Forum section: General software and network (OS-independent software and network questions, X11, MTA, routing, etc.)
Router for external IP's
Hi,
Consider the following situation: the ISP sets up an OmniStack switch whose first port has, for example, 20 external IPs. I have an HP ProCurve 2650 switch. A cable goes from the OmniStack's first port to the ProCurve, and from the ProCurve a cable goes to the FreeBSD router's first NIC. The FreeBSD router has two NICs. The first NIC has, for example, the "ext1" IP address; in the natural situation I would give the second NIC one of the LAN IPs, and the servers that connect to the ProCurve switch could have a LAN IP and an EXT IP. But what do I do if I don't want to give a LAN IP to the FreeBSD router's second NIC? I don't want LAN IPs at all, I just want to make the FreeBSD router act as a router for the external IPs. In such a situation, what should I set for the second NIC of the FreeBSD router?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
*------------------------*
* ISP's OmniStack        *
*------------------------*
|Port 1 ; Port 2 ...     |
**************************

*---------------------*
* ProCurve            *
*---------------------*
|Port 1 ; Port 2 ...  |
***********************

*---------------------*
*FreeBSD router       *
*---------------------*
|NIC 1 ; NIC 2        |
***********************

OmniStack Port 1 has 20 external IPs. OmniStack's Port 1 connects to NIC 1, and the ProCurve connects to NIC 2. NIC 1 takes one external IP (19 external IPs left). Server1, Server2, ..., Server19 connect to the ProCurve too, and they need to have external IPs. What should I set for FreeBSD router NIC 2, and how should the rules look, to allow Server1-19 to have external IPs? Or should I forget NIC 2 and just connect everything to the ProCurve, without the ability to manage the servers through the FreeBSD router?
Last edited by bichumo; 18th July 2008 at 09:00 AM.
You can assign 1-on-1 internal to external IP addresses with PF's BINAT capability.
http://www.openbsd.org/faq/pf/nat.html#binat
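An added worked example of the binat approach suggested in the reply above (not code from the thread or from the OpenBSD FAQ): it pairs each server on a private LAN behind NIC 2 with one of the ISP's public addresses and emits the matching pf.conf and rc.conf lines. Interface names em0 (NIC 1, towards the ISP's OmniStack) and em1 (NIC 2, towards the ProCurve), the blocks 203.0.113.0/27 (standing in for the ISP's public range) and 10.0.0.0/27 (the private server LAN), and the ports 80/443 are all assumptions chosen for the example.

```python
import ipaddress

EXT_IF = "em0"   # NIC 1, cabled to the ISP's OmniStack (assumed name)
INT_IF = "em1"   # NIC 2, cabled to the ProCurve (assumed name)

# Constructed address blocks: 203.0.113.0/27 stands in for the ISP's public
# range and 10.0.0.0/27 for a private server LAN behind NIC 2.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/27")
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/27")
WEB_PORTS = "{ 80 443 }"   # example service ports exposed through the binat


def binat_pairs(public_net=PUBLIC_NET, private_net=PRIVATE_NET, reserved=1):
    """Pair private server addresses with public ones, one to one.

    The first `reserved` usable host of each block is kept for the router
    (NIC 1 takes the first public address, NIC 2 the first private one);
    the remaining hosts are paired in order, so 10.0.0.2 <-> 203.0.113.2.
    """
    pub = list(public_net.hosts())[reserved:]
    priv = list(private_net.hosts())[reserved:]
    return list(zip(priv, pub))


def rc_conf_aliases(pairs, ext_if=EXT_IF):
    """rc.conf(5) alias lines for every mapped public address.

    pf only rewrites packets the router actually receives. The public
    addresses live on the same segment as NIC 1, so NIC 1 must answer ARP
    for them; without these aliases the OmniStack never forwards the
    traffic to the router and the binat rules never see a packet.
    """
    return [
        f'ifconfig_{ext_if}_alias{i}="inet {pub} netmask 255.255.255.255"'
        for i, (_, pub) in enumerate(pairs)
    ]


def pf_conf(pairs, ext_if=EXT_IF, int_if=INT_IF, ports=WEB_PORTS):
    """Build a pf.conf with one binat rule per server plus filter rules."""
    servers = ", ".join(str(priv) for priv, _ in pairs)
    lines = [
        f'ext_if = "{ext_if}"',
        f'int_if = "{int_if}"',
        f"table <servers> {{ {servers} }}",
        "",
        "# 1:1 translation in both directions (pf.conf(5) binat)",
    ]
    lines += [f"binat on $ext_if from {priv} to any -> {pub}" for priv, pub in pairs]
    lines += [
        "",
        "block in all",
        "pass out quick keep state",
        "# Translation happens before filtering, so inbound rules must match",
        "# the *private* address, not the public one the client connected to.",
        f"pass in on $ext_if proto tcp from any to <servers> port {ports} keep state",
        "pass in on $int_if from $int_if:network keep state",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    mapping = binat_pairs()
    print("\n".join(rc_conf_aliases(mapping)))
    print()
    print(pf_conf(mapping))
```

The two things people most often get wrong with binat are the ones the comments flag: the router has to own every public address at layer 2 (hence the aliases on NIC 1), and inbound filter rules are written against the post-translation private address.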
I am only accustomed to simple analog, ISDN modem or ADSL setups. I wonder whether a switch can have 20 IP addresses assigned to it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
It's fibre channel.

OK, I'm done, everything runs fine for now; in love with ProCurve switches.
/16 is actually 256 Class C blocks, aka a Class B. I mention this because a few years back a client I consulted for decided to make this same reference to his ISP and BGP peer session. The ISP didn't vet this properly, propagated the erroneous /16, and as a result blackholed Microsoft for a short period of time (probably not a bad thing in hindsight, lol). It really highlighted the client's naivete... as you wouldn't announce anything smaller than a /24 over BGP in the first place, but that's another story. When in doubt about subnetting and CIDR, Wikipedia has a decent reference.
__________________
Network Firefighter
And yes, I have done it like you described ... but anyway I have NAT because not all internal machines are with real IPs (actually many of them don't need to be with real IPs; it is more secure).
Last edited by edhunter; 21st July 2008 at 09:34 AM.
Working with this stuff all the time... if I may make a few suggestions:
- Have your ISP configure a /30 connection to NIC1 of your FreeBSD router. That means the ISP gets the first usable host, and the FreeBSD router gets the second usable host. It is now your router gateway on your network.
- Have them route the /28 (assuming this, as that's the closest subnet to 20 addresses; it's 16 total, 14 usable, 13 for your servers, 2 for subnet boundaries) across the /30 connection. The first usable address in that /28 is the address of NIC2 as it connects to the ProCurve, and by definition, the rest of your servers.
- The servers take usable hosts 2-13 for their public addressing, using usable host 1, which is assigned to NIC2 of your FreeBSD router, as their default gateway.
- This completely eliminates the need for your FreeBSD router to do any kind of NAT, and lets the servers themselves use the actual public addressing within their individual systems (and application configurations). This, IMHO, makes life MUCH easier on a variety of fronts.
I can diagram this if my explanation isn't clear.
__________________
Network Firefighter
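An added worked example of the routed, NAT-free layout described in the post above (example code, not from the thread): it carves the /30 link and the routed server block exactly as listed there, then emits the rc.conf and pf.conf lines the FreeBSD router would need. It goes one step beyond the post by checking whether a given prefix length actually holds the requested number of servers, so the /28 from the post can be compared with a /27 for the 19 servers in the original question. 198.51.100.0/30 and 203.0.113.0/28 are RFC 5737 documentation prefixes chosen for the example, em0/em1 are assumed names for NIC 1/NIC 2, and the ports 22/80/443 are an assumption.

```python
import ipaddress

LINK_CIDR = "198.51.100.0/30"    # constructed: ISP <-> NIC 1 point-to-point link
SERVER_CIDR = "203.0.113.0/28"   # constructed: public block routed to NIC 2
EXT_IF, INT_IF = "em0", "em1"    # assumed names for NIC 1 and NIC 2


def address_plan(link_cidr=LINK_CIDR, server_cidr=SERVER_CIDR, server_count=13):
    """Carve the two blocks the way the post describes and return who gets what.

    Raises ValueError when the server block is too small, which is the
    check to run before asking the ISP for a particular prefix length.
    """
    link = ipaddress.ip_network(link_cidr)
    block = ipaddress.ip_network(server_cidr)
    link_hosts = list(link.hosts())
    if len(link_hosts) != 2:
        raise ValueError(f"{link_cidr}: the ISP link should be a /30 (two usable hosts)")
    block_hosts = list(block.hosts())
    spare = len(block_hosts) - 1       # first usable host is NIC 2, the gateway
    if server_count > spare:
        raise ValueError(f"{server_cidr}: {spare} usable addresses for servers, need {server_count}")
    return {
        "isp_side": link_hosts[0],          # first usable host: the ISP's router
        "router_nic1": link_hosts[1],       # second usable host: our NIC 1
        "link_netmask": link.netmask,
        "router_nic2": block_hosts[0],      # the servers' default gateway
        "server_netmask": block.netmask,
        "servers": block_hosts[1:1 + server_count],
        "broadcast": block.broadcast_address,
    }


def rc_conf(plan, ext_if=EXT_IF, int_if=INT_IF):
    """rc.conf(5) lines: interface addresses, forwarding, and the default route."""
    return "\n".join([
        f'ifconfig_{ext_if}="inet {plan["router_nic1"]} netmask {plan["link_netmask"]}"',
        f'ifconfig_{int_if}="inet {plan["router_nic2"]} netmask {plan["server_netmask"]}"',
        f'defaultrouter="{plan["isp_side"]}"',
        'gateway_enable="YES"     # sets net.inet.ip.forwarding=1 to route between the NICs',
        'pf_enable="YES"',
    ])


def pf_conf(plan, ext_if=EXT_IF, int_if=INT_IF, ports="{ 22 80 443 }"):
    """A NAT-free pf.conf: the router only filters, there is no nat/binat at all."""
    servers = ", ".join(str(s) for s in plan["servers"])
    return "\n".join([
        f'ext_if = "{ext_if}"',
        f'int_if = "{int_if}"',
        f"table <servers> {{ {servers} }}",
        "",
        "block in all",
        "pass out quick keep state",
        "# Public addresses end to end: filter rules name the real server address.",
        f"pass in on $ext_if proto tcp from any to <servers> port {ports} keep state",
        "pass in on $int_if from <servers> keep state",
    ])


if __name__ == "__main__":
    plan = address_plan()
    print(rc_conf(plan))
    print()
    print(pf_conf(plan))
```

Because nothing is translated, the server addresses in the pf table are the same ones the servers configure on their own interfaces, which is the simplification the post is arguing for.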
The /30, when used as a gateway to a network, does not need to be public. You won't be able to reach those specific interfaces from the general Internet (so things like traceroutes will look odd), but that's not really an issue.
Now, in regard to your comment about NAT being more secure: unless it's many-to-one, it's not any more secure. NAT is meant to emulate the behavior of publicly-addressed networking, so the security still comes down to the firewalling you employ to protect those assets. A poorly firewalled NAT translation is less secure than a well-firewalled public address. The only time a NAT translation is desirable from a security standpoint is when it's a many-to-one NAT situation, where one public gateway address handles translations for everything behind it. This is the typical case for residential Internet connections. Even then, a well-crafted firewall rule set will accomplish the same level of security. Normally NAT in non-residential setups (specifically one-to-one NAT) just adds a layer of complexity, not necessarily security.
__________________
Network Firefighter