LinuxQuestions.org

Linux - Server forum, thread "Subnet Server setup" (https://www.linuxquestions.org/questions/linux-server-73/subnet-server-setup-720997/)

Murdock1979 04-22-2009 03:56 PM

Subnet Server setup
 
Hello!

I am looking for instruction for setting up a subnet router on linux.

My ISP gave me a pool of static ip addresses and I need to set up a Linux router to forward packets for this pool out the other interface to a switch. The netmask is 255.255.255.248.

I am wondering what ip address do I give the external and internal interfaces and what kind of routing should I set up?

Thanks!
Murdock

chitambira 04-23-2009 03:12 AM

Check out:
http://linux-ip.net/html/routing-intro.html
http://www.comptechdoc.org/os/linux/...ugrouting.html

Murdock1979 04-23-2009 03:39 AM

Hello chitambira,

Thanks for the information.

My case is dealing with a subnet and both internal and external IP addresses are under the same network, with my router serving as a subnet gateway. Here is an example:

Network IP prefix: 172.32.0.0/255.255.0.0

My Subnet IP Prefix: 172.32.32.0/255.255.255.0

eth0 connects with external network
eth1 connects with internal subnet

Accordingly, I assume I set up the router as follows:

Interfaces:
eth0 is given 172.32.32.1/255.255.0.0
eth1 is given 172.32.32.1/255.255.255.0

Routing:
172.32.32.0 * 255.255.255.0 dev eth1
172.32.32.0 * 255.255.0.0 dev eth0
default * 0.0.0.0 dev eth1

Am I on the right track with this?

Thanks,
Murdock

Suncoast 04-24-2009 08:49 PM

Depends on how you are connecting. ISDN, frame relay, DSL, broadband cable, other?

In most cases, a router is not a requirement. Many small businesses simply connect a switch to the modem, connect their external servers directly to the switch. (If it's a serial device like Frame relay, you will need a router.)

For your internal network, you can create a NAT/Router/Firewall with Linux. This will still leave you with 4 IP's to use for everything else. (That's using the .248 mask)

What you have defined will not work. You can't have the same subnet on both sides of a router. It's like being in a hallway with 2 doors, and they both open into the same room.

Steve

Murdock1979 04-25-2009 01:35 PM

Hello Suncoast!

Thank you for the response.

We have a direct connection to our ISP. I am not sure what kind of technology is being used - I think fiber optics, perhaps - and they supplied us with a standard RJ45 cable, which basically makes us another leg of their network.

Again, the main gateway for the main network (called gateway1) is 172.32.0.0 with netmask of 255.255.0.0. An internal gateway (called gateway2) will be used for a subnet with IP address of 172.32.32.0. Gateway2's subnet's netmask is 255.255.255.0.

There is no NAT at all being used between gateway2 and the main network. Everything is transparent. I only need to set a gateway2 for networking routing.

Here is an example:

INTERNET <-public ip address-> GATEWAY1 <-172.32.0.1/255.255.0.0-> MAIN INTERNAL NETWORK <-172.32.32.1/255.255.0.0-> GATEWAY2 <-172.32.32.1/255.255.255.0-> SUBNET

So, in short, for gateway2, what should IP address should I give my two interfaces and their routing?

Lastly, you wrote:
Quote:

What you have defined will not work. You can't have the same subnet on both sides of a router. It's like being in a hallway with 2 doors, and they both open into the same room.
Keep in mind that the netmask is different for both routes, so even if the IP routing is identical, the netmask should match them up correctly. It is equivalent to a hallway that states "Motel 172.32 Floor 32" on one door and on the other, "Motel 172.32", which is directed to other places in the Motel. However, you are correct that my routing table should be clearer, as follows (although the first routing table should work as well if the netmask is properly set up; however, you would probably get an error from the routing service - correct me if I am wrong):

172.32.32.0 * 255.255.255.0 dev eth1
172.32.0.0 * 255.255.0.0 dev eth0
default * 0.0.0.0 dev eth1

Thanks!
Murdock

Suncoast 04-30-2009 09:37 PM

I can't get away from the basics here, they don't compute.

Network 172.32.0.0/16 contains IP addresses 172.32.0.0 through 172.32.255.255. (/16 = 255.255.0.0)

That includes your network 172.32.32.0/24, which contains IP addresses 172.32.32.0 through 172.32.32.255. (/16 = 255.255.255.0)

What bothers me about this scenario is the size of the remote network mask. TYPICALLY when connecting two locations, an address for the WAN side is something like 172.16.32.2 255.255.255.252. The network only has 4 possible IP addresses. The Network Id (172.16.32.0/30,) the broadcast IP (172.16.32.3,) and 2 IP addresses (172.16.32.1 & 172.16.32.2,) one for each end of the WAN link. In other words, the link between you and the ISP is itself a small subnetwork.

Then it would be a simple matter to say, "I am on Network 172.32.32.0. If I want to get to network 172.16.0.0, the Default Gateway at 172.32.32.1 says it heard from 172.16.32.2 that it knows how to get there."

IF you are really saying you want to connect to a network of say 172.16.0.0/16, and you want to carve out for yourself the portion of 172.16.32.0/24, then you are not routing. You are bridging. Essentially a remote extension of a larger network. Unless you are physically in the same area, this will not work.

Steve

Murdock1979 05-02-2009 01:17 PM

Hello Suncoast,

Thanks for the followup.

Okay, I think I know where the confusion is now. For some reason, I was thinking that it is necessary for me to set up the gateway to my subnetwork. However, as you pointed out, the ISP usually sets up one of their interfaces as the gateway (however, this may not always be the case. I could be given a connection from a blind switch that is only attached to a main network interface, in which case I would need to set up the gateway for my subnet). Accordingly, my server would only be used as a bridge to connect my subnet (my ISP gave me a submask of 255.255.255.248, up to 5 subnetted computers) with the gateway. In fact, I could probably get rid of the server altogether and replace it with a simple hub just to plug in the cables and things would still work.

However, there is another factor involved. My subnet not only uses the pool of IP addresses given to me by my ISP, but I am also running a private network under my server through the same internal interface. So in theory, my server needs to act as a router for the private network (say 192.168.0.0/24) to the public network (172.32.0.0/16) and also as a bridge for the public IPs (172.32.32.0/255.255.255.248).

Accordingly, how do I set up a bridge for IPs of the 172.32.32.0/29 series on a router for the 192.168.0.0/24 series? Is it possible just to create a bridge with brctl on top of the already existing router?

Lastly, what do you mean when you say, "Unless you are physically in the same area, this will not work. "?

Thanks!
Murdock

Suncoast 05-04-2009 03:18 PM

Ok, I think we're on the same page now.

A /29 network from an ISP is set up with these 8 IP's - in order -

Network ID, Default GW IP, Host IP's times 5, Broadcast IP.

So I'll make up this network as the network the ISP assigned you:

Network 100.100.100.32/29

The Network ID is the first of the above 8 IP addresses. So,

Network ID 100.100.100.32 (all 255.255.255.248)
Default GW 100.100.100.33
Usable HOST ID's/IP's 100.100.100.34 through 100.100.100.38
Broadcast 100.100.100.39

(Note: Biggest mistake I see above is using a default gateway of 100.100.100.1, which often works, but causes problems.)

You have a Server that is publicly available at 100.100.100.34.
You have assigned this to eth1.
ifconfig eth1 100.100.100.34 netmask 255.255.255.248 broadcast 100.100.100.39 up
route add default gw 100.100.100.33 eth1

(Note: You are saying you have an internal network of 172.32.0.0/16. This is not a private IP range. 172.16.0.0/12 is. That IP range is 172.16.0.0 through 172.31.255.255. So I am going to use 31 instead of 32, because I think this is what you are referring to.)

You have a private network of 172.31.0.0/16. It is not subnetted further. On your server's second Ethernet port, you assign the IP address 172.31.0.1/16.
ifconfig eth2 172.31.0.1 netmask 255.255.0.0 up
route add -net 172.31.0.0 netmask 255.255.0.0 eth2

Most of these commands can also be done with the "IP" command.

Now this is where I think I need to clear another possible misconception. You can't use the private IP addresses on the Internet. They're only good on your own internal network. If a host on your private network wants to get on the internet, you will need to translate the IP with NAT. There are some good How-To on NAT, so I won't go into this.

You have 5 IP addresses, and you've only used 1. You can have all 5 on the server, but keep in mind that is a single point of failure. You can either add more ethernet cards, or you can configure the same ethernet port with additional addresses using the eth1:1 eth1:2 etc interface names.

If you need to get up and running quickly, you may want to temporarily utilize a commercial NAT/Bridge device like a linksys wrt54gs. You could set up the linksys with external IP 100.100.100.38, internal IP address 172.31.0.2 and set up all your regular internal hosts with a default gateway of 172.31.0.2. But for setting up and testing your NAT on the Server, you would point that host's default gateway to 172.31.0.1.

As to your last question. Any network has a certain amount of broadcast traffic. The bigger the network, the bigger the broadcast domain. If you were to bridge to the ISP's network, most of your WAN bandwidth would be consumed by broadcast traffic. Plus all your network's broadcast traffic would be on the ISP's network. Broadcasts could be DHCP, Wins, UPNP, Netbios, Spanning Tree, or Samba Shares. Routers divide broadcast domains. Also, you could send packets onto the host network, but if the routers don't know how to get to you, no traffic will be returning to you.

Steve

Edit - On that last sentence, assumes you are using a subnet unknown by the ISP's router.

Murdock1979 05-05-2009 03:54 PM

Hello!

Fantastic...you've put things in a very straightforward manner. The server is already set up for rerouting internal IPs with NAT. I need to set up both the public IPs and private on the same interface, since some computers need to dynamically request public IPs and I don't want to be required to rewire whenever that happens.

I still have one more issue with setting up the server for the public IP addresses. Should I set up eth2:1 (the internal interface) with public IP address of 100.100.100.35 and set routing to accommodate this? This will give the internal computers the ability to have 36, 37, and 38 (which I can set up either using DHCP or statically).

On the other hand, is it possible to create a bridge instead as follows:

1. eth1 ip address 100.100.100.34/29
2. eth2 ip address 172.31.0.0/16
3. br0 - bridge devices eth1 and eth2

This will enable me to use IP address 100.100.100.35 as well for the internal computers, and the server will only be a router for the internal IPs (127.16.0.0).

Thanks again!
Murdock

Suncoast 05-05-2009 09:31 PM

You just went beyond my ability to answer you with specific Linux commands. I think I know what you're asking, and if we were in a Cisco forum, I would be able to answer you with very specific instructions.

The Eth port facing the WAN should not have any private IP addresses. Think about how IP addressing works. The Netmask tells all devices what part of the address is a network, and what part is a host. On the same physical segment, the address 24.25.26.100/16 looks like the same address as 192.168.0.100/24 to the /24 hosts on that segment. (A segment is a broadcast domain; broadcast domains are separated by routers.) The first address is really saying nul.nul.26.100 is the host ID. The second address is nul.nul.nul.100. Things can get very confusing to the network devices. You could potentially have 2 devices responding to an arp request, which would result in intermittent connectivity. Just don't do that. You can route to other subnets on the same interface, but you cannot have multiple subnets on the same segment.

For your Public/Private IP's, you still need NAT (Network Address Translation.) (This is what you are calling Bridging.) NAT does not just translate multiple internal hosts to one external IP address, which is called NAT Overload. It can also be configured to know that a particular public IP address is mapped to a specific private IP address on the internal network. This form of simple NAT knows if it receives a packet for a particular public IP, it changes the IP header to reflect the internal IP address, and sends it along. Same in reverse. If no firewall/filtering exists on the NAT server, all ports would be open and sent to the internal host. This has the added benefit of the host also being able to talk to other local hosts using its internal IP address.

As to binding some internal devices' access to a public IP address without rewiring, there are a couple of ways to do it. The easiest being to forgo DHCP and assign the workstation IP address manually. Or have all clients default to a DHCP pool of internal IP addresses, etc. But when you want to get the external address, manually change the workstation address to one of the internal IP addresses that are mapped through NAT to the public IP. So if your internal network is 172.16.0.0/16, and you have DHCP set up to assign 172.16.1.0 through whatever, you still have the IP range 172.16.0.1 to 172.16.0.255 available for static IP addressing. So if you bound through NAT public IP 100.100.100.35 to 172.16.0.10, all you would need to do is set the workstation default gateway to 172.16.0.10, and the outside world now sees you as that IP address.

Suncoast 05-05-2009 10:23 PM

eth1 100.100.100.34/29
eth1:2 100.100.100.35/29
eth1:3 100.100.100.36/29
eth1:4 100.100.100.37/29
eth1:5 100.100.100.38/29

eth2 172.31.0.1/16
eth2:2 172.31.0.10/16
eth2:3 172.31.0.11/16
eth2:4 172.31.0.12/16
eth2:5 172.31.0.13/16

Nat Overload - eth1 to eth2

Nat Simple eth1:2 to eth2:2
Nat Simple eth1:3 to eth2:3
Nat Simple eth1:4 to eth2:4
Nat Simple eth1:5 to eth2:5

DHCP Pool1 172.31.1.0 to ...? How many do you need?
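
The NAT overload versus simple (1:1) NAT distinction from Suncoast's previous post, and the eth1/eth2 mapping plan just above, rendered as Linux ip/iptables commands; this is an added example, not code from the thread or from either poster. The interface names eth1/eth2, the conntrack and multiport iptables modules, and the per-host port lists are assumptions; the addresses are the thread's made-up 100.100.100.32/29 and 172.31.0.0/16.

```shell
#!/bin/sh
# Added example, not from the thread: renders Suncoast's NAT plan (one overload
# mapping plus 1:1 mappings) as ip/iptables commands. Uses the thread's made-up
# 100.100.100.32/29 and 172.31.0.0/16; eth1/eth2 names are assumed.
# Dry-run (commands are printed) unless APPLY=1, so it can be reviewed unprivileged.
WAN_IF=eth1; LAN_IF=eth2
WAN_ADDR=100.100.100.34/29; WAN_GW=100.100.100.33  # GW is the 2nd address of the /29
LAN_NET=172.31.0.0/16; LAN_ADDR=172.31.0.1/16
# Print a command (dry run) or execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Addressing on both ports, default route to the ISP, forwarding on, default-deny
# FORWARD chain that allows replies and LAN-initiated flows.
base_config() {
    run ip addr add "$WAN_ADDR" dev "$WAN_IF"
    run ip addr add "$LAN_ADDR" dev "$LAN_IF"
    run ip route add default via "$WAN_GW" dev "$WAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

# NAT overload: every private host leaves through the primary public address.
nat_overload() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Simple (1:1) NAT: public $1 <-> private $2, TCP ports $3 admitted inbound. The
# public address becomes a secondary address on the WAN port (ifconfig's eth1:N);
# inbound packets are DNATed to the host and its replies SNATed back. Without the
# port filter every port would reach the internal host, as the thread notes.
nat_one_to_one() {
    pub=$1; priv=$2; ports=$3
    run ip addr add "$pub/29" dev "$WAN_IF"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -s "$priv" -o "$WAN_IF" -j SNAT --to-source "$pub"
    run iptables -A FORWARD -i "$WAN_IF" -d "$priv" -p tcp -m multiport --dports "$ports" -j ACCEPT
}

# The plan from the thread: .34 overloaded, .35-.38 mapped 1:1 to .10-.13.
render_plan() {
    base_config
    nat_one_to_one 100.100.100.35 172.31.0.10 "22,443"   # constructed port lists
    nat_one_to_one 100.100.100.36 172.31.0.11 "80,443"
    nat_one_to_one 100.100.100.37 172.31.0.12 "80,443"
    nat_one_to_one 100.100.100.38 172.31.0.13 "25,587"
    nat_overload  # appended last so the host-specific SNAT rules above match first
}
render_plan
```

The order matters: the MASQUERADE rule is appended after the per-host SNAT rules, otherwise traffic from the 1:1 hosts would leave as .34 instead of their mapped public address.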

Suncoast 05-07-2009 03:03 PM

Hey Murdock,

I found this link which explains address "Redirection" with natd. Last section on the page.

The command is
-redirect_address localIP publicIP

Steve
