Routing the same subnet.

Posted on 2000-04-09
Last Modified: 2013-12-23
I'm setting up a OpenBSD gateway with the following conditions:

The gateway we have from our ISP is 2xx.xx.22.129.
My Gateway has two NIC's
xl0 2xx.xx.22.130/ (ext, con. to wireless Internet)
xl1 2xx.xx.22.156/ (int, con. to local switch)

The computers and servers inside uses 2xx.xx.22.131 to .158

How should I setup the route tables and arp on the gateway to get the
inside net to get Internet access?

Also, should I run "routed" ?,if so, with witch parameters and do I
need any special parameters in /etc/gateways ?

Also, Bridging is not a option since I cannot have more that one MAC
address out to our wireless equipment.
Question by:fred_nd
  • 4
  • 4

Author Comment

ID: 2697983
Adjusted points from 100 to 200
LVL 40

Expert Comment

ID: 2698185
Basically... You can't. The way routing works the inside and outside networks must be different. Otherwise the routing process can't tell which interface to use for an IP in the 2xx.xx.22.128/32 net. And you can't fool it by fiddling the netmask on the inside network, because you have to make corresponding change on the outside network.

However, you are in luck in that you are running OpenBSD and can use ipfilter, you can read about it at: What I'd do is to change the inside network to be a "private network" and use ipfilter's NAT facility. If you want, you can set up static one-to-one translations so that each inside system has a fixed outside IP. Or you can set up a NAT pool and let the translation be dynamic. Or have some dynamic and some static. Your choice... Oh yeah, you get firewalling for free, so to speak.

Author Comment

ID: 2699349
By "private network" you mean a 192.168.x.x address or alike?

This is a problem because the machines inside the firewall has public addresses 2xx.xx.22.128/ and I cant change that, mostly because this is Web, DNS and mail servers.
LVL 40

Accepted Solution

jlevie earned 200 total points
ID: 2699863
Ahh, but that's what one-to-one static NAT translations gets you. A particular inside machine, say gets assigned an outside IP of 2x.x.22.130. You enable inbound web (port 80 & maybe 443) on the 2x.x.22.130-> NAT conduit, and voila, you've got a web server that for all intents and purposes is "outside the firewall". It always appears to be at 2x.x.xx.130. Since you only enable inbound connections through the firewall on specific ports and to specific inside machines, the rest of the networks services and systems are protected from attack on all other ports. This is a "very good thing".

I do this all the time. Right now I've got six web servers (plain & SSL), an email server, and two DNS boxes inside of a firewall doing NAT (and have had most of them in place for 3-4 years). There are a few things that you can't easily do, like VPN's from an inside system, and some special things you must do, like a careful setup of the DNS for public/private IP's. Some of this gets handled by special boxes connected to the DMZ. And I should explain that term.

The standard configuration for a firewall protected network looks something like:

gateway router to the Internet
       | DMZ network
       | w/"public" IP's
  Firewall w/NAT
Inside "private" network

Frequently you put special systems (like sendmail relays, external DNS servers, VPN hosts) outside of the firewall attached to the DMZ. These typically are specially hardened system that only provide a specific service(s). Everything else lives inside the firewall and static conduit's are provided though the firewall to those inside systems that need to accept inbound connections from the public (insecure) Internet.

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.


Expert Comment

ID: 2702342
you may want to look at the "winGate" product also...

Author Comment

ID: 2703559
When using NAT like this, assigning public IP numbers to private numbers, how will the logs on a WebServer look like?

Will the firewall be the visitor or will the users real IP number show here as it would do without the firewall?

LVL 40

Expert Comment

ID: 2703629
The real (public) source IP will still be shown at either end. With lots of folks installing firewall'a and NAT'ing their internal networks these days (for security and to have more systems than the have public IPs for), you frequently can't tell a whole lot about who is actually accessing a site from the IP. For instance I've got some 700 nodes being dynamically NAT'd through 224 public IP's. Any given inside system can get any of the public IPs.

Author Comment

ID: 2703665
This works, not exactly the answer I where looking for, but this could work for me.

Thanks for the fast help, now I'm going to kick on my ISP, and force them to give me another wireless bridge that can handle more than one MAC address, then I will be able to setup a bridge instead.

But, thanx again for the fast and good help.
LVL 40

Expert Comment

ID: 2704203
Yeah that would work also. If you decide you want to get into using ipfilter to NAT the network, I can be reached at

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
FTP output from Wireshak 6 49
Route summarization 9 43
ESXi VLAN Lab 2 33
OpenVPN Speed limitation to only 10 mbps 7 40
Join Greg Farro and Ethan Banks from Packet Pushers ( and Greg Ross from Paessler ( for a discussion about smart network …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now