Hi guys. I have a large network of people all on 10.x.x.x addresses. I've been running a couple of servers with DST NAT & SRC NAT behind the router, but now need to have a couple of servers running public IPs. I could put them before the router obviously, but would lose the abilty to do any bandwidth limiting and traffic shaping.

I can run 2 or 3 NICs as necessary, but I'm just not sure how to pull this off. I'm guessing a combination of NAT & Bridge, but the exact method is eluding me thus far.

Thanks!

Sir William

There's a couple of ways to setup a DMZ.

1: Third NIC setup bridged to your Internet interface. This is how I'm currently handling an IP telephone. Packet filtering on the bridge means you can firewall pretty well.

2: Third NIC with separate private IP range. Then DST-NAT and SRC-NAT IPs on this to your public addresses.

There is a big security advantage with option 2 as you're not using public IPs on your DMZ network and this is what I would recommend. For security reasons I would not recommend having publicly accessible servers on your main client network at all. Always split them off into their own DMZ.

Regards

Andrew

Andrew, I have already done what you're saying by using a 3rd NIC and setting up a bridge with the WAN/Internet interface. But I'm still unable to ping my ISP gateway from a machine on that bridged network. According to everything I'm seeing, it should work just fine, but something is hosed. Any ideas?

Sorry for the hassle guys. Turns out it was my stupid ISP's problem. I bypassed my router and still couldn't get my extra IPs to route. I should have tried that earlier. I just blew a day thinking my config was wrong. Thanks for the effort and the read. Just remember to never count out stupidity on the part of your ISP.

Sir William