 From:  Arni Kekoni <kuhi at iwn dot fi>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Using non routable public IP's on LAN (working, but..)
 Date:  Tue, 8 Nov 2005 12:16:37 +0200
Hi,

I have a working setup where I am routing
non-routable public IPs to the LAN. What I was wondering
is whether I am asking for trouble with this kind of setup.
I realize that this is not how m0n0 is supposed to be
used and thus is an unsupported feature.

My setup:

M0n0wall release 1.2
I have a /27 subnet that is routed to the ISP's router.

ISP router
----------
xxx.xxx.152.1/27
    |
    |
xxx.xxx.152.2/30
----------------
M0n0wall (GW xxx.xxx.152.1)
----------------
xxx.xxx.152.2/27
    |
    |
----------------
LAN network (152.1 and .2 are not used for clients)
GW (xxx.xxx.152.2)

I also have proxy ARP turned on for addresses
xxx.xxx.152.3-xxx.xxx.152.30

and I have enabled advanced outbound NAT.

End of setup:

For this to work you have to find a 2-IP CIDR that
includes both the router IP and the m0n0 IP. Using the same
CIDR on the WAN and LAN interfaces causes a conflict in the
routing table, and the dynamic route is not created for the
LAN.

The only thing that seems funny with this setup is that the
m0n0 WAN IP address shows up in the routing table as an
alias (an ifconfig alias, if I understood the FreeBSD docs
correctly). I remember reading somewhere that you should
never use IP aliasing on the WAN interface. I just can't find
that anywhere anymore. Is this a possible problem?

Here is a link to my routing table from when I was experimenting.
It uses public IPs on the OPT interface and 1:1 NAT on the LAN.
http://www.iwn.fi/~kekoni/stuff/route.txt

I also did a little experimenting with firewall rules, NAT
and 1:1 NAT, and all of them seem to be working correctly as
long as you don't define anything conflicting.

Arni Kekoni
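Added example, not part of the post above: a Python sanity check of the layout it describes, with 10.0.152.0/27 as a constructed placeholder for the xxx.xxx.152 prefix. It derives the smallest CIDR that holds both the router and the m0n0wall address (the "2-IP CIDR" the post picks by hand), confirms that block is not identical to the LAN prefix, and checks that the proxy ARP range stays inside the routed /27 without covering the router, m0n0wall, network or broadcast addresses.

```python
import ipaddress

# Constructed placeholder prefix standing in for the post's "xxx.xxx.152"; the
# last octets (.1 router, .2 m0n0wall, .3-.30 proxy ARP) are the post's values.
ISP_ROUTER = "10.0.152.1"
M0N0_ADDR = "10.0.152.2"          # same address on the WAN /30 and the LAN /27
LAN_NET = "10.0.152.0/27"
PROXYARP_RANGE = ("10.0.152.3", "10.0.152.30")


def smallest_common_prefix(addr_a, addr_b):
    """Smallest CIDR block containing both addresses (the WAN-side '2-IP CIDR')."""
    a, b = ipaddress.ip_address(addr_a), ipaddress.ip_address(addr_b)
    for plen in range(a.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        if b in net:
            return net


def check_setup(isp_router=ISP_ROUTER, m0n0_addr=M0N0_ADDR,
                lan_net=LAN_NET, proxyarp=PROXYARP_RANGE):
    """Return a dict of sanity checks for the WAN-block-inside-LAN layout."""
    router = ipaddress.ip_address(isp_router)
    wan_addr = ipaddress.ip_address(m0n0_addr)
    lan = ipaddress.ip_network(lan_net)
    wan = smallest_common_prefix(isp_router, m0n0_addr)
    # Proxy ARP range summarised into the CIDR blocks that exactly cover it
    first, last = (ipaddress.ip_address(x) for x in proxyarp)
    arp_blocks = list(ipaddress.summarize_address_range(first, last))
    return {
        "wan_cidr": str(wan),
        # The WAN block sits inside the LAN block: the overlap this layout lives with
        "wan_inside_lan": wan.subnet_of(lan),
        # Identical prefixes on both interfaces is the case the post says breaks
        # the LAN route
        "wan_lan_same_prefix": wan == lan,
        # Proxy ARP must stay inside the routed /27 ...
        "proxyarp_inside_lan": all(b.subnet_of(lan) for b in arp_blocks),
        # ... and must not answer for the router, m0n0wall itself, or the
        # network/broadcast addresses of the /27
        "proxyarp_excludes_infra": not any(
            a in b for b in arp_blocks
            for a in (router, wan_addr, lan.network_address, lan.broadcast_address)),
    }


if __name__ == "__main__":
    for key, value in check_setup().items():
        print(f"{key}: {value}")
```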