DaemonForums  

#1
17th July 2008
bichumo
Port Guard

Join Date: May 2008
Posts: 21
Thanked 0 Times in 0 Posts
Router for external IP's

Hi,

Consider such a situation:

ISP sets up OmniStack switch in which the first port has for example 20 external IP's.
I have an HP ProCurve 2650 switch. A cable goes from the OmniStack's first port to the ProCurve, and from the ProCurve a cable goes to the FreeBSD router's first NIC. The FreeBSD router has two NICs. The first NIC has, for example, the "ext1" IP address; in the natural situation I would give the second NIC one of the LAN IPs, and the servers which connect to the ProCurve switch could have a LAN IP and an EXT IP. But what should I do if I don't want to give a LAN IP to the FreeBSD router's second NIC? I don't want LAN IPs at all, I just want to make the FreeBSD router act like a router for the external IPs. In such a situation, what should I set for the second NIC of the FreeBSD router?
#2
17th July 2008
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,150
Thanked 182 Times in 149 Posts

  • Assign the external NIC of the FreeBSD router all 20 addresses. First address as normal, the other 19 as alias.
  • Use a RFC 1918 address from 10/8 or 192.168/16 for the internal NIC and your LAN.
  • On the same FBSD router configure a packet filter like pf which has Network Address Translation capabilities.

    Outgoing connections, initiated by your LAN clients, will now use one of the 20 external IP addresses.

    See http://www.openbsd.org/faq/pf/nat.html
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
18th July 2008
bichumo
Port Guard

Join Date: May 2008
Posts: 21
Thanked 0 Times in 0 Posts

*------------------------*
* ISP's OmniStack *
*------------------------*
|Port 1 ; Port 2 ... |
*******************

*---------------------*
* ProCurve *
*---------------------*
|Port 1 ; Port 2 ... |
*****************

*---------------------*
*FreeBSD router *
*---------------------*
|NIC 1 ; NIC 2 |
*****************

OmniStack Port 1 has 20 external IPs. OmniStack's Port 1 connects to NIC 1, and the ProCurve connects to NIC 2. NIC 1 takes one external IP (19 external IPs left). Server1, Server2, ..., Server19 connect to the ProCurve too and they need to have external IPs. What should I set for FreeBSD router NIC 2, and how should the rules look, to allow Server1-19 to have external IPs? Or should I forget NIC 2 and just connect everything to the ProCurve, without the ability to manage the servers through the FreeBSD router?

Last edited by bichumo; 18th July 2008 at 09:00 AM.
#4
18th July 2008
Inty
New User

Join Date: May 2008
Location: Netherlands
Posts: 6
Thanked 0 Times in 0 Posts

You can assign 1-on-1 internal to external IP addresses with PF's BINAT capability.

http://www.openbsd.org/faq/pf/nat.html#binat
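An added example pf.conf (not from this thread or any of its posters) that puts posts #2 and #4 together: the 20 public addresses live on the external NIC as aliases, the LAN is RFC 1918, servers that need their own public address get a 1:1 binat mapping, and everyone else shares one address through nat. Interface names, the 203.0.113.0/24 documentation prefix standing in for the ISP's addresses, and the 192.168.1.0/24 LAN are assumptions; the syntax is the nat/binat style FreeBSD's pf used in 2008.

```pf
# Added example, not from the thread. Assumed layout:
#   em0 = external NIC, 203.0.113.1 plus aliases .2-.20 (ISP's 20 addresses)
#   em1 = internal NIC, 192.168.1.1/24 (RFC 1918 LAN, as post #2 suggests)
# The aliases are set outside pf, e.g. in /etc/rc.conf:
#   ifconfig_em0="inet 203.0.113.1 netmask 255.255.255.0"   # mask as given by ISP
#   ifconfig_em0_alias0="inet 203.0.113.2 netmask 255.255.255.255"
#   ... one alias line per remaining address ...
#   gateway_enable="YES"
#   pf_enable="YES"

ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Hosts that need a public address of their own (post #4: 1:1 with binat).
srv1_int = "192.168.1.10"
srv1_ext = "203.0.113.2"
srv2_int = "192.168.1.11"
srv2_ext = "203.0.113.3"

set skip on lo0
scrub in all

# binat is bidirectional: srv1 is reachable from outside as 203.0.113.2 and
# its own outbound connections leave the router with that source address.
binat on $ext_if from $srv1_int to any -> $srv1_ext
binat on $ext_if from $srv2_int to any -> $srv2_ext

# Everything else on the LAN shares one external address (post #2).
nat on $ext_if from $lan to any -> 203.0.113.1

# Translation is not access control: default deny, then open only the
# services each server actually publishes. Translation happens before
# filtering, so inbound rules on $ext_if match the internal address.
block in log all
antispoof quick for $int_if

pass out on $ext_if keep state
pass in on $int_if from $lan keep state

pass in on $ext_if proto tcp from any to $srv1_int port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $srv2_int port 22 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -s state` shows which translations are in use.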
#5
18th July 2008
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,150
Thanked 182 Times in 149 Posts

I am only accustomed to simple analog, ISDN modem or ADSL setups. I wonder whether a switch can have 20 IP addresses assigned to it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#6
20th July 2008
bichumo
Port Guard

Join Date: May 2008
Posts: 21
Thanked 0 Times in 0 Posts

It's fibre channel. OK, I'm done, everything runs fine for now; in love with ProCurve switches.
#7
20th July 2008
edhunter
Real Name: Georgi Iovchev
Port Guard

Join Date: May 2008
Location: Sofia, Bulgaria
Posts: 41
Thanked 0 Times in 0 Posts

Does your ISP provide you only with 20 IPs from the same network, or do you have an additional IP only for your FreeBSD router to connect to your ISP gateway?

I am asking because I have a similar situation: from the ISP I have 16 IPs (mask /16), but I have an additional IP for connecting to his GW...
Write me if you need to see how I did it in my case.

Last edited by edhunter; 20th July 2008 at 06:48 PM.
#8
20th July 2008
ai-danno
Spam Deminer

Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts

Working with this stuff all the time... if I may make a few suggestions:

- Have your ISP configure a /30 connection to NIC1 of your FreeBSD router. That means the ISP gets the first usable host, and the FreeBSD router gets the second usable host. It is now your router gateway on your network.

- Have them route the /28 (assuming this, as that's the closest subnet to 20 addresses: it's 16 total, 14 usable, 13 for your servers, 2 for subnet boundaries) across the /30 connection. The first usable address in that /28 is the address of NIC2 as it connects to the ProCurve, and by definition, the rest of your servers.

- The servers take usable hosts 2-13 for their public addressing, using usable host 1 that's assigned to NIC2 of your FreeBSD router as their default gateway.

- This completely eliminates the need for your FreeBSD router to do any kind of NAT, and lets the servers themselves use the actual public addressing within their individual systems (and application configurations). This, IMHO, makes life MUCH easier on a variety of fronts.

I can diagram this if my explanation isn't clear.
__________________
Network Firefighter
#9
20th July 2008
ai-danno
Spam Deminer

Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts

Quote:
Originally Posted by edhunter
Does your ISP provide you only with 20 IPs from the same network, or do you have an additional IP only for your FreeBSD router to connect to your ISP gateway?

I am asking because I have a similar situation: from the ISP I have 16 IPs (mask /16), but I have an additional IP for connecting to his GW...
Write me if you need to see how I did it in my case.
Not to nitpick, but the way you are describing your subnet is not correct: 16 addresses is a /28 (255.255.255.240 subnet mask).

A /16 is actually 256 Class C blocks, aka a Class B.

I make mention of this because a few years back a client I consulted for decided to make this same reference to his ISP and BGP peer session. The ISP didn't vet this properly, propagated the erroneous /16, and as a result blackholed Microsoft for a short period of time (probably not a bad thing in hindsight lol.) It really highlighted the client's naivete... as you wouldn't announce anything smaller than a /24 over BGP in the first place, but that's another story.

When in doubt about subnetting and CIDR, Wikipedia has a decent reference.
__________________
Network Firefighter
#10
21st July 2008
edhunter
Real Name: Georgi Iovchev
Port Guard

Join Date: May 2008
Location: Sofia, Bulgaria
Posts: 41
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by ai-danno
Not to nitpick, but the way you are describing your subnet is not correct: 16 addresses is a /28 (255.255.255.240 subnet mask).
Oops, typo; the mask is really /28.

Quote:
Originally Posted by ai-danno
I make mention of this because a few years back a client I consulted for decided to make this same reference to his ISP and BGP peer session. The ISP didn't vet this properly, propagated the erroneous /16, and as a result blackholed Microsoft for a short period of time (probably not a bad thing in hindsight lol.) It really highlighted the client's naivete... as you wouldn't announce anything smaller than a /24 over BGP in the first place, but that's another story.
))) ... so far I am not using BGP.


And yes, I have done it like you described... but anyway I have NAT because not all internal machines are with real IPs (actually many of them don't need to be with real IPs; it is more secure).

Last edited by edhunter; 21st July 2008 at 09:34 AM.
#11
21st July 2008
edhunter
Real Name: Georgi Iovchev
Port Guard

Join Date: May 2008
Location: Sofia, Bulgaria
Posts: 41
Thanked 0 Times in 0 Posts

ai-danno, may I ask a question about the /30 mask...
bichumo, sorry for... "stealing" your thread.

Does the /30 network have to be with real addresses?
The reason I ask is because first my ISP gave me a /30 network from private IPs: 10.10.11.0/30 (10.10.11.2 for me and 10.10.11.1 for the GW). And I didn't have Internet (I tried different tactics with adding routes and /32 IP addresses but didn't have much luck). Later he gave me real IPs for the /30 network and everything was fine.

Last edited by edhunter; 21st July 2008 at 09:38 AM.
#12
22nd July 2008
ai-danno
Spam Deminer

Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Thanked 35 Times in 31 Posts

The /30 when used as a gateway to a network does not need to be public. You won't be able to reach those specific interfaces from the general internet (so things like traceroutes will look odd), but that's not really an issue.

Now in regards to your comment about NAT being more secure... unless it's many-to-one, it's not any more secure. NAT is meant to emulate the behavior of publicly-addressed networking, so the security still comes down to the firewalling you employ to protect those assets. A poorly firewalled NAT translation is less secure than a well-firewalled public address.

The only time a NAT translation is desirable from a security standpoint is when it's a many-to-one NAT situation where one public gateway address handles translations for everything behind it. This is the typical case for residential Internet connections. Even then, a well-crafted firewall rule set will accomplish the same level of security. Normally NAT in non-residential setups (specifically one-to-one NAT) just adds a layer of complexity, not necessarily security.
__________________
Network Firefighter
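An added example ruleset (not from this thread or any of its posters) for the routed, NAT-free design of post #8, written with post #12's point in mind that without NAT the packet filter is the only thing protecting the servers. The interface names, the 203.0.113.0/30 link, the 203.0.113.16/28 server block and the server roles are constructed assumptions; the syntax is the 2008-era pf style.

```pf
# Added example, not from the thread. Assumed (constructed) numbering:
#   em0 (NIC1): 203.0.113.2/30, ISP side is 203.0.113.1 (default route)
#   em1 (NIC2): 203.0.113.17/28, first usable of 203.0.113.16/28 and the
#               servers' default gateway; servers use .18-.30
# Outside pf, in /etc/rc.conf:
#   ifconfig_em0="inet 203.0.113.2 netmask 255.255.255.252"
#   ifconfig_em1="inet 203.0.113.17 netmask 255.255.255.240"
#   defaultrouter="203.0.113.1"
#   gateway_enable="YES"
#   pf_enable="YES"
# The ISP routes 203.0.113.16/28 to 203.0.113.2, so no translation at all.

ext_if  = "em0"
srv_if  = "em1"
srv_net = "203.0.113.16/28"

# Group servers by the service they publish (assumed roles).
table <web>  { 203.0.113.18, 203.0.113.19 }
table <mail> { 203.0.113.20 }

set skip on lo0
scrub in all

# Default deny inbound on every interface; state rules below open what is needed.
block in log all

# Packets arriving on the outside that claim a server-block source are forged.
antispoof quick for $srv_if

# Allow ping through for diagnostics; ICMP is otherwise covered by the block.
pass in on $ext_if inet proto icmp from any to any icmp-type echoreq keep state

# Inbound from the Internet: only the published services, per server group.
pass in on $ext_if proto tcp from any to <web>  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to <mail> port { 25, 587 } flags S/SA keep state

# Servers may open outbound connections; the state entry admits the replies.
pass in on $srv_if from $srv_net to any keep state
pass out on $ext_if keep state
pass out on $srv_if keep state
```

`pfctl -s rules -v` and `pfctl -s states` confirm that inbound hits on the servers only match the explicit service rules; anything else shows up in the `block in log` counters.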