At 2:23am on 4/26/2013, Corey Edwards wrote:
> You're on the right track. Maybe I can get you the rest of the way there.

That's interesting. I seem to recall things like that when I worked for the (now defunct) C4 communications. This brings a question to my mind. In each scenario, how would you expect to handle IP routing from the outside to multiple IPs, assuming they are all going through a Wi-Fi router (for example, the Asus RT-16N mentioned a month or so ago)? I doubt that the standard firmware would handle it, so you'd need to upgrade it to one of the open source variants (DD-WRT, OpenWRT, Cherry, etc.), which for this example is perfectly fine. But let's use a simplistic setup for this. We'll assume two machines that I wish to access from the outside. Given your example of a /28, let's say the two boxes in question receive the IPs of 192.0.2.3 and .4. Let us also assume I wish to access DNS (TCP & UDP) as well as SMTP & SSH on both. .3 also gets access to a PostgreSQL database, Apache (normal and SSL), CIFS/Samba, and the secure and non-secure flavors of IMAP. And just to make things interesting, let's assume that I wish to limit any data transfers to/from .4 to 5 Mbit/sec, while leaving the traffic to .3 unrestricted. Since the open source firmwares are basically variants of Linux (from what I've heard at least), does that mean that I could use iptables on the router? Is there a way in the firmware's web interface to accomplish all this? Do I need any kind of NAT in either situation (setup A or setup B)?

I'll freely admit that while I know a fair amount of the basics of Linux, getting into more advanced topics like IP routing and what not is reaching to about the limit of my experience.
So I turn to you folks for help on this, with thanks!

--- Dan

On Fri, Apr 26, 2013 at 2:23 AM, Corey Edwards <ten...@zmonkey.org> wrote:
> On 04/24/2013 06:41 PM, Tod Hansmann wrote:
> >
> > On 4/24/2013 8:41 AM, Steve Meyers wrote:
> >> On 4/24/13 6:44 AM, Jima wrote:
> >>> You do need the /30 for a couple of those, actually. There are ways
> >>> around the others (like a transparent bridging firewall).
> >>>
> >>> With IPv6, the point-to-point subnet is actually MORE important, not
> >>> less. Have you ever dealt with an on-link /48? It's clear evidence
> >>> that whoever architected the ISP's IPv6 deployment had little idea what
> >>> they were doing. The only way around it is rather unpleasant hacks --
> >>> not hypothetically speaking.
> >> I completely agree with Jima. Tod, I'll diagram it out for you at the
> >> next PLUG meeting. :)
> >>
> >> Steve
> > Having not slept since Monday night, all of this is making less and less
> > sense as we go. I may well need a diagram to clear it up after I get
> > some sleep. My mind just keeps going in circles usually because I
> > somehow get thinking about point-to-point T1s as an example of
> > something, and then can't remember what.
>
> You're on the right track. Maybe I can get you the rest of the way there.
>
> For this example, let's say that your ISP assigns you a /28 of IP
> addresses, 192.0.2.0/28. Your usable range is 14 addresses, .1 to .14.
> There are two ways to do this.
>
> Setup A:
>
> ISP Router ---- 192.0.2.0/28 ---- Your Router ---- 192.168.0.0/24
>   192.0.2.1                    192.0.2.2        192.168.0.1
>
> In this case, the ISP takes one of the IPs in your range (192.0.2.1),
> you take the second on your WAN interface (192.0.2.2) and then you have
> a separate range on your LAN (192.168.0.0/24). This would presume you
> use NAT, since you can't also put the /28 on your LAN. The only way to
> get addresses from the /28 onto your LAN is through a one-to-one NAT or
> proxy ARP or some other funny business. You can only use .3 to .14 this
> way.
>
> Setup B:
>
> ISP Router ---- 192.1.2.0/30 ---- Your Router ---- 192.0.2.0/28
>   192.1.2.1                    192.1.2.2        192.0.2.1
>
> This would be the routed case which Jima and Steve are advocating (and
> for the record, the one I prefer as well). The ISP assigns you a
> separate /30 for your connection (192.1.2.0/30). This frees up 192.0.2.1
> and 192.0.2.2 for the LAN and doesn't require anything aside from
> standard routing. You *can* NAT if you want, but you don't *have* to.
> This is typically how T1s (and OC3s, etc) are set up, which is probably
> why it came to mind for you. In the case of a point-to-multipoint setup,
> you might have a larger subnet instead of the /30, but the same
> principle would apply.
>
> Corey
>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
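A Linux router ruleset for Corey's Setup B with the services and the 5 Mbit cap Dan asks about, as an added example that is not part of this thread. It assumes the router runs iptables and tc (as the open source firmwares do), WAN on eth0 (192.1.2.2/30) and LAN on eth1 (192.0.2.1/28), and an HTB shaper for the rate limit; by default it only prints the commands.

```shell
#!/bin/sh
# Setup B puts public addresses on the LAN with no NAT, so the router's FORWARD
# chain is the only thing between the Internet and 192.0.2.3/.4: default to DROP
# and open only the listed services. Interface names, link speed and the HTB
# shaping are assumptions. Dry run by default; run with IPT=iptables TC=tc to apply.
IPT="${IPT:-echo iptables}"
TC="${TC:-echo tc}"
WAN="${WAN:-eth0}"   # assumed: 192.1.2.2/30 toward the ISP
LAN="${LAN:-eth1}"   # assumed: 192.0.2.1/28, the routed /28

# allow_in HOST PROTO PORT: permit new inbound connections to one service
allow_in() {
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$1" -p "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_firewall() {
    # Default deny for transit traffic; replies are matched by conntrack.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # LAN hosts may initiate outbound connections.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT

    for host in 192.0.2.3 192.0.2.4; do   # both boxes: DNS, SMTP, SSH
        allow_in "$host" udp 53
        allow_in "$host" tcp 53
        allow_in "$host" tcp 25
        allow_in "$host" tcp 22
    done
    # .3 only: PostgreSQL, HTTP/HTTPS, CIFS, IMAP/IMAPS
    for port in 5432 80 443 445 139 143 993; do
        allow_in 192.0.2.3 tcp "$port"
    done

    # 5 Mbit/s cap for .4 in both directions; everything else stays unshaped.
    for dir in "$LAN dst" "$WAN src"; do
        set -- $dir
        $TC qdisc add dev "$1" root handle 1: htb default 10
        $TC class add dev "$1" parent 1: classid 1:10 htb rate 1000mbit
        $TC class add dev "$1" parent 1: classid 1:20 htb rate 5mbit ceil 5mbit
        $TC filter add dev "$1" parent 1: protocol ip prio 1 u32 \
            match ip "$2" 192.0.2.4/32 flowid 1:20
    done
}

build_firewall
```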