On Tue, Jun 19, 2007 at 10:40:12AM +0100, Greg Hennessy wrote:
> > 
> > Quick question, assuming I can get a /24 public network, 
> 
> Who do you propose to bribe @ RIPE to get a /24 ? Can you pass me their
> details via pm :-)

Well, it's just 256 addresses, which is not excessive. I have a /24
myself (thinly populated so far, but vservers can fill up space
very quickly) for a business of mine, but this is for my dayjob which 
is getting a GBit Ethernet fiber connection (only 100 MBit/s
used, for time being). It's a very good deal, since we're paying
about the same as the 2 MBit/s SDSL we have now (there's an ISP
in the same building, so that's why).
 
> > and have
> > a private /24 address (quite densely occupied), does it have any
> > advantages,
> > from the firewall simplicity point of view, or should I get for
> > a smaller network (say, /26)?
> 
> None, TBH you'll be exceedingly lucky to get anything larger than /27-28,
> The paperwork to justify it is worse than pulling teeth. 
> Here in the UK most ISPs will provide /28s & /29s without much hassle.  

We need at least a /26, and should have no issues getting it.
The point is whether a /24 inside and a /24 outside would be easier
to map, since it would no longer require NAT. Would it? (I realize it
would be an awful waste of address space).
 
> 
> > Some of the LAN machines need to have no access to the Internet nor LAN
> > (zone 0), most LAN machines do, but would be happy with NAT (zone 1), a
> > few need to live in DMZ space, firewalled from LAN (zone 2).
> 
> Depending on what your requirements are, you could conceivably get away with
> something as small as a /30. 
> For anything bigger, I would tend to utilise a /30 for the outside, with the

So this means 4 addresses, which use NAT? Why not just one NAT address?

> rest hung from a real addressed DMZ, this allows easy propagation of routes
> to/from whatever IGP you're using.  

Can you expand a bit on how and why this is a good thing?
 
> 
> > I have 4 NICs, and VLAN-capable switches, so I was planning to do that
> > with VLANs, and work with a /26 public IP network. Does this make
> > sense,
> 
> Mixing different trust levels on the same switch is rather frowned upon.

Because of potential vulnerabilities in the switch OS, allowing an
attacker to reassign VLANs?
 
> At the very least you should configure up PVLANS on the switch. 

I'm not sure our consumer-grade (Netgear) switches can do PVLANs.
I can use a dedicated dumb switch for the DMZ and the no-access machines,
of course.
 
> Or consider a sandwich design with edge and internal firewalls, with a layer
> 3 switch hosting same trust level VLAN separated DMZs in between. 

I'm not sure I can get another firewall approved; I work for people
to whom I had severe trouble explaining why one needs to buy new switches
and a new firewall at all. (Yeah, I should quit, I know).
 
> 
> > or should I try getting a public /24 network, if I can get it?
> 
> TBH, getting a 24 is not likely.

There are practical issues (of getting it), ethical issues (should I ask for
it?) and practical issues (does a 1:1 /24 to /24 mapping make things easier
on my end?)

-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
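As an added illustration (not part of the thread above), the script below models the three trust zones the message describes and shows what a 1:1 /24-to-/24 mapping buys over a smaller public block: with equal-sized blocks each host keeps its host bits and simply swaps network bits (the way a static NETMAP-style translation works), whereas with a /26 outside only a few hosts can get their own public address and the rest must share one via many-to-one NAT. The address blocks, zone numbers and the SNAT address are constructed sample values.

```python
import ipaddress

# Constructed sample blocks (RFC 5737 documentation range for the public side).
PRIVATE_LAN = ipaddress.ip_network("192.168.10.0/24")   # densely used inside /24
PUBLIC_24 = ipaddress.ip_network("203.0.113.0/24")      # the hoped-for public /24
PUBLIC_26 = ipaddress.ip_network("203.0.113.0/26")      # the realistic public /26


def can_map_one_to_one(private_net, public_net):
    """A 1:1 mapping of whole blocks needs both prefixes to be the same size."""
    return private_net.prefixlen == public_net.prefixlen


def netmap(private_net, public_net, host):
    """Static 1:1 translation: keep the host bits, replace the network bits.

    This is what makes a /24-to-/24 layout 'easy to map': no per-host state,
    and the inside address is recoverable from the outside one.
    """
    if not can_map_one_to_one(private_net, public_net):
        raise ValueError("1:1 block mapping needs equal-sized prefixes")
    host = ipaddress.ip_address(host)
    if host not in private_net:
        raise ValueError(f"{host} is not inside {private_net}")
    offset = int(host) - int(private_net.network_address)
    return ipaddress.ip_address(int(public_net.network_address) + offset)


def outside_address(zone, host, public_net, snat_addr):
    """Return the address a packet from `host` leaves with, per trust zone.

    zone 0: no access to Internet or LAN -> None (nothing is forwarded)
    zone 1: ordinary LAN host -> shared many-to-one NAT address
    zone 2: DMZ host -> its own public address (1:1 mapping)
    """
    if zone == 0:
        return None
    if zone == 1:
        return ipaddress.ip_address(snat_addr)
    if zone == 2:
        return netmap(PRIVATE_LAN, public_net, host)
    raise ValueError(f"unknown zone {zone}")


def public_addresses_available(public_net, reserved=2):
    """Usable public addresses for 1:1 DMZ hosts (minus network/broadcast)."""
    return public_net.num_addresses - reserved
```

With the /26 the DMZ hosts still fit, but zone 1 must stay behind the shared NAT address; only the /24 removes NAT for everyone.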
