I agree with most of Corey's outline. Just to throw a few minor
points in...
On 2013-04-25 14:53, Corey Edwards wrote:
> On 04/24/2013 06:41 PM, Tod Hansmann wrote:
>> Having not slept since Monday night, all of this is making less and less
>> sense as we go. I may well need a diagram to clear it up after I get
>> some sleep. My mind just keeps going in circles usually because I
>> somehow get thinking about point-to-point T1s as an example of
>> something, and then can't remember what.
>
> You're on the right track. Maybe I can get you the rest of the way there.
>
> For this example, let's say that your ISP assigns you a /28 of IP
> addresses, 192.0.2.0/28. Your usable range is 14 addresses, .1 to .14.
> There are two ways to do this.
>
> Setup A:
>
> ISP Router ---- 192.0.2.0/28 ---- Your Router ---- 192.168.0.0/24
> 192.0.2.1                         192.0.2.2        192.168.0.1
>
> In this case, the ISP takes one of the IPs in your range (192.0.2.1),
> you take the second on your WAN interface (192.0.2.2) and then you have
> a separate range on your LAN (192.168.0.0/24). This would presume you
> use NAT, since you can't also put the /28 on your LAN. The only way to
> get addresses from the /28 onto your LAN is through a one-to-one NAT or
> proxy ARP or some other funny business. You can only use .3 to .14 this way.
The architectural alternative for this model is to put a network
switch between your CPE (cable/DSL/fiber optic "modem") and whatever
device is providing the NATted network, for a DMZ (De-Militarized Zone).
Want to put a server in the /28? Plug it into that switch (or into
the right VLAN if you're weird like me). With this model the only
firewalling options for the DMZ are host-based-only or with a
transparent bridge.
Regarding "presume you use NAT," there are people who specifically get
a static IP block in order to eliminate NAT from their house. As much
as I hate NAT (I'm an IPv6 advocate; the two often go hand in hand),
it's become a necessary evil with IPv4 -- I did the math just now, and
found I'd need at least a /25 (125 usable IPs) at home to avoid it.
Yeah, not worth it.
> Setup B:
>
> ISP Router ---- 192.1.2.0/30 ---- Your Router ---- 192.0.2.0/28
> 192.1.2.1                         192.1.2.2        192.0.2.1
>
> This would be the routed case which Jima and Steve are advocating (and
> for the record, the one I prefer as well). The ISP assigns you a
> separate /30 for your connection (192.1.2.0/30). This frees up 192.0.2.1
> and 192.0.2.2 for the LAN and doesn't require anything aside from
> standard routing. You *can* NAT if you want, but you don't *have* to.
> This is typically how T1s (and OC3s, etc) are set up, which is probably
> why it came to mind for you. In the case of a point-to-multipoint setup,
> you might have a larger subnet instead of the /30, but the same
> principle would apply.
A couple fairly nitpick-y points here:
1) From the /28's perspective, .1 is not freed up -- it (or another IP)
still needs to be used as the gateway address (unless you're doing some
NAT shenanigans).
2) From the internet's perspective, you actually gained 5 IPs for
various use -- .0, .1, .2, .15, AND the IP from your point-to-point
subnet. You can use these IPs for different NAT rules on your
firewall/router -- unless very specifically configured to filter them
(which would be fairly uncommon, IME), the router upstream of yours
doesn't technically know (or care) that .0, .1, and .15 are "special"
addresses. From the /28's viewpoint, .0 and .15 are the
network/broadcast addresses, so you can't abuse them in that context.
3) While with Setup A you'd normally lose an IP from your /28 to your
NAT device, with Setup B you can do the NAT on the same device that
routes the /28, freeing one more IP for other use. (You can typically
translate the outgoing traffic to the point-to-point IP, or any IP from
the /28, including the reserved addresses above.)
4) As Corey touched upon, my "point-to-point" subnet at home is in fact a
/24; for 90+% of discussions this detail is irrelevant, though.
(Xmission throws all of us UTOPIA jerks with static blocks in this /24,
I've been told.)
Standard disclaimers: I am not a networking specialist (although I
play one at work!), your mileage may vary, contains nuts.
Jima
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
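As an added example (not from the thread), here is a small Python script that does the address bookkeeping for Corey's Setup A and Setup B, including Jima's follow-up points about the gateway address and the "reserved" addresses that only work as NAT translation addresses. It uses the 192.0.2.0/28 and 192.1.2.0/30 values from the thread, but works for any block size; the field names are my own.

```python
import ipaddress

def plan_addressing(block, setup, p2p=None):
    """Work out how each address in an ISP-assigned block gets used.

    block: your assigned block, e.g. "192.0.2.0/28"
    setup: "A" = the ISP's gateway sits inside your block, you NAT behind it
           "B" = the ISP gives you a separate point-to-point link (p2p,
                 e.g. "192.1.2.0/30") and routes the block to your LAN
    Returns a dict of plain strings / lists of strings.
    """
    net = ipaddress.ip_network(block)
    hosts = list(net.hosts())              # .1 .. .14 for a /28
    plan = {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address)}
    if setup == "A":
        plan["isp_gateway"] = str(hosts[0])          # ISP takes .1
        plan["your_wan"] = str(hosts[1])             # you take .2 on the WAN side
        # The rest of the block only reaches the LAN through 1:1 NAT / proxy ARP,
        # and .2 doubles as the address your outbound traffic is translated to.
        plan["lan_hosts"] = [str(h) for h in hosts[2:]]   # .3 - .14
        plan["nat_only"] = []
    elif setup == "B":
        link_hosts = list(ipaddress.ip_network(p2p).hosts())
        plan["isp_gateway"] = str(link_hosts[0])     # ISP side of the /30
        plan["your_wan"] = str(link_hosts[1])        # your side of the /30
        # The block is routed to you, but one address still has to be the
        # LAN gateway on your router (Jima's point 1).
        plan["lan_gateway"] = str(hosts[0])          # .1
        plan["lan_hosts"] = [str(h) for h in hosts[1:]]   # .2 - .14
        # Usable only as translation addresses on the router itself: the
        # block's network and broadcast addresses, the gateway IP and your
        # p2p IP (points 2 and 3). Inside the /28 they are still
        # network/broadcast/gateway, so they can never be host addresses.
        plan["nat_only"] = [plan["network"], plan["lan_gateway"],
                            plan["broadcast"], plan["your_wan"]]
    else:
        raise ValueError("setup must be 'A' or 'B'")
    return plan

def compare(block, p2p):
    """How many more LAN host and NAT-only addresses Setup B yields over A."""
    a = plan_addressing(block, "A")
    b = plan_addressing(block, "B", p2p)
    return {"extra_lan_hosts": len(b["lan_hosts"]) - len(a["lan_hosts"]),
            "extra_nat_only": len(b["nat_only"]) - len(a["nat_only"])}

if __name__ == "__main__":
    print(plan_addressing("192.0.2.0/28", "A"))
    print(plan_addressing("192.0.2.0/28", "B", "192.1.2.0/30"))
    print(compare("192.0.2.0/28", "192.1.2.0/30"))
```

Run it with a /29 or /27 instead of the /28 to see the same split for other block sizes; the five-address gain Jima counts (.0, .1, .2, .15 and the p2p IP) shows up as one extra LAN host plus four NAT-only addresses.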