Gentoo Forums
Global IPs and Routers [solved]
Gentoo Forums Forum Index Networking & Security
newtonian
Guru
Joined: 19 Jan 2005
Posts: 465
Location: Hokkaido Japan
PostPosted: Thu Sep 01, 2005 6:33 am    Post subject: Global IPs and Routers [solved]

Hi-

I've got an 8 IP address block from my ISP. I want to use
3 IPs for one HTTPS (SSL) box,
1 IP for an HTTP web box,
and 1 IP for a mail server box.

I also want to break my office into 2 subnets, one that allows inbound and outbound traffic and
one that only allows outbound for my client machine subnet. I plan to distribute IPs on the client subnet via DHCP.

I've never used more than 1 global IP before and I'm not sure what kind of router I need.

Should I go with:



Any advice appreciated.

Cheers,


Last edited by newtonian on Fri Dec 09, 2005 12:56 pm; edited 1 time in total
HogRider
Apprentice
Joined: 29 May 2002
Posts: 160
PostPosted: Mon Sep 05, 2005 1:53 pm    Post subject:

Good Morning,

Like all great questions in the universe, it depends...

Are you familiar (competent) with Cisco IOS/PIX?
Are you comfortable with the linux command line interface?

Why the different internal subnets?

Having multiple public IP addresses isn't that different from having a single one; it's just more flexible.

BTW, are these three boxes external, or are you NATing them to internal boxes?
_________________
Mike

"Computers are like air conditioners, they stop working properly if you open Windows"
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
newtonian
Guru
Joined: 19 Jan 2005
Posts: 465
Location: Hokkaido Japan
PostPosted: Mon Sep 05, 2005 4:03 pm    Post subject: Routing multiple ip addresses

HogRider wrote:

Are you familiar (competent) with Cisco IOS/PIX?

I've read about it and know what it is, but I have never used it before.
So, no, I'm not familiar with IOS/PIX. But I could learn. Do you think
IOS/PIX is easier or more difficult than iptables for learning basic routing?

HogRider wrote:

Are you comfortable with the linux command line interface?

Yes, if I spent enough time with iptables I think I could get the hang of
it. But it will take some time.

HogRider wrote:

Why the different internal subnets?

Security. I'd like to stop access from the Internet to my office client computers, yet I'd
like to allow access from the Internet to my mail and web servers. I feel safer knowing
that my Samba file server isn't on a subnet that is directly accessible from the Internet.
It also makes me feel better knowing that my client LAN isn't accessible from the web or
mail server in the event they get hacked into.

I'm sure I could figure out (at some point in time) how to block access to and from computers
if they were all on the same subnet, but 2 different subnets feels like a cleaner solution.

HogRider wrote:

Having multiple public ip addresses isn't that different from having a single, it's just more flexible.

All of my 3 servers and 15 clients are using 1 global IP right now. Everything is
working OK. The problem is that I need the extra IPs to be able to use multiple web SSL
certificates. Being able to have 2 web servers both accepting traffic on port 80 will be nice too.

Some web hosting clients want to do telnet, FTP and other protocols that send passwords around in clear text.
I'd like to put those web hosting clients on their own machine. I'd like to run a different machine that is more secure
for my web apps. My web apps sometimes handle sensitive customer data. I'd like to make this machine
accessible only through SSH and HTTPS.

HogRider wrote:

BTW, are these three boxes external, or are you nat'ing them to internal boxes?

The three server boxes are connected to a NIC called "orange" on a Linux box. The 15 clients
are connected to the same Linux box via a NIC called "green". The Linux box is connected to
a fiber modem (for lack of a better term) via a NIC called "red". Currently all traffic comes
through on 1 IP and is NATed to all of the machines.

Currently, I'm using Smoothwall, an open source firewall, to do all of this. It has served me well
with 1 IP, but I'm having a hard time getting it to work with multiple IPs. There is a module available
for multiple IPs but I haven't been successful with it. So I'm thinking about dropping Smoothwall and
going with a Gentoo solution, because Gentoo is best :wink:, or maybe going with a Cisco router
because people have told me they are a good option if you have more than 10 computers.

But I don't have the necessary knowledge to make a good decision, so here I am.
newtonian
Guru
Joined: 19 Jan 2005
Posts: 465
Location: Hokkaido Japan
PostPosted: Fri Dec 09, 2005 12:55 pm    Post subject: Re: Global IPs and Routers

newtonian wrote:
Hi-

I've got an 8 ip address block from my ISP.
I've never used more than 1 global ip before and I'm not sure what kind of router I need.

Should I go with :



Here's what I did. In Japan, the trick to handling multiple IPs with a router is to buy a
router with IP Unnumbered functionality. You then connect a computer to your
router and add an IP address from your new block to /etc/init.d/net.

These computers will be directly connected to the net, so make sure you have some
good firewall rules in iptables before you connect.


Cheers,
Martz
n00b
Joined: 04 Mar 2004
Posts: 72
PostPosted: Tue Dec 13, 2005 11:23 pm    Post subject:

OK, you have some options - but here is what I think. First some "gotchas"

Note: This is all based upon my experience with ADSL in the UK.

8 IP Addresses

From your 8 IP addresses you will have 5 usable that you can assign to servers/machines etc. This is because you need to use 2 for broadcast, and another one for the router on the LAN side.

You should have 8 IPs + 1 other static IP in a different range.
Say you are given a /29 IP address block; you will have (or something similar):

62.5.201.1
62.5.201.2
62.5.201.3
62.5.201.4
62.5.201.5
62.5.201.6
62.5.201.7
62.5.201.8

Your other static IP address will be something like:
213.232.94.122

[X] = the static IP from above (213.232.94.122)
[Y] = the second IP from the /29 block 62.5.201.2

[Internet]----[X][ROUTER][Y]----[HUB]---*

This leaves 5 addresses left from your 8 IP block.

You need the other public address so that your ISP can route the traffic for your /29 block to somewhere. It can't be to itself; it always needs a next hop from the ISP end.

Router
Now what you can do is use a Gentoo machine plugged into your [HUB] as shown above, with another IP from your /29 block (62.5.201.3) on one interface. On another NIC you assign it an IP address within your LAN range and plug it into your LAN switch. You could even use something like Smoothwall to easily set up NAT to share the Internet connection on your LAN if you don't want to use a Gentoo machine.

You can add other machines this way to put them straight onto the Internet with a public IP address. Or you can multi-home your Gentoo machine.

The only reason you might need to buy a Cisco (or other) router would be if you need managed switch ports to create a VLAN. This will let you create scalable virtual LANs on a single managed switch, and prevent clients/servers/machines etc. from talking to each other.

Webservers
I'd recommend you only use 1 IP address for it though; using a total of 4 for HTTPS x 3 + 1 HTTP is a waste in my opinion. If you do need unique IP addresses for the SSL certificates then I would say just use 3 and share one of them with HTTP, because it won't make any difference to the SSL usage.

DMZ

Take a look at Linux firewall packages like Smoothwall which have something called a DMZ, or de-militarized zone. Basically it's a separate network which is separated by putting in a 3rd (or Nth) network card and setting up a different IP subnet. The basic rules allow for traffic to flow from the LAN to the DMZ but not the other way. This means you can put webservers or other public things on the net, and if they are compromised the attacker doesn't have access to your local LAN, clients, computers etc. Computers on your LAN can access them fine, as if they are on the same physical network.

If you use the router in this way, you are less likely to need to create a DMZ. Once a DMZ machine is compromised all machines in the DMZ are vulnerable to an "inside" attack potentially launched from a compromised machine of yours.

Conclusion

Only you will know what is truly best; this is what network designers are for! ;) If you think you will continue to scale upwards, then I would say invest in a Cisco switch now, since for hosting (especially dedicated servers) separate VLANs for your clients or groups can be very important, and stop unwanted traffic and attackers/exploits from spreading around your network. It's also good for traffic accounting since you can usually graph bandwidth usage on the switch via SNMP, and not on the server itself.

For the moment I would recommend a Cisco 870 series router, which is designed for small/SOHO networks and would do everything you need if required. Cisco IOS is hard to pick up though, so unless you have good friends you can call on when you are stuck to answer questions then I would be careful. The web admin doesn't cover much more than the basics from what I have seen of the Cisco 830 series.

Waffling on a bit now.. I've written more than you....

Hope it's of some use.. and I welcome corrections/amendments/rebuttals from anyone else.
Martz
n00b
Joined: 04 Mar 2004
Posts: 72
PostPosted: Tue Dec 13, 2005 11:29 pm    Post subject:

Never mind, it's solved!

I still love wasting my time on the Gentoo forums though.. *sigh* :oops:
newtonian
Guru
Joined: 19 Jan 2005
Posts: 465
Location: Hokkaido Japan
PostPosted: Wed Dec 14, 2005 6:24 am    Post subject: Thanks for the info

Martz wrote:
Never mind, it's solved!

I still love wasting my time on the Gentoo forums though.. *sigh* :oops:


Thanks for the info. I had only answered about 10% of what I wanted to know.
I think you answered the remaining 90%. :D

Your answer is much appreciated.

Cheers,
Suicidal
l33t
Joined: 30 Jul 2003
Posts: 959
Location: /dev/null
PostPosted: Wed Dec 14, 2005 8:05 am    Post subject:

Ummm,

I have never seen an ISP issue a non-usable IP, i.e. broadcast or network IDs, at least not on DSL circuits.

As far as the global IP(s), you could get around with 1 global IP using NAT or PAT as long as you don't need to use the same port 2 times. If you need that then you will need an additional IP.

For example: (yes, I know these are both non-routable)
10.0.0.1:25 >> E-MAIL BOX (192.168.1.1)
10.0.0.1:80 >> WEB BOX (192.168.1.2)
10.0.0.1:443 >> WEB BOX (192.168.1.3)
10.0.0.1:53 >> DNS BOX (192.168.1.4)

As far as exposing subnets, you could set it up that way; the general rule of thumb is that you only
expose what ports need to be exposed to get the job done.

You could set up servers on one VLAN and clients on another; this is the general rule of
thumb on enterprise networks and more secure, though it is also generally more expensive.
For example, on my network I have a server, printer, switch, router, management & voice VLAN.

As far as equipment, I would say that depends on where you are going with your hosting environment; Cisco is nice and easy for most nix users to pick up, although it is probably close to the most expensive out there. I would suggest Cisco if you really plan to scale to a larger network and want a good building block; a Cisco 2811 series would be a good start.

Otherwise I would say an iptables box or Linksys, or a lower-end Cisco SOHO type of device,
iptables being the cheapest but also the least user-friendly if you are not a seasoned user of it.
newtonian
Guru
Joined: 19 Jan 2005
Posts: 465
Location: Hokkaido Japan
PostPosted: Wed Dec 14, 2005 8:39 am    Post subject: name based hosting with SSL certs

Suicidal wrote:
Ummm,
As far as the global IP(s), you could get around with 1 global IP using NAT or PAT as long as you don't need to use the same port 2 times.


Thanks for the input. I don't have much experience with SSL certs, but don't you need a different IP for each cert?
I've got five clients that all want their own SSL certificates. I thought that because the request was
encrypted you weren't able to use name-based hosting with SSL certs. So I assumed that you need separate IPs
for each domain with its individual SSL cert. That is the main reason why I moved from 1 global IP to 8 global IPs.


Cheers,
newtonian
Guru
Joined: 19 Jan 2005
Posts: 465
Location: Hokkaido Japan
PostPosted: Wed Dec 14, 2005 9:01 am    Post subject: I have never seen an ISP issue a non-usable IP

Suicidal wrote:
Ummm,
I have never seen an ISP issue a non-usable IP, i.e. broadcast or network IDs, at least not on DSL circuits.


This link is in Japanese, so I'm assuming it is worthless to you but I'll translate:

http://www.interlink.or.jp/service/flets/bip/naiyo.html
Quote:

8 IPs: 8 global IP addresses in Interlink's name (5 usable IP addresses)
16 IPs: 16 global IP addresses in Interlink's name (13 usable IP addresses)
32 IPs: 32 global IP addresses in Interlink's name (29 usable IP addresses)


Quote:

IP8 Interlink Global IP address 8 (Usable IP addresses 5)
IP16 Interlink Global IP address 8 (Usable IP addresses 13)
IP32 Interlink Global IP address 8 (Usable IP addresses 29)


So what they are saying is that you lose 1 IP to the external router interface, 1 IP to the
internal router interface and 1 to the broadcast address. For me, my router has IP unnumbered
functionality, so my external router IP is linked to my internal router IP. So I save 1 IP.
So if I get the 8 IP plan I can use a total of 6 IP addresses.

That's the way they do it in Japan anyway. The US might do it differently.

Cheers,
mudrii
l33t
Joined: 26 Jun 2003
Posts: 789
Location: Singapore
PostPosted: Thu Mar 09, 2006 3:37 am    Post subject:

You lose 3 IPs from 8.
Meaning: 1 for ppp0 and eth will use 1 IP, not 2; second, you have the network address and broadcast address, which is 2 IPs gone, so you can use only 5.
_________________
www.gentoo.ro
newtonian
Guru
Joined: 19 Jan 2005
Posts: 465
Location: Hokkaido Japan
PostPosted: Thu Mar 09, 2006 6:28 am    Post subject: only 5

mudrii wrote:
You lose 3 IPs from 8.
Meaning: 1 for ppp0 and eth will use 1 IP, not 2; second, you have the network address and broadcast address, which is 2 IPs gone, so you can use only 5.


Yes, this is true if you use a Linux box for your router.
But if you buy a router with "ip unnumbered" then ppp0 and eth0 share the same IP address.
This way you can use 6 IPs instead of 5.

Here's an ip unnumbered FAQ: http://www.apnic.net/info/faq/ip_unnumb.html
It talks about how you can save 1 IP address. It would be nice if Linux boxes set up as routers had this
function too.

Cheers,