A Broadband and ADSL forum. BroadbanterBanter


Any advantage in using private ranges other than 192.168.x.x in NAT router?

#41
February 14th 19, 10:07 PM, posted to uk.telecom.broadband
Vir Campestris

On 14/02/2019 00:11, Theo wrote:
Optimist wrote:
Why were 172.16.x.x and 192.168.x.x allocated as private ranges? Surely every routable IP address
can just use 10.x.x.x anyway?


10.0.0.0/8 is 2^24 addresses, or just over 16 million. That's not enough to
go round, even within a single company. Comcast has 22.3 million
subscribers. Even with the additional 1.06 million from the other two ranges,
they say they exhausted RFC1918 private addresses - in 2005.

Amazon have several subnets running inside the company. One of them is
routable to the other subnets, and is allocated for things that need to
be generally visible - but mostly, Engineering addresses are only
visible inside Engineering, etc.

Andy
#42
February 16th 19, 03:45 PM, posted to uk.telecom.broadband
Theo[_2_]

NY wrote:
"Theo" wrote in message
...
10.0.0.0/8 is 2^24 addresses, or just over 16 million. That's not enough to
go round, even within a single company. Comcast has 22.3 million
subscribers. Even with the additional 1.06 million from the other two ranges,
they say they exhausted RFC1918 private addresses - in 2005.


Er, hang on. 10.0.x.x and 192.168.x.x are *non-routable* addresses, to be
used on the private LAN side of a router. So you only need as many addresses
as you have devices in your LAN (eg within an office block served by a
single router). That's totally separate from running out of IPv4 routable
addresses as used on the public WAN side of a router.


A company like Comcast has a substantial internal network. In this
particular case:

Every cable modem has an internal (to Comcast) IP address for its management
interface
Every TV STB has an internal IP address for receiving TV, and probably
another one for management
Network infrastructure (headends, routers, etc) have internal IP addresses

With 22m subscribers, each needing 1-3 private IPs, you can see how the
RFC1918 space is easily exhausted.

On top of that is overlaid the public IP network that customers see.
They don't generally see internal IPs except possibly in packet traceroutes.
(on Virgin Media my traceroutes used to go through a few hops of 10.x.x.x
before emerging on the publicly routable internet)

Comcast could, of course, segment the network into multiple overlaid 1918
spaces, but that gets awkward. For example, you see a 10.x.x.x IP in a
logfile - to which instance of that IP does it refer? It was a lot easier
to just go IPv6 at this point.

I never understood why IPv6 was designed the way it was. Yes, increase the
address to 6 rather than 4 bytes to give more WAN addresses, but why did
they then go and spoil things by getting rid of WAN-to-LAN
address-translation (NAT). If all traffic on the LAN becomes public, it
means that the onus for firewalling is devolved to every single device,
instead of being performed by the router. I would have expected IPv6 to
still use NAT and IPv4 addresses within the LAN, even though the router's
WAN address is IPv6.


As has been stated, the router does the firewalling. It can be more
efficient because it doesn't have to keep track of connection state as
needed by NAT.

Is there any advantage in having a server computer generate DHCP addresses
rather than letting a router do it, given the big problem if more than one
of those servers gets on the same LAN by accident?


In the enterprise, often routers don't do DHCP. For example Active
Directory servers handle DHCP, DNS, provisioning of machine config, user
logins, updating software, etc.

It is not a given that your big Cisco router (that handles a gazillion
packets per second) is the best place to run your local DHCP.

Theo
#43
February 16th 19, 04:01 PM, posted to uk.telecom.broadband
Theo[_2_]

Richard Tobin wrote:
The NAT table effectively acts as a simple firewall in that it rejects
packets not part of a connection it knows about. If you're not doing
NAT you don't have *that* table. If you still want to reject
unsolicited packets you have to maintain a table with much the same
function, and you might as well call it a firewall and give it
firewall features.


Technically, you need both the NAT function and the firewall. If a packet
comes in the WAN port that claims to be to an IP of the LAN side, the NAT
function of itself won't block it. According to the routing rules, that
doesn't need any translation and so it should be forwarded to the LAN.

It's only because there's a firewall rule that says 'drop all packets to
RFC1918 addresses received on the WAN port' that prevents incoming packets
like this having an effect.

(and your ISP may also choose not to send you such packets, but you
shouldn't have to trust them in this)

Theo
#44
February 16th 19, 04:45 PM, posted to uk.telecom.broadband
Richard Tobin

In article ,
Theo wrote:

Technically, you need both the NAT function and the firewall. If a packet
comes in the WAN port that claims to be to an IP of the LAN side, the NAT
function of itself won't block it. According to the routing rules, that
doesn't need any translation and so it should be forwarded to the LAN.

It's only because there's a firewall rule that says 'drop all packets to
RFC1918 addresses received on the WAN port' that prevents incoming packets
like this having an effect.

(and your ISP may also choose not to send you such packets, but you
shouldn't have to trust them in this)


"may also choose not to send you such packets"?

What possible reason could they have for sending such a packet to
*you*? Why would they think your external IP address was a route to
an RFC1918 address?

But yes, your router should discard such packets anyway.

-- Richa
#45
February 16th 19, 05:11 PM, posted to uk.telecom.broadband
Theo[_2_]

Richard Tobin wrote:
"may also choose not to send you such packets"?

What possible reason could they have for sending such a packet to
*you*? Why would they think your external IP address was a route to
an RFC1918 address?


- because they're not your friend (malice)
- because they're an idiot (stupidity)
- because some other customer on your shared bit of infrastructure is
emitting such packets and they haven't filtered them (incompetence)
- because the private IPs the ISP uses for managing their network happen to
overlap with the private IPs you use for yours

But yes, your router should discard such packets anyway.


Better not to trust things you don't control.

Theo
#46
February 16th 19, 08:04 PM, posted to uk.telecom.broadband
Andrew Benham

On Thu, 14 Feb 2019 15:00:00 +0000, Andy Street wrote:

On Thu, 14 Feb 2019 13:58:19 +0000
Paul Welsh wrote:

So the point I'm not understanding is how the simpler, but
functionally equivalent, IPv6 solution introduces the need for a
firewall as opposed to an IPv4 NAT solution which didn't.


Let's say that an IPv4 NAT device receives an incoming request from the
WAN to connect to a webserver on the LAN. Since any of the internal IP
addresses could potentially be a webserver the NAT does not know which
LAN IP address to use to rewrite the packet and will therefore discard
it. You can get around this problem by telling the NAT to forward all
incoming connections (often on a port-by-port basis) to a particular
LAN IP address.

By implementing a policy of blocking incoming connections by default and
allowing the user to set exceptions the NAT is acting as a kind of
rudimentary firewall. For a lot of simple IPv4 NATted networks an
additional firewall is not required.

Since IPv6 is (usually) publicly addressable there is no ambiguity
regarding destination of the packet and no need for a NAT. It is
therefore necessary to have a firewall to restrict incoming connections
from the WAN from entering the LAN.


I guess if you wanted to you could use NAT with IPv6. My Ubuntu box has
an ip6tables binary which supports the 'nat' table - although the modem/router
has an ip6tables binary which doesn't have the 'nat' table built in.
Then you could allocate fd00: addresses on your network and NAT away.
You might also need to come up with new solutions for NAT problems, like
IPv6 STUN servers...

I'm saying it looks possible, I'm not saying it's a good idea.
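The forwarding logic argued over in posts #43 and #46 (the NAT discards inbound packets it has no mapping for, port forwards are user-configured exceptions, and a packet arriving on the WAN port already addressed to a LAN RFC1918 address is stopped only by a separate firewall rule) as an added Python model. This is illustration written for this page, not code from any poster; the router class, the verdict strings and the addresses (203.0.113.7 as the WAN address, 192.168.1.0/24 as the LAN, 198.51.100.10 as a remote host) are all constructed.

```python
"""Model of an IPv4 NAT router's forwarding decision.

Added illustration for this thread, not code from any poster; the addresses
and ports are constructed. It separates three mechanisms the thread keeps
apart: the NAT translation table (built by outbound flows), the user's
port-forward exceptions, and the firewall rule 'drop packets addressed to
RFC1918 space that arrive on the WAN port'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

# The three RFC1918 ranges: 2^24 + 2^20 + 2^16 addresses in total.
RFC1918 = (IPv4Network("10.0.0.0/8"),
           IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16"))


def is_rfc1918(addr: str) -> bool:
    ip = IPv4Address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, wan_ip: str, lan_net: str, rfc1918_filter: bool = True):
        self.wan_ip = wan_ip
        self.lan_net = IPv4Network(lan_net)
        self.rfc1918_filter = rfc1918_filter
        # Dynamic NAT table: public port -> (LAN address, LAN port).
        self.table: Dict[int, Tuple[str, int]] = {}
        # Static exceptions the user configured: public port -> (LAN address, LAN port).
        self.forwards: Dict[int, Tuple[str, int]] = {}
        self._next_port = 40000

    def add_forward(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[public_port] = (lan_ip, lan_port)

    def from_lan(self, pkt: Packet) -> Packet:
        """Outbound: record the flow in the NAT table and rewrite the source."""
        for pub, endpoint in self.table.items():
            if endpoint == (pkt.src, pkt.sport):
                return Packet(self.wan_ip, pub, pkt.dst, pkt.dport)
        pub, self._next_port = self._next_port, self._next_port + 1
        self.table[pub] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, pub, pkt.dst, pkt.dport)

    def from_wan(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Inbound: return (verdict, packet handed to the LAN or None)."""
        if is_rfc1918(pkt.dst):
            # NAT has nothing to translate here; only the firewall rule stops it.
            if self.rfc1918_filter:
                return ("drop:firewall-rfc1918", None)
            if IPv4Address(pkt.dst) in self.lan_net:
                return ("forward:untranslated", pkt)   # plain routing would deliver it
            return ("drop:no-route", None)
        if pkt.dst != self.wan_ip:
            return ("drop:not-for-us", None)
        if pkt.dport in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dport]
            return ("forward:port-forward", Packet(pkt.src, pkt.sport, lan_ip, lan_port))
        if pkt.dport in self.table:
            lan_ip, lan_port = self.table[pkt.dport]
            return ("forward:translated", Packet(pkt.src, pkt.sport, lan_ip, lan_port))
        # No mapping: the NAT cannot know which LAN host is meant, so it discards.
        return ("drop:no-mapping", None)


if __name__ == "__main__":
    r = NatRouter("203.0.113.7", "192.168.1.0/24")
    r.from_lan(Packet("192.168.1.20", 51000, "198.51.100.10", 443))
    for p in (Packet("198.51.100.10", 443, "203.0.113.7", 40000),   # reply to our flow
              Packet("198.51.100.10", 9999, "203.0.113.7", 80),     # unsolicited
              Packet("198.51.100.10", 9999, "192.168.1.20", 22)):   # addressed to LAN
        print(p.dst, p.dport, "->", r.from_wan(p)[0])
```

Running the model with `rfc1918_filter=False` shows Theo's point from post #43: the packet addressed to 192.168.1.20 needs no translation, so the NAT table never sees it and routing alone would hand it to the LAN host; the drop comes from the firewall rule, not from NAT.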
#47
February 17th 19, 12:21 AM, posted to uk.telecom.broadband
Theo[_2_]

Andrew Benham wrote:
I guess if you wanted to you could use NAT with IPv6. My Ubuntu box has
an ip6tables binary which supports the 'nat' table - although the modem/router
has an ip6tables binary which doesn't have the 'nat' table built in.
Then you could allocate fd00: addresses on your network and NAT away.
You might also need to come up with new solutions for NAT problems, like
IPv6 STUN servers...

I'm saying it looks possible, I'm not saying it's a good idea.


It's actually quite sensible. For example, you need to have stable local
addressing, rather than the prefix handed to you by your ISP which could
change on their whim. Or you have multiple outbound routes and want
failover across them. In these cases you don't want to be dependent on the
prefix your ISP delegates.

The difference against v4 is it's stateless NAT. You simply take
fd00:q::xyz
and rewrite the prefix to make it a public IP:
aa:bb:cc::xyz
On the inbound you just do the reverse.
(obviously also applying firewall rules each way)

That's trivial for the router to do, so there's minimal performance hit.
Your machines are still globally routable, if you want them to be.

Theo
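The stateless prefix rewrite described in the post above (keep the host part, swap fd00-style ULA prefix for the public prefix outbound, reverse it inbound) as an added Python example. It is illustration written for this page, not code from Theo or from any router; the ULA prefix fd12:3456:789a::/48 and the documentation prefix 2001:db8:abcd::/48 standing in for an ISP-delegated prefix are constructed, and the PrefixTranslator class is hypothetical.

```python
"""Stateless IPv6 prefix translation, as sketched in the post above.

Added illustration, not code from the thread; the ULA prefix fd12:3456:789a::/48
and the documentation prefix 2001:db8:abcd::/48 (standing in for an ISP-delegated
prefix) are constructed. There is no translation table: the host part of the
address is kept and only the prefix is swapped, in either direction.
"""
from ipaddress import IPv6Address, IPv6Network


class PrefixTranslator:
    def __init__(self, internal: str, external: str):
        self.internal = IPv6Network(internal)
        self.external = IPv6Network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("internal and external prefixes must be the same length")
        # Mask selecting the host bits that survive the rewrite untouched.
        self.host_mask = (1 << (128 - self.internal.prefixlen)) - 1

    def _swap(self, addr: str, src: IPv6Network, dst: IPv6Network) -> str:
        ip = IPv6Address(addr)
        if ip not in src:
            # Not inside the prefix we translate: refuse rather than guess.
            raise ValueError(f"{addr} is not inside {src}")
        host_bits = int(ip) & self.host_mask
        return str(IPv6Address(int(dst.network_address) | host_bits))

    def outbound(self, addr: str) -> str:
        """LAN -> WAN: rewrite the ULA prefix to the public prefix."""
        return self._swap(addr, self.internal, self.external)

    def inbound(self, addr: str) -> str:
        """WAN -> LAN: the reverse, so the LAN host keeps its stable address."""
        return self._swap(addr, self.external, self.internal)

    def with_new_external(self, external: str) -> "PrefixTranslator":
        """The ISP handed out a different prefix: only the external side changes."""
        return PrefixTranslator(str(self.internal), external)


if __name__ == "__main__":
    t = PrefixTranslator("fd12:3456:789a::/48", "2001:db8:abcd::/48")
    public = t.outbound("fd12:3456:789a:1::1a2b")
    print("outbound:", public)
    print("inbound: ", t.inbound(public))
    # Prefix change on the ISP's side: internal addresses are unaffected.
    t2 = t.with_new_external("2001:db8:1234::/48")
    print("after renumbering:", t2.outbound("fd12:3456:789a:1::1a2b"))
```

The translator keeps no per-flow state, which is why the rewrite is cheap for the router; the firewall rules Theo mentions still have to be applied separately on each side. The standardised form of this idea, NPTv6 (RFC 6296), additionally adjusts one 16-bit word of the address so that transport checksums remain valid after the rewrite; this example omits that step.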