routing, was: Re: <blank subject>
liquid at istop.com
Sun Dec 7 09:04:05 PST 2003
Charles Swiger <cswiger at mac.com> said:
> Hi, Liquid--
>
> On Dec 6, 2003, at 3:06 AM, liquid at istop.com wrote:
> > I'm going to have a static IP - say xx.xx.yy.zz - and a subnet as
> > follows:
> > xx.xx.xx.zz/28
>
> Do you mean, "I am switching from a single static IP to a 16-address
> subnet", or are you going to have both a static IP on one connection
> AND a /28 subnet over a second connection?
Sorry I wasn't clearer on that. I have one corporate DSL connection with a
static IP. Along with the static IP, I'll get an additional /28.
>
> > 1. Do I need to inform the ISP of my intentions so that people can
> > actually
> > connect to an IP which is part of my subnet, but behind this router I
> > intend
> > to build? (I didn't think it was necessary until I read 19.2.5 in the
> > handbook - it doesn't seem like it's necessary based on that alone,
> > but it
> > has placed some doubt in my mind).
>
> No, your ISP will route IP traffic for the subnet to you. On the other
> hand, certainly you should talk to your ISP about your network topology
> if you have any specific issues or questions for them.
>
> > 2. I currently run my FreeBSD router on a cable connection while
> > waiting
> > for the new ISP to get setup. I use NAT to translate the EXT. IP to
> > the
> > internal ones of my lan. I don't need to run nat for the setup I plan
> > to
> > have do I?
>
> No, you don't need NAT for IPs on your new subnet: they are "directly
> Internet routable" if you want a buzzword. :-) However, you should
> spend some time considering security and setting up a firewall.
That's what I thought. Again, I just needed someone else to say so too for
me to be 100% certain. The whole reason for this is in fact security. I
plan to do some webhosting, and also, to generate some additional revenue,
give out a few accounts for irc bots. You KNOW that can be a lot of
trouble ;)
I'm actually using an openbsd bridged firewall right now, have been for a
couple of years and I like it. Firewalling on the FreeBSD box I intend to
use as a router will only increase the security. Are there "tricks"
regarding running ipf on the router that I should look into?
>
> Sometime later, you might want to consider how to have machines on your
> new network be able to fail-over to your single-IP connection; and one
> way of doing so would be to use a NAT gateway of your public IPs from
> the /28 subnet via your original connection. [The inverse of
> -unregistered_only.]
>
> > 3. Finally, I've read (briefly thus far) about routed on FreeBSD.
> > Would
> > this daemon be used in such a way that I don't even need to add static
> > routes for LAN?
>
> Yes, but routed is really intended for dynamic routing within an
> intranet, and is overkill for your situation. Specifically, you would
> accomplish more by configuring DHCP on your FreeBSD machine and
> broadcasting the correct default router IP than you would gain by using
> routed.
>
> Ping all of your machines (or use the subnet broadcast address), and do
> an "arp -a" to get MAC addrs, then set up host sections to allocate
> static IPs via DHCP, so your machines can all be network
> auto-configured even if you rebuild/reinstall the OS on a particular
> box.
>
I think I'll just add the static routes for now. Sounds much simpler.
Besides, with all these IPs, I still only have 6 machines behind this
router...
route add default my.isp.gateway            # FreeBSD route(8) takes no "gw" keyword: the gateway follows the destination directly
route add -net my./28.sub.net -iface fxp1   # fxp1 = LAN interface (placeholder name); redundant once fxp1 is ifconfig'ed with an address inside the /28, since the kernel then installs the connected route itself
Those appear to be the only two route commands needed. Of course, I can
only know for sure once I get my connection (sometime next week) and set it
all up. In the future I may toy with routed just so I can know how it
works. Each of my machines will have wireless NICs so they can
interconnect using non-routable addresses and so I can connect to them from
my desktop machine locally. Obviously I'm quite a routing newbie... my goal
would be to set up routing so that from one machine whose address is in my
subnet, I can connect to another machine within my subnet but ensure it's
all done locally without going out beyond the router, for two reasons: A) My
monthly bandwidth is capped, B) It would only go at my internet connection
speed, and not the full 10/100 Mbit of the LAN.
> > Again, this address is not subscribed, so please answer by putting my
> > address in the cc: field.
>
> Done.
Thanks, and thanks also for the responses. Very helpful :)
>
> --
> -Chuck
>
>
--