mick wrote:
A slash 30 gives two usable addresses. I'm assuming that the static IP (88.x.b.170) is assigned to the external interface of the ADSL router (so they have one external address). This router must be set up for no NAT because they have been allocated two routable addresses internally (88.x.a.117 and 88.x.a.118). In this case I guess that means that the router's internal address will be 88.x.a.117, which gives you 118 to allocate to a firewall (or other router) which can NAT an internal RFC1918 address block to give you the network you want. (Or of course you could just NAT at the ADSL router).
OK, I think I can make some sense of that. It's broadly what I expected, except I didn't (and still don't) see the point of the extra static IP (.170), so I thought I must be misunderstanding something.[*]
What I don't get now is how this maps to the firewall and what purpose any of this serves :-)
If I understand correctly, then (from outside) accessing 88.x.b.170 or 88.x.a.117 would access the router and 88.x.a.118 would go to whatever I wanted it to go to (in this case the firewall, which would port forward beyond that as necessary).
So instead of having a single external IP address and configuring it as a DMZ (i.e. everything coming in on 88.x.b.170 would go to the firewall, giving me a single useful public IP), I have 5 IP addresses which between them accomplish exactly the same thing, aside from giving me 2 extra IP addresses that access the router (which is a security weakness and nothing more). What am I missing?
[*] My guess would be that the combination of a single IP on the ADSL interface and a /30 block routed to it is just a way for the ISP to manage the connection and has no benefit at all to the end user, is that right? I still don't see the point of a /30 though.
I guess it looks something like this:
Outside--88.x.b.170[ROUTER]88.x.a.117---inside---88.x.a.118[ROUTER]192.168.x.x
If I take that second [ROUTER] to be the internal firewall then I think I can see how this works now, even if I still don't see the point of it!
Is this possible, assuming that I can tell the router to send everything it gets on the WAN side to the firewall?
Outside [ADSL ROUTER]---[FIREWALL]192.168.x.x
... where the firewall has "external" IP addresses 88.x.a.117/88.x.a.118/88.x.b.170?
The (Conexant-based) ADSL router is quite flexible and I'm not constrained by simple wizards etc. If I can work out what I want to do then there's a good chance the router will do it. However, I need to make sure I always know what the router's IP address is in order to get back in to make any additional changes. Ideally, it would use 88.x.b.170 as its own external interface and provide NAT across a 192.168.x.x subnet to 3 of its 4 ports, and pass anything for 88.x.a.116/30 straight to the firewall on the 4th port. If this is possible in theory, then I think this router can do it (it's only a budget thing, I forget the brand but I've seen the Conexant config often enough in the past).
PS: Is the "unnumbered" option on the WAN side relevant? (Little knowledge = dangerous thing!)
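The addressing plan discussed in this thread (one WAN address on the ADSL router plus a routed /30 split between the router's inside interface and the firewall), worked through with Python's ipaddress module as an added example that is not part of the original post. The two addresses are constructed placeholders from documentation ranges standing in for the obfuscated 88.x.b.170 and 88.x.a.116/30; the function also lists which public addresses terminate on the router itself, which is the exposure the post raises.

```python
import ipaddress

# Constructed placeholder values standing in for the obfuscated 88.x.b.170 and
# 88.x.a.116/30 in the post (documentation ranges, not real addresses).
WAN_ADDRESS = "198.51.100.170"
ROUTED_BLOCK = "203.0.113.116/30"


def address_plan(wan_address: str, routed_block: str) -> dict:
    """Lay out which device answers for each public address.

    Mirrors the topology in the thread: the ISP puts one address on the ADSL
    router's WAN interface and routes a separate /30 towards it. The router
    takes the first usable address of the /30 on its inside interface, the
    firewall takes the second, and the firewall NATs an RFC1918 range behind it.
    """
    wan = ipaddress.ip_address(wan_address)
    block = ipaddress.ip_network(routed_block, strict=True)
    hosts = list(block.hosts())  # network and broadcast addresses are excluded
    if len(hosts) != 2:
        raise ValueError(f"{block} is not a /30: {len(hosts)} usable hosts")
    if wan in block:
        raise ValueError("WAN address must not be taken from the routed block")
    router_inside, firewall_outside = hosts
    return {
        str(wan): "ADSL router (WAN interface)",
        str(block.network_address): "unusable (network address)",
        str(router_inside): "ADSL router (inside interface)",
        str(firewall_outside): "firewall (external interface)",
        str(block.broadcast_address): "unusable (broadcast address)",
    }


def router_facing(plan: dict) -> list:
    """Public addresses that terminate on the ADSL router itself: each one is
    reachable management surface from outside unless the router filters it."""
    return [addr for addr, dev in plan.items() if dev.startswith("ADSL router")]


if __name__ == "__main__":
    plan = address_plan(WAN_ADDRESS, ROUTED_BLOCK)
    for addr, dev in plan.items():
        print(f"{addr:>16}  {dev}")
    print("router-facing addresses:", router_facing(plan))
```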