
Subnet question


Hugg

Technical User
May 29, 2001
Hi

I know how subnetting works, but here is a strange subnet configuration.
I am going to build a wireless net in which I want to control the communication between the users.

So I figured that I could make a TCP/IP network with a subnet mask that gives every subnet only two users.
But here is the strange thing: I will not have any routers in the subnets; the users will use the same default gateway.
In the firewall/router I have configured a forward of every protocol between users who are allowed to communicate with each other in the internal net.
The users can't change their configuration.

It works very well, but I have never seen a configuration like this and I think there may be trouble if I have more users than I tested with.

Can somebody tell me what could happen, or whether it will work?

 
Let's get one thing straight... without a router (of some type) you will not be able to pass packets. If you give the same default gateway to all users, most of them will be in the wrong subnet to even see the default gateway.

2 hosts per net is a /30 mask, or 255.255.255.252. This gives 1 address for the wire, 1 for broadcast and 2 hosts. It's commonly used on WAN connections as something akin to security, i.e. nobody can hang a W/S on *your* link and get an IP and login. Reality is a bit different, but it's still used just the same.

Controlling EVERY protocol is a big order once you remember that not only do you need to control the protocol (IP, TCP, HTTP, UDP etc.) but ALL the ports, which is roughly 2,000 well-known ports and a bunch of "custom" ports. It gets better!!! Say you want to block people playing music via the internet, so you block RealAudio ports. People then use MS Media Player, which is nasty because it will play the music using port 80 (HTTP) intentionally to get through your firewall. At this point you need to block at layer 4 and not 3. Fun huh?

MikeS "Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
Hi

Thanks for your answer.
First of all, I didn't believe it either, but it works.
I gave all test computers subnet mask 255.255.255.252 like you calculated and the default gateway 192.168.0.1.
In my firewall I said I have a subnet mask 255.255.255.0 in my internal net.
It worked perfectly.
Then I tried to connect from one of the test computers to the other, and I could see in the firewall log that a packet
was coming from one of the test computers and was forwarded to the other.
I am using a software firewall that is called "Enternet".
In that firewall I can traffic shape, and I want to traffic shape some of the protocols that are going between the computers and disallow others.
Out to the internet I use NAT.

 
Actually what you did is something called VLSM (variable length subnet masking), a fancy name for mixing subnet masks.

Think about what you did and yes, it would work.

First is that everyone is on the same subnet before a mask is applied: 192.168.0.x

Then you apply 255.255.255.0 to the gateway, which is a standard class C for the entire range of 192.168.0.x. So far so good. Then you take the SAME 192.168.0.x and apply it to the workstations, but with a mask of 255.255.255.252.

So far so good... As far as the gateway is concerned everyone is still on the same wire, because the /24 mask allows him to know all 254 addresses. Can workstations from one subnet range ping a different workstation on one of the other ranges *without* the gateway? I say not. The gateway (router) should allow it to ping across the subnets since he's legal for all 254.

Try it by changing the gateway to 192.168.1.1 and it should break.

VLSM is an interesting beast and a pain to keep straight in a production network. But it is a VERY useful way to share a subnet range without wasting IP address ranges.

I hope I have not too badly mangled the explanation. If so I can try to reword it, or you can read up on it on a few different web sites.

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
Hi

Thank you !

My configuration looks almost like VLSM, but the difference is that I use only one gateway address.

I found some info about VLSM, but it didn't say anything about using the same gateway address.
But it works, so it must be okay, I think.

It's true that you can't ping a workstation on the other subnets if you don't have the gateway.
All traffic must go through the firewall/router.

But if a user is a little hacker he could maybe change the subnet mask to 255.255.255.0 and then he can go directly to another subnet.

I will use a RADIUS server in the wireless net to prevent this.
I will check the MAC address and give the user the correct subnet mask, and he cannot change any configuration without being stopped from accessing the net.

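The behaviour MikeS describes (each workstation under a /30 while the gateway holds a /24) and the bypass Hugg worries about (a user widening his own mask to /24) both come down to the sender's on-link decision: a host ARPs directly for any destination inside its own (address, mask) network and hands everything else to the default gateway. The following Python script is an added illustration, not code from either poster; it uses only the addresses from the thread (192.168.0.1 as gateway, 192.168.0.x workstations) plus two constructed test workstations, 192.168.0.5 and 192.168.0.9, chosen to sit in different /30s. The `gateway_reachable` check is also an assumption of the example: it only reports whether the configured gateway lies inside the host's own /30, which is the concern MikeS raised in his first reply; whether a given OS still ARPs for an off-subnet gateway is not something the thread settles.

```python
import ipaddress

# Values taken from the thread.
GATEWAY = "192.168.0.1"
HOST_MASK = "255.255.255.252"   # the /30 handed to every workstation
GATEWAY_MASK = "255.255.255.0"  # the /24 the firewall/router uses on the internal net


def network_of(address: str, mask: str) -> ipaddress.IPv4Network:
    """Network an interface belongs to: the address with its host bits cleared."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def usable_hosts(mask: str) -> int:
    """Host addresses left once the network and broadcast addresses are removed."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").num_addresses - 2


def on_link(host: str, mask: str, dest: str) -> bool:
    """True if a host configured with (host, mask) treats dest as directly reachable,
    i.e. it ARPs for dest itself instead of sending the packet to the gateway."""
    return ipaddress.ip_address(dest) in network_of(host, mask)


def path(src: str, mask: str, dst: str, gateway: str = GATEWAY) -> list:
    """Hops a packet from src takes to dst, as decided by src's own mask."""
    if on_link(src, mask, dst):
        return [src, dst]
    return [src, gateway, dst]


def firewall_sees_traffic(src: str, mask: str, dst: str, gateway: str = GATEWAY) -> bool:
    """Forwarding policy at the firewall/router only applies when the gateway is on the path.
    A host that changes its mask to /24 sends directly and the policy never sees the packet."""
    return gateway in path(src, mask, dst, gateway)


def gateway_reachable(host: str, mask: str, gateway: str = GATEWAY) -> bool:
    """Constructed check: is the configured default gateway inside the host's own subnet?
    Under a /30 this holds only for hosts sharing the gateway's /30 (192.168.0.0/30)."""
    return on_link(host, mask, gateway)


if __name__ == "__main__":
    a, b = "192.168.0.5", "192.168.0.9"   # constructed workstations in different /30s
    print(usable_hosts(HOST_MASK))                              # 2
    print(network_of(a, HOST_MASK), network_of(b, HOST_MASK))   # 192.168.0.4/30 192.168.0.8/30
    print(path(a, HOST_MASK, b))           # ['192.168.0.5', '192.168.0.1', '192.168.0.9']
    print(path(a, GATEWAY_MASK, b))        # ['192.168.0.5', '192.168.0.9']  (policy bypassed)
    print(on_link(GATEWAY, GATEWAY_MASK, a), on_link(GATEWAY, GATEWAY_MASK, b))  # True True
    print(gateway_reachable(a, HOST_MASK), gateway_reachable("192.168.0.2", HOST_MASK))  # False True
```

The two `path` calls are the whole story: with the /30 the firewall is a mandatory hop between any two /30s, and only the firewall's /24 view lets it deliver the packet back onto the same wire; with a /24 on the client the same destination is on-link and the firewall log simply never records the flow, which is why the isolation depends on the client keeping the mask it was given.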
 
I have to admit that this is one of the more imaginative IP configs I've heard about :) Have fun with it!!!

MikeS
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
Hi

Yes, I know!
It's a little bit strange, but it has some interesting possibilities.

Thank you for your help!
 
We have learned that a router never considers the host portion of the IP address.

My silly confusion is: is it true that when assigning an IP address to any of a router's interfaces, we only declare a different network number, regardless of the host, to identify that interface?

These days I'm working on classless routing protocols, which require the subnet mask to be declared as well.
So if you could please clear up my concept from scratch, I would be out of this trouble. Thanks in advance.
 
Hey
This is some clever subnetting, well done and have fun!!!

Gazz555
As far as I know you need subnetting on routers.
The reason why I say this is:
Say you bought a few IP addresses, i.e. 210.176.89.194 mask 255.255.255.194. This will mean you only have 32 addresses.

You have to tell your router what he has to route, so your subnet does come into play.

Hope this helps
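The router-side view the last two posts circle around, as an added example that is not code from either poster: an interface is identified to the router by the network that its address and mask produce (host bits dropped), and a classless router forwards by longest-prefix match over those networks, which is why the mask has to be declared alongside the address. The interface names and the 10.x/192.0.2.x prefixes below are constructed for the example; the 32-address block uses 255.255.255.224, the contiguous mask that yields 32 addresses, and `valid_mask` shows that the `ipaddress` module rejects a mask whose bits are not contiguous.

```python
import ipaddress


def valid_mask(mask: str) -> bool:
    """A subnet mask must be contiguous one bits followed by zero bits;
    ipaddress raises ValueError for anything else."""
    try:
        ipaddress.ip_network(f"0.0.0.0/{mask}")
        return True
    except ValueError:
        return False


def interface_network(address: str, mask: str) -> ipaddress.IPv4Network:
    """The network a router interface identifies. Host bits are cleared, so the same
    address with a different mask names a different network."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def build_table(interfaces):
    """interfaces: iterable of (ifname, address, mask). Returns connected routes as
    (network, ifname) pairs, the way a router derives them from interface config."""
    return [(interface_network(addr, mask), name) for name, addr, mask in interfaces]


def lookup(table, dest: str):
    """Longest-prefix match over the connected routes; None means no route.
    Only network bits are compared, never the host portion of dest."""
    d = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, name) for net, name in table if d in net]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    # Constructed interface configuration for the demonstration.
    table = build_table([
        ("Ethernet0", "10.1.0.1", "255.255.0.0"),       # 10.1.0.0/16
        ("Serial0", "10.2.2.1", "255.255.255.252"),     # 10.2.2.0/30
        ("Ethernet1", "192.0.2.1", "255.255.255.0"),    # 192.0.2.0/24
    ])
    for net, name in table:
        print(name, net)
    print(lookup(table, "10.1.200.7"))   # Ethernet0
    print(lookup(table, "10.2.2.2"))     # Serial0
    print(lookup(table, "10.3.0.1"))     # None
    print(interface_network("210.176.89.194", "255.255.255.224"))  # 210.176.89.192/27, 32 addresses
    print(valid_mask("255.255.255.224"), valid_mask("255.255.255.194"))  # True False
```

Note how `interface_network("10.1.1.1", "255.255.255.0")` and `interface_network("10.1.1.1", "255.255.0.0")` are different networks: without the mask the router cannot tell which one the interface sits on, which is the gap a classless protocol closes by carrying the mask with every prefix.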
 