On Mon, 16 Nov 2009 10:05:43 +0000 Mark Rogers mark@quarella.co.uk allegedly wrote:
OK, I think I can make some sense of that. It's broadly what I expected, except I didn't (and still don't) see the point of the extra static IP (.170), so I thought I must be misunderstanding something.[*]
Mark - OK - there are a bunch of issues here so I'll address them in-line. But bear in mind I'm making some assumptions about your customer's setup and requirements.
Firstly, I agree you don't seem to need the slash 30 if you have a fixed external IP address assigned to the customer's router. Assumption number one I am making here is that they want to offer a publicly addressable service (such as a web server) on a DMZ at the end of their ADSL line and have told their ISP that. The ISP has then told them that they could have an additional 2 addresses (the minimum) if they took the slash 30.
Of course if they are only running one public service they could do that via NAT/PAT on the router and the extra addresses are unnecessary. Better still, they could rent a VPS, or some other external service with loads of bandwidth and save the ADSL for local outbound access only. ADSL lines are not best suited for inbound traffic.
What I don't get now is how this maps to the firewall and what purpose any of this serves :-)
It serves the purpose of giving them two additional public addresses and means that the public address assigned to the router (88.x.b.170) can be locked down completely (so it refuses all attempted connections to itself) rather than advertising that address as the web/mail/whatever server they wish to use.
If I understand correctly, then (from outside) accessing 88.x.b.170 or 88.x.a.117 would access the router and 88.x.a.118 would go to whatever I wanted it to go to (in this case the firewall, which would port forward beyond that as necessary).
Yes. But see my point above. You could (and should) configure the router to refuse all direct connections to /its/ addresses. Inbound connections should then only be permitted to whatever device it is that they think they need a public address for (or, as you say, the inner firewall which then folds the connection through to some internal network).
So instead of having a single external IP address and configuring it as a DMZ (ie everything coming in on 88.x.b.170 would go to the firewall, giving me a single useful public IP), I have 5 IP addresses which between them accomplish exactly the same thing aside from giving me 2 extra IP addresses that access the router (which is a security weakness and nothing more). What am I missing?
Nothing. You have summarised the situation well. This just shows that taking the slash 30 is a waste of the additional 4 addresses assigned by the ISP.
[*] My guess would be that the combination of a single IP on the ADSL interface and a /30 block routed to it is just a way for the ISP to manage the connection and has no benefit at all to the end user, is that right? I still don't see the point of a /30 though.
Maybe. It depends on who owns the router. Personally I would not be happy allowing someone outbound of my network being able to play with my access router. It should be mine, and locked down. If it isn't and can't be, then I'd want a second router and F/W of my own which I /do/ control inbound of the access router.
I guess it looks something like this
Outside--88.x.b.170[ROUTER]88.x.a.117---inside---88.x.a.118[ROUTER]192.168.x.x
If I take that second [ROUTER] to be the internal firewall then I think I can see how this works now, even if I still don't see the point of it!
That's just one possible configuration. It was the first one which came to mind when I read your initial email.
Is this possible, assuming that I can tell the router to send everything it gets on the WAN side to the firewall?
Outside---[ADSL ROUTER]---[FIREWALL]192.168.x.x
Where the firewall has "external" IP addresses 88.x.a.117/88.x.a.118/88.x.b.170?
Not quite. The 88.x.b.170 address is the external address for the ADSL router. The F/W would take one of the two 88.x.a.116/30 addresses as its "external" address. That would leave you one routeable address for the public service inbound of the firewall. And as I said above, I think this would be better handled off site on a VPS or public hosting service.
The (Connexant-based) ADSL router is quite flexible and I'm not constrained by simple wizards etc. If I can work out what I want to do then there's a good chance the router will do it. However, I need to make sure I always know what the router's IP address is in order to get back in to make any additional changes. Ideally, it would use 88.x.b.170 as its own external interface and provide NAT across a 192.168.x.x subnet to 3 of its 4 ports, and pass anything for 88.x.a.116/30 straight to the firewall on the 4th port. If this is possible in theory, then I think this router can do it (it's only a budget thing, I forget the brand but I've seen the Connexant config often enough in the past).
The ADSL router should always have the fixed 88.x.b.170 address the customer is paying for. But as I said above, that address should be locked down so it refuses connections. If you want to get back in, then you will need to configure it to NAT through to a VPN (or SSH) endpoint on the local network.
But all this sounds horribly complicated for what should be a simple setup. Maybe you should just forget about the slash 30 and configure the ADSL router with an internal RFC1918 address and NAT through for whatever service the customer wishes (or needs) to offer publicly. Alternatively, if the router can handle multiple IP addresses on its internal ports, then configure one for the slash 30 DMZ, and another for the RFC1918 network.
PS: Is the "unnumbered" option on the WAN side relevant? (Little knowledge = dangerous thing!)
Not really these days. WAN unnumbered was useful on point-to-point serial connections between routers when all network addresses were routable and we needed to conserve address space. In these days of address translation, that approach is no longer necessary.
HTH
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt
---------------------------------------------------------------------
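As an added illustration (not part of either correspondent's mail), the following Python script works through the /30 arithmetic behind the thread and models the inbound policy Mick recommends: the router's own addresses refuse everything, and only the firewall's address is passed through. It follows Mark's diagram (router inside on the first usable host, firewall on the second) and uses constructed documentation-range addresses (192.0.2.x) as stand-ins for the obfuscated 88.x.b.170 and 88.x.a.116/30.

```python
import ipaddress

# Constructed stand-ins for the addresses in the thread; 192.0.2.0/24 is a
# documentation range (RFC 5737) and is never routed on the public Internet.
ROUTER_WAN_IP = "192.0.2.170"   # plays the role of 88.x.b.170
DMZ_BLOCK = "192.0.2.116/30"    # plays the role of 88.x.a.116/30


def plan_slash30(cidr: str) -> dict:
    """Lay out a routed /30 as in the diagram: the router takes the first
    usable address on its inside interface, the firewall the second.  The
    network and broadcast addresses cannot host anything, which is why a /30
    delivers only two usable hosts out of its four addresses."""
    block = ipaddress.ip_network(cidr, strict=True)
    hosts = list(block.hosts())
    if block.prefixlen != 30 or len(hosts) != 2:
        raise ValueError(f"expected a /30 with two usable hosts, got {block}")
    return {
        "network": str(block.network_address),      # .116
        "router_inside": str(hosts[0]),             # .117
        "firewall_outside": str(hosts[1]),          # .118
        "broadcast": str(block.broadcast_address),  # .119
    }


def inbound_policy(dst: str, plan: dict) -> str:
    """Classify an inbound packet by destination address, following the
    advice in the reply: the router refuses all connections to its own
    addresses, traffic for the firewall's address is forwarded to it, and
    anything else is dropped."""
    addr = ipaddress.ip_address(dst)
    if addr in (ipaddress.ip_address(ROUTER_WAN_IP),
                ipaddress.ip_address(plan["router_inside"])):
        return "drop: router's own address, nothing exposed"
    if addr == ipaddress.ip_address(plan["firewall_outside"]):
        return "forward: to firewall, which port-forwards onward"
    if addr in ipaddress.ip_network(DMZ_BLOCK):
        return "drop: network/broadcast address of the /30"
    return "drop: not one of our addresses"


if __name__ == "__main__":
    plan = plan_slash30(DMZ_BLOCK)
    for role, address in plan.items():
        print(f"{role:17} {address}")
    for dst in ("192.0.2.170", "192.0.2.117", "192.0.2.118", "192.0.2.119"):
        print(dst, "->", inbound_policy(dst, plan))
```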