I have just spent the afternoon trying to get my head around this one and failed.
A customer has been set up with a new ADSL account with the following IP addresses: 88.x.a.116/30 (routed IP range) 88.x.b.170 (static IP).
I need to configure the router to pass everything to a firewall that'll route traffic accordingly.
I can't even work out from this configuration how many usable external IP addresses this will give them?
(I can get the router connected with the static IP in a normal configuration without problem.)
PS: God bless my Ubuntu Live CD, the tools you have to manage without on Windows!
On Fri, 13 Nov 2009 18:05:44 +0000 Mark Rogers mark@quarella.co.uk allegedly wrote:
> I have just spent the afternoon trying to get my head around this one and failed.
> A customer has been set up with a new ADSL account with the following IP addresses: 88.x.a.116/30 (routed IP range) 88.x.b.170 (static IP).
> I need to configure the router to pass everything to a firewall that'll route traffic accordingly.
> I can't even work out from this configuration how many usable external IP addresses this will give them?
> (I can get the router connected with the static IP in a normal configuration without problem.)
> PS: God bless my Ubuntu Live CD, the tools you have to manage without on Windows!
A slash 30 gives two usable addresses. I'm assuming that the static IP (88.x.b.170) is assigned to the external interface of the ADSL router (so they have one external address). This router must be set up for no NAT because they have been allocated two routable addresses internally (88.x.a.117 and 88.x.a.118). In this case I guess that means that the router's internal address will be 88.x.a.117 which gives you 118 to allocate to a firewall (or other router) which can NAT an internal RFC1918 address block to give you the network you want. (Or of course you could just NAT at the ADSL router).
I guess it looks something like this
Outside--88.x.b.170[ROUTER]88.x.a.117---inside---88.x.a.118[ROUTER]192.168.x.x
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt
---------------------------------------------------------------------
mick wrote:
> A slash 30 gives two usable addresses. I'm assuming that the static IP (88.x.b.170) is assigned to the external interface of the ADSL router (so they have one external address). This router must be set up for no NAT because they have been allocated two routable addresses internally (88.x.a.117 and 88.x.a.118). In this case I guess that means that the router's internal address will be 88.x.a.117 which gives you 118 to allocate to a firewall (or other router) which can NAT an internal RFC1918 address block to give you the network you want. (Or of course you could just NAT at the ADSL router).
OK, I think I can make some sense of that. It's broadly what I expected, except I didn't (and still don't) see the point of the extra static IP (.170), so I thought I must be misunderstanding something.[*]
What I don't get now is how this maps to the firewall and what purpose any of this serves :-)
If I understand correctly, then (from outside) accessing 88.x.b.170 or 88.x.a.117 would access the router and 88.x.a.118 would go to whatever I wanted it to go to (in this case the firewall, which would port forward beyond that as necessary).
So instead of having a single external IP address and configuring it as a DMZ (ie everything coming in on 88.x.b.170 would go to the firewall, giving me a single useful public IP), I have 5 IP addresses which between them accomplish exactly the same thing aside from giving me 2 extra IP addresses that access the router (which is a security weakness and nothing more). What am I missing?
[*] My guess would be that the combination of a single IP on the ADSL interface and a /30 block routed to it is just a way for the ISP to manage the connection and has no benefit at all to the end user, is that right? I still don't see the point of a /30 though.
> I guess it looks something like this
> Outside--88.x.b.170[ROUTER]88.x.a.117---inside---88.x.a.118[ROUTER]192.168.x.x
If I take that second [ROUTER] to be the internal firewall then I think I can see how this works now, even if I still don't see the point of it!
Is this possible, assuming that I can tell the router to send everything it gets on the WAN side to the firewall Outside [ADSL ROUTER]---[FIREWALL]192.168.x.x .. Where the firewall has "external" IP addresses 88.x.a.117/88.x.a.118/88.x.b.170?
The (Conexant-based) ADSL router is quite flexible and I'm not constrained by simple wizards etc. If I can work out what I want to do then there's a good chance the router will do it. However, I need to make sure I always know what the router's IP address is in order to get back in to make any additional changes. Ideally, it would use 88.x.b.170 as its own external interface and provide NAT across a 192.168.x.x subnet to 3 of its 4 ports, and pass anything for 88.x.a.116/30 straight to the firewall on the 4th port. If this is possible in theory, then I think this router can do it (it's only a budget thing, I forget the brand but I've seen the Conexant config often enough in the past).
PS: Is the "unnumbered" option on the WAN side relevant? (Little knowledge = dangerous thing!)
On Mon, 16 Nov 2009 10:05:43 +0000 Mark Rogers mark@quarella.co.uk allegedly wrote:
> OK, I think I can make some sense of that. It's broadly what I expected, except I didn't (and still don't) see the point of the extra static IP (.170), so I thought I must be misunderstanding something.[*]
Mark - OK - there are a bunch of issues here so I'll address them in-line. But bear in mind I'm making some assumptions about your customer's setup and requirements.
Firstly, I agree you don't seem to need the slash 30 if you have a fixed external IP address assigned to the customer's router. Assumption number one I am making here is that they want to offer a publicly addressable service (such as a web server) on a DMZ at the end of their ADSL line and have told their ISP that. The ISP has then told them that they could have an additional 2 addresses (the minimum) if they took the slash 30.
Of course if they are only running one public service they could do that via NAT/PAT on the router and the extra addresses are unnecessary. Better still, they could rent a VPS, or some other external service with loads of bandwidth and save the ADSL for local outbound access only. ADSL lines are not best suited for inbound traffic.
> What I don't get now is how this maps to the firewall and what purpose any of this serves :-)
It serves the purpose of giving them two additional public addresses and means that the public address assigned to the router (88.x.b.170) can be locked down completely (so it refuses all attempted connections to itself) rather than advertising that address as the web/mail/whatever server they wish to use.
> If I understand correctly, then (from outside) accessing 88.x.b.170 or 88.x.a.117 would access the router and 88.x.a.118 would go to whatever I wanted it to go to (in this case the firewall, which would port forward beyond that as necessary).
Yes. But see my point above. You could (and should) configure the router to refuse all direct connections to /its/ addresses. Inbound connections should then only be permitted to whatever device it is that they think they need a public address for (or, as you say, the inner firewall which then folds the connection through to some internal network).
> So instead of having a single external IP address and configuring it as a DMZ (ie everything coming in on 88.x.b.170 would go to the firewall, giving me a single useful public IP), I have 5 IP addresses which between them accomplish exactly the same thing aside from giving me 2 extra IP addresses that access the router (which is a security weakness and nothing more). What am I missing?
Nothing. You have summarised the situation well. This just shows that taking the slash 30 is a waste of the additional 4 addresses assigned by the ISP.
> [*] My guess would be that the combination of a single IP on the ADSL interface and a /30 block routed to it is just a way for the ISP to manage the connection and has no benefit at all to the end user, is that right? I still don't see the point of a /30 though.
Maybe. It depends on who owns the router. Personally I would not be happy allowing someone outbound of my network being able to play with my access router. It should be mine, and locked down. If it isn't and can't be, then I'd want a second router and F/W of my own which I /do/ control inbound of the access router.
>> I guess it looks something like this
>> Outside--88.x.b.170[ROUTER]88.x.a.117---inside---88.x.a.118[ROUTER]192.168.x.x
> If I take that second [ROUTER] to be the internal firewall then I think I can see how this works now, even if I still don't see the point of it!
That's just one possible configuration. It was the first one which came to mind when I read your initial email.
> Is this possible, assuming that I can tell the router to send everything it gets on the WAN side to the firewall Outside [ADSL ROUTER]---[FIREWALL]192.168.x.x .. Where the firewall has "external" IP addresses 88.x.a.117/88.x.a.118/88.x.b.170?
Not quite. The 88.x.b.170 address is the external address for the ADSL router. The F/W would take one of the two 88.x.a.116/30 addresses as its "external" address. That would leave you one routable address for the public service inbound of the firewall. And as I said above, I think this would be better handled off site on a VPS or public hosting service.
> The (Conexant-based) ADSL router is quite flexible and I'm not constrained by simple wizards etc. If I can work out what I want to do then there's a good chance the router will do it. However, I need to make sure I always know what the router's IP address is in order to get back in to make any additional changes. Ideally, it would use 88.x.b.170 as its own external interface and provide NAT across a 192.168.x.x subnet to 3 of its 4 ports, and pass anything for 88.x.a.116/30 straight to the firewall on the 4th port. If this is possible in theory, then I think this router can do it (it's only a budget thing, I forget the brand but I've seen the Conexant config often enough in the past).
The ADSL router should always have the fixed 88.x.b.170 address the customer is paying for. But as I said above, that address should be locked down so it refuses connections. If you want to get back in, then you will need to configure it to NAT through to a VPN (or SSH) endpoint on the local network.
But all this sounds horribly complicated for what should be a simple setup. Maybe you should just forget about the slash 30 and configure the ADSL router with an internal RFC1918 address and NAT through for whatever service the customer wishes (or needs) to offer publicly. Alternatively, if the router can handle multiple IP addresses on its internal ports, then configure one for the slash 30 DMZ, and another for the RFC1918 network.
> PS: Is the "unnumbered" option on the WAN side relevant? (Little knowledge = dangerous thing!)
Not really these days. WAN unnumbered was useful on point to point serial connections between routers when all network addresses were routable and we needed to conserve address space. In these days of address translation, that approach is no longer necessary.
HTH
Mick
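The addressing arithmetic and router policy from Mick's replies above (two usable addresses out of the /30, the access router taking the first and the firewall the last, the router refusing connections to its own addresses and folding a single management port through to an internal SSH host, RFC1918 traffic NATed while the routed block passes untouched) as a small Python model. This is an added example and not code or configuration from either poster; 203.0.113.116/30 and 198.51.100.170 (documentation ranges) stand in for the customer's 88.x.a.116/30 and 88.x.b.170, and the inner 192.168.1.0/24 network, the management host 192.168.1.10 and port 2222 are assumptions. The `reserve_router` case also reproduces the "block of 8 minus network, broadcast and router = 5" reading from the last message.

```python
"""Added example: model of the routed-/30 plan and the access-router policy.

Assumptions (not from the original posts): documentation addresses stand in
for the customer's real ones; inner network, management host and port are
made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
MGMT_PORT = 2222  # assumed: WAN port the router folds through to internal SSH


def usable_hosts(prefix: str, reserve_router: bool = False) -> list[IPv4Address]:
    """Addresses in a routed block that can be given to machines.

    hosts() already drops the network and broadcast addresses; with
    reserve_router the first usable one is removed as well, because the
    access router takes it for its DMZ-side interface. For a /30 that leaves
    exactly one; for a /29 it leaves five.
    """
    hosts = list(ip_network(prefix, strict=False).hosts())
    return hosts[1:] if reserve_router else hosts


@dataclass(frozen=True)
class Plan:
    wan_ip: IPv4Address        # static IP on the ADSL router's WAN interface
    routed: IPv4Network        # block the ISP routes towards wan_ip
    router_lan: IPv4Address    # first usable of routed, on the router's DMZ port
    firewall_ext: IPv4Address  # last usable of routed, on the inner firewall
    inside: IPv4Network        # RFC1918 network the router NATs on its other ports
    mgmt_ssh: IPv4Address      # internal SSH endpoint reachable via MGMT_PORT


def make_plan(wan_ip: str, routed: str, inside: str, mgmt_ssh: str) -> Plan:
    hosts = usable_hosts(routed)
    if len(hosts) < 2:
        raise ValueError("need at least a /30 for router + firewall addresses")
    return Plan(ip_address(wan_ip), ip_network(routed, strict=False),
                hosts[0], hosts[-1], ip_network(inside), ip_address(mgmt_ssh))


def spare_public(plan: Plan) -> list[IPv4Address]:
    """Public addresses left once router and firewall have taken theirs.
    Empty for a /30, which is Mark's complaint in the thread."""
    return usable_hosts(str(plan.routed))[1:-1]


def inbound_action(plan: Plan, dst: str, dport: int) -> tuple[str, str]:
    """What the access router should do with a packet arriving on the WAN side."""
    d = ip_address(dst)
    if d == plan.wan_ip and dport == MGMT_PORT:
        return ("dnat", f"{plan.mgmt_ssh}:22")  # the one way back in for admin
    if d in (plan.wan_ip, plan.router_lan):
        return ("drop", "router refuses connections to its own addresses")
    if d in plan.routed and d not in (plan.routed.network_address,
                                      plan.routed.broadcast_address):
        return ("forward", "DMZ port, no NAT")  # the inner firewall owns this
    return ("drop", "not a customer address")


def outbound_action(plan: Plan, src: str) -> tuple[str, str]:
    """What the access router does with a packet leaving towards the ISP."""
    s = ip_address(src)
    if s in plan.routed:
        return ("route", "no NAT")  # routed block keeps its real source address
    if s in plan.inside:
        return ("snat", str(plan.wan_ip))  # the router's own RFC1918 LAN
    if any(s in n for n in RFC1918):
        return ("drop", "private source that is not ours")  # leak/spoof guard
    return ("drop", "unknown source")


if __name__ == "__main__":
    p = make_plan("198.51.100.170", "203.0.113.116/30",
                  "192.168.1.0/24", "192.168.1.10")
    print(p, "spare:", spare_public(p))
    for dst, port in [("198.51.100.170", 2222), ("198.51.100.170", 80),
                      ("203.0.113.117", 80), ("203.0.113.118", 80)]:
        print(dst, port, inbound_action(p, dst, port))
    print(outbound_action(p, "192.168.1.55"), outbound_action(p, "203.0.113.118"))
```

Running the script prints the plan and the decision for each address; the .117 case is the one Mark flagged as a weakness, and the model drops it rather than letting the router answer. Swap the /30 for a /29 in `make_plan` to see the spare addresses that a larger block would give the public service.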
mick wrote:
> Mark - OK - there are a bunch of issues here so I'll address them in-line.
Huge thanks for the detailed answer, it has really been helpful.
> [..BIG SNIP..] Of course if they are only running one public service they could do that via NAT/PAT on the router and the extra addresses are unnecessary.
I agree, and have currently got them set up this way in order to get things working - I think I'll leave them this way!
> Better still, they could rent a VPS, or some other external service with loads of bandwidth and save the ADSL for local outbound access only. ADSL lines are not best suited for inbound traffic.
Again, agreed. In this case their website links to a back-office system which gives a reason to host the site internally, although I wouldn't necessarily say I think it a compelling reason. At this point my goal was to get things working, I can look at better solutions in the future.
> You could (and should) configure the router to refuse all direct connections to /its/ addresses. Inbound connections should then only be permitted to whatever device it is that they think they need a public address for (or, as you say, the inner firewall which then folds the connection through to some internal network).
Is this configuration (substantially) more secure than having a single IP and using NAT and port forwarding as appropriate?
> But all this sounds horribly complicated for what should be a simple setup. Maybe you should just forget about the slash 30 and configure the ADSL router with an internal RFC1918 address and NAT through for whatever service the customer wishes (or needs) to offer publicly.
After messing around for a couple of days trying to get it working I gave up and went this route, and had everything working within about an hour. Most of that hour was spent undoing things that had been done to get the original config working....
Looking at the system now, I'm >90% sure that they previously had a block of 8 IP addresses. The customer can only tell me that they had 5 addresses - well that could be the 1 static + 4 routed they have now, or it could be a reference to a block of 8 after the network, broadcast and router addresses have been discounted. Looking at what they have inside the network the latter case looks far more likely. Therefore if they want to replicate the old configuration then they need to change what they have and if I managed to make use of the /30 now it would break if they needed a larger block later. So I'm happy with the way it's been left now and will suggest they return the /30 to the pool.
On Fri, 13 Nov 2009 18:05:44 +0000 Mark Rogers mark@quarella.co.uk allegedly wrote:
> I have just spent the afternoon trying to get my head around this one and failed.
> A customer has been set up with a new ADSL account with the following IP addresses: 88.x.a.116/30 (routed IP range) 88.x.b.170 (static IP).
Mark
You may find this helpful
http://www.subnet-calculator.com/
(I do....)
Mick