We need certain machines to use the statics but also be able to access the LAN at the same time. I know it's a really weird setup. We have DHCP handling the internals, but the machines that need to have the statics still need to interact with the NAT, so we have to do some routing to get all of that to work.
-----Original Message-----
From: Blind-sysadmins
[mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott
Granados
Sent: Friday, February 01, 2013 12:18 PM
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] multiple static ip and same nat
the statics wouldn't come into play. Machines talking to each other on
LAN shouldn't use the statics. Or what am I missing?
On Feb 1, 2013, at 1:16 PM, MIKE wrote:
We want the statics to freely access anything on the NAT.
-----Original Message-----
From: Blind-sysadmins
[mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott
Granados
Sent: Friday, February 01, 2013 12:12 PM
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] multiple static ip and same nat
I'm a little confused as to what you're trying to do.
If you have Apple TV and so on internally you should be able to reach
Hi Scott,
Maybe this write-up will help you a little better. I had another tech write
it up.
The setup is as follows:
Linux-based router - so it's flexible enough to do whatever configurations
are needed.
Presently two Ethernet interfaces - one serving the LAN, one connected to
the Internet. Presently using NAT routing - receive one IP on the WAN side,
and using private IPs on the LAN side.
The ISP gave me a block of static IPs in addition to a single static IP.
I'm going to use private IPs here to illustrate things but here's what we
have (remember, some of these actually are world-routable IPs):
A single static IP from ISP: 172.16.0.2, subnet mask 255.255.255.252 (/30).
Default gateway for this connection is 172.16.0.1.
A separate block of static IPs from ISP: 172.16.200.2 through 172.16.200.14,
subnet mask 255.255.255.240 (/28). Default gateway for all IPs on this
subnet is 172.16.200.1.
(Note that the above two IPs I changed to private IPs for this explanation
but on the actual server these are two separate blocks of real
world-routable IPs.)
A block of internal IP addresses for NAT machines that do not need a public
static IP: 192.168.1.1 through 1.254, subnet mask 255.255.255.0.
eth0 is my internal network (LAN) interface, and eth1 is connected directly
to the cable modem. The cable modem expects the router to handle all the
addressing and routing.
I statically assigned the single static IP to my eth1 interface and have live
Internet through the NAT. I am using iproute2's ip command, without any
extra frameworks or front ends (LFS box). I executed:
ip addr add dev eth1 172.16.0.2/30
ip route add default via 172.16.0.1
This combined with my existing rules gave me Internet access via NAT.
Now here's where it gets tricky. I want to use that second block of static
IP addresses for specific computers inside the LAN. For example, if I put up
a NAS server and want to allow access to it from outside, I want to assign
it one of the 13 static IP addresses. From the Internet, you'd then be able
to go directly to, say, 172.16.200.2 to access the NAS.
The caveat is that machines that are communicating directly to the outside
like this still need to be able to access the LAN. They need to be able to
use auto-discovery services (examples would be Apple's AirPlay system
[mDNS]). They may need to receive UDP broadcasts that apply to both NATted
LAN computers and computers with a static address.
My original idea was to bridge the two connections on the Linux box, and
then manually assign static IPs. The problem with this is that it doesn't
allow me to continue to run the NAT routing in Linux as well, as far as I
know. Once I create a bridge interface, I'd assume I can't still use the
non-bridged interfaces to perform the NAT on the same network.
Another idea was to use bridging, but then attach a separate NAT hardware
router (say a cheap WiFi box) to the network and assign it one of the static
IPs. This would work except it would have the effect of isolating the WAN
and the LAN sides of the network, so computers that have static IP addresses
wouldn't be able to access those behind the NAT.
Basically the problem is that I'd need to somehow split the subnet for the
block of IPs across two interfaces. 172.16.200.1, the gateway, is connected
to eth1, but all the client machines would be connected to eth0. This
obviously creates a confusing situation in the router as it has two
interfaces that both appear to belong to the same subnet.
I would also want this all routed through the box for policy purposes. If I
were to, say, use the bridge method, anyone who knew the IP address scheme
could just "give" themselves a public IP address by statically assigning it.
Using the Linux box as a router would enable me to, say via scripts, only
allow routing through the box, even if from one of the static IPs, if
someone's authenticated first. Also, I'd want to be able to use iptables to
enforce firewalling for the static IPs at the Linux router, rather than
having to manually deal with firewalls on each computer. Say for example
172.16.200.5 is a Web server, and it only needs port 80 open. Rather than
having to configure and maintain a firewall on that box, I'd want the router
itself to be able to say "traffic coming into 172.16.200.5 from the Internet
must be for port 80."
So, to summarize: I want to be able to do all of the things I can
currently do with NAT routing, i.e. control access to the Internet per IP
address and port and so on, but I want to be able to do it using the static
IP addresses.
Using a static NAT route would work except for one caveat - the server
machines inside the LAN would still have private IP addresses, even though
on the public side they have publicly accessible addresses. This can cause
lots of problems for applications like FTP/SIP/etc. where the server expects
to have the actual IP address that is used to connect to it. Or there may
even be licensing situations where a server is licensed based on the IP
address it has.
I hope this makes some sense as there's a lot going on and a lot that I
would like to be able to accomplish.
Remember, 172.16.1 and 172.16.200 are being used here to illustrate the
problem, but on my actual setup, both of these subnets are actual
world-routable IP addresses, not private addresses.
-----Original Message-----
From: Blind-sysadmins
[mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Scott
Granados
Sent: Friday, February 01, 2013 12:30 PM
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] multiple static ip and same nat
Sounds overly complicated.
Depending on your router, just do a source NAT for the whole internal subnet
on the outgoing direction and then do specific destination NATs for the
inbound pointing at each machine you need.
something like
set routing source-nat source-nat-rules outgoing source 0.0.0.0 (or
192.168.x.x) destination 208.28.165.177
etc
then
set source-nat destination-nat rule incoming-http from any to 208.28.185.177
on port 80
yada yada
I don't think you need to get involved in any further routing.
On Feb 1, 2013, at 1:21 PM, MIKE
over the LAN, and the static IP wouldn't play into it.
Give me a better idea of what you want to do and what kind of hardware?
Thanks, Scott
On Feb 1, 2013, at 1:10 PM, MIKE
wrote: Hi,
I have 14 static IPs. I am setting certain systems up with static IPs but have things like Apple TVs etc. on the NAT, and I need to be able to have all the statics see them using Linux. Any ideas?
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
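As an added example (not code from anyone in the thread), this is the shape Scott's suggestion would take in iptables on Mike's Linux router: one source NAT for the ordinary LAN hosts, a 1:1 mapping for each host that gets one of the block's static IPs, and a default-deny forward policy so that, as Mike asks, 172.16.200.5 only ever sees port 80 from the Internet. The addresses are the illustrative ones from the write-up; the internal hosts 192.168.1.10 and 192.168.1.20 and the port list are assumptions.

```shell
#!/bin/sh
# Added example for the router in Mike's write-up. Prints the rules by default;
# "apply" installs them (root). The /28 addresses must also be bound on eth1 with
# "ip addr add", as the write-up does for 172.16.0.2, so the router answers for them.
WAN_IF=eth1
LAN_IF=eth0
LAN_NET=192.168.1.0/24
WAN_IP=172.16.0.2

# "public internal allowed-tcp-ports": internal hosts and ports are assumptions.
MAPPINGS='172.16.200.2 192.168.1.10 445
172.16.200.5 192.168.1.20 80'

build_rules() {
    # Default deny across the router; replies to allowed flows come back via conntrack.
    echo "-P FORWARD DROP"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $LAN_IF -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    # Ordinary LAN hosts share the single WAN address on the way out.
    echo "-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP"
    echo "$MAPPINGS" | while read -r pub int ports; do
        # 1:1 mapping: anything arriving for the public IP is handed to the internal host,
        echo "-t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $int"
        # and that host leaves as its own public IP; -I puts this ahead of the shared SNAT.
        echo "-t nat -I POSTROUTING -o $WAN_IF -s $int -j SNAT --to-source $pub"
        # Only the listed ports may reach the mapped host from the Internet.
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $int -p tcp -m multiport --dports $ports -j ACCEPT"
    done
}

apply_rules() {
    build_rules | while read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule
    done
}

if [ "${1:-print}" = "apply" ]; then apply_rules; else build_rules; fi
```

With the FORWARD policy at DROP and only 192.168.1.0/24 allowed out, a LAN host that statically assigns itself an address from the /28 gets nothing through the router, which covers the self-assignment concern in the write-up. What this does not change is the one-to-one NAT caveat Mike raises: the mapped servers still carry private addresses internally.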