Networking :: I.P Addressing For Simple Screened Subnet Architecture?
Jan 8, 2011
I'm wanting to set up a network that has a simple screened subnet architecture. The border router will have a switch plugged into it. My servers will be plugged into this switch. Also plugged into this switch will be a dedicated firewall. This firewall will protect the internal network. The border router is not very flexible. You can have hosts that use DHCP but that get the same internal IP address each time their interface is configured. Or you can configure static IPs on hosts that are outside the DHCP range of the router, but that have the same subnet address.
The most simple way to set up such a network would be for every interface to have a static internal address that is obtained via DHCP from the border router. Like I said, the border router doesn't give you much freedom. Meaning that it lets you have a static internal address but not a different network address for different interfaces. That is where the confusion is, for me. If all the interfaces that get their IP addresses from the border router are on the same network, then what about the systems on the internal network? They might as well get their IPs from the border router as well, to avoid NAT being done twice before their packets get sent out to the Internet? I wanted a three-interface firewall to separate the DMZ from the internal network, instead of using a screened subnet architecture, but the border router only allowed one interface to be in the DMZ, I think, and it didn't seem to have a well designed way of controlling the DMZ, i.e. setting a new default gateway etc.
Should I let NAT be done twice for packets from the internal network, i.e. have the dedicated firewall do DHCP and NAT for the internal network, but this firewall's external interface have a static internal IP from the border router, and the internal IP of the dedicated firewall have a static internal IP from the router as well? It looks like all the interfaces have to have the same network and subnet address, except the machines on the internal network (which can get their IP from the dedicated firewall).
I have two L3 router switches (say switch1 and switch2). I created VLAN100 with VLAN ID 100 in both switches. I created router 192.168.1.1/24 in Switch1. I created router 192.168.2.1/24 in Switch2. Switch1 is connected to 1.x/24 PCs. The PCs are configured with 1.1 as gateway. Switch2 is connected to 2.x/24 PCs. The PCs are configured with 2.1 as gateway. Switch1 and Switch2 are connected by a trunk to carry VLAN100 data.
1) I have a few PCs of 1.x connected to, say, Switch1. Is it possible for the PC with IP 192.168.1.100 (x) to ping the PC with IP 192.168.2.100 (y)? What configuration is required in both switches to make them communicate? All the devices in both subnets should ping/communicate with each other.
2) Move PC (192.168.1.100) to Switch2. Move PC (192.168.2.100) to Switch1. What will happen when PC (1.100) pings (2.100) and vice versa? What will happen when PC (say 1.80 in Switch1) pings PC (say 1.100 in Switch2) and vice versa? What will happen when PC (say 1.80 in Switch1) pings PC (say 2.100 in Switch1) and vice versa?
I installed Red Hat Enterprise Linux Server 5. It has two LAN cards and two subnets connected to these two LAN cards. I can browse the network from these two networks easily. But I created a VLAN on one network card. Now I can't browse the network from this VLAN subnet.
It's more just straight networking rather than Linux related - possibly a rather large gap in my knowledge. I've been asked to set up a Linux firewall / router for a friend, and he wants an external address on his PC and his firewall. He's got a /30... the ISP seems to think this is normal. My understanding was that different router interfaces should be in different subnets when it comes to addressing, e.g.:
WAN 1.1.1.1
LAN 192.168.1.1/24 (then PC 192.168.1.2)
This is how I'd set up an enterprise router, and from memory how I had to regurgitate networking for my Cisco exams. But those would have been large devices within a BGP environment; how does this compare to home use? Can you have interfaces on the same router within the same subnet? I'm looking for the real world answer - not my CCNA answer or the config addressing scheme I just blindly followed... Is this right, or can different interfaces be in the same subnet? If they can be in different subnets, how would you do that with an external 1.1.1.1/30? e.g.
WAN 1.1.1.1
LAN (what IP?) then PC 1.1.1.2
Would you actually just set the router up as a /29 and then use the additional IP addresses for the LAN NIC on the router? (Yes, I'm aware you couldn't route to where it had actually been allocated.)
Then with that, how do I route the 1.1.1.1/30? Which interface do I point it at? Even with a /29 I'd still have a routing issue, right? Or are the ISP expecting you to do something with NAT / port forwarding? (And yes, I could do this to get it working - but I want to understand it better.) I'm asking the question here because, rather than just wanting a magic file to get things working, I'd actually rather understand the principles than just press a button and have it work.
I'm having some trouble addressing computers by name. I've just upgraded most of my boxes to Lucid, and it was all working fine, but suddenly stopped - not quite sure why, or what I did, but I need it to come back! At first I thought it was my old router dying (which it was), but a new router hasn't helped.
I've now moved DHCP from the router to my server, and that's working fine, giving out static IPs from MAC addresses, and so forth, but I still can't address anything by name. My server is on 192.168.100.1 and called myth-server, if I
I'm wanting to set up a network. I'm still confused as to how to set it up. I think the easiest design is to have a switch on my border router. On this switch will be the servers. Also attached to this switch will be a Linux box. This will be a dedicated firewall. On it will be another switch. And the machines on the internal network will be attached to this switch. In the book "Building Internet Firewalls" (O'Reilly) this setup is described as a screened subnet architecture. However the external interface on the Linux dedicated firewall will have to get its IP via DHCP (192.168.1.*) from the border router.
That, or it can be a static IP on the same subnet as the border router's DHCP range 192.168.1.* (but outside the DHCP range), but that would be trickier. The internal interface of this dedicated firewall would be static and on a different subnet from the external interface (192.168.2.*). Then this internal interface could give out IPs to the internal network that are on 192.168.2.*. If it did NAT for packets from the internal network then NAT would be being done twice; once by the Linux dedicated firewall and once on the border router, before going off to the net. Or is it a better approach to NOT do NAT on the Linux firewall and have all IPs on the whole network assigned as static (outside of the border router's DHCP range, but all on the same subnet (192.168.1.*))?
Basically, is there any point in the Linux box doing DHCP and NAT for hosts on the internal network? I guess the answer is no. But I just wanted to hear your opinions, if you have the time. The border router is a home router. I wanted to have a normal triple-homed dedicated firewall and put it in the border router's DMZ but it proved unpredictable and tricky. So I just wondered what the best IP addressing scheme would be for my newer way.
Why does a NIC need a permanent individual way to distinguish it? Why not give it the host name in a form that is not permanently hardwired in hardware? It seems that the last Ethernet router before reaching your PC is really seeking your NIC. So why is the expression not "What is your NIC address" instead of "What is your IP address"?
I cannot get static addresses to work on eth0 and eth1. eth0 seems to use DHCP while eth1 uses the static information. Sometimes the static info is used but the interfaces get the addresses reversed.
From /etc/sysconfig/network:
Code:
NETWORKING=yes
HOSTNAME=mosaic
I started learning wpa_supplicant recently, and I have the code already, but the code is complicated and I don't know how to start learning. Is there any book that discusses the architecture of wpa_supplicant?
I have 2 x PCs and a NAS. Both PCs have 2x NICs. PC connectivity to the Internet is via an ADSL router. Current config: thus far (by choice) I've used static IPs in the 192.168.168.x range for my internal network, connecting all PCs and the NAS via a jumbo-frame-enabled gigabit switch. This has facilitated moving data between the PCs and the NAS at high speed. As both PCs also require Internet access from time to time, both are also connected to the ADSL router using the 2nd NIC and using subnet 192.168.1.x. I'm sure some of you are shaking your heads by now, but it works well and has been entirely hassle free.
However, I've an app running on the NAS that I'm keen to get Internet connected also. As my existing network devices are not using DHCP, I figured the simplest method would be to change my ADSL router configuration such that it is in the same 192.168.168.x subnet, change its DHCP server settings to serve IPs in the same subnet (but in a restricted range I know won't cause any conflicts with the static IPs) and problem solved. On changing the ADSL router configuration with all machines already booted up and configured as described above, everything worked. All devices could see one another and access the Internet. On later rebooting the system this no longer works:
- Internet access is fine, but the PCs don't see one another or the NAS. If I disconnect the ADSL router from the PCs then all devices see one another again.
- Does having 2x NICs on a single device, each assigned unique IPs in the same subnet, create an issue, and can it be overcome? I'd like to overcome it because making one of my PCs the gateway forces me to have it on any time another device needs access.
- If I'm forced to use Internet connection sharing with one PC on the network connected to the router, how do I best configure this?
- One of the things I need to retain is gigabit connectivity between the PCs and PCs and the NAS (currently achieved by 192.168.168.x subnet being linked via gigabit switch).
I am trying to make an Apache web server; it works but cannot be browsed from outside my subnet. I am on a huge LAN network, not sure how it works; I know it has TL-SL2428WEB Smart Switches and probably some kind of DHCP, every user has a maximum of 64KB, you just plug in the UTP cable, and I have a static address on that subnet like "my.sub.net.ip" which I know from the Java NetworkInterface class or when I try to update the IP on my www.dyndns.com Dynamic DNS account with ez-ipupdate, but my subnet is connected to the Web with another IP like "my.isp.provider.ip" which I get from whatismyipaddress.com, and I checked that it is my cable ISP provider's web IP. It is possible that there are more subnet layers between these two IPs. The problem occurs when I try to access my web site from another computer. When I set the dyndns host name to be my.sub.net.ip or use localhost everything works fine from my computer: I can access my web site, Apache works, I can use ssh. To illustrate, it works like this: go to the DNS server, find my host name, get my "my.sub.net.ip" and say "This is actually my localhost IP, no need to go on the Web, let's loop back". But when I try from another computer, even from my colleague's computer on the same subnet, it doesn't succeed. When the host name is set to "my.isp.provider.ip" of course nothing works.
We, the users of the LAN, don't have access to our LAN, nor do we have an admin. For example sometimes we get stuck without net and we cannot even press the reset button on the switches or something like that; we have to wait for a day for them, the owners of the LAN, to order some professional to do that. It seems they are just users of cable TV and IP, and they buy and install the LAN without any kind of admin. Also, I use Fedora 13, with httpd, ssh and other packages that come with the Fedora 13 DVD. I know how to write bash scripts, use yum, am very good in C++ and Java, a great programmer, but a newbie in networking, with a very little Perl, HTML, web servers; I have heard of DHCP, DNS, NAT, IP forwarding. As you see, the problem is my lack of knowledge about networking. I hope that I succeeded in describing my problem with enough detail. Please, try to help me. I'd be very grateful for any kind of help. Don't be afraid to bomb my head with any kind of information hard to understand.
I've rented a server from a German data center. They use a single IP as their gateway that is not in the range of my server's IP. Strangely the server is working well, and when I use the 'route -n' command the gateway, which is in another subnet, appears properly. /etc/sysconfig/network contains no gateway IP and I don't know how they set the default gateway, while after a reboot the gateway is the same; also the IP is static and there's no DHCP. I need to know how they did it so I can do the same on my VPSes.
I have 2 NICs in a box. One of them is external and doesn't matter for this question, I don't think.
The other NIC is 192.168.100.3. It hosts an iSCSI target and an SMB share on my LAN. It works great.
I have another PC that has a NIC at 192.168.100.101 and it hosts my DHCP server (scope: 192.168.100.5-25) for my LAN.
I have a hardware firewall at 192.168.100.1 and it serves inet to the LAN on a different external connection.
So...
I currently have a WAP (cheap p.o.s. netgear router in WAP mode that keeps overheating). I want to eliminate the WAP device and add a WiFi NIC to the Top PC above.
So, on the first system I would have:
NIC 1: External IP and External Gateway
NIC 2: Static IP 192.168.100.3
Proposed WiFi NIC 3: Static 192.168.100.4
Then if I simply put the WiFi in Ad Hoc, will another WiFi in Ad Hoc (for example my laptop) be able to "see" 192.168.100.101 (DHCP) & 192.168.100.1 (Gateway) (via WiFi 192.168.100.4, through the bridge to 192.168.100.3 and on to the LAN)?
Also, can the two NICs be bridged together even though they are on the SAME subnet?
I have read NUMEROUS tutorials and explanations on the net about this, but they all seem to assume an informed understanding of IP networking. I have limited knowledge (basically I know how to set up my own home network and use the normal commands for troubleshooting). I am doing a project at work which requires networking our new store with our original store (through a VPN). I am just trying to understand in the most basic way how subnetting and subnet masks work. I don't believe this is necessary knowledge for setting up the network via VPN, but I would just like to understand it and I feel like I will be prepared to study further. Basically:
1. How does a network mask isolate a particular host on a network?
2. How does changing the mask allow for more addresses to be used?
For example, if my address is, say, 192.168.1.36, how does 255.255.255.0 isolate my machine to receive traffic? I suppose what I am really not understanding is how it does this with more than one host on the network with the same mask.
I installed apache2 on my Ubuntu machine and I am trying to access the server from another subnet. The server is connected using Ethernet and has a static IP address. I can ping from the server to any machine in the other subnet but none of the machines on that subnet can ping the server. iptables does not seem to be running:
Code:
# service iptables status
iptables: unrecognized service
I have some trouble setting up a printer on my network. My network is divided so that all wired connections are in one subnet, while all wireless devices are in another. My printer is Canon MP640 and is connected via wireless. When I use the network printer scanner utility from Canon, it will only scan my wired subnet, and is thus unable to see the printer. I can ping the printer, so there is no problem with subnet segregation.
On my router, I have Debian and iptables. My initial thought was that I could somehow set iptables to just forward all packets to an address to my printer. This address, of course, wouldn't exist "physically". But I have no idea whether or not this is the right approach. A suggestion I received from a colleague was to set up forwarding of broadcast packets. However, I am unsure whether this will have an impact on the wired subnet. If any of you could conjure a magical iptables rule for this or have suggestions other than plugging the printer into the wired net
I'm trying to work out how to route all traffic destined for the Internet from all devices connected to eth0 to a wireless router access point via wlan0 on my Slackware box. I also have dhcpd providing IP addresses on the same subnet to any device connected to both eth0 and wlan0.
If I connect to the router/access point via wireless or directly to the server via a crossover cable I can obtain an IP address from dhcpd, so that works. As far as I can see I just need to know how to route between eth0 and wlan0, then I can provide Internet access to those devices!
ifconfig:
Code:
eth0      Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:192.168.2.253  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::201:2eff:fe27:aea3/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
I'm trying to configure a GRE over IPSec connection between two subnets. The IPSec tunnel is opened and now I want to add a GRE tunnel over it. So, what I don't understand is why I can't route my subnet over the tunnel, since the only route I have there says that it should route the tunnel IP over the GRE01 interface. Any hint? Thanks.
I'm living at a friend's right now, and he's got a wireless access point in the house that I set my laptop's wlan0 interface to route through eth0 to my desktop. It's been working fine for Internet sharing and internal networking (ssh and ftp) between the laptop and the desktop, but there's a problem with both subnets being able to communicate with each other, and I haven't been able to solve it with DNAT either.
The wireless access point is 192.168.0.1 and has its own LAN on 192.168.0.0/24, of which my laptop is 192.168.0.5. I set up the little subnet I created by routing with the laptop to 192.168.1.0/24, and my desktop is 192.168.1.50. With shorewall I can configure iptables to DNAT all of my ssh traffic destined to 192.168.0.5 to 192.168.1.50, but the problem seems to be that ssh on my desktop fails to connect rather than the DNAT failing.
Using iptraf I've seen that all of the routing does work properly, because I can see on the connection in iptraf that only the SYN packet is being sent from a 192.168.0.x address; there is no ACK packet sent back. I believe this is because in the connection dialog it always shows a 192.168.0.x IP as the source of the connection, but I don't have a route to 192.168.0.0/24 from 192.168.1.0/24 set up and I'm unsure of how to do so.
I'm pretty much in over my head because I don't know what is wrong, I thought it should work like this. Everything else from port configurations, to the configurations of the software itself seems fine so I don't think it's anything like that preventing a connection, but I can't think of what it would be aside from the lack of routing between each subnet.
Is there any way to just add a route so that 192.168.1.0/24 and 192.168.0.0/24 can communicate with each other directly? I know there should be, I'm just not at all sure how it would be done.
Does somebody know how dnsmasq / iptables need to be configured such that requests to my public IP from the LAN are correctly NAT'ed to the host that handles them? Currently my routing device treats them like "oh, these are for me anyway, gnam gnam", which actually doesn't work. Unfortunately, setting up NAT rules that redirect requests from my LAN correctly, as they are redirected from the WAN, is an option I would like to use only if there is no other possibility. I would like some kind of solution that treats packets that are sent to my public IP as normal packets that are not looped back before they even get out. So they would need to be at least sent to the WAN gateway, where they are directed back so my firewall can successfully treat them like all other public requests.
I just changed my CentOS server from DHCP to a static IP address. After the change, I cannot ping other hosts on the same subnet. (I can ping the CentOS box itself.) The IP address of the CentOS box is 192.168.0.202. After pinging 192.168.0.106 (106 is on, and other hosts can ping it), arp -a shows "? (192.168.0.106) at <incomplete> on eth0". It looks like ARP cannot resolve the MAC address of host 192.168.0.106.
Trying to start dhcpd reports "no subnet declaration for eth0 (192.168.1.1)" and "no subnet declaration for eth1 (10.100.1.17)". Is dhcpd using /etc/dhcpd.conf, or do I have the wrong config file? If it's right, why is this failing?
I have a network with multiple subnets from 10.12.056.0 to 10.12.060.0 using netmask 255.255.248.0 and one gateway 10.12.056.1. I want to set up a DHCP server and wonder how I should configure it. All the hosts in the network use the same netmask and gateway.
I have installed Xen with 2 VMs inside. They are all under the same subnet. The Xen machine can see the outside network but both machines in it cannot. How do I create the bridge correctly (to xenbr0, I guess) so it fixes this?
Here's what I tried (it's RHEL 5.3):
1. '/etc/sysconfig/network-scripts/ifcfg-eth0' is OK on both VMs.
2. The iptables service is disabled; system-config-network shows IP, DNS, GW are correct.
3. On the VMs, route -n shows the GW IP, though I cannot ping it.
4. Checked hosts.allow, hosts.
5. In '/etc/xen/xend-config.sxp' I uncommented: (network-script network-bridge) (vif-script vif-bridge)
6. In xen/<images_location>/ I modified vm.cfg so vif = [ 'ip=10.2.0.54' ] for one of my virtual machines.
7. I cannot however find '/etc/network/interfaces'; can anyone advise if in my case it's actually the ifcfg-eth0?
8. I basically followed the Bridged Networking scenario in Xen Networking: [URL]
ifconfig on the Xen parent:
Code:
[root@XEN_PARENT]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:50:56:8B:3A:E4
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130021 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10315149 (9.8 MiB)  TX bytes:12038346 (11.4 MiB)
          Interrupt:17 Base address:0x2000
.....
I am basically from the system side and often confused about the calculation of IP addresses. I just want to know how I can calculate the following for an IP address:
(1) Available IPs in a network
(2) Broadcast IP
(3) Network prefix or netmask
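The subnet-mask question earlier on this page (how 255.255.255.0 decides which hosts are local to 192.168.1.36) and the calculation question just above (available IPs, broadcast, prefix) come down to the same bitwise arithmetic. The following Python is an added example, not code from any poster; it uses only the standard library and the sample addresses quoted in those posts, and the /31 and /32 handling follows RFC 3021 rather than anything stated on the page.

```python
# Added example (not from any post on this page): subnet arithmetic done with
# bit operations so the mechanism behind the mask is visible.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """'192.168.1.36' -> 32-bit integer (raises ValueError on bad input)."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal string."""
    return str(ipaddress.IPv4Address(value))


def mask_to_prefix(mask: str) -> int:
    """'255.255.248.0' -> 21. Rejects masks whose 1-bits are not contiguous,
    since a mask like 255.0.255.0 does not describe a valid subnet."""
    m = to_int(mask)
    bits = bin(m).count("1")
    if m != (ALL_ONES << (32 - bits)) & ALL_ONES:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return bits


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses agree in every bit the mask marks as 'network'.
    This is the whole test a host performs before sending: a match means the
    peer is on-link and is resolved directly with ARP; a mismatch means the
    packet is handed to the default gateway instead."""
    m = to_int(mask)
    return (to_int(addr_a) & m) == (to_int(addr_b) & m)


def subnet_info(addr: str, mask: str) -> dict:
    """Network address, broadcast, prefix length and usable host range."""
    prefix = mask_to_prefix(mask)
    m = to_int(mask)
    network = to_int(addr) & m             # keep network bits, zero host bits
    broadcast = network | (~m & ALL_ONES)  # network bits plus all host bits set
    size = 1 << (32 - prefix)
    if prefix >= 31:
        # /31 (RFC 3021 point-to-point) and /32 have no separate
        # network/broadcast addresses; every address is usable.
        usable, first, last = size, network, broadcast
    else:
        usable, first, last = size - 2, network + 1, broadcast - 1
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "prefix": prefix,
        "usable_hosts": usable,
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
    }


if __name__ == "__main__":
    # Sample inputs taken from the posts above.
    for ip, mask in [("192.168.1.36", "255.255.255.0"),
                     ("10.12.56.1", "255.255.248.0")]:
        print(ip, mask, subnet_info(ip, mask))
    print(same_subnet("192.168.1.36", "192.168.2.5", "255.255.255.0"))
```

Run on the 10.12.56.x range with mask 255.255.248.0, `subnet_info` reports a single /21 spanning 10.12.56.0 to 10.12.63.255, which is the check to make before writing a separate DHCP subnet declaration per third octet.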
I have a motherboard which has 4 x 1Gbps Ethernet controllers. I would like to use it as a Gateway for my home network. I have a static IP from my ISP which I can use to configure eth0 (I haven't done it yet as the LE-565 is currently sitting behind my Netgear router until I've got DHCP working). I would like to use eth1, eth2 and eth3 for my LAN. How do I set things up so that DHCP is handing out IP addresses on the same subnet (192.168.0.0/24) on all three interfaces?
P.S. I think what I'm asking is: how do I combine all 3 interfaces to behave like a switch (i.e. just like my Netgear router)?