Nerius Landys wrote:
First, my choice of internal network IP addresses is 192.168.0.x.  My
router machine's IP address will be 192.168.0.254 (that's the
interface facing the internal network).  The IP addresses of the
machines behind the router will start at 192.168.0.2 and go up.  I'm
wondering if this choice of IP addresses is conventional or good.  Is
this numbering scheme decent?  This is the way I had it set up
earlier.  I've seen a lot of networks using 192.168.1.x and the router
would be 192.168.1.1.

Whichever works. I don't think there is reason to speculate in "best practices" as which gets to be number 1, however you may consider dividing the address space into ranges for different uses. You may like to group servers in a particular range and clients in another so that you can create firewall rules accordingly.

My network is 172.16/23. The range 172.16.0/24 I use for statically configured nodes, servers, access points etc. The 172.16.1/24 I use for dynamically configured nodes, laptops.

The reason is that I'm using dynamic DNS on my LAN. The reverse map zones cannot be created for classless networks; you have to define a reverse zone for a /16 or /24 network. So to ensure that my static servers' reverse map cannot be modified, I have split my range such that dynamic and static addresses can be separated.

For my static range, I have divided it into two, 172.16.0.0/25 and 172.16.0.128/25, the first for production servers, the latter for testing and development. This is just a convention I have established; I thought it might be a good idea, but it is not configured in any way.

For my dynamic range, in my dhcpd configuration I have created two ranges, 172.16.1.0/25 and 172.16.1.128/25.

The first I assign to known hosts, that is, hosts I have registered the MAC address of and know the owner of. I haven't statically assigned a particular IP to a particular MAC; I just created a host entry in the dhcpd.conf with the MAC.

The latter range I use for unknown hosts, so when somebody connects they are easy to identify as foreign. This also permits creating special rules in my firewall so that strangers do not get the same unlimited access as friends. Of course, this is very crude as anyone can just reconfigure their address to get unlimited access, but

So now to the problem of being able to connect from a 192.168.0.x
machine to an outside IP address.  The way I did this before was by
adding 'gateway_enable="YES"' to /etc/rc.conf and then using the
OpenBSD packet filter (pf) to do a NAT thing.  I'm wondering if this,
in your opinion, is the preferred way to do things in order to set up
an internal network which can access the outside internet directly.

Yes, that's a great idea.

If so, can someone give me a really minimal yet secure packet filter
rule set that would do the job? (I'm prepared to read the pf docs,
which will take me a few hours.)  The router will connect to the
outside via DHCP, and from what I remember I had to add a rule to not
drop packets that were DHCP-related.

See the packet filter documentation; IIRC they also have sample filters for common setups such as yours.

BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
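As an added illustration (not a configuration posted in this thread), here is a minimal pf.conf for a FreeBSD NAT router that ties together both points of the reply: the LAN is split into ranges so firewall rules can address a group rather than individual hosts, NAT is done with pf as the question describes, and the router's own DHCP client traffic on the outside interface is explicitly allowed. The interface names em0/em1, the 192.168.0.0/24 plan and the exact range boundaries are assumptions; adjust them to the real network.

```conf
# Added example pf.conf (FreeBSD NAT router). Interface names, the
# 192.168.0.0/24 numbering and the range split are assumptions.
ext_if = "em0"        # assumed: outside interface, address obtained via DHCP
int_if = "em1"        # assumed: inside interface, 192.168.0.254/24

# Address plan modelled on the reply: one range for statically configured
# servers, one DHCP pool for registered MACs, one for unknown hosts.
static_net   = "192.168.0.0/25"
dhcp_known   = "192.168.0.128/26"
dhcp_unknown = "192.168.0.192/26"

set skip on lo0
scrub in all

# NAT: rewrite the source of LAN traffic leaving ext_if to whatever
# address ext_if currently holds; the parentheses make pf re-read the
# address when the DHCP lease changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny; everything allowed below is stateful.
block log all

# The router's own DHCP client on ext_if (bootpc 68 -> bootps 67 and back).
# Without these, the initial broadcast from 0.0.0.0 and the server's reply
# are dropped by the default block rule.
pass out quick on $ext_if proto udp from any port 68 to any port 67
pass in  quick on $ext_if proto udp from any port 67 to any port 68

# If the router is also the LAN's DHCP server, let requests in on int_if.
pass in quick on $int_if proto udp from any port 68 to any port 67

# Static servers and registered DHCP clients get unrestricted outbound.
pass in on $int_if from { $static_net, $dhcp_known } to any keep state

# Unknown hosts: only DNS and web, nothing else, so strangers are
# distinguishable by address and limited by rule.
pass in on $int_if proto { tcp udp } from $dhcp_unknown to any port 53
pass in on $int_if proto tcp from $dhcp_unknown to any port { 80 443 }

# Let the router itself and translated LAN traffic leave.
pass out on $ext_if keep state
pass out on $int_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only), then `pfctl -f /etc/pf.conf`, with `gateway_enable="YES"` and `pf_enable="YES"` in /etc/rc.conf. The two DHCP pools correspond to ISC dhcpd `pool` statements using `allow known-clients` and `allow unknown-clients` over the two ranges. As the reply notes, this separation by address is only a convenience, since a host can pick any LAN address it likes; it is not an authentication mechanism.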