
Newbie needs help with multiple IPs solution 2


Spinaker

Technical User
Oct 4, 2003
13
DK
Hi all Linux gurus,

I am new to Linux, but a fast learner too. Recently I became admin for 25 apartments with a 2 Mbit ADSL connection. I got an offer from the ISP. This is how it looks:

PPPoE

WAN IP (NAT IP): 213.xxx.3xx.253

Subnet: 213.xxx.4xx.144-151
Subnet mask: 255.255.255.248
LAN IP (Default gateway): 213.xxx.4xx.145

For now I'm using only one IP and DHCP for connecting all machines from the LAN. That is working fine.
But because I have some more public IPs that are not used, as you can see, I would like to use them.
I know that one of the IPs is used as the broadcast address.
So one for broadcast, one for the gateway; I'm standing here with 6 addresses to use. Some of the people in the building, and also myself, would like to have those addresses hooked up to our machines, but we would also like to stay in the LAN to see the other machines.

Please help me with solving that. I don't want a DMZ solution whatsoever. I guess it is possible the way I want it, but I just simply don't know how to do it.



Thanks in advance, Spinaker.

Gone with the wind...
 
I can't think of a really good reason for using those other IP addresses. Back in the olden days, networks would get bogged down when you had more than a few nodes chattering. To fix this they would break things down into smaller workgroups or subnets. Nowadays you can get very busy before you notice any change or slowdown in performance. You can use them to create smaller subnets, but why?
 
Actually I forgot to tell you that the subnet was given to me as part of the offer. So basically I have a subnet in the range 213.150.48.144-151, mask 255.255.255.248, plus WAN IP (NAT IP) 213.150.38.253; it stands like that on the paper I got.
I would first just like to be able to make those addresses work and be visible outside, if it is possible.

Thanks in advance, Spinaker.

Gone with the wind...
 
Spinaker, I have to agree with RythemAce on this discussion. You haven't given us anything that really justifies the need to assign both public and private IPs to your LAN hosts.

That said, you could consider binding other IPs to the public interface of the firewall/router. If it were Linux-based you could add them readily using ifconfig.

Then you would use iptables SNAT/DNAT to create a port-based or IP-based NAT between the public IP and a private box.

I STILL cannot think of a single valid reason to use the public IPs on the private LAN boxes. This is generally a very bad idea and, unless you can provide a road-map for why you need to do this, I will argue against it.

"Surfinbox Shares" - A fundraising program that builds revenue from dialup Internet users.
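The approach thedaver sketches above (bind extra public addresses to the firewall's outside interface, then NAT one public address onto one private box) as an added example; this is not code from the thread or from any product mentioned in it. The interface name eth0, the private address 192.168.0.10 and the single published port are assumptions; the public address comes from the /29 quoted in the thread. With DRY_RUN=1 (the default) the script prints the commands it would run, so it can be inspected without root or a real firewall.

```shell
#!/bin/sh
# Added example: bind a second public address to the WAN interface and map it
# 1:1 onto one private host with iptables DNAT (inbound) and SNAT (outbound).
# Interface name, private address and published port are assumed values.
# If the PPPoE session terminates on this box, the WAN interface is ppp0.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Attach an extra public address to the WAN interface. This is the iproute2
# form of the "ifconfig eth0:1 <ip> netmask <mask>" alias the thread mentions.
add_public_alias() {
    wan_if="$1"; public_ip="$2"; prefix_len="$3"
    run ip addr add "${public_ip}/${prefix_len}" dev "$wan_if"
}

# IP-based (1:1) NAT: everything arriving for PUBLIC_IP is rewritten to
# PRIVATE_IP before routing; traffic leaving PRIVATE_IP gets PUBLIC_IP as
# its source, so the private box looks like the public address from outside.
# NAT only rewrites headers: the FORWARD chain still decides what passes, so
# only replies and the one published TCP port are accepted for the host.
map_public_to_private() {
    wan_if="$1"; public_ip="$2"; private_ip="$3"; published_port="$4"
    run iptables -t nat -A PREROUTING  -i "$wan_if" -d "$public_ip" -j DNAT --to-destination "$private_ip"
    run iptables -t nat -A POSTROUTING -o "$wan_if" -s "$private_ip" -j SNAT --to-source "$public_ip"
    # After PREROUTING the destination already reads PRIVATE_IP.
    run iptables -A FORWARD -i "$wan_if" -d "$private_ip" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$wan_if" -d "$private_ip" -p tcp --dport "$published_port" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$wan_if" -d "$private_ip" -j DROP
    # The private host may open connections outwards.
    run iptables -A FORWARD -s "$private_ip" -o "$wan_if" -j ACCEPT
}

# Usage with the /29 from the thread (.145 is the gateway, so .146 is the
# first free address) and a constructed private host:
add_public_alias eth0 213.150.48.146 29
map_public_to_private eth0 213.150.48.146 192.168.0.10 80
```

Run with DRY_RUN=0 as root to apply the rules. The explicit DROP after the published port is what keeps a 1:1 mapping from silently exposing every service on the private box, which is the usual mistake with whole-address DNAT.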
 
Ok, sorry for the mess, I just wanted to see your opinions. First of all I agree that putting LAN boxes on public IPs is not so smart, so I was thinking of some NATing so the users of the boxes could gain from having a public IP and security.
I have checked several ready-made servers based on Linux, like SME Server from e-smith, or diskless firewalls, but there is never a description of how to enable or how to do my solution. Please help.

Thanks in advance, Spinaker.

Gone with the wind...
 
Hey hey Spinaker. Good to see you post again about your situation.

Ok, first of all, how many floors / sections / apartments per floor in the apartment building? Simply put, you could probably assign one subnet for each section (with one IP for the gateway and 4 for apartments). This solution would provide a public IP for everyone that will go thru 2 routes to get to the internet

(block4) --- ( block4 switch) -------(main firewall/gateway)
/
(block3)----(block3 switch) --/

(block2)... etc...

I think it's good that you think first about how the configuration will be done. It may seem pointless, but after you're done, you will have a firm plan of action and an easier time configuring that firewall, and then the basic routing.

--Dave

_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
That was supposed to be "2 hops to the internet" and not 2 routes...

BTW, NATing is usually used when you have a shortage of public IP addresses, so that the gateway masquerades as the users on the LAN. If you have enough IP addresses for everyone, NATing becomes more of a security decision than anything else.

For example, when IPv6 hits, NATing may become a technique made obsolete by the ability to give an IP to everything.



_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
No No No! Lully, I'm sorry but I disagree.
NAT is not normally used as a method of metering out IP resources any more. It is a method of allowing a network architect to build a private IP space on their LAN of one or more network segments and to build the necessary internal controls to meter and route that traffic to each subnet and also to the Internet.

If I were given a Class C of public IPs (253 usable) to support a network of 10 PCs, I would STILL USE NAT. This allows for growth and change on the internal network without any mucking about with the public IPs I've been assigned.

MOST IMPORTANTLY, the use of NAT also allows the network architect to carefully control who reaches the Internet from inside, who reaches the inside from the Internet, which resources (bandwidth) can be expended for which tasks, and when those rules are in effect.

This is why I argued against the use of public IPs for internal hosts. The ISP may have a need to renumber the customer's allocation of IPs (for any reason) and you'd be stuck chasing around your LAN trying to renumber and rebuild your IPTables rules, etc. If you used NAT, you have perhaps only one device (the router) to reconfigure.

Spinaker has agreed that there's no utility in providing public IPs to his/her implementation. I would hate to see another reader view this thread and conclude that "using them because I have them" is an appropriate way to utilize public IPs. In fact, given the argument that IPv4 IPs are limited/scarce, it would be good 'Net citizenship to use only one (or the least number possible) IPs for the public port and use private IPs for your (boundless) local networking. Thus you would save IPs for other customers/users/netizens.

On another note, I agree with Lullysing's proposal to segment your users into subnets by some physical geography - using Private IPs, of course.

My $0.02

"Surfinbox Shares" - A fundraising program that builds revenue from dialup Internet users.
 
Ok lullysing, here is how it is:

ADSL  --- linux box --- managed switch --- apartments
modem          |                           (block1)
               |------- managed switch --- apartments
               |                           (block2)
               |------------------------- apartments
                                           (block3)

Managed switches are uplinked.
The Linux box has a DHCP server to manage basic users. I do not have enough switches, but it is simply the same method you talked about.

This is already my topology.

Now I need to implement an intranet server (I guess it can stand on the same Linux box as the firewall). I would like to have my own private server with email, FTP and WWW, which will have a different IP than the main traffic from the users (I guess I could use one of the four IPs I have), and one more user would like the same solution. The rest would be in reserve in case some more users would like to play with it or to put up other servers, like a game server or a file-sharing server.



Thanks in advance, Spinaker.

Gone with the wind...
 
At least put another NIC in the Linux firewall and route traffic that way.

ADSL -> eth0
Servers/DMZ -> eth1
Users/DHCP -> eth2

Use IPTABLES and the DHCP config to only respond to DHCP requests on eth2.
Use IPTABLES and ROUTE to only allow traffic eth0 <-> eth1 and eth0 <-> eth2, based upon IP.
You could potentially allow certain clients by IP or MAC to breach the DMZ from user space...

I really don't suggest running anything on the firewall - put together another $250 USD server in the DMZ for your email, www, etc.

"Surfinbox Shares" - A fundraising program that builds revenue from dialup Internet users.
 
I would say the main problem with NAT is that some things don't work, or work really funky thru NAT (for example, FTP). One possible way to work thru this would be the use of internal proxy servers, which could easily have the port redirected to them directly (FTP proxy, web proxy). I'll grok more on this a little bit later, as I'm kinda busy atm.

_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
mmm... the main reason that I figured it might be a good thing to have public IPs assigned to every apartment was because:

a) It would make managing things a whole lot simpler.
b) It would not affect compatibility with any kind of application (since essentially everyone is pretty much separate and the main gateway acts like a big-ass router).
c) Since apartments are a pretty much static platform and don't change much, it would be pretty easy to have sheets with the IP per apartment, subnet, etc.
d) It would feel kinda like if everybody was on dialup: everybody has their own IP, they don't have to worry about much stuff beyond whether their network card works, etc.

BUT

e) I do concur that if the ISP changed the allocations it would mean rethinking the network architecture, but apart from that, just rethink, reissue IP-per-apartment & subnet, reconfigure routing and it works again.
f) Security would be an issue, but each user would just have to deal with it on their own.


____________

I do realise that NATing as a security technique is a very sound practice. Hell, it's what I'm gonna do when the boys finally get off their fat asses and assign my fixed IP so I can run my servers on 3M ADSL with 1 fixed IP.

The reason it's so effective is because you might have a million people behind the NATbox, but to everybody on the internet there's only one guy doing a lot of unrelated requests everywhere. And there's also the fact that if you run absolutely no services on the NATbox, then it becomes much harder to actually get entrance to the internal network, banning trojans, bad port forwarding configs or man-in-the-middle attacks.

We would have to think about the restrictions (the method we put in place for the network) that would be imposed on the users, while considering configurability, usability, etc.

In other words, let's talk and grok some more.

- Spinaker, kudos for coming in here and exposing such a great brain teaser for us.

- Daver, let's grok some more. What do you think of the feasibility of application proxies in a NAT setting, for this particular case, or of a multiple-IP gateway redirecting directly to a host within the internal network (aka, anything sent to fee.foo.waa.116 gets redirected to 192.168.foo.bar)?


_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
Thanks guys for your replies, it's very nice to see that somebody cares; also you are all welcome for my teaser question.

As I read and read, I can see that a DMZ wouldn't be such a bad idea. Especially when thedaver mentioned allowance by MAC addresses, that would help keep it more secure, as of course I probably have some youngster hackers as my neighbours just waiting to compromise me :). That will be a hell of a job, but I am getting more and more positive on the DMZ solution.
Lullysing, I don't have enough IPs to assign them to every apartment; each apartment, by the way, ok 60% of them, has more than one box.

So that would be a waste, but from the theoretical point of view that would be a nice solution for everybody.

I'm not so experienced in the subject, but what about segmenting users, e.g. in my case by blocks, and setting up gateways in each block with a public IP? That would at least lower the amount of routing and NATing compared to the one-gateway solution.

Ok and now, I would like to ask you about some good configuration for the DMZ solution. I have the box and 3 NICs; should I look for some ready-made Linux firewall, or should I put on my own Linux and configure everything myself?
Any suggestions?


Thanks in advance, Spinaker.

Gone with the wind...
 
Spinaker, you're "this far" away from starting to incur billable consulting hours on this......... ;-)

Let's assume that you have some money and/or extra PCs available to build this network with linux.

Router/Firewall 1: Include 3 NICs, use Jay's Firewall
Use the public IP on the public NIC0 for ADSL. Assign all your public IPs to this NIC so that it answers for them. You can bind multiple IPs to the same NIC; this is a good thing.

Use network 10.0.0.0/8 on NIC1 with DHCP for your apartment users. DO NOT assign any public IPs to the apartment users. Load up the iptables modules to support FTP, IRC, ICQ, etc.

Create the DMZ from NIC2 using NAT/DNAT into network 192.168.0.0/16. As you get "colo" customers (and your own box) into the DMZ, you'll need to modify the firewall to match the public IP:port to the DMZ private IP:port. This is an excellent way to control the services on those boxes as well, to ensure that someone doesn't light up a rogue Gnutella super-server and blow away all your bandwidth.

You should consider the opportunity of adding another firewall between your current firewall and the DMZ. Why? You could add a rule to ignore traffic from 10./8 except by IP or MAC. This keeps the apartment kiddies away from your customers unless they enter through the public IP interface, which is what everybody else will be doing anyhow. You could go really nutty and build a complicated firewall here that only allows each IP to talk to the Internet or to itself. In this manner you'd go ahead and assign IPs one per "network segment". Assuming you'll only have a dozen or so "colo" customers, you could assign customer #1 IP 192.168.5.1/24 and customer #2 182.168.6.1/24. Then you build your routes and firewall rules such that you're creating a VLAN where the only egress from the colo customers is to the Internet. They can't bother each other and they cannot bother your apartment users.

This second firewall would also be eminently useful to constrain the aggregate bandwidth used by the servers. You could cap their bandwidth at 50% of your 2MB SDSL and ensure that everybody gets their money's worth.

Good luck. I need to end my role in this thread.

"Surfinbox Shares" - A fundraising program that builds revenue from dialup Internet users.
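The DMZ side of thedaver's design above (public IP:port published onto private DMZ IP:port, one segment per colo customer that may only reach the Internet, and a cap on the servers' share of the uplink) as an added example; it is not code from the thread, from Jay's Firewall or from any other product. It uses thedaver's numbering (NIC0/1/2 as eth0 = ADSL, eth1 = apartments, eth2 = DMZ). The service table, the 192.168.x.0/24 segments, the 1 Mbit cap and the FTP conntrack helper module name are assumed values; the public addresses are from the /29 quoted in the thread. With DRY_RUN=1 (the default) the commands are printed, not executed.

```shell
#!/bin/sh
# Added example: port-based publication of DMZ services, per-customer segment
# isolation and a bandwidth cap. eth0 = ADSL, eth1 = apartments, eth2 = DMZ.
# The table, segments, interface names and cap are assumed values. A FORWARD
# policy of DROP (set elsewhere) is assumed throughout.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2
LAN_NET=10.0.0.0/8
DMZ_CAP=1mbit                        # assumed: half of the 2 Mbit uplink
UPLINK=2mbit

# Constructed table: public_ip public_port dmz_ip dmz_port proto
DMZ_SERVICES='
213.150.48.146 25 192.168.5.1 25 tcp
213.150.48.146 80 192.168.5.1 80 tcp
213.150.48.147 21 192.168.6.1 21 tcp
'
# Constructed customer segments, one /24 each (thread: customer #1, #2).
DMZ_SEGMENTS='192.168.5.0/24 192.168.6.0/24'

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Replies and helper-tracked secondary connections (FTP data) must pass;
# the FTP helper is what lets active/passive FTP survive the DNAT.
dmz_baseline() {
    run modprobe nf_conntrack_ftp
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Publish exactly one public ip:port onto one DMZ ip:port. Ports not in the
# table are never DNATed, so they fall through to the DROP policy.
publish_service() {
    pub_ip="$1"; pub_port="$2"; dmz_ip="$3"; dmz_port="$4"; proto="$5"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "${dmz_ip}:${dmz_port}"
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p "$proto" -d "$dmz_ip" --dport "$dmz_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

publish_all() {
    printf '%s\n' "$DMZ_SERVICES" | while read -r pub_ip pub_port dmz_ip dmz_port proto; do
        [ -n "$pub_ip" ] || continue
        publish_service "$pub_ip" "$pub_port" "$dmz_ip" "$dmz_port" "$proto"
    done
}

# Each customer /24 may reach only the Internet: traffic to another segment
# or to the apartments is dropped, then the outbound accept follows.
isolate_segments() {
    for seg in $DMZ_SEGMENTS; do
        for other in $DMZ_SEGMENTS; do
            [ "$seg" = "$other" ] && continue
            run iptables -A FORWARD -s "$seg" -d "$other" -j DROP
        done
        run iptables -A FORWARD -i "$DMZ_IF" -s "$seg" -d "$LAN_NET" -j DROP
        run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$seg" -j ACCEPT
    done
}

# Cap the servers' share of the uplink with HTB: class 1:10 holds server
# traffic at DMZ_CAP, class 1:20 (the default) carries everyone else and may
# borrow up to the full uplink. Applied on both the DMZ-facing interface
# (traffic towards the servers) and the WAN interface (their uploads).
cap_dmz_bandwidth() {
    for dev in "$DMZ_IF" "$WAN_IF"; do
        run tc qdisc add dev "$dev" root handle 1: htb default 20
        run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$UPLINK"
        run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$DMZ_CAP" ceil "$DMZ_CAP"
        run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$DMZ_CAP" ceil "$UPLINK"
    done
    # u32 filters steer server traffic into class 1:10 by segment.
    for seg in $DMZ_SEGMENTS; do
        run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 match ip src "$seg" flowid 1:10
        run tc filter add dev "$DMZ_IF" parent 1: protocol ip prio 1 u32 match ip dst "$seg" flowid 1:10
    done
}

build_dmz() {
    dmz_baseline
    isolate_segments
    publish_all
    cap_dmz_bandwidth
}

build_dmz
```

The segment isolation only holds if the customer /24s actually pass through this box: two hosts on the same switch segment can talk to each other directly, regardless of FORWARD rules, unless they sit on separate ports or VLANs of the inner firewall. That is the reason thedaver proposes a second firewall rather than more rules on the first one.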
 
Thanks thedaver,
That helps me to be on the right tracks,
and as to the billable consulting hours, well i guess if there will be a possibility that we will meet one day, Chivas Regal 12 years old would be waiting. :)

Cheers, Robert. (Spinaker)
 