Solved

Routing the same subnet.

Posted on 2000-04-09
9
226 Views
Last Modified: 2013-12-23
I'm setting up a OpenBSD gateway with the following conditions:

The gateway we have from our ISP is 2xx.xx.22.129.
My Gateway has two NIC's
xl0 2xx.xx.22.130/255.255.255.224 (ext, con. to wireless Internet)
xl1 2xx.xx.22.156/255.255.255.224 (int, con. to local switch)

The computers and servers inside uses 2xx.xx.22.131 to .158

How should I setup the route tables and arp on the gateway to get the
inside net to get Internet access?

Also, should I run "routed" ?,if so, with witch parameters and do I
need any special parameters in /etc/gateways ?

Also, Bridging is not a option since I cannot have more that one MAC
address out to our wireless equipment.
0
Comment
Question by:fred_nd
  • 4
  • 4
9 Comments
 

Author Comment

by:fred_nd
ID: 2697983
Adjusted points from 100 to 200
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2698185
Basically... You can't. The way routing works the inside and outside networks must be different. Otherwise the routing process can't tell which interface to use for an IP in the 2xx.xx.22.128/32 net. And you can't fool it by fiddling the netmask on the inside network, because you have to make corresponding change on the outside network.

However, you are in luck in that you are running OpenBSD and can use ipfilter, you can read about it at: http://cheops.anu.edu.au/~avalon/ip-filter.html. What I'd do is to change the inside network to be a "private network" and use ipfilter's NAT facility. If you want, you can set up static one-to-one translations so that each inside system has a fixed outside IP. Or you can set up a NAT pool and let the translation be dynamic. Or have some dynamic and some static. Your choice... Oh yeah, you get firewalling for free, so to speak.
0
 

Author Comment

by:fred_nd
ID: 2699349
By "private network" you mean a 192.168.x.x address or alike?

This is a problem because the machines inside the firewall has public addresses 2xx.xx.22.128/255.255.255.224 and I cant change that, mostly because this is Web, DNS and mail servers.
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 40

Accepted Solution

by:
jlevie earned 200 total points
ID: 2699863
Ahh, but that's what one-to-one static NAT translations gets you. A particular inside machine, say 192.168.1.1 gets assigned an outside IP of 2x.x.22.130. You enable inbound web (port 80 & maybe 443) on the 2x.x.22.130->192.168.1.1 NAT conduit, and voila, you've got a web server that for all intents and purposes is "outside the firewall". It always appears to be at 2x.x.xx.130. Since you only enable inbound connections through the firewall on specific ports and to specific inside machines, the rest of the networks services and systems are protected from attack on all other ports. This is a "very good thing".

I do this all the time. Right now I've got six web servers (plain & SSL), an email server, and two DNS boxes inside of a firewall doing NAT (and have had most of them in place for 3-4 years). There are a few things that you can't easily do, like VPN's from an inside system, and some special things you must do, like a careful setup of the DNS for public/private IP's. Some of this gets handled by special boxes connected to the DMZ. And I should explain that term.

The standard configuration for a firewall protected network looks something like:

gateway router to the Internet
       |
       | DMZ network
       | w/"public" IP's
       |
  Firewall w/NAT
       |
Inside "private" network

Frequently you put special systems (like sendmail relays, external DNS servers, VPN hosts) outside of the firewall attached to the DMZ. These typically are specially hardened system that only provide a specific service(s). Everything else lives inside the firewall and static conduit's are provided though the firewall to those inside systems that need to accept inbound connections from the public (insecure) Internet.

0
 
LVL 2

Expert Comment

by:festive
ID: 2702342
you may want to look at the "winGate" product also...
0
 

Author Comment

by:fred_nd
ID: 2703559
When using NAT like this, assigning public IP numbers to private numbers, how will the logs on a WebServer look like?

Will the firewall be the visitor or will the users real IP number show here as it would do without the firewall?


0
 
LVL 40

Expert Comment

by:jlevie
ID: 2703629
The real (public) source IP will still be shown at either end. With lots of folks installing firewall'a and NAT'ing their internal networks these days (for security and to have more systems than the have public IPs for), you frequently can't tell a whole lot about who is actually accessing a site from the IP. For instance I've got some 700 nodes being dynamically NAT'd through 224 public IP's. Any given inside system can get any of the public IPs.
0
 

Author Comment

by:fred_nd
ID: 2703665
This works, not exactly the answer I where looking for, but this could work for me.

Thanks for the fast help, now I'm going to kick on my ISP, and force them to give me another wireless bridge that can handle more than one MAC address, then I will be able to setup a bridge instead.

But, thanx again for the fast and good help.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2704203
Yeah that would work also. If you decide you want to get into using ipfilter to NAT the network, I can be reached at jlevie@bellsouth.net
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Let’s list some of the technologies that enable smooth teleworking. 
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question