Hi folks!
We are going to renew a firewall and are planning a whole new design.
We have these public ranges
1 x /30 range
1 x /24 range
We need to be able to use both NAT and direct public IP on servers (through a DMZ).
We are going to host 'customers' (and need several LAN zones, I assume).
I was wondering how we could use this second /24 range for this.
My first thoughts were:
- use an interface as WAN with proxy-ARP for the second range (untrust-zone)
- create zone 'wan' and use a VLAN as an interface, assign address .1/24 (wan-zone) for use with the second range
- create a 'customer1' zone and assign it a private IP range
and here it stops for me...
How would we then forward the traffic, f.ex. static NAT, source/destination NAT and public IP on servers in different zones?
I was thinking lan-zone NAT/policy to wan and then policy to untrust-zone?
Or could one go directly lan-zone to untrust (bypassing wan-zone) when the source NAT IP is in the /24 range attached to wan-zone? (We have proxy-ARP..)
Maybe one DMZ and one LAN per customer, but then wouldn't we need to split the /24 range for use with different zones?
Is there an easy way to solve this?
Then we will most probably terminate VPNs on WAN IPs from the /24 range; how will this work?
Is there a best-practice for something like this?
Any pointers are better than none,
Regards, DB.
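The allocation question in the post (whether the /24 has to be split per zone, or whether lan zones can go straight to untrust with a source-NAT address out of the /24) can be modelled without any vendor config. The following is an added example, not code from the original post or from any firewall vendor: a small Python model of a plan in which the /24 is never assigned to an interface at all, individual addresses from it are carved out as 1:1 static NAT for DMZ servers and as per-customer source-NAT pools, and every allocated address is proxy-ARPed on the untrust interface. Zone names, customer names and all addresses are constructed for the example, and the model assumes the usual zone-firewall ordering where destination/static NAT is applied before the policy lookup, so inbound policy is written untrust → customer DMZ zone and outbound policy is written customer LAN zone → untrust, with no intermediate "wan" zone.

```python
"""
Constructed model of sharing one public /24 across several customer zones
on a zone-based firewall without splitting the prefix.  The /24 is not an
interface address: addresses are allocated one by one as static NAT or
source-NAT pool members, and the firewall answers ARP for all of them on
the untrust interface (proxy-ARP).  Everything here is an assumption for
illustration, not a vendor's syntax.
"""
import ipaddress
from dataclasses import dataclass, field

# constructed public range (TEST-NET-3, RFC 5737), standing in for the real /24
PUBLIC_24 = ipaddress.ip_network("203.0.113.0/24")


@dataclass
class Plan:
    public: ipaddress.IPv4Network
    untrust_zone: str = "untrust"
    # public IP -> (customer DMZ zone, private server IP)
    static: dict = field(default_factory=dict)
    # customer LAN zone -> list of public source-NAT pool addresses
    snat_pools: dict = field(default_factory=dict)
    _used: set = field(default_factory=set)

    def _take(self, addr):
        """Reserve one address from the /24; refuse overlaps and outside addresses."""
        ip = ipaddress.ip_address(addr)
        if ip not in self.public:
            raise ValueError(f"{ip} is not inside {self.public}")
        reserved = (self.public.network_address, self.public.broadcast_address)
        if ip in self._used or ip in reserved:
            raise ValueError(f"{ip} already allocated or reserved")
        self._used.add(ip)
        return ip

    def add_static_nat(self, public_ip, zone, private_ip):
        """1:1 static NAT for a server living in a customer DMZ zone."""
        ip = self._take(public_ip)
        self.static[ip] = (zone, ipaddress.ip_address(private_ip))

    def add_snat_pool(self, zone, public_ips):
        """Source-NAT pool used by a customer's internal (LAN) zone."""
        self.snat_pools[zone] = [self._take(p) for p in public_ips]

    def proxy_arp_entries(self):
        """Every allocated address must be proxy-ARPed on the untrust interface."""
        return sorted(self._used)

    def inbound(self, dst_public):
        """Inbound flow: static NAT first, then the policy is untrust -> DMZ zone."""
        ip = ipaddress.ip_address(dst_public)
        if ip not in self.static:
            return None  # no mapping: nothing answers ARP, nothing is forwarded
        zone, private = self.static[ip]
        return {"from_zone": self.untrust_zone, "to_zone": zone, "dst": str(private)}

    def outbound(self, src_zone, private_src):
        """Outbound flow: LAN zone -> untrust directly, source NATed from the pool."""
        pool = self.snat_pools.get(src_zone)
        if not pool:
            return None  # zone has no pool: policy would have to deny or use another NAT
        # constructed pool-member selection: deterministic hash of the private address
        idx = int(ipaddress.ip_address(private_src)) % len(pool)
        return {"from_zone": src_zone, "to_zone": self.untrust_zone, "snat": str(pool[idx])}


def build_plan():
    """Two constructed customers, each with a DMZ server and a LAN source-NAT pool."""
    plan = Plan(PUBLIC_24)
    plan.add_static_nat("203.0.113.10", "customer1-dmz", "10.1.10.10")
    plan.add_static_nat("203.0.113.11", "customer2-dmz", "10.2.10.10")
    plan.add_snat_pool("customer1-lan", ["203.0.113.20"])
    plan.add_snat_pool("customer2-lan", ["203.0.113.21", "203.0.113.22"])
    return plan


if __name__ == "__main__":
    p = build_plan()
    print("proxy-ARP on untrust:", [str(a) for a in p.proxy_arp_entries()])
    print(p.inbound("203.0.113.11"))
    print(p.outbound("customer1-lan", "10.1.20.5"))
```

The point the model makes is that the /24 stays one contiguous block: each customer consumes only the addresses it is given, the proxy-ARP list is exactly the set of allocated addresses, and the `_take` check is the place where an overlap between one customer's static NAT and another's pool is caught before it reaches a policy. A VPN endpoint would be handled the same way, as one more address taken from the block and proxy-ARPed, but its termination is not modelled here.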