Solved

Routing the same subnet.

Posted on 2000-04-09
Last Modified: 2013-12-23
I'm setting up a OpenBSD gateway with the following conditions:

The gateway we have from our ISP is 2xx.xx.22.129.
My gateway has two NICs:
xl0 2xx.xx.22.130/255.255.255.224 (ext, connected to the wireless Internet link)
xl1 2xx.xx.22.156/255.255.255.224 (int, connected to the local switch)

The computers and servers inside use 2xx.xx.22.131 to .158.

How should I set up the route tables and ARP on the gateway to get the
inside net Internet access?

Also, should I run "routed"? If so, with which parameters, and do I
need any special parameters in /etc/gateways?

Also, bridging is not an option, since I cannot have more than one MAC
address out to our wireless equipment.
Question by:fred_nd
9 Comments
 

Author Comment

by:fred_nd
ID: 2697983
Adjusted points from 100 to 200
 
LVL 40

Expert Comment

by:jlevie
ID: 2698185
Basically... You can't. The way routing works the inside and outside networks must be different. Otherwise the routing process can't tell which interface to use for an IP in the 2xx.xx.22.128/32 net. And you can't fool it by fiddling the netmask on the inside network, because you have to make corresponding change on the outside network.

However, you are in luck in that you are running OpenBSD and can use ipfilter, you can read about it at: http://cheops.anu.edu.au/~avalon/ip-filter.html. What I'd do is to change the inside network to be a "private network" and use ipfilter's NAT facility. If you want, you can set up static one-to-one translations so that each inside system has a fixed outside IP. Or you can set up a NAT pool and let the translation be dynamic. Or have some dynamic and some static. Your choice... Oh yeah, you get firewalling for free, so to speak.
 

Author Comment

by:fred_nd
ID: 2699349
By "private network" you mean a 192.168.x.x address or alike?

This is a problem because the machines inside the firewall have public addresses in 2xx.xx.22.128/255.255.255.224 and I can't change that, mostly because these are Web, DNS and mail servers.
 
LVL 40

Accepted Solution

by:
jlevie earned 600 total points
ID: 2699863
Ahh, but that's what one-to-one static NAT translations gets you. A particular inside machine, say 192.168.1.1 gets assigned an outside IP of 2x.x.22.130. You enable inbound web (port 80 & maybe 443) on the 2x.x.22.130->192.168.1.1 NAT conduit, and voila, you've got a web server that for all intents and purposes is "outside the firewall". It always appears to be at 2x.x.xx.130. Since you only enable inbound connections through the firewall on specific ports and to specific inside machines, the rest of the networks services and systems are protected from attack on all other ports. This is a "very good thing".

I do this all the time. Right now I've got six web servers (plain & SSL), an email server, and two DNS boxes inside of a firewall doing NAT (and have had most of them in place for 3-4 years). There are a few things that you can't easily do, like VPNs from an inside system, and some special things you must do, like a careful setup of the DNS for public/private IPs. Some of this gets handled by special boxes connected to the DMZ. And I should explain that term.

The standard configuration for a firewall protected network looks something like:

gateway router to the Internet
       |
       | DMZ network
       | w/"public" IP's
       |
  Firewall w/NAT
       |
Inside "private" network

Frequently you put special systems (like sendmail relays, external DNS servers, VPN hosts) outside of the firewall attached to the DMZ. These typically are specially hardened systems that only provide a specific service (or services). Everything else lives inside the firewall, and static conduits are provided through the firewall to those inside systems that need to accept inbound connections from the public (insecure) Internet.

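What the accepted solution describes, written out as ipfilter rules for the gateway in the question. This is an added example, not configuration posted in the thread. It assumes the inside network is renumbered to 192.168.1.0/24 on xl1 (as jlevie suggests), that xl0 keeps 2xx.xx.22.130/27 with the ISP router at .129, that the web, mail and DNS servers become 192.168.1.1, .2 and .3 and are mapped to the public .131, .132 and .133, and that ipfilter evaluates NAT rules in order with the first match winning. The "2xx.xx" placeholder octets are kept exactly as the question wrote them.

```conf
# /etc/ipnat.conf  (added example; addresses and host roles are assumptions)

# Static one-to-one translation ("bimap" = map + rdr for one host).
# The web server 192.168.1.1 is always seen from outside as 2xx.xx.22.131,
# inbound and outbound, so its public IP never changes.
bimap xl0 192.168.1.1/32 -> 2xx.xx.22.131/32
# Same for the mail host and the name server.
bimap xl0 192.168.1.2/32 -> 2xx.xx.22.132/32
bimap xl0 192.168.1.3/32 -> 2xx.xx.22.133/32

# Everyone else on the inside is dynamically translated to the gateway's own
# outside address; source ports are rewritten into 10000-20000, and the
# second rule catches protocols without ports.
map xl0 192.168.1.0/24 -> 2xx.xx.22.130/32 portmap tcp/udp 10000:20000
map xl0 192.168.1.0/24 -> 2xx.xx.22.130/32


# /etc/ipf.conf  (added example)
# Inbound packets are NAT'd *before* they are filtered, so inbound rules
# must match the private (post-rdr) destination, not the public address.

# Default deny in both directions on the outside interface, logged.
block in log on xl0 all
block out log on xl0 all

# Anything the inside initiates may go out; state handles the replies.
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state

# The "conduits": only these ports reach only these inside hosts.
pass in quick on xl0 proto tcp from any to 192.168.1.1 port = 80 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.1 port = 443 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.2 port = 25 flags S keep state
pass in quick on xl0 proto udp from any to 192.168.1.3 port = 53 keep state
pass in quick on xl0 proto tcp from any to 192.168.1.3 port = 53 flags S keep state
```

Two things the rules alone do not cover. First, the ISP router at 2xx.xx.22.129 will ARP for .131, .132 and .133 on the wireless segment, and ipfilter does not answer ARP for NAT'd addresses, so the gateway has to own them on xl0 (for example `ifconfig xl0 alias 2xx.xx.22.131 netmask 255.255.255.255`, or a published ARP entry with `arp -s`); all of them then answer with xl0's single MAC address, which is exactly what the one-MAC wireless bridge requires. Second, with NAT there is no reason to run routed: the gateway needs only IP forwarding enabled (net.inet.ip.forwarding=1) and a default route to 2xx.xx.22.129, and the inside hosts use 192.168.1.x of xl1 as their default gateway.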
 
LVL 2

Expert Comment

by:festive
ID: 2702342
you may want to look at the "winGate" product also...
 

Author Comment

by:fred_nd
ID: 2703559
When using NAT like this, assigning public IP numbers to private numbers, what will the logs on a web server look like?

Will the firewall be the visitor or will the users real IP number show here as it would do without the firewall?

 
LVL 40

Expert Comment

by:jlevie
ID: 2703629
The real (public) source IP will still be shown at either end. With lots of folks installing firewalls and NAT'ing their internal networks these days (for security and to have more systems than they have public IPs for), you frequently can't tell a whole lot about who is actually accessing a site from the IP. For instance I've got some 700 nodes being dynamically NAT'd through 224 public IPs. Any given inside system can get any of the public IPs.
 

Author Comment

by:fred_nd
ID: 2703665
This works; not exactly the answer I was looking for, but this could work for me.

Thanks for the fast help, now I'm going to kick on my ISP, and force them to give me another wireless bridge that can handle more than one MAC address, then I will be able to setup a bridge instead.

But thanks again for the fast and good help.
 
LVL 40

Expert Comment

by:jlevie
ID: 2704203
Yeah that would work also. If you decide you want to get into using ipfilter to NAT the network, I can be reached at jlevie@bellsouth.net

Question has a verified solution.