Here’s the situation: our network here in Denver has netmask 255.0.0.0 (/8). We’ve divided everything into fairly logical groups:
10.1.1.xx - studios, admin
10.1.5.xx - audio network
10.1.6 and up - each transmitter site (10.1.6, 10.1.7, and so on).
That’s a short list, but you get the idea.
I want to isolate that Audio network. Here’s the problem: I inherited this topology from a predecessor, and because the various sites are scattered all over Denver, we can’t easily change the IP addresses now. Also, we’ve already got a HUGE masquerade list in SuSEFirewall2 that I am loath to change.
The audio network runs Window$. Better yet, Windows’ firewall on each audio machine MUST be disabled. Normally, you’d put the whole thing behind a brick firewall, pinhole a couple of ports to get in for remote access, etc., etc. I’m not sure how to do that when everyone is on the same subnet.
My thoughts:
Put a SuSE router machine between the audio network and everything else. (We DO have the audio net isolated on a separate switch, thank the Lord.) Use a special route to send everything on 10.1.5.xx out a separate network card, into the audio switch.
Any ideas? Suggestions?
smpoole7 wrote:
>
> Here’s the situation: our network here in Denver has netmask 255.0.0.0
> (/8). We’ve divided everything into fairly logical groups:
>
> 10.1.1.xx - studios, admin
> 10.1.5.xx - audio network
> 10.1.6 and up - each transmitter site (10.1.6, 10.1.7, and so on).
>
> That’s a short list, but you get the idea.
>
> I want to isolate that Audio network.
Define “isolate”.
> Here’s the problem: I inherited this topology from a predecessor, and
> because the various sites are scattered all over Denver, we can’t
> easily change the IP addresses now. Also, we’ve already got a HUGE
> masquerade list in SuSEFirewall2 that I am loath to change.
What is this list for?
> The audio network runs Window$. Better yet, Windows’ firewall on each
> audio machine MUST be disabled. Normally, you’d put the whole thing
> behind a brick firewall, pinhole a couple of ports to get in for
> remote access, etc., etc. I’m not sure how to do that when everyone
> is on the same subnet.
Presumably they’re not really - or are you bridging everything?
> My thoughts:
>
> Put a SuSE router machine between the audio network and everything
> else. (We DO have the audio net isolated on a separate switch, thank
> the Lord.) Use a special route to send everything on 10.1.5.xx out a
> separate network card, into the audio switch.
Without really knowing what you’re hoping to achieve, yeah, that sounds
feasible.
–
Per Jessen, Zürich (24.1°C)
http://en.opensuse.org/User:Pjessen
You could set up the router as a bridge; then you wouldn’t need to change any addresses, because the router doesn’t have an address, but you still have the firewall function.
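Here is what Ken's bridge suggestion (and the "separate NIC into the audio switch" idea from the original post) looks like as a concrete setup. This is an added example, not code from the thread and not from SuSEFirewall2. It assumes placeholder interface names (eth0 facing the main LAN, eth1 facing the audio switch), the 10.1.1.0/24 and 10.1.5.0/24 groups from the post, and RDP (3389) and VNC (5900) as the remote-access pinholes; change those to taste. The point of the bridge is that it carries no IP address and passes ARP untouched, so every host keeps its /8 addressing and still resolves its neighbours, while the firewall decides direction by which bridge port a frame arrived on (iptables `-m physdev`) instead of by subnet. Without APPLY=1 the script only prints what it would do.

```shell
#!/bin/sh
# Transparent ("bump in the wire") bridge firewall for the audio LAN.
# Added example, not code from the thread or from SuSEFirewall2.
# Assumed (placeholder) values:
#   eth0 = port facing the main LAN and the existing SuSEFirewall2 router
#   eth1 = port facing the audio switch
#   10.1.1.0/24 = studios/admin, 10.1.5.0/24 = audio (groups from the post)
#   3389 (RDP) and 5900 (VNC) = remote-access pinholes into the audio hosts
# The bridge has no IP address of its own, so no host changes its address or
# netmask; the network still looks like one flat /8 to everybody on it.
set -e

LAN_IF=${LAN_IF:-eth0}
AUDIO_IF=${AUDIO_IF:-eth1}
AUDIO_NET=${AUDIO_NET:-10.1.5.0/24}
ADMIN_NET=${ADMIN_NET:-10.1.1.0/24}
PINHOLES=${PINHOLES:-"3389 5900"}   # TCP ports admins may reach on audio hosts

# Commands that build the bridge. Printed, and executed only with APPLY=1.
bridge_cmds() {
    printf '%s\n' \
        "brctl addbr br0" \
        "brctl addif br0 $LAN_IF" \
        "brctl addif br0 $AUDIO_IF" \
        "ip link set dev $LAN_IF up" \
        "ip link set dev $AUDIO_IF up" \
        "ip link set dev br0 up" \
        "modprobe br_netfilter 2>/dev/null || true" \
        "sysctl -w net.bridge.bridge-nf-call-iptables=1"
}

# iptables-restore ruleset for the filter table. With bridge-nf-call-iptables=1
# bridged IP frames traverse FORWARD, and -m physdev tells which bridge port a
# frame came in on, so direction is decided by port, not by subnet (every host
# here believes it shares one /8 with everyone else). This REPLACES the filter
# table, so do not let SuSEFirewall2 also manage this box.
forward_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]'
    # Replies belonging to a session that was allowed to start, either direction
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Management pinholes: admin subnet -> audio subnet, listed TCP ports only
    for p in $PINHOLES; do
        printf '%s\n' "-A FORWARD -m physdev --physdev-in $LAN_IF -s $ADMIN_NET -d $AUDIO_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else arriving from the LAN side is logged and dropped
    printf '%s\n' "-A FORWARD -m physdev --physdev-in $LAN_IF -j LOG --log-prefix \"audio-bridge-in: \""
    printf '%s\n' "-A FORWARD -m physdev --physdev-in $LAN_IF -j DROP"
    # Audio hosts (Windows firewall off, so treated as untrusted) may not open
    # connections outward either. ACCEPT rules for traffic they legitimately
    # originate, e.g. towards the transmitter sites, belong above this line.
    printf '%s\n' "-A FORWARD -m physdev --physdev-in $AUDIO_IF -j LOG --log-prefix \"audio-bridge-out: \""
    printf '%s\n' "-A FORWARD -m physdev --physdev-in $AUDIO_IF -j DROP"
    printf '%s\n' 'COMMIT'
}

if [ "${APPLY:-0}" = 1 ]; then
    bridge_cmds | sh -e
    forward_rules | iptables-restore
else
    echo "# dry run; set APPLY=1 to execute"
    bridge_cmds
    forward_rules
fi
```

Run it as `APPLY=1 LAN_IF=eth0 AUDIO_IF=eth1 sh audio-bridge.sh` on the bridge box (the file name is made up). Two caveats a practitioner will hit: if `net.bridge.bridge-nf-call-iptables` is 0 (or br_netfilter is not loaded), bridged frames never reach FORWARD and the rules silently match nothing, so check `iptables -L FORWARD -v` counters after pushing a test connection; and the rule set starts from "nothing crosses in either direction", so whatever the audio machines legitimately send out has to be added explicitly, or it will show up in the `audio-bridge-out:` log lines and nowhere else.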
Ken,
As usual, short, sweet and perfect. I didn’t even think of that.
You da man!