DaemonForums  

#1
Old 10th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 8,027
Get thee to a /30

Code:
    Windows:
    I was the more deceiv'd.

    Hamlet:
    Get thee to a /30, why wouldst thou be a breeder of sinners?

    --
    Hamlet Act 3, scene 1, 120–121, revised.
Last month, in response to an ICMP issue, rocket357 had posted:
Quote:
Originally Posted by rocket357
...the easiest way to deal with Windows is to assign each Windows box its own private /30 on your network and be done with it =)
I am intrigued. This seems like a great idea-- each workstation gets its own NAT translation and the benefit of never receiving any unsolicited packets, not just from the Internet, but from local sources.

I anticipate a somewhat complicated dhcpd configuration, but I wonder if there are any ARP issues that might arise from mapping multiple IP subnets onto a single Ethernet segment.
#2
Old 10th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 8,027

Well, at least it won't be an issue for dhcpd(8). From dhcpd.conf(5):
Quote:
Some installations have physical networks on which more than one IP subnet operates. For example, if there is a site-wide requirement that 8-bit subnet masks be used, but a department with a single physical Ethernet network expands to the point where it has more than 254 nodes, it may be necessary to run two 8-bit subnets on the same Ethernet until such time as a new physical network can be added. In this case, the subnet declarations for these two networks may be enclosed in a shared-network declaration.
#3
Old 10th July 2013
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,319

Quote:
Originally Posted by jggimi
...each workstation gets its own NAT translation and the benefit of never receiving any unsolicited packets, not just from the Internet, but from local sources.
...
I anticipate a somewhat complicated dhcpd configuration, but I wonder if there are any ARP issues that might arise from mapping multiple IP subnets onto a single Ethernet segment.
As you already asserted, partitioning clients into their own subnets shields them from any broadcast traffic occurring in any other subnet. Does this have any ill effect? Nothing of which I am aware.

The router(s) separating these subnets from their supplying DHCP servers will need to be configured to allow DHCP requests to traverse subnets since by definition, routers will not forward DHCP traffic.
#4
Old 10th July 2013
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,319

You might be interested in the following which attempts to answer the question of balancing broadcast & multicast traffic:

http://www.google.com/url?sa=t&rct=j...48705608,d.cGE

FWIW.

Last edited by ocicat; 10th July 2013 at 05:30 PM. Reason: Corrected URL
#5
Old 10th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 8,027

Thank you, ocicat. In my perceived use case, dhcrelay(8) would not be needed. Each Ethernet segment would have a NIC attached to a router running dhcpd with applicable shared-network clause(s) configured.

(You may wish to edit the URL in the link you provided. There are several extraneous characters following the file name.)
#6
Old 10th July 2013
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,319

Quote:
Originally Posted by jggimi
(You may wish to edit the URL in the link you provided. There are several extraneous characters following the file name.)
Done. Thanks.
#7
Old 10th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 8,027

Quote:
Originally Posted by ocicat
[This topology] shields them from any broadcast traffic occurring in any other subnet.
Yes and no. It won't shield them from open broadcasts on the Ethernet segment, such as DHCP discovery requests, and of course it can't shield them from any non-IP datagrams that reach their NICs.

The IP shielding may eliminate some necessary NetBIOS functionality -- local name queries broadcast over UDP come to mind. I don't know much about Microsoft Networking but I assume a WINS server could provide the same capabilities.
#8
Old 11th July 2013
marcolino
Real Name: Mark
Custom Title Maker
Join Date: May 2008
Location: At the Mountains of Madness
Posts: 128

Why stop at /30? Go with /31!

(I know, it's impossible. I'm joking.)
__________________
That's nothing a couple o' pints wouldn't fix.
#9
Old 11th July 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,164

According to RFC 3021 you can use a /31 on a point-to-point link.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Old 11th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 8,027

Just in case anyone wants to know, a /30 is the smallest IP subnet on a multi-point network. It has four IP addresses: a network address used for routing, two assignable IP addresses -- one for the connected device and one for the router, and a broadcast address.

Smaller subnets are possible, in certain instances:
  • /31 subnets (two IP addresses) may be possible for point-to-point network segments. (You can find examples of /31 implementations by searching the Internet, but I have never tested one.)
  • /32 subnets (one IP address) are usable with loopback and alias addresses.
Old 12th July 2013
marcolino
Real Name: Mark
Custom Title Maker
Join Date: May 2008
Location: At the Mountains of Madness
Posts: 128

That's one reason why I come here - impromptu lessons. Thanks, J65nko and jggimi for teaching me something new today!

Now, I better go home before my brain overflows.
__________________
That's nothing a couple o' pints wouldn't fix.

Last edited by marcolino; 12th July 2013 at 01:07 PM. Reason: Emoticons
Old 13th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 8,027

In testing, it seemed easy, just worked, and did not require any 802.1Q VLAN configuration at all.

The router just needs aliases assigned for each extra subnet, such as 10.1.1.1/30, 10.1.1.5/30, 10.1.1.9/30... and so on. The dhcpd.conf needs the network address of each subnet. Here, for example, is the configuration for a network with two /30s:

10.1.1.0, with the router at 10.1.1.1 and the device at 10.1.1.2, broadcast at 10.1.1.3.

10.1.1.4, with the router at 10.1.1.5 and the device at 10.1.1.6, broadcast at 10.1.1.7.
Code:
shared-network LAN {
    # Both /30s sit on the same Ethernet segment, so they are declared
    # inside one shared-network. A client's fixed-address decides which
    # subnet's options (here, the default router) it receives.
    subnet 10.1.1.0 netmask 255.255.255.252 {
        option routers 10.1.1.1;    # router's primary address on the segment

        host one {
            hardware ethernet 00:00:00:00:00:01;
            fixed-address 10.1.1.2;  # the only assignable address besides the router
        }
    }

    subnet 10.1.1.4 netmask 255.255.255.252 {
        option routers 10.1.1.5;    # router alias for the second /30

        host two {
            hardware ethernet 00:00:00:00:00:02;
            fixed-address 10.1.1.6;
        }
    }
}
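As an added example (not code from this thread, nor from OpenBSD), the Python script below generalizes the two-host configuration in the post above to any number of workstations. It carves a parent prefix into per-host /30s, labels the four addresses of each block the way jggimi's earlier post describes them (network, router, device, broadcast), and emits both the hostname.if(5) lines for the router's inside interface and the matching dhcpd.conf(5) shared-network. The parent prefix 10.1.1.0/24, the shared-network name LAN, the interface name and the MAC addresses are assumptions constructed for the example. It also rejects the two requests the scheme cannot satisfy: a parent smaller than a /30, and more hosts than the parent holds /30s.

```python
# Added example: per-host /30 allocation on one shared Ethernet segment, plus
# the OpenBSD router aliases and dhcpd.conf(5) shared-network that match it.
# Not code from the forum thread or from OpenBSD. The parent prefix, the
# shared-network name and the MAC addresses below are constructed assumptions.
import ipaddress
from typing import Dict, List

# Constructed sample input: one Windows workstation per entry, keyed by the
# host name that will appear in dhcpd.conf.
HOSTS: Dict[str, str] = {
    "one": "00:00:00:00:00:01",
    "two": "00:00:00:00:00:02",
    "three": "00:00:00:00:00:03",
}

NETMASK = "255.255.255.252"  # dotted form of a /30


def carve_slash30s(parent: str, names: List[str]) -> Dict[str, Dict[str, str]]:
    """Assign one /30 per name, in order, out of the parent prefix.

    Every /30 holds exactly four addresses: the network address, the router
    (first assignable), the device (second assignable) and the broadcast.
    Raises ValueError if the parent is smaller than a /30 or cannot hold one
    /30 per requested name.
    """
    net = ipaddress.ip_network(parent, strict=True)
    if net.prefixlen > 30:
        raise ValueError(f"{parent} is smaller than a /30; nothing to carve")
    # subnets(new_prefix=30) refuses a prefix equal to the parent's own, so a
    # /30 parent is its single block.
    blocks = [net] if net.prefixlen == 30 else list(net.subnets(new_prefix=30))
    if len(names) > len(blocks):
        raise ValueError(
            f"{parent} holds {len(blocks)} /30s but {len(names)} hosts were requested"
        )
    plan: Dict[str, Dict[str, str]] = {}
    for name, block in zip(names, blocks):
        router, device = block.hosts()  # the two assignable addresses of a /30
        plan[name] = {
            "cidr": str(block),
            "network": str(block.network_address),
            "router": str(router),
            "device": str(device),
            "broadcast": str(block.broadcast_address),
        }
    return plan


def hostname_if_lines(plan: Dict[str, Dict[str, str]]) -> List[str]:
    """hostname.if(5) lines for the router's inside interface: the first /30's
    router address is the primary address, every further one is an alias."""
    lines: List[str] = []
    for i, entry in enumerate(plan.values()):
        keyword = "inet" if i == 0 else "inet alias"
        lines.append(f"{keyword} {entry['router']} {NETMASK}")
    return lines


def dhcpd_shared_network(
    plan: Dict[str, Dict[str, str]], macs: Dict[str, str], name: str = "LAN"
) -> str:
    """Render a dhcpd.conf(5) shared-network: one subnet declaration per /30,
    each with its own default router and a single fixed-address host entry."""
    out = [f"shared-network {name} {{"]
    for host, entry in plan.items():
        out += [
            f"    subnet {entry['network']} netmask {NETMASK} {{",
            f"        option routers {entry['router']};",
            "",
            f"        host {host} {{",
            f"            hardware ethernet {macs[host]};",
            f"            fixed-address {entry['device']};",
            "        }",
            "    }",
            "",
        ]
    out.pop()  # drop the blank after the last subnet
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    plan = carve_slash30s("10.1.1.0/24", list(HOSTS))
    print("# /etc/hostname.em1 (interface name assumed)")
    print("\n".join(hostname_if_lines(plan)))
    print()
    print("# /etc/dhcpd.conf")
    print(dhcpd_shared_network(plan, HOSTS), end="")
```

Run as-is it prints the router's interface configuration followed by the dhcpd.conf fragment; the first two hosts come out with exactly the addresses used in the posts above (router 10.1.1.1 and device 10.1.1.2, router 10.1.1.5 and device 10.1.1.6), and the third gets 10.1.1.8/30. Because the parent is checked with strict=True, a parent written with host bits set (such as 10.1.1.1/24) is rejected before any allocation happens.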
Old 13th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 8,027

Here's a routing table from host "two", which is using 10.1.1.6. You can see the network address 10.1.1.4, and the default gateway 10.1.1.5 (an alias address on the router):
Code:
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.1.1.5           UGS        0        7     -     8 em0  
10.1.1.4/30        link#1             UC         1        0     -     4 em0  
10.1.1.5           00:00:00:00:00:03  UHLc       1        0     -     4 em0  
10.1.1.6           127.0.0.1          UGS        0        0 33192     8 lo0  
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0  
127.0.0.1          127.0.0.1          UH         2       24 33192     4 lo0  
224/4              127.0.0.1          URS        0        0 33192     8 lo0
Old 14th July 2013
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

My configuration is documented (at least partially) here.

dhcpd wasn't that bad, and all of the inter-Windows communications must take place via firewall rules on my OpenBSD firewall (quite convenient, IMHO). Since Windows doesn't have to bother with L2 (other than getting traffic to the gateway), I don't have to worry about ARP or any other silliness. My OpenBSD firewall has a fun routing table (the ARP table is still the same size it was before, I believe), but other than that the Windows hosts believe they're the only hosts on their physical network. The only real complication is monitoring (iftop -NPi $interface doesn't show ALL NIC traffic, as you'd expect... you have to monitor per-VLAN). =)

Pretty neat, since I'd actually lost sleep worrying that my daughter would get her Win7 box infected and that would lead to my wife's Win7 box getting infected as well. Now I just need a VLAN-capable wireless router (my access point is running dd-wrt (won't run openwrt), but this build of dd-wrt for this exact model has to have ipv6, vlans, and a bunch of other stuff turned off to fit).

Edit: didn't notice jggimi had quoted me with the embedded link to my LQ blog entry outlining this layout. Sorry for the double-link heh.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.

Last edited by rocket357; 15th July 2013 at 12:18 AM.