Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Routing the same subnet.

Posted on 2000-04-09
9
Medium Priority
?
231 Views
Last Modified: 2013-12-23
I'm setting up a OpenBSD gateway with the following conditions:

The gateway we have from our ISP is 2xx.xx.22.129.
My Gateway has two NIC's
xl0 2xx.xx.22.130/255.255.255.224 (ext, con. to wireless Internet)
xl1 2xx.xx.22.156/255.255.255.224 (int, con. to local switch)

The computers and servers inside uses 2xx.xx.22.131 to .158

How should I setup the route tables and arp on the gateway to get the
inside net to get Internet access?

Also, should I run "routed" ?,if so, with witch parameters and do I
need any special parameters in /etc/gateways ?

Also, Bridging is not a option since I cannot have more that one MAC
address out to our wireless equipment.
0
Comment
Question by:fred_nd
  • 4
  • 4
9 Comments
 

Author Comment

by:fred_nd
ID: 2697983
Adjusted points from 100 to 200
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2698185
Basically... You can't. The way routing works the inside and outside networks must be different. Otherwise the routing process can't tell which interface to use for an IP in the 2xx.xx.22.128/32 net. And you can't fool it by fiddling the netmask on the inside network, because you have to make corresponding change on the outside network.

However, you are in luck in that you are running OpenBSD and can use ipfilter, you can read about it at: http://cheops.anu.edu.au/~avalon/ip-filter.html. What I'd do is to change the inside network to be a "private network" and use ipfilter's NAT facility. If you want, you can set up static one-to-one translations so that each inside system has a fixed outside IP. Or you can set up a NAT pool and let the translation be dynamic. Or have some dynamic and some static. Your choice... Oh yeah, you get firewalling for free, so to speak.
0
 

Author Comment

by:fred_nd
ID: 2699349
By "private network" you mean a 192.168.x.x address or alike?

This is a problem because the machines inside the firewall has public addresses 2xx.xx.22.128/255.255.255.224 and I cant change that, mostly because this is Web, DNS and mail servers.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 40

Accepted Solution

by:
jlevie earned 600 total points
ID: 2699863
Ahh, but that's what one-to-one static NAT translations gets you. A particular inside machine, say 192.168.1.1 gets assigned an outside IP of 2x.x.22.130. You enable inbound web (port 80 & maybe 443) on the 2x.x.22.130->192.168.1.1 NAT conduit, and voila, you've got a web server that for all intents and purposes is "outside the firewall". It always appears to be at 2x.x.xx.130. Since you only enable inbound connections through the firewall on specific ports and to specific inside machines, the rest of the networks services and systems are protected from attack on all other ports. This is a "very good thing".

I do this all the time. Right now I've got six web servers (plain & SSL), an email server, and two DNS boxes inside of a firewall doing NAT (and have had most of them in place for 3-4 years). There are a few things that you can't easily do, like VPN's from an inside system, and some special things you must do, like a careful setup of the DNS for public/private IP's. Some of this gets handled by special boxes connected to the DMZ. And I should explain that term.

The standard configuration for a firewall protected network looks something like:

gateway router to the Internet
       |
       | DMZ network
       | w/"public" IP's
       |
  Firewall w/NAT
       |
Inside "private" network

Frequently you put special systems (like sendmail relays, external DNS servers, VPN hosts) outside of the firewall attached to the DMZ. These typically are specially hardened system that only provide a specific service(s). Everything else lives inside the firewall and static conduit's are provided though the firewall to those inside systems that need to accept inbound connections from the public (insecure) Internet.

0
 
LVL 2

Expert Comment

by:festive
ID: 2702342
you may want to look at the "winGate" product also...
0
 

Author Comment

by:fred_nd
ID: 2703559
When using NAT like this, assigning public IP numbers to private numbers, how will the logs on a WebServer look like?

Will the firewall be the visitor or will the users real IP number show here as it would do without the firewall?


0
 
LVL 40

Expert Comment

by:jlevie
ID: 2703629
The real (public) source IP will still be shown at either end. With lots of folks installing firewall'a and NAT'ing their internal networks these days (for security and to have more systems than the have public IPs for), you frequently can't tell a whole lot about who is actually accessing a site from the IP. For instance I've got some 700 nodes being dynamically NAT'd through 224 public IP's. Any given inside system can get any of the public IPs.
0
 

Author Comment

by:fred_nd
ID: 2703665
This works, not exactly the answer I where looking for, but this could work for me.

Thanks for the fast help, now I'm going to kick on my ISP, and force them to give me another wireless bridge that can handle more than one MAC address, then I will be able to setup a bridge instead.

But, thanx again for the fast and good help.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2704203
Yeah that would work also. If you decide you want to get into using ipfilter to NAT the network, I can be reached at jlevie@bellsouth.net
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question