Another ISP thread...

Jima jima at beer.tclug.org
Fri Apr 26 18:49:33 MDT 2013


  I agree with most of Corey's outline.  Just to throw a few minor 
points in...

On 2013-04-25 14:53, Corey Edwards wrote:
> On 04/24/2013 06:41 PM, Tod Hansmann wrote:
>> Having not slept since Monday night, all of this is making less and less
>> sense as we go.  I may well need a diagram to clear it up after I get
>> some sleep.  My mind just keeps going in circles usually because I
>> somehow get thinking about point-to-point T1s as an example of
>> something, and then can't remember what.
>
> You're on the right track. Maybe I can get you the rest of the way there.
>
> For this example, let's say that your ISP assigns you a /28 of IP
> addresses, 192.0.2.0/28. Your usable range is 14 addresses, .1 to .14.
> There are two ways to do this.
>
> Setup A:
>
> ISP Router ---- 192.0.2.0/28 ---- Your Router ---- 192.168.0.0/24
>      192.0.2.1               192.0.2.2    192.168.0.1
>
> In this case, the ISP takes one of the IPs in your range (192.0.2.1),
> you take the second on your WAN interface (192.0.2.2) and then you have
> a separate range on your LAN (192.168.0.0/24). This would presume you
> use NAT, since you can't also put the /28 on your LAN. The only way to
> get addresses from the /28 onto your LAN is through a one-to-one NAT or
> proxy ARP or some other funny business. You can only use .3 to .14 this way.

  The architectural alternative for this model is to put a network 
switch between your CPE (cable/DSL/fiber optic "modem") and whatever 
device is providing the NATted network, for a DMZ (De-Militarized Zone). 
  Want to put a server in the /28?  Plug it into that switch (or into 
the right VLAN if you're weird like me).  With this model the only 
firewalling options for the DMZ are host-based-only or with a 
transparent bridge.

  Regarding "presume you use NAT," there are people who specifically get 
a static IP block in order to eliminate NAT from their house.  As much 
as I hate NAT (I'm an IPv6 advocate; the two often go hand in hand), 
it's become a necessary evil with IPv4 -- I did the math just now, and 
found I'd need at least a /25 (125 usable IPs) at home to avoid it. 
Yeah, not worth it.

> Setup B:
>
> ISP Router ---- 192.1.2.0/30 ---- Your Router ---- 192.0.2.0/28
>      192.1.2.1               192.1.2.2    192.0.2.1
>
> This would be the routed case which Jima and Steve are advocating (and
> for the record, the one I prefer as well). The ISP assigns you a
> separate /30 for your connection (192.1.2.0/30). This frees up 192.0.2.1
> and 192.0.2.2 for the LAN and doesn't require anything aside from
> standard routing. You *can* NAT if you want, but you don't *have* to.
> This is typically how T1s (and OC3s, etc) are set up, which is probably
> why it came to mind for you. In the case of a point-to-multipoint setup,
> you might have a larger subnet instead of the /30, but the same
> principle would apply.

  A couple fairly nitpick-y points here:

1) From the /28's perspective, .1 is not freed up -- it (or another IP) 
still needs to be used as the gateway address (unless you're doing some 
NAT shenanigans).

2) From the internet's perspective, you actually gained 5 IPs for 
various use -- .0, .1, .2, .15, AND the IP from your point-to-point 
subnet.  You can use these IPs for different NAT rules on your 
firewall/router -- unless very specifically configured to filter them 
(which would be fairly uncommon, IME), the router upstream of yours 
doesn't technically know (or care) that .0, .1, and .15 are "special" 
addresses.  From the /28's viewpoint, .0 and .15 are the 
network/broadcast addresses, so you can't abuse them in that context.

3) While with Setup A you'd normally lose an IP from your /28 to your 
NAT device, with Setup B you can do the NAT on the same device that 
routes the /28, freeing one more IP for other use.  (You can typically 
translate the outgoing traffic to the point-to-point IP, or any IP from 
the /28, including the reserved addresses above.)

4) As Corey touched upon, my "point-to-point" subnet at home is in fact a 
/24; for 90+% of discussions this detail is irrelevant, though. 
(Xmission throws all of us UTOPIA jerks with static blocks in this /24, 
I've been told.)

  Standard disclaimers: I am not a networking specialist (although I 
play one at work!), your mileage may vary, contains nuts.

      Jima
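An added example, not part of the thread, that runs the address accounting from Corey's Setup A / Setup B and Jima's points 1 and 2 through Python's ipaddress module. The /28 and /30 are the prefixes quoted above; which end of the /30 the customer takes (.2) is an assumption.

```python
"""Address accounting for the two hand-off models in the thread (Setup A vs
Setup B).  Constructed example: the /28 and /30 are the ones quoted above;
which side of the /30 the ISP takes is an assumption."""
import ipaddress

CUSTOMER_BLOCK = ipaddress.ip_network("192.0.2.0/28")  # /28 from the thread
P2P_LINK = ipaddress.ip_network("192.1.2.0/30")        # Setup B link from the thread


def setup_a_usable(block=CUSTOMER_BLOCK):
    """Setup A: the ISP uses the first host address for its side of the link
    and the customer's WAN interface takes the second.  The block is not
    routed to the LAN, so only the leftover hosts can be reached via 1:1 NAT
    (.3 to .14 for a /28)."""
    hosts = [str(h) for h in block.hosts()]
    return hosts[2:]


def setup_b_lan_hosts(block=CUSTOMER_BLOCK):
    """Setup B: the block is routed over a separate link, but one address (the
    gateway, the first host here) still lives on the customer router, as
    point 1 notes.  Everything else is assignable to LAN hosts."""
    hosts = [str(h) for h in block.hosts()]
    return hosts[1:]


def setup_b_nat_sources(block=CUSTOMER_BLOCK, link=P2P_LINK):
    """Setup B, point 2: the upstream router only knows the /28 is routed to
    the customer, so its network and broadcast addresses, the gateway, and the
    customer's point-to-point address all attract traffic and can be used as
    NAT addresses on the router even though no LAN host can carry them."""
    hosts = list(block.hosts())
    customer_p2p = list(link.hosts())[-1]  # assumption: ISP takes .1, customer .2
    return [str(a) for a in (block.network_address, hosts[0],
                             block.broadcast_address, customer_p2p)]


def setup_b_gain(block=CUSTOMER_BLOCK, link=P2P_LINK):
    """Addresses available in Setup B that Setup A cannot offer: the five
    listed in point 2 (.0, .1, .2, .15 and the point-to-point address)."""
    b_all = set(setup_b_lan_hosts(block)) | set(setup_b_nat_sources(block, link))
    return sorted(b_all - set(setup_a_usable(block)), key=ipaddress.ip_address)


if __name__ == "__main__":
    print("Setup A usable:", setup_a_usable())
    print("Setup B LAN hosts:", setup_b_lan_hosts())
    print("Setup B NAT-only addresses:", setup_b_nat_sources())
    print("Gained in Setup B:", setup_b_gain())
```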
