Networking Forums

routing without eating up my IPs

 
 
/dev/null
08-13-2004, 05:02 PM
I'm trying to make the best of a bad deal. I've been given a contiguous
range of public IPs that don't exactly fit into one subnet. The IPs are
.91 - .101

I want to set a firewall up in front of this range and don't mind losing one
public IP for the firewall's external NIC. But I really don't want to waste
an IP on the firewall's internal NIC.

I could always set up DNAT and set the internal systems up with private IPs.
I may end up just doing it all this way anyway.

What I'm wondering is, is there a way I can set up the internal machines with a
public IP and have the firewall/gateway system not use one of the public IPs?
It would look like this, but I'm just not sure how the routing will work
out:

                 Internet
                    |
                    |
                   .91
                 FIREWALL
                 ?.?.?.?
                    |
                    |
   .92      .93      .94      .95      ...
 SERVER   SERVER   SERVER   SERVER   SERVER


I see something like this with my ISP where the cable modems have 10.x
addresses, yet there are public IPs on both sides of the modem.

Thanks for any insight!


 
Alexander Clouter
08-13-2004, 06:21 PM
On 2004-08-13, /dev/null <(E-Mail Removed)> wrote:
> I'm trying to make the best of a bad deal. I've been given a contiguous
> range of public IPs that don't exactly fit into one subnet. The IPs are
> .91 - .101
>
> I want to set a firewall up in front of this range and don't mind losing one
> public IP for the firewall's external NIC. But I really don't want to waste
> an IP on the firewall's internal NIC.
>
> [snipped]
>
> I see something like this with my ISP where the cable modems have 10.x
> addresses, yet there are public IPs on both sides of the modem.
>

I'm a 'bad' person and do some voodoo tricks on my routing table to recover
'lost' IPs which local machines are determined to think are the
network/broadcast addresses. I posted all the details online, so I'll simply
throw you the URLs:

http://bbs.adslguide.org.uk/showthre...=&view=&sb=&o=
http://bbs.adslguide.org.uk/showthre...=&view=&sb=&o=

The ideas there can be used in your situation; you just have to think
carefully about what you are borrowing 'next door'. As a hint, as most
braindead remote firewall admins think having .0 and .255 as an IP address is
a bad thing (useless excuses about Smurf attacks or something defunct), no one
dishes out these IPs, as half the Internet is unobtainable with them.
However, in your situation you can 'borrow' an entire /24 and then tweak the
routing table, proxy_arp included, to make sure traffic ends up in the
right place.

Have fun

Alex
 
Allen Kistler
08-13-2004, 07:08 PM
/dev/null wrote:
> I'm trying to make the best of a bad deal. I've been given a contiguous
> range of public IPs that don't exactly fit into one subnet. The IPs are
> .91 - .101
>
> [snip]
>
> I could always set up DNAT and set the internal systems up with private IPs.
> I may end up just doing it all this way anyway.


You can proxy arp the other IPs on the outside interface, DNAT/mangle
the packets, then route the packets through your internal interface.
This would be the recommended approach.

> What I'm wondering is, is there a way I can set up the internal machines with a
> public IP and have the firewall/gateway system not use one of the public IPs?
> It would look like this, but I'm just not sure how the routing will work
> out:
>
>                  Internet
>                     |
>                     |
>                    .91
>                  FIREWALL
>                  ?.?.?.?
>                     |
>                     |
>    .92      .93      .94      .95      ...
>  SERVER   SERVER   SERVER   SERVER   SERVER


You can define both firewall interfaces to be on similar subnets and
define explicit routing entries to override all the default ones. That
way lies a headache, though.

> I see something like this with my ISP where the cable modems have 10.x
> addresses, yet there are public IPs on both sides of the modem.


What you see with your ISP is
PC -- modem -- modem service -- Internet
The PC and the Internet have public addresses.
The modem and modem service have 10.x addresses to talk to each other.
Also there's DOCSIS encapsulation between the modem and modem service.
Bottom line: different from what you want to do.
 
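A worked version of the 1:1 NAT design in the reply above (proxy the public addresses on the outside, DNAT inbound, route through the inside NIC), added here as an example; it is not code from the thread or from any of the posters. Assumptions: the documentation prefix 203.0.113.0/24 stands in for the real ISP block, the servers sit on an inside LAN of 10.91.0.0/24, the NICs are eth0 (outside) and eth1 (inside), and the firewall's own outside address and default route are already configured. It generates the ip/iptables commands rather than executing them, so the result can be reviewed before it is applied on the box:

```python
"""Added example (not from the thread): 1:1 NAT for a public range whose
servers carry private addresses. The firewall owns every public address on
its outside NIC and translates in both directions. Public prefix, private
LAN and interface names are assumed; 203.0.113.0/24 is the TEST-NET-3
documentation block standing in for the real ISP range."""
import ipaddress

PUBLIC = ["203.0.113.%d" % n for n in range(92, 102)]  # .92-.101, one per server
PRIVATE_LAN = "10.91.0.0/24"                            # assumed inside LAN
OUTSIDE_IF, INSIDE_IF = "eth0", "eth1"                  # assumed NIC names

RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True only for real RFC 1918 space. ipaddress's is_private is wider
    (it also says True for documentation blocks such as 203.0.113.0/24),
    so a typo in the LAN prefix would otherwise slip through and NAT into
    somebody else's block."""
    return any(ipaddress.IPv4Network(net).subnet_of(n) for n in RFC1918)


def one_to_one_map(public, private_lan):
    """Pair each public address with a private host. The first usable host
    is reserved for the firewall's inside NIC; the network and broadcast
    addresses are never handed out because hosts() skips them."""
    if not is_rfc1918(private_lan):
        raise ValueError(f"{private_lan} is not RFC 1918 space")
    hosts = list(ipaddress.IPv4Network(private_lan).hosts())
    firewall_inside, pool = hosts[0], hosts[1:]
    if len(public) > len(pool):
        raise ValueError("private LAN too small for the public range")
    pairs = [(ipaddress.IPv4Address(p), h) for p, h in zip(public, pool)]
    return firewall_inside, pairs


def nat_rules(public=PUBLIC, private_lan=PRIVATE_LAN,
              outside=OUTSIDE_IF, inside=INSIDE_IF):
    """Return the shell commands for the whole design, in the order they
    should be applied."""
    fw_inside, pairs = one_to_one_map(public, private_lan)
    prefixlen = ipaddress.IPv4Network(private_lan).prefixlen
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"ip addr add {fw_inside}/{prefixlen} dev {inside}",
        # Default-deny forwarding: replies both ways, new connections only
        # from the inside, plus whatever the per-server rules below open.
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {inside} -o {outside} -j ACCEPT",
    ]
    for pub, priv in pairs:
        # The kernel only proxies ARP for an address it would route out a
        # different NIC, and DNAT rewrites these before routing, so own the
        # public addresses on the outside NIC instead of leaning on proxy_arp.
        cmds.append(f"ip addr add {pub}/32 dev {outside}")
        # Inbound: rewrite the public destination before the routing decision.
        cmds.append(f"iptables -t nat -A PREROUTING -i {outside} -d {pub} "
                    f"-j DNAT --to-destination {priv}")
        # Outbound: the server's own connections leave with its public
        # address, keeping the mapping symmetric (no shared masquerade).
        cmds.append(f"iptables -t nat -A POSTROUTING -o {outside} -s {priv} "
                    f"-j SNAT --to-source {pub}")
        # Opens every port on the server; narrow with --dport in practice.
        cmds.append(f"iptables -A FORWARD -i {outside} -o {inside} -d {priv} "
                    f"-m conntrack --ctstate NEW -j ACCEPT")
    return cmds


if __name__ == "__main__":
    print("\n".join(nat_rules()))
```

One caveat the generator encodes: Linux answers proxy ARP only for an address it would forward out a different interface, and a DNAT-only public address has no such route, so the block assigns each public address to the outside NIC; the ISP's router then gets an ordinary ARP reply for .92-.101 from the firewall. The RFC 1918 check is deliberately stricter than ipaddress.is_private, which also returns True for documentation and benchmark ranges.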
David Efflandt
08-14-2004, 04:33 AM
On Fri, 13 Aug 2004 17:02:19 GMT, /dev/null <(E-Mail Removed)> wrote:
> I'm trying to make the best of a bad deal. I've been given a contiguous
> range of public IPs that don't exactly fit into one subnet. The IPs are
> .91 - .101
>
> I want to set a firewall up in front of this range and don't mind losing one
> public IP for the firewall's external NIC. But I really don't want to waste
> an IP on the firewall's internal NIC.
>
> What I'm wondering is, is there a way I can set up the internal machines with a
> public IP and have the firewall/gateway system not use one of the public IPs?
> It would look like this, but I'm just not sure how the routing will work
> out:
>
>                  Internet
>                     |
>                     |
>                    .91
>                  FIREWALL
>                  ?.?.?.?
>                     |
>                     |
>    .92      .93      .94      .95      ...
>  SERVER   SERVER   SERVER   SERVER   SERVER


You can use the same .91 IP on both sides of the firewall, but its public
interface should have netmask 255.255.255.255 and broadcast the same as that
IP. You would likely enable proxy_arp for the public interface so it
would answer on the public side for any IPs behind it.

The inside interface would have whatever netmask covers the most IPs, and
host route for any that fit outside the pattern.

--
David Efflandt - All spam ignored http://www.de-srv.com/
 
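The same-address-on-both-sides layout in the reply above, worked through as an added example; it is not code from the thread or from any poster. Assumptions: 203.0.113.0/24 stands in for the ISP block, the ISP's next hop is 203.0.113.1, and the NICs are eth0 (outside) and eth1 (inside). Instead of picking "whatever netmask covers the most IPs" and writing host routes for the rest by hand, it lets ipaddress.summarize_address_range() compute the minimal set of routes for everything in the range except the firewall's own address, which also avoids a wide inside mask that would drag the neighbours' addresses toward the inside NIC; it generates the commands rather than running them:

```python
"""Added example (not from the thread): the firewall keeps .91 on both NICs
with a /32 mask, proxy_arp makes it answer for the servers on the outside,
and explicit routes send the rest of the range out the inside NIC. Prefix,
ISP gateway and interface names are assumed; 203.0.113.0/24 is the
TEST-NET-3 documentation block standing in for the real ISP range."""
import ipaddress

FIREWALL = "203.0.113.91"       # the single public address we spend
RANGE_LAST = "203.0.113.101"    # end of the contiguous range
ISP_GATEWAY = "203.0.113.1"     # assumed ISP next hop, outside our range
OUTSIDE_IF, INSIDE_IF = "eth0", "eth1"   # assumed NIC names


def inside_blocks(first, last, firewall):
    """Minimal CIDR blocks covering first..last minus the firewall's own
    address. summarize_address_range() does the alignment work: .92-.101
    becomes .92/30, .96/30 and .100/31, nothing next door included."""
    lo, hi, fw = (ipaddress.IPv4Address(a) for a in (first, last, firewall))
    if not lo <= fw <= hi:
        raise ValueError("firewall address must lie inside the range")
    pieces = []
    if fw > lo:
        pieces.append((lo, fw - 1))
    if fw < hi:
        pieces.append((fw + 1, hi))
    blocks = []
    for a, b in pieces:
        blocks.extend(ipaddress.summarize_address_range(a, b))
    return blocks


def routed_inside(blocks):
    """Every address the firewall will forward to the inside NIC, in
    numeric order; the check that the routes cover exactly our servers."""
    return [str(a) for a in sorted(a for b in blocks for a in b)]


def build_config(first=FIREWALL, last=RANGE_LAST, firewall=FIREWALL,
                 gateway=ISP_GATEWAY, outside=OUTSIDE_IF, inside=INSIDE_IF):
    """Return the shell commands for the whole design, in apply order."""
    blocks = inside_blocks(first, last, firewall)
    gw = ipaddress.IPv4Address(gateway)
    if any(gw in b for b in blocks):
        raise ValueError("ISP gateway would be routed to the inside")
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        # Outside: answer ARP for any address we route out another NIC,
        # i.e. for the servers, so the ISP's router hands their traffic to us.
        f"sysctl -w net.ipv4.conf.{outside}.proxy_arp=1",
        # Inside: same trick, so servers configured with a wide netmask can
        # still reach the rest of the ISP block (and the world) through us.
        f"sysctl -w net.ipv4.conf.{inside}.proxy_arp=1",
        # One address on two NICs, /32 so neither NIC claims a subnet.
        f"ip addr add {firewall}/32 dev {outside}",
        f"ip addr add {firewall}/32 dev {inside}",
        # With a /32 the gateway is not on-link by mask, so say so
        # explicitly before pointing the default route at it.
        f"ip route add {gateway}/32 dev {outside}",
        f"ip route add default via {gateway} dev {outside}",
    ]
    # More specific than the default route, so these leave via the inside.
    cmds += [f"ip route add {b.with_prefixlen} dev {inside}" for b in blocks]
    return cmds


if __name__ == "__main__":
    print("\n".join(build_config()))
```

With the firewall at the start of the range the inside routes come out as .92/30, .96/30 and .100/31, and routed_inside() confirms they cover .92-.101 and nothing else. The servers keep their public addresses and use .91 as their default gateway; if they are given a wide netmask, proxy_arp on the inside NIC is what answers their ARP requests for off-range addresses, and if they are given /32 they need an on-link route to .91 instead, mirroring what the firewall does toward the ISP gateway.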
/dev/null
08-16-2004, 05:23 PM
thanks all, looks like proxy arp was exactly what I was looking for.

Thanks again,

/dev


 