A Broadband and ADSL forum. BroadbanterBanter


uk.telecom.broadband (UK broadband): Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

Public IP's on local Lan question



 
 
  #1  
Old July 4th 03, 09:42 AM posted to uk.telecom.broadband
Tony Lewis

Andrews & Arnold have allocated a number of public IPs on a subnet
mask 255.255.255.224, and have recommended using the IPs on the LAN
machines (i.e. no NAT).

My usual experience has been to use the non-routable range of IPs, e.g.
192.168.x.x, and NAT on the router.

There are a number of machines that do not require internet access.
Can they be given IP numbers outside of the supplied range and use a
standard 255.255.255.0 mask, or is it necessary to "burn up" from
the allocated range, or is there another alternative?

Many thanks



--
TonyL
  #2  
Old July 4th 03, 10:10 AM posted to uk.telecom.broadband
Alex Butcher

On Fri, 04 Jul 2003 08:42:32 +0000, Tony Lewis wrote:

> Andrews & Arnold have allocated a number of public IPs on a subnet
> mask 255.255.255.224, and have recommended using the IPs on the LAN
> machines (i.e. no NAT).
>
> My usual experience has been to use the non-routable range of IPs, e.g.
> 192.168.x.x, and NAT on the router.
>
> There are a number of machines that do not require internet access.
> Can they be given IP numbers outside of the supplied range and use a
> standard 255.255.255.0 mask, or is it necessary to "burn up" from
> the allocated range, or is there another alternative?


You could, in principle, use the other addresses, but:

a) in order for both sets of hosts (i.e. those requiring internet access,
and those not) to talk to each other, you would need to use a subnet mask
of 255.255.255.0 on the hosts requiring access too. Those hosts wouldn't
be able to reach hosts that are legitimately using those addresses (i.e.
your neighbours in the address space).

b) More concerning is that if the spuriously numbered hosts /do/ send
packets onto the Internet (intentionally or otherwise), they are
effectively spoofing traffic. This is frowned upon and may cause you
various types of trouble with your ISP and other Internet users.

Far better to use a multi-homed firewall between your router, performing
static/destination NAT for those hosts that require it, and
hide/masquerade NAT for those that don't:

                 Router
             [a.b.c.(d+1)]
                   |
                   | a.b.c.d/255.255.255.224
                   |
             [a.b.c.(d+2)]
                  FW[192.168.1.1]---DMZ--------------- 192.168.1.0/255.255.255.0
            [10.0.0.1]                        |         |
                   |                          |         |
                   |                         www       mail
                   |
                   ------------------------- 10.0.0.0/255.0.0.0

If the web server on the DMZ has a native address of 192.168.1.100, use
the firewall to NAT it to a.b.c.(d+3), or DNAT it to port 80 of
a.b.c.(d+2) (i.e. the firewall's external address). If the former, you may
need to use Proxy ARP or add a static route on the router that tells it to
route packets intended for a.b.c.(d+3) to a.b.c.(d+2).

There are at least two other approaches to this problem (bridging
firewalls and subnetting) which have their own advantages and
disadvantages but this is the most common solution, and, I
reckon, the easiest to execute.

> Many thanks


Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 http://www.assursys.com/

  #3  
Old July 4th 03, 10:48 AM posted to uk.telecom.broadband
Tony Lewis

On Fri, 04 Jul 2003 10:10:13 +0100, Alex Butcher wrote:

> On Fri, 04 Jul 2003 08:42:32 +0000, Tony Lewis wrote:
>
>> Andrews & Arnold have allocated a number of public IPs on a subnet
>> mask 255.255.255.224, and have recommended using the IPs on the LAN
>> machines (i.e. no NAT).
>>
>> My usual experience has been to use the non-routable range of IPs, e.g.
>> 192.168.x.x, and NAT on the router.
>>
>> There are a number of machines that do not require internet access.
>> Can they be given IP numbers outside of the supplied range and use a
>> standard 255.255.255.0 mask, or is it necessary to "burn up" from
>> the allocated range, or is there another alternative?


> You could, in principle, use the other addresses, but:
>
> a) in order for both sets of hosts (i.e. those requiring internet access,
> and those not) to talk to each other, you would need to use a subnet mask
> of 255.255.255.0 on the hosts requiring access too. Those hosts wouldn't
> be able to reach hosts that are legitimately using those addresses (i.e.
> your neighbours in the address space).
>
> b) More concerning is that if the spuriously numbered hosts /do/ send
> packets onto the Internet (intentionally or otherwise), they are
> effectively spoofing traffic. This is frowned upon and may cause you
> various types of trouble with your ISP and other Internet users.


Think I'll give this one a miss then.

> Far better to use a multi-homed firewall between your router, performing
> static/destination NAT for those hosts that require it, and
> hide/masquerade NAT for those that don't:

Agreed, and as stated, this has been my usual experience. However, it
isn't how it is setup and due to other complications, plus the fact
that A&A are supporting it, it doesn't seem a good idea to change it.

> There are at least two other approaches to this problem (bridging
> firewalls and subnetting) which have their own advantages and
> disadvantages

May be worth thinking about, or is it very complicated?

> but this is the most common solution, and, I
> reckon, the easiest to execute.


Thank you very much for your input.


--
TonyL
  #4  
Old July 4th 03, 11:27 AM posted to uk.telecom.broadband
Buzz on Lappy

Wandered in and burbled at us:
> Tony Lewis wrote:
> | On Fri, 04 Jul 2003 10:10:13 +0100, Alex Butcher
> |Far better to use a multi-homed firewall between your router, performing
> |static/destination NAT for those hosts that require it, and
> |hide/masquerade NAT for those that don't:
> |
> |
> | Agreed, and as stated, this has been my usual experience. However, it
> | isn't how it is set up and, due to other complications, plus the fact
> | that A&A are supporting it, it doesn't seem a good idea to change it.
>
> We can give you a single address only for NAT use if you like, but it
> can be a nuisance. You should consider some sort of firewall even if
> it's just ZoneAlarm on the machines.
>
> I would rather give you extra IP addresses than have you making them up
> - let us know how many machines you actually have and we will allocate
> enough for all of them - this is probably the simplest and best solution.
>
> --
> Rev Adrian Kennard
> Andrews & Arnold Ltd


Looking at the above, does this mean that I could simply change my
server IP from its local one to the spare IP that I have from my ISP, and
which my global-lifeline domain is theoretically pointing at? And if I
did, would I still use my router IP as gateway? And with that being
said, would the rules on my router applicable to the spare IP (i.e.
opening ports 80 and 21, and linking the server's local IP to the spare IP)
then become redundant?

Confused of Essex
--
For Fun, Friends, fishwives, Tarts and a couple of Revs
http://www.free-n-easy.org.uk

For those that use the PC as a lifeline and contact point
http://revdaveb.force9.co.uk/forums/index.php
  #5  
Old July 4th 03, 12:06 PM posted to uk.telecom.broadband
Buzz

When I buzzed out of the hive I heard say...
> Not quite sure what you are saying.
> You can only use the IP addresses you have routed to you by your ISP.

Yes, the ISP has given me a block of 4 IP addresses. The main one I use
quite happily throughout my LAN. The spare one (212.159.62.178) is for
my server. I also have the global-lifeline domain name set to point to
the spare IP by my ISP, and they say that a traceroute shows it is
indeed going to it. I originally set up a rule in my router that all
traffic in and out from the server's local IP is to use the external IP
as above, with a couple of other rules added to open ports 80 and 21 both
ways. However, I have just been told I can set the spare IP that
global-lifeline is pointing to as the IP of my server, i.e., in the server
machine:

ip = 212.159.62.178
Subnet 255.255.255.0
Gateway 192.168.7.1 (router)
Primary DNS As F9
Secondary DNS As F9

Then delete all rules applicable to that IP in my router.

Just tried that, and now am getting abject failure, where am I going
wrong?

--
Jest Buzzin around!

www.komputers4kids.co.uk recycle old computers for the children
www.goldenagecomputing.co.uk Recycle old computers for the seniors
http://free-n-easy.org.uk Fantastic forums with a family feel
http://www.global-lifeline.co.uk Trying out on my own server
  #6  
Old July 4th 03, 12:18 PM posted to uk.telecom.broadband
Tony Lewis

On Fri, 04 Jul 2003 11:22:15 +0100, Adrian Kennard wrote:

> Tony Lewis wrote:
> | On Fri, 04 Jul 2003 10:10:13 +0100, Alex Butcher
> |Far better to use a multi-homed firewall between your router, performing
> |static/destination NAT for those hosts that require it, and
> |hide/masquerade NAT for those that don't:
> |
> |
> | Agreed, and as stated, this has been my usual experience. However, it
> | isn't how it is set up and, due to other complications, plus the fact
> | that A&A are supporting it, it doesn't seem a good idea to change it.
>
> We can give you a single address only for NAT use if you like, but it
> can be a nuisance.


Why is it a nuisance? Is it in the router configuration, or just that
some traffic doesn't necessarily like it (VPN, IPSEC?)

> You should consider some sort of firewall even if
> it's just ZoneAlarm on the machines.


You've put in a Firebrick Plus and have bonded two ADSL lines for
improved upload/download.


> I would rather give you extra IP addresses than have you making them up
> - let us know how many machines you actually have and we will allocate
> enough for all of them - this is probably the simplest and best solution.


May have to consider this option. It just seems a waste to use public
IPs on machines that will never access the internet. Or are public
IPs not as limited as sometimes made out?


--
TonyL
  #7  
Old July 4th 03, 01:47 PM posted to uk.telecom.broadband
Tony Lewis

On Fri, 04 Jul 2003 12:26:38 +0100, Adrian Kennard wrote:


> |We can give you a single address only for NAT use if you like, but it
> |can be a nuisance.
> |
> |
> | Why is it a nuisance? Is it in the router configuration, or just that
> | some traffic doesn't necessarily like it (VPN, IPSEC?)
>
> There are a lot of reasons why NAT is a nuisance. Every protocol you
> want to get through NAT either has to be a single outgoing session or
> needs some sort of assistance (e.g. ftp). Some protocols simply won't
> work through NAT. Using the internet as it was intended works much better.


I guess I don't remember those days

> |I would rather give you extra IP addresses than have you making them up
> |- let us know how many machines you actually have and we will allocate
> |enough for all of them - this is probably the simplest and best solution.
> |
> |
> | May have to consider this option. It just seems a waste to use public
> | IPs on machines that will never access the internet. Or are public
> | IPs not as limited as sometimes made out?
>
> There are rules for allocation of IP addresses. Sensible ones. They are
> not going to run out tomorrow. The main "scare" some years ago was a
> problem with routable blocks. With PA space, and allocations based on
> what people need, it is not as much of a problem as people had thought.


That's a relief!

Many thanks for your comments which are helpful. If you have time I
would appreciate further input.

I'll go a bit more into the scenario as I support my client's (your
customer) Novell server.

He has 3 NICs in the server.
200.1.1.1 connected to a switch serving his PC network on IPX
201.1.1.1 connected to another switch serving his Apple network on IP
202.1.1.1 which is then bound to some special software (IPConnect)
which enabled all computers to access the internet with:

BIND FW TO ktc100
(fw is the IPConnect software firewall ktc100 is the NIC)
BIND IP TO FW ADDR=192.168.254.253 GATEWAY=192.168.254.254
MASK=255.255.255.0

The gateway being the old ADSL router being replaced by your system.

If connection is going to be direct to the Firebrick, then IP is no
longer needed on the PC (IPX) card.

The Apples need to see the server via TCP/IP so the second card will
now need to use an address in your supplied range. As this card
would never need to see the internet, and has no gateway statement, my
question is - could it use an IP address outside of those you have
supplied?

The question is more to aid my understanding. The loss of one
allocated IP address is not a major concern.

The third network card becomes redundant, but potentially could be
used to connect everyone to the Firebrick and hence only a couple of
IP addresses would be needed (subject to your other comments on NAT).

Going back to the client's original requirement. Large (300mB) FTP
transfers would fail after 20 mins quite often. Would you put that
down to the ISP (major popular? using the business option) or to the
use of NAT, or is that the internet in general?


--
TonyL
  #8  
Old July 4th 03, 03:48 PM posted to uk.telecom.broadband
Tony Lewis

On Fri, 04 Jul 2003 14:12:01 +0100, Adrian Kennard wrote:

> Tony Lewis wrote:
> |...
> | That's a relief!
> |
> | Many thanks for your comments which are helpful. If you have time I
> | would appreciate further input.
> |
> | I'll go a bit more into the scenario as I support my client's (your
> | customer) Novell server.
> |
> | He has 3 NICs in the server.
> | 200.1.1.1 connected to a switch serving his PC network on IPX
> | 201.1.1.1 connected to another switch serving his Apple network on IP
> | 202.1.1.1 which is then bound to some special software (IPConnect)
> | which enabled all computers to access the internet with:
>
> Are those meant to be IP addresses?
>
> You are part of the Corporación Andina de Fomento, the Comitê Gestor da
> Internet no Brasil, and Maritime Services Board of N.S.W. are you? Wow!

mmm - blushes. They were set up a long time ago following the
examples in the manual and I guess when I knew even less than I
know now. In mitigation, they were several layers behind transmission
to the internet as they got pushed through the address below and then
NATted (again?) through the ADSL router onto the dynamic public IP.

> | BIND FW TO ktc100
> | (fw is the IPConnect software firewall ktc100 is the NIC)
> | BIND IP TO FW ADDR=192.168.254.253 GATEWAY=192.168.254.254
> | MASK=255.255.255.0
> |
> | The gateway being the old ADSL router being replaced by your system.
> |
> | If connection is going to be direct to the Firebrick, then IP is no
> | longer needed on the PC (IPX) card.
> |
> | The Apples need to see the server via TCP/IP so the second card will
> | now need to use an address in your supplied range. As this card
> | would never need to see the internet, and has no gateway statement, my
> | question is - could it use an IP address outside of those you have
> | supplied?
>
> If it is a purely private subnet, it could use private addresses, i.e.
> in 10.0.0.0-10.255.255.255, 192.168.0.0-192.168.255.255 or
> 172.16.0.0-172.31.255.255


Yes, but the Apples also need to access the internet, so they each
need to be allocated one of the public IPs supplied. The Novell NIC
would surely need then to be on the same network?


> | The question is more to aid my understanding. The loss of one
> | allocated IP address is not a major concern.
> |
> | The third network card becomes redundant, but potentially could be
> | used to connect everyone to the Firebrick and hence only a couple of
> | IP addresses would be needed (subject to your other comments on NAT).
>
> We can set up several smaller blocks for your routing if that would
> help.
>
> We also run IP courses...


Nice plug. Ideally I don't want to have to know stuff at this level
but I'll bear it in mind


> | Going back to the client's original requirement. Large (300mB) FTP
> | transfers would fail after 20 mins quite often. Would you put that
> | down to the ISP (major popular? using the business option) or to the
> | use of NAT, or is that the internet in general?
>
> Difficult to say - that should not happen, but I have seen broken NAT
> implementations before now that could do it. It is certainly easier to
> diagnose without NAT.


It'll be interesting to see how the transfers cope over the new
system.
--
TonyL
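The address-plan checks made in the replies above (Alex Butcher's points a and b in #2, and the private ranges Adrian lists in #8), as an added example that is not code from the thread: it classifies each host's configured address/mask against the ISP-routed block, flagging hosts whose mask swallows the neighbours' addresses and hosts numbered from space the ISP does not route to you. The /27 203.0.113.32/27 (a documentation prefix) and the host list are constructed stand-ins for the real a.b.c.d/27 and the posters' machines.

```python
"""Audit a LAN address plan against the ISP's allocated public block."""
import ipaddress

# RFC 1918 private ranges (the three ranges listed in post #8 above).
PRIVATE_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample: a /27 (mask 255.255.255.224) carved from the
# documentation prefix 203.0.113.0/24 stands in for the ISP's a.b.c.d/27.
ALLOCATION = ipaddress.ip_network("203.0.113.32/27")

# Constructed host list: (name, address/mask as configured on that host).
SAMPLE_HOSTS = [
    ("router",     "203.0.113.33/27"),  # a.b.c.(d+1) in the diagram in #2
    ("firewall",   "203.0.113.34/27"),  # a.b.c.(d+2)
    ("apple-1",    "203.0.113.35/24"),  # allocated address, mask too wide
    ("novell-nic", "201.1.1.1/24"),     # made-up 'public' address (see #8)
    ("printer",    "192.168.7.20/24"),  # private; never needs the internet
]


def classify(name, cfg, allocation=ALLOCATION):
    """Classify one host interface against the allocated block.

    Returns (name, verdict, note). Verdicts:
      private          RFC 1918 address; not routable from the internet.
      allocated        inside the block, mask no wider than the block's.
      mask-too-wide    inside the block, but the mask also covers addresses
                       the ISP routes to other customers, so the host ARPs
                       for those neighbours instead of using the router.
      spurious-public  non-private address outside the block; anything it
                       sends towards the internet is spoofed traffic.
    """
    iface = ipaddress.ip_interface(cfg)
    if any(iface.ip in net for net in PRIVATE_RANGES):
        return (name, "private", "RFC 1918; fine for hosts needing no internet access")
    if iface.ip not in allocation:
        return (name, "spurious-public", "not routed to you; packets from it are spoofed")
    if iface.network.prefixlen < allocation.prefixlen:
        return (name, "mask-too-wide",
                f"mask covers {iface.network} but you only hold {allocation}")
    return (name, "allocated", "ok")


def audit(hosts, allocation=ALLOCATION):
    """Run classify() over a list of (name, 'address/mask') pairs."""
    return [classify(name, cfg, allocation) for name, cfg in hosts]


def spare_addresses(hosts, allocation=ALLOCATION):
    """Usable addresses in the block not assigned to any listed host."""
    used = {ipaddress.ip_interface(cfg).ip for _, cfg in hosts}
    return [addr for addr in allocation.hosts() if addr not in used]


if __name__ == "__main__":
    for name, verdict, note in audit(SAMPLE_HOSTS):
        print(f"{name:<11} {verdict:<16} {note}")
    print(f"{len(spare_addresses(SAMPLE_HOSTS))} of "
          f"{ALLOCATION.num_addresses - 2} usable addresses still unassigned")
```

A host with a narrower mask inside the block (e.g. 203.0.113.40/28) is reported as allocated, which is the subnetting option Alex mentions in #2.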
  #9  
Old July 4th 03, 04:18 PM posted to uk.telecom.broadband
Uncle Wobbly

Why not simply run two networks on the same cabling... each device can have
two IP addresses (or as many as you like) on the single NIC.... run a
10.x.x.x address for your private stuff, allocate each device an address in
this range, then allocate a second public address to those devices that need
inet access - this is exactly what I do here.

Things like printers and wireless routers all have addresses in the
192.168.0.x range, and machines that need inet also have an address of
62.3.121.x... works really well, I haven't "wasted" valuable public
addresses on stuff which doesn't need them, and they are totally safe from
direct inet access coz their addresses are not routable from the inet.


"Tony Lewis" wrote in message ...
> Andrews & Arnold have allocated a number of public IPs on a subnet
> mask 255.255.255.224, and have recommended using the IPs on the LAN
> machines (i.e. no NAT).
>
> My usual experience has been to use the non-routable range of IPs, e.g.
> 192.168.x.x, and NAT on the router.
>
> There are a number of machines that do not require internet access.
> Can they be given IP numbers outside of the supplied range and use a
> standard 255.255.255.0 mask, or is it necessary to "burn up" from
> the allocated range, or is there another alternative?
>
> Many thanks
>
> --
> TonyL



  #10  
Old July 4th 03, 04:43 PM posted to uk.telecom.broadband
Tony Lewis

On Fri, 4 Jul 2003 16:18:30 +0100, "Uncle Wobbly" wrote:

> Why not simply run two networks on the same cabling... each device can have
> two IP addresses (or as many as you like) on the single NIC.... run a
> 10.x.x.x address for your private stuff, allocate each device an address in
> this range, then allocate a second public address to those devices that need
> inet access - this is exactly what I do here.
>
> Things like printers and wireless routers all have addresses in the
> 192.168.0.x range, and machines that need inet also have an address of
> 62.3.121.x... works really well, I haven't "wasted" valuable public
> addresses on stuff which doesn't need them, and they are totally safe from
> direct inet access coz their addresses are not routable from the inet.



Fine for Windows XP. I don't know if it can be done on Macs though
and not so easy on a number of Win9x machines (though I know it can be
done on Win98 by editing the registry).

Interesting thought though.


--
TonyL
 



