My firewall, an iptables Linux box, has only one Ethernet port.
My network topology is very simple and looks like this:

ISP (Port Gi 1/1) -> Switch <- Firewall on Port Gi 1/2
                        ^
                        |
             Other devices Gi 1/3 - Gi 1/48

On my firewall, the eth0 interface has both a DHCP address (from the ISP) and a private 192.168.x.x address on the same eth0 interface (acting as gateway/DHCP server).
NATing from my private network to my ISP works, and all connected devices can reach the Internet. However, I want to separate these two networks, because right now nothing stops my other devices from trying to request an IP from my ISP, which they should not do.
I know buying an extra NIC for my firewall would probably be simpler, but I don't want to do that. Thank you for your help with this.
My switch has a basic configuration, but here it is anyway:
Current Configuration ...
! Version 9.13(0.0)
! Last configuration change at Tue Jan 16 03:00:13 2018 by default
!
boot system stack-unit 1 default system: A:
!
hostname DellEMC
!
protocol lldp
!
redundancy auto-synchronize full
!
stack-unit 1 provision S3048-ON
!
interface GigabitEthernet 1/1
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/2
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/3
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/4
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/5
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/6
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/7
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/8
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/9
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/10
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/11
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/12
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/13
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/14
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/15
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/16
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/17
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/18
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/19
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/20
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/21
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/22
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/23
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/24
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/25
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/26
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/27
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/28
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/29
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/30
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/31
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/32
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/33
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/34
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/35
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/36
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/37
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/38
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/39
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/40
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/41
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/42
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/43
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/44
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/45
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/46
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/47
no ip address
switchport
no shutdown
!
interface GigabitEthernet 1/48
no ip address
switchport
no shutdown
!
interface TenGigabitEthernet 1/49
no ip address
shutdown
!
interface TenGigabitEthernet 1/50
no ip address
shutdown
!
interface TenGigabitEthernet 1/51
no ip address
shutdown
!
interface TenGigabitEthernet 1/52
no ip address
shutdown
!
interface ManagementEthernet 1/1
no ip address
no shutdown
!
interface ManagementEthernet 2/1
no shutdown
!
interface ManagementEthernet 3/1
no shutdown
!
interface ManagementEthernet 4/1
no shutdown
!
interface ManagementEthernet 5/1
no shutdown
!
interface ManagementEthernet 6/1
no shutdown
!
interface Vlan 1
!untagged GigabitEthernet 1/1-1/48
!
line console 0
line vty 0
line vty 1
line vty 2
line vty 3
line vty 4
line vty 5
line vty 6
line vty 7
line vty 8
line vty 9
!
reload-type
boot-type normal-reload
config-scr-download enable
!
end
Posted on 2018-01-31 19:25:51
Connecting your LAN and WAN together is a terrible idea.
You don't need a second physical interface on the firewall, but you do need a second logical interface.
Posted on 2018-01-31 15:21:32
One approach is to use 802.1q trunking to create two logical interfaces on the firewall (a trusted one and an untrusted one). You would configure your switch port as a trunk carrying two VLANs. Logically, your Linux box would then have two ports.
Linux configuration is off-topic here. You can find details on configuring 802.1q on Server Fault.
https://networkengineering.stackexchange.com/questions/47506
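The two-logical-interface layout from the answer above, worked through as an added example that is not from the question or either answer: a shell script whose functions print the Linux VLAN sub-interface commands, the iptables forward/NAT rules bound to those sub-interfaces, and the matching VLAN block for the switch. Assumed values: VLAN 10 for the ISP (untrusted) side, VLAN 20 for the private LAN, 192.168.1.1/24 on the firewall's LAN sub-interface, and Dell OS9 VLAN syntax in the style of the posted config.

```shell
#!/bin/sh
# Added example (not from the question or answers): "two logical interfaces" on one
# NIC via 802.1q sub-interfaces. Assumed: VLAN 10 = ISP/untrusted, VLAN 20 = private
# LAN, firewall LAN address 192.168.1.1/24. Functions only print; apply output as root.

# Linux side: one tagged sub-interface per VLAN on top of the single physical NIC.
vlan_setup_cmds() {
  nic="$1"; wan="$2"; lan="$3"; lan_addr="$4"
  cat <<EOF
ip link add link $nic name $nic.$wan type vlan id $wan
ip link add link $nic name $nic.$lan type vlan id $lan
ip link set $nic up
ip link set $nic.$wan up
ip link set $nic.$lan up
ip addr add $lan_addr dev $nic.$lan
dhclient $nic.$wan
EOF
}

# Forward/NAT policy keyed to the logical interfaces: LAN hosts reach the Internet
# only through the masqueraded WAN sub-interface, and the ISP VLAN never sees LAN DHCP.
firewall_cmds() {
  nic="$1"; wan="$2"; lan="$3"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $nic.$wan -j MASQUERADE
iptables -A FORWARD -i $nic.$lan -o $nic.$wan -j ACCEPT
iptables -A FORWARD -i $nic.$wan -o $nic.$lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Switch side (assumed Dell OS9 syntax, matching the posted config style): ISP port
# untagged in VLAN 10, device ports untagged in VLAN 20, firewall port Gi 1/2 tagged
# in both so it carries the trunk.
switch_cfg() {
  cat <<'EOF'
interface Vlan 10
 untagged GigabitEthernet 1/1
 tagged GigabitEthernet 1/2
 no shutdown
!
interface Vlan 20
 untagged GigabitEthernet 1/3-1/48
 tagged GigabitEthernet 1/2
 no shutdown
EOF
}
```

To apply on the firewall, run for example `vlan_setup_cmds eth0 10 20 192.168.1.1/24 | sh` and `firewall_cmds eth0 10 20 | sh` as root; paste `switch_cfg` output into the switch's configuration mode.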