Static IP range routing on Linux
I just got business Internet service and signed up for a block of static IPs.
I'm a bit confused as to how the routing for this should work.
The ISP just provides a modem with a single Ethernet coming out the back. My Linux box has two interfaces and has until now been used successfully as a NAT router.
Oddly, they gave me a single static IP, then a range which is completely different.
Here's basically what I got, with IPs masked for privacy:
172.16.0.2/30, with a gateway of 172.16.0.1.
172.16.200.2/28 (.2 through .14), with a gateway of 172.16.200.1.
(Whenever I use these ranges in this description, remember these are just masked - the IPs given by the ISP are real public routable IP addresses.)
Let's assume eth0 is the LAN and eth1 goes to the cable modem.
I want to be able to have both a NAT range (for computers that don't need access to the internet) and public IP routing. The computers all may need to access each other in a LAN setting (I should be able to use things like Apple's discovery protocols and stuff between any device, whether it has a public IP or a private one.)
I got my box online using that single IP (172.16.0.2 in this case) but I can't figure out how to get the /28 subnet routed.
I understand that packets going to 172.16.200.1 must go out eth1 to the modem.
What I tried to do is to set my internal LAN (eth0) network card to have a second IP address (say, 172.16.200.2) contained in the static IP space, and then manually add a route to put 172.16.200.1 out eth1. This doesn't work, because machines send out ARP requests for 172.16.200.1 (if they believe that's the gateway they should be using) and nothing answers.
If I tell machines that 172.16.200.2 is the router, they just pass through the NAT and their traffic goes out 172.16.0.1.
I'm sure I'm missing something here but could anyone give me at least a pointer in the right direction? I do have some experience with IP routing but this situation is new to me.
What's confusing me is that the default gateway (172.16.200.1) is on one interface but the machines with the static IP addresses are on another interface. This means I basically have one subnet that crosses two interfaces. Using raw Ethernet bridging wouldn't be an option because this would interfere with the NAT function (at least I think it would??) and as far as I know would interfere with computers having static addresses being able to access NATted machines. Adding a NAT router would screw up LAN-based discovery protocols and such - due to the design, a non-NATted computer wouldn't be able to access a NATted one.
Any advice is greatly appreciated!
This is common: the WAN ISP redirects those other IPs to the WAN IP you have; it acts as the gateway for those. There is no routing involved. Your router, whether it be the ISP modem with built-in router or your Linux machine, will have to identify requests coming into these IPs and do something with them. In a NAT environment this would usually entail what they call mapping an IP, or 1-1 NAT. In Linux this would be handled by iptables; see this http://www.linuxhomenetworking.com/w...les#Static_NAT
The ability to access these public IPs from internal LAN machines will depend on whether your router handles hairpinning.
I will post a detailed network diagram later today.
I have packet-sniffed the WAN interface on my box while sending pings at my range of static IPs. The packets come in unaltered. No NAT is being done at all on the ISP side. If I ping 22.214.171.124 from outside, I see a ping coming in on the wire destined for 126.96.36.199.
The only immediate way I've solved this is to assign ALL of the static IPs as secondary (multihoming) IPs on the WAN interface then use IPtables/NAT to forward connections to the desired internal machine.
While this works for most situations, there's a few cases - namely SIP but others as well - where things get confused without the boxes having their real IPs. For example if the box thinks its IP is 192.168.1.55 but it is directly accessible from the world via 188.8.131.52 then it causes problems when it broadcasts that its IP is 192.168.1.55 to the Internet...
So my goal was to be able to give the machine on the internal LAN its public side IP (even if this must be done with static IPs) but still be able to access that machine from other machines inside the LAN via its world-routable IP. So for example, on machine 192.168.1.5 I want to be able to go to 184.108.40.206 and reach that box even though it's on the same LAN...
This seems like it has to be possible somehow as I've seen it done on large networks.
Diagrams coming soon.
There won't be any NAT on the ISP side; the NAT is on your router. With 1-1 NAT configured on your router, it's essentially the same as giving a public IP to the machine: it maps that, for all intents and purposes, the PC with the internal IP address of X is the machine that is given the public IP address of Y.
You can do what you want but you will likely have to place the router and the machine you want to have the public IP behind the modem, or gateway, or place the machine in a DMZ on a bridged (no NAT) interface behind your router.
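As an added example (not code from the thread or from any of its posters), the script below builds the 1-1 (static) NAT that the replies describe for the setup in the question: the ISP delivers the public /28 to the router's WAN side, the router holds each public address on its WAN interface so it answers ARP for it, and iptables maps each public address to one LAN host. It also adds the hairpin rules so a LAN host can reach a mapped host by its public address, which is the "hairpinning" the first reply mentions. The interface names, the 192.168.1.0/24 LAN range and the mapping table are assumptions; the 172.16.200.x addresses are the masked ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (or applies) 1-to-1 NAT
# for a public /28 delivered to the WAN side of a Linux router, plus hairpin
# rules for LAN-to-public access. Interface names, the LAN range and the
# mapping table are assumptions; 172.16.200.x are the thread's masked addresses.
#
# Usage:  sh static_nat.sh         # print the commands (dry run)
#         sh static_nat.sh apply   # run them (needs root and iptables)

WAN_IF=eth1
LAN_IF=eth0
LAN_NET=192.168.1.0/24   # assumed private LAN range behind the router

[ "${1:-}" = apply ] || DRY_RUN=1

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# onetoone_nat PUBLIC PRIVATE
# 1. Hold PUBLIC on the WAN interface so the router answers ARP for it.
# 2. DNAT inbound traffic for PUBLIC to PRIVATE and allow it through FORWARD.
# 3. SNAT PRIVATE's outbound traffic to PUBLIC; inserted at the top of the
#    chain so it wins over a general MASQUERADE rule for the rest of the LAN.
# 4. Hairpin: LAN-originated traffic to PUBLIC is DNATed to PRIVATE and then
#    masqueraded so the reply comes back through the router instead of going
#    host-to-host with a source address the client does not expect.
onetoone_nat() {
    pub=$1
    priv=$2
    run ip addr add "$pub/32" dev "$WAN_IF"
    run iptables -t nat -I PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -I FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" -j ACCEPT
    run iptables -t nat -I POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
    run iptables -t nat -I PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -t nat -I POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$priv" -j MASQUERADE
}

# Mapping table (constructed): one public address per LAN host.
# Format: PUBLIC PRIVATE (usable public hosts in the thread's /28 are .2-.14)
MAPPINGS='
172.16.200.3 192.168.1.55
172.16.200.4 192.168.1.56
'

# Apply every line of the mapping table.
apply_mappings() {
    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        onetoone_nat "$pub" "$priv"
    done
}

apply_mappings
```

Run it without arguments first and read the generated commands; only the `apply` form touches the kernel. The rules assume the box already forwards and masquerades the rest of the LAN as the question describes, with ESTABLISHED/RELATED traffic accepted in FORWARD; the per-host SNAT is inserted ahead of that general MASQUERADE so the mapped host leaves with its public address, which is the behaviour the poster wanted for protocols such as SIP that announce their own address.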
I am facing one problem while connecting to the Internet on my PC, which has Ubuntu installed on it. Every time I have to edit the IP address; only then does it get connected. Suggest me something so that this problem (changing the IP every time) will not come again.