 From:  "David Cook" <david at dave dash cook dot co dot uk>
 To:  <aaron at robinson dot net>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Public IP's on LAN
 Date:  Thu, 26 Feb 2004 22:08:48 -0000
Aaron,

H'mm... lots of different options on configuration.

It would be useful to have some more info on your current situation and
how things might develop in the future. A few quick questions:

1. how many individual customers do you supply internet services to now
2. how many individual customers do you anticipate supplying internet
services to in the future (within 5 years)
3. how many individual customers have requested a public ip address
4. does your isp know how you are using the connectivity they are
providing
5. how much bandwidth do you have on your sdsl connection and where are
you based (just curious)

To give you an idea where I am coming from with the questions:

If the answer to question 4 is no then we can come up with a config
using the public ip subnet you have been allocated. If the answer is
yes, it might be better to go to your isp and request a public ip
subnet that is large enough for your estimated demand in the next 5
years. This is permissible under RIPE rules and regs, it just has to be
justified.

In an ideal situation all your customers would have a routed public
address; this means that all internet applications will work, as some
seriously break when behind NAT (MS Messenger is an example of this). Of
course you could still block some ports and apply traffic shaping so
that your bandwidth is not hogged by any particular user(s).



> -----Original Message-----
> From: David Cook [mailto:david dot cook at jetpress dot com] 
> Sent: 26 February 2004 21:46
> To: David Cook
> Subject: FW: [m0n0wall] Public IP's on LAN
> 
> 
>  
> 
> -----Original Message-----
> From: Aaron Robinson
> To: David Cook
> Sent: 25/02/04 18:14
> Subject: Re: [m0n0wall] Public IP's on LAN
> 
> 
> Thanks for your reply. I'm not in a huge rush with this, but am going 
> to try to implement it in the future. I'm learning a lot 
> along the way 
> and am trying to not mess with paying customers :)
> 
> If you don't feel like answering, I'd understand. I have lots of 
> questions!
> 
> Responses are below.
> 
> On Feb 25, 2004, at 1:34 AM, David Cook wrote:
> 
> >> This is what I had thought initially, but it seems I can't use the
> >> 64.xxx.28.198 as an address. The SDSL router is 64.xxx.28.197, but if I
> >> try to use 64.xxx.28.198 with the above information, I get nothing. I
> >> can't ping the 64.xxx.28.197 gateway or the internet. Should I be able
> >> to use 64.xxx.28.198?
> >
> >> All I can figure is that 64.xxx.28.198 is not meant to be used by me. I
> >> can use any of the LAN addresses without a problem, but I don't know
> >> how I should set this up if LAN addresses are all I can use. In my
> >> initial e-mail someone mentioned having to have the WAN and LAN in
> >> different subnets. Is there a way I could do that? Could I ask my ISP
> >> to do something to make this easier?
> >
> >> Thanks!
> >> Aaron
> >
> >
> > Aaron,
> >
> > I think I know what is going on here. Looking at the information that
> > the ISP has supplied ....
> >
> >> IP address:      64.xxx.28.198
> >> subnet mask:     255.255.255.252
> >> gateway address: 64.xxx.28.197
> >>
> >> LAN IP Addresses (if any)
> >> -------------------------
> >> LAN subnet:      255.255.255.240
> >> Starting IP:     64.xxx.26.176
> >> First Usable IP: 64.xxx.26.178
> >
> > .... I'm guessing this is the configuration they anticipated you to use:
> >
> > 		ISP Network
> > 	-----------------------
> > 	Gateway (on ISP Network)
> > 		64.xxx.28.197/30
> > 			|
> > 			|
> > 		(xDSL Network)
> > 			|
> > 			|
> > 		64.xxx.28.198/30
> > 		xDSL Interface
> > 	-----------------------
> > 		Your SDSL Router
> > 	-----------------------
> > 		Ethernet Interface
> > 		64.xxx.26.177/28
> > 			|
> > 			|
> > 			|
> > 		Your LAN
> > 	64.xxx.26.178 - 190/28
> >
> > To clarify their info:
> >
> >> LAN subnet:      255.255.255.240
> >> Starting IP:     64.xxx.26.176
> >
> > 64.xxx.26.176 is the network address, this identifies the subnet and is
> > unavailable for assigning to an interface.
> >
> >> First Usable IP: 64.xxx.26.178
> >
> > 64.xxx.26.178 is the first usable IP address on your LAN assuming you
> > assign 64.xxx.26.177 to the LAN (inside) interface of the router. You then
> > have all the addresses up to and including 64.xxx.26.190 for use on the LAN.
> > 64.xxx.26.191 is the LAN broadcast address.
> >
> > If this is correct, using m0n0wall as a firewall there are a number of
> > options available to you to make best use of the assigned public IP
> > addresses relevant to the size/configuration of your network. How did
> > you want to use these addresses?
> >
> 
> You seem to have deciphered my description perfectly...I'm sure a feat
> in itself as I know nothing about real routing.
> 
> ==========
> Background
> ==========
> I set up a network at the condos where I live so that we can all
> enjoy less expensive internet access. Right now it works perfectly with
> m0n0wall (64.xxx.26.178) doing DHCP and NAT. However I've had a few
> people wanting a public IP, which I have no problems with, and that's why
> I have a small block of them.
> 
> What I would like to do is still do DHCP and NAT for ease of use and to
> conserve IP's for those that don't need/want them and then allow people
> to statically assign a routable IP if I give them one.
> 
> My issue is that I am not sure if I can separate the traffic in that 
> way. I have a switch connected to 4 buildings. Each building has an 8 
> port HPNA access concentrator (it's like an 8 port switch). Each port 
> is connected to a unit and provides an ethernet port inside using the 
> HPNA (black box) bridge.
> 
> SDSL---->m0n01--->Switch--->HPNA boxes--->Customer
>          |----->m0n02------^
> 
> If I want to give out a mix of addresses, I have to put both public and
> private addresses on the same switch. I don't see a way using one box
> to do NAT on the LAN and advanced NAT on OPT, so I haven't tried it.
> What I have done is put up a 2nd mono box (.79/28) with DHCP off.
> However I haven't figured out how to run public IP addresses on the LAN
> side of m0n0 by turning off advanced NAT. I know where it is, I just am
> not sure of how to get it working once advanced NAT is on.
> 
> ========
> Question
> ========
> Would it be possible to have m0n0#1(.78/28) running DHCP/NAT and 
> m0n0#2(.79/28) set up to do advanced NAT, both plugged into the same 
> switch? Would that allow what I am looking to do?
> 
> 
> 
> A couple of other suggestions by others...
> 1) Set the SDSL router to bridging mode and have m0n0 with a WAN
> address of 64.xxx.28.198/30 and LAN of 64.xxx.26.177/28. Allows me more
> flexibility with the network (traffic control etc.)
> 
> Would there be advantages/disadvantages to putting the SDSL router into
> bridging mode with a m0n0 box there? Old PC's aren't an issue.
> 
> 2) Use one of the ISP LAN IP addresses for the WAN IP of monowall and 
> use bridging
> 
> I'd prefer to not use bridging since I have heard a few people
> complaining about it. I did get it working just fine though and can use
> routable IP's through it.
> 
> Lots of questions...lots of things to learn! It's fun though and what I
> have now works just fine. I'd like to set up a couple more apartments
> once I have this setup the way I'd like it to be.
> 
> Thanks!
> Aaron
> 
> 
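A subnet-plan checker for the ISP allocation David works through in the quoted reply (the /30 WAN pair and the /28 LAN block), added to this archive page as an example; it is not code from the m0n0wall project or from either poster. It uses the 198.51.100.0/24 documentation range in place of the redacted 64.xxx.* octets (constructed sample), keeps the host parts from the page, and assumes, as the reply does, that the first host of the LAN block goes to the router's inside interface. The `classify` check is the one Aaron's attempt to put .198 on the LAN fails: that address belongs to the WAN /30, not to the LAN /28.

```python
"""Sanity checks for an ISP-supplied WAN /30 plus routed LAN /28.

Example code added to this mailing-list archive page; not part of m0n0wall
and not written by either poster.  All addresses below are constructed from
the 198.51.100.0/24 documentation range, standing in for the 64.xxx.* values
that are redacted on the page.
"""
import ipaddress

# Constructed copy of the ISP's allocation sheet (host parts as on the page).
ISP_INFO = {
    "wan_ip": "198.51.100.198",
    "wan_mask": "255.255.255.252",
    "wan_gateway": "198.51.100.197",
    "lan_start": "198.51.100.176",
    "lan_mask": "255.255.255.240",
}


def _net(address, mask):
    """Build the containing network for an address/dotted-mask pair."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def describe_block(start_ip, mask):
    """Return network, router, usable range and broadcast for a block.

    'router' assumes the first host address is given to the router's inside
    interface (the assumption made in the thread); customers get the rest.
    """
    net = _net(start_ip, mask)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "router": str(hosts[0]),
        "first_usable": str(hosts[1]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "customer_addresses": len(hosts) - 1,
    }


def classify(address, isp_info=ISP_INFO):
    """Say what role an address plays in the allocation, or why a LAN host
    cannot use it.  Addresses in the WAN /30 are never valid LAN hosts."""
    addr = ipaddress.ip_address(address)
    wan = _net(isp_info["wan_ip"], isp_info["wan_mask"])
    lan = _net(isp_info["lan_start"], isp_info["lan_mask"])
    if addr in wan:
        if addr == ipaddress.ip_address(isp_info["wan_gateway"]):
            return "wan: ISP gateway"
        if addr == ipaddress.ip_address(isp_info["wan_ip"]):
            return "wan: SDSL router WAN side (not usable on the LAN)"
        return "wan: network/broadcast of the /30 (unusable)"
    if addr in lan:
        if addr == lan.network_address:
            return "lan: network address (unusable)"
        if addr == lan.broadcast_address:
            return "lan: broadcast address (unusable)"
        if addr == next(lan.hosts()):
            return "lan: router inside interface"
        return "lan: assignable to a customer host"
    return "outside both ISP blocks"


def blocks_overlap(isp_info=ISP_INFO):
    """True if the ISP handed out a WAN /30 and LAN block that overlap,
    which would make the routed setup in the diagram impossible."""
    wan = _net(isp_info["wan_ip"], isp_info["wan_mask"])
    lan = _net(isp_info["lan_start"], isp_info["lan_mask"])
    return wan.overlaps(lan)


def assignment_plan(customers, isp_info=ISP_INFO):
    """Map the customers who asked for a public IP onto the LAN block's free
    hosts, skipping the router's inside address.  Raises if the block is
    too small, which is the point at which a larger allocation is needed."""
    lan = _net(isp_info["lan_start"], isp_info["lan_mask"])
    free = list(lan.hosts())[1:]  # first host is the router's inside interface
    if len(customers) > len(free):
        raise ValueError(f"only {len(free)} public addresses for {len(customers)} customers")
    return {name: str(ip) for name, ip in zip(customers, free)}


if __name__ == "__main__":
    print("LAN block:", describe_block(ISP_INFO["lan_start"], ISP_INFO["lan_mask"]))
    print("overlap:", blocks_overlap())
    for a in ("198.51.100.198", "198.51.100.176", "198.51.100.177", "198.51.100.185"):
        print(a, "->", classify(a))
    print(assignment_plan(["unit-1", "unit-2", "unit-3"]))
```

With the sample sheet, `describe_block` reports .176 as the network address, .177 as the router, .178 through .190 as the thirteen customer addresses and .191 as broadcast, matching the reply's reading of the ISP's "First Usable IP" line; `classify("…198")` lands in the WAN /30, which is why it cannot be pinged from a LAN host.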