Another ISP thread...
ddavidegli at gmail.com
Sat Apr 27 03:59:09 MDT 2013
At 2:23am on 4/26/2013, Corey Edwards wrote:
> You're on the right track. Maybe I can get you the rest of the way there.
That's interesting. I seem to recall things like that when I worked for
the (now defunct) C4 communications. This brings a question to my mind. In
each scenario, how would you expect to handle IP routing from the outside
to multiple IPs, assuming they are all going through a Wi-Fi router (for
example, the Asus RT-16N mentioned a month or so ago)? I doubt that the
standard firmware would handle it, so you'd need to upgrade it to
one of the open source variants (DD-WRT, OpenWRT, Cherry, etc.), which
for this example is perfectly fine. But let's use a simplistic setup for
this. We'll assume two machines that I wish to access from the outside.
Given your example of a /28, let's say the two boxes in question receive
the IPs of 192.0.2.3 and .4. Let us also assume I wish to access DNS (TCP &
UDP) as well as SMTP & SSH on both. .3 also gets access to a PostgreSQL
database, Apache (normal and SSL), CIFS/Samba, and the secure and non-secure
flavors of IMAP. And just to make things interesting, let's assume that I
wish to limit any data transfers to/from .4 to 5 Mbit/sec, while leaving the
traffic to .3 unrestricted. Since the open source firmwares are basically
variants of Linux (from what I've heard at least), does that mean that I
could use iptables on the router? Is there a way in the firmware's web
interface to accomplish all this? Do I need any kind of NAT in either
situation (setup A or setup B)?
I'll freely admit that while I know a fair amount of the basics of Linux,
getting into more advanced topics like IP routing and whatnot is reaching
about the limit of my experience. So I turn to you folks for help on
this, with thanks!
On Fri, Apr 26, 2013 at 2:23 AM, Corey Edwards <tensai at zmonkey.org> wrote:
> On 04/24/2013 06:41 PM, Tod Hansmann wrote:
> > On 4/24/2013 8:41 AM, Steve Meyers wrote:
> >> On 4/24/13 6:44 AM, Jima wrote:
> >>> You do need the /30 for a couple of those, actually. There are ways
> >>> around the others (like a transparent bridging firewall).
> >>> With IPv6, the point-to-point subnet is actually MORE important, not
> >>> less. Have you ever dealt with an on-link /48? It's clear evidence
> >>> that whoever architected the ISP's IPv6 deployment had little idea what
> >>> they were doing. The only way around it is rather unpleasant hacks --
> >>> not hypothetically speaking.
> >> I completely agree with Jima. Tod, I'll diagram it out for you at the
> >> next PLUG meeting. :)
> >> Steve
> > Having not slept since Monday night, all of this is making less and less
> > sense as we go. I may well need a diagram to clear it up after I get
> > some sleep. My mind just keeps going in circles usually because I
> > somehow get thinking about point-to-point T1s as an example of
> > something, and then can't remember what.
> You're on the right track. Maybe I can get you the rest of the way there.
> For this example, let's say that your ISP assigns you a /28 of IP
> addresses, 192.0.2.0/28. Your usable range is 14 addresses, .1 to .14.
> There are two ways to do this.
> Setup A:
> ISP Router ---- 192.0.2.0/28 ---- Your Router ---- 192.168.0.0/24
>  192.0.2.1                        192.0.2.2        192.168.0.1
> In this case, the ISP takes one of the IPs in your range (192.0.2.1),
> you take the second on your WAN interface (192.0.2.2) and then you have
> a separate range on your LAN (192.168.0.0/24). This would presume you
> use NAT, since you can't also put the /28 on your LAN. The only way to
> get addresses from the /28 onto your LAN is through a one-to-one NAT or
> proxy ARP or some other funny business. You can only use .3 to .14 this
> Setup B:
> ISP Router ---- 126.96.36.199/30 ---- Your Router ---- 192.0.2.0/28
>  188.8.131.52                         184.108.40.206  192.0.2.1
> This would be the routed case which Jima and Steve are advocating (and
> for the record, the one I prefer as well). The ISP assigns you a
> separate /30 for your connection (220.127.116.11/30). This frees up 192.0.2.1
> and 192.0.2.2 for the LAN and doesn't require anything aside from
> standard routing. You *can* NAT if you want, but you don't *have* to.
> This is typically how T1s (and OC3s, etc) are set up, which is probably
> why it came to mind for you. In the case of a point-to-multipoint setup,
> you might have a larger subnet instead of the /30, but the same
> principle would apply.
> PLUG: http://plug.org, #utah on irc.freenode.net
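What the question above boils down to, as an added worked example that is not part of the thread and not anyone's posted configuration: a firewall script for Corey's "Setup B" (the /28 routed onto the LAN, the router holding 192.0.2.1/28 and a /30 toward the ISP) that admits exactly the services listed for .3 and .4, caps .4 at 5 Mbit/s, and, for contrast, the one-to-one NAT that "Setup A" would need instead. It assumes a Linux-based firmware (DD-WRT and OpenWrt both ship iptables; tc may be an extra package), eth0 as the interface facing the ISP /30, br0 as the LAN bridge, and 203.0.113.7 as a fixed admin source address; all of those are assumptions, not facts from the thread. Two practitioner caveats are built in: iptables cannot rate-limit bandwidth, so the 5 Mbit/s cap is done with tc (HTB) rather than a firewall rule, and CIFS and PostgreSQL should never face the whole Internet, so the example restricts those two ports to the admin address only.

```shell
#!/bin/sh
# Added example (not from the thread): a Linux router firewall for "Setup B"
# (routed /28 on the LAN side, no NAT) covering the hosts and services in the
# question, plus the one-to-one NAT that "Setup A" would need instead.
# Assumptions: eth0 faces the ISP /30, br0 holds 192.0.2.1/28, iptables and
# tc are present, and 203.0.113.7 is the admin's fixed source address.
set -eu

IPT="${IPT:-iptables}"
TC="${TC:-tc}"
DRY_RUN="${DRY_RUN:-0}"          # 1 = print the commands instead of running them
WAN="${WAN:-eth0}"
LAN="${LAN:-br0}"
NET=192.0.2.0/28
HOST_A=192.0.2.3                  # the box with the extra services
HOST_B=192.0.2.4                  # the box capped at 5 Mbit/s
ADMIN_SRC="${ADMIN_SRC:-203.0.113.7}"

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }
tc_() { if [ "$DRY_RUN" = 1 ]; then echo "$TC $*"; else "$TC" "$@"; fi; }

# allow <dst> <proto> <port> [src]: permit one inbound service through FORWARD
allow() {
    if [ $# -ge 4 ]; then
        ipt -A FORWARD -i "$WAN" -o "$LAN" -s "$4" -d "$1" -p "$2" --dport "$3" -j ACCEPT
    else
        ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$1" -p "$2" --dport "$3" -j ACCEPT
    fi
}

setup_b_rules() {
    # Setup B: the router just routes between the /30 and the /28.
    # Nothing in the nat table; everything is decided in FORWARD.
    ipt -F FORWARD
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$NET" -j ACCEPT          # hosts may go out
    for h in "$HOST_A" "$HOST_B"; do                                  # both: DNS, SMTP, SSH
        allow "$h" udp 53; allow "$h" tcp 53; allow "$h" tcp 25; allow "$h" tcp 22
    done
    for p in 80 443 143 993; do allow "$HOST_A" tcp "$p"; done       # .3: web, IMAP/IMAPS
    for p in 5432 445; do allow "$HOST_A" tcp "$p" "$ADMIN_SRC"; done # .3: admin-only
    ipt -A FORWARD -i "$WAN" -d "$NET" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

shape_host_b() {
    # iptables cannot shape bandwidth; tc does. Cap what .4 receives on the
    # LAN-side egress and what it sends on the WAN-side egress. .3 and
    # everything else fall into the unrestricted default class 1:10.
    for pair in "$LAN dst" "$WAN src"; do
        dev=${pair% *}; dir=${pair#* }
        tc_ qdisc replace dev "$dev" root handle 1: htb default 10
        tc_ class replace dev "$dev" parent 1: classid 1:10 htb rate 1000mbit
        tc_ class replace dev "$dev" parent 1: classid 1:20 htb rate 5mbit ceil 5mbit
        tc_ filter replace dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip "$dir" "$HOST_B/32" flowid 1:20
    done
}

setup_a_one_to_one() {
    # Setup A instead: the /28 sits on the WAN wire and the LAN is 192.168.0.0/24,
    # so each public address is mapped 1:1 onto a private one. The router must
    # also answer ARP for them on $WAN (e.g. "ip addr add 192.0.2.3/32 dev eth0"),
    # and the FORWARD rules would then match the 192.168.0.x targets, not 192.0.2.x.
    for h in 3 4; do
        ipt -t nat -A PREROUTING -i "$WAN" -d "192.0.2.$h" -j DNAT --to-destination "192.168.0.$h"
        ipt -t nat -A POSTROUTING -o "$WAN" -s "192.168.0.$h" -j SNAT --to-source "192.0.2.$h"
    done
}

case "${1:-}" in
    apply)  setup_b_rules; shape_host_b ;;
    show)   DRY_RUN=1; setup_b_rules; shape_host_b ;;
    show-a) DRY_RUN=1; setup_a_one_to_one ;;
esac
```

Run it as `sh fw.sh show` to review the generated iptables and tc commands before `sh fw.sh apply`. Note that the script only manages FORWARD and the shaping; INPUT rules protecting the router itself, and the sysctl enabling IP forwarding, are left to the firmware's existing configuration.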