes for the individual DMZ
> hosts through the second interface. You would also add proxy-ARP
> entries for the DMZ hosts to the first interface, so that the non-DMZ
> hosts can act as if the DMZ hosts are on the same network segment.
>
> Or you could just use private (192.168.* etc.) addresses for the
> non-DMZ hosts and have the router perform NAT.

There's quite a lot to take in here. The router is managed by our ISP. They suggested 3 options, including one to break it into smaller networks as you suggest. I want the maintenance and schema of the network to be as simple as possible. I have more addresses than I need, so it seems daft to buy a few more to put on that interface.
I think I favour your idea to assign the lot to the first interface and use proxy-ARP and host routes. Thanks for the explanation.

Dp.

-- 
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
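The layout Glynn describes (one /25 on the first interface, a /32 host route per DMZ host out of the second interface, proxy-ARP entries for the DMZ hosts on the first interface) translates into a handful of iproute2 and sysctl commands on a Linux router. The following script is an added example, not code from the thread or from the ISP that manages the poster's router. Every address in it is an assumption: 203.0.113.0/25 (the RFC 5737 documentation range) stands in for the poster's /25, 203.0.113.1 is the router and everyone's gateway, eth0 faces the ordinary hosts, eth1 faces the DMZ, and 203.0.113.10 and .11 are constructed DMZ hosts. It also adds one thing the thread does not spell out: the DMZ hosts keep the /25 mask too, so they ARP on the DMZ segment for ordinary hosts, and the router has to answer those requests as well; the example turns on interface-wide proxy ARP on the DMZ side for that. The functions only print the commands, so they can be reviewed first; set APPLY=1 and run as root to execute them.

```shell
#!/bin/sh
# Added example for the single-/25 + proxy-ARP + host-route layout from the
# thread; not code from the original post. All addresses are assumptions:
#   203.0.113.0/25   the public /25 (RFC 5737 documentation range)
#   203.0.113.1      the router, used as the gateway by every host
#   eth0             router interface facing the ordinary (non-DMZ) hosts
#   eth1             router interface facing the DMZ hosts
#   203.0.113.10/11  the DMZ hosts (constructed)
# The functions only print iproute2/sysctl commands; APPLY=1 executes them.

NET="${NET:-203.0.113.0/25}"
ROUTER="${ROUTER:-203.0.113.1}"
LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
DMZ_HOSTS="${DMZ_HOSTS:-203.0.113.10 203.0.113.11}"

# Router side. LAN hosts keep believing the whole /25 is on-link, so when one
# ARPs for a DMZ address the router must answer with its own MAC and then
# forward the packet out of the DMZ interface. The kernel does that when
# forwarding is on, the destination is routed out of a *different* interface
# than the ARP request arrived on, and a proxy neighbour entry exists for it.
router_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Router address plus the connected /25 on the LAN side.
    echo "ip addr replace ${ROUTER}/25 dev ${LAN_IF}"
    # Same address as a /32 on the DMZ side: DMZ hosts get an on-link gateway
    # without a second, conflicting connected /25 route on this interface.
    echo "ip addr replace ${ROUTER}/32 dev ${DMZ_IF}"
    # The route for the entire /25 through the first interface.
    echo "ip route replace ${NET} dev ${LAN_IF}"
    # Reverse direction: DMZ hosts also think the /25 is on-link and ARP for
    # LAN addresses on eth1. Per-host entries for every LAN host would be
    # tedious, so enable interface-wide proxy ARP there. Because a DMZ host's
    # /32 route points back out of eth1 itself, the router does not answer
    # ARP for other DMZ hosts; they still talk to each other directly.
    echo "sysctl -w net.ipv4.conf.${DMZ_IF}.proxy_arp=1"
    for h in $DMZ_HOSTS; do
        # Host route through the second interface ...
        echo "ip route replace ${h}/32 dev ${DMZ_IF}"
        # ... and a proxy-ARP entry for that host on the first interface.
        echo "ip neigh replace proxy ${h} dev ${LAN_IF}"
    done
}

# DMZ host side: keep the /25 mask the ISP handed out and use the router as
# default gateway, exactly like a non-DMZ host. Non-DMZ hosts need no change.
# Usage: dmz_host_commands <address> [interface]
dmz_host_commands() {
    addr="$1"
    iface="${2:-eth0}"
    echo "ip addr replace ${addr}/25 dev ${iface}"
    echo "ip route replace default via ${ROUTER} dev ${iface}"
}

if [ "${APPLY:-0}" = 1 ]; then
    router_commands | sh -e
else
    router_commands
fi
```

Two practical notes. The `ip neigh ... proxy` entries and sysctls do not survive a reboot, so they belong in whatever the router uses for persistent network configuration. And the reason to bother with a second interface at all is that every packet between an ordinary host and a DMZ host now passes through the router's forwarding path, which is where the DMZ filtering policy can be enforced; a DMZ host on the same physical segment as everything else could be reached directly, bypassing any such rules.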