Hello List:

I'm trying to change my current setup from what I'm doing now:

INET <---> ROUTER <---> FIREWALL <---> LAN
             A          NAT
             |          FILTERING
             V          PROXY
          VoIP BOX

To:

INET <---> ROUTER <---> HUB <---> FIREWALL <---> SWITCHES <---> LAN
            NAT          |        FILTERING
                         |        PROXY
                         \-> VoIP BOX

This is because the NAT on my new router supports H323 perfectly. Plus ISP won't provide extra IP addresses (just one for the whole setup).

*******************
I know how to configure iptables to perform what I want to do. I just want some advice on what would be the best way to subnet my network.
*******************

Right now (to make it work, I didn't have to modify my firewall scripts) the sub-netting is as follows:

(Router) has the ISP provided valid Internet IP address on the WAN interface.
(Router) has a 172.16.0/24 address on the Ethernet interface.
(Firewall) has a 172.16.0/24 address on the EXTERNAL interface.
(Firewall) has a 192.168.0/24 address on the INTERNAL interface. (Everyone's gateway)
(VoIP box) has a 172.16.0/24 address on the EXTERNAL interface.

Right now the firewall runs proxies for SMTP, WEB and FTP. A VPN (PPTP and IPSEC) service. And a permanent VPN tunnel with another location (configured as this one). DNS services and SSH for administration. It filters outgoing and incoming traffic according to usage and abuse policies (filter everything but legitimate incoming traffic and valid hosts to use http, ftp, etc).

I'd appreciate any suggestions.

Thanks,

Omar Castañeda Acosta
Systems Administrator
iDEA S.A. de C.V.
Voice: +52 (614) 414-2808 x 109
Mobile: +52 (614) 406-5241
VoIP: voip.idea.com.mx x 109
omar@idea.com.mx