routing, was: Re: <blank subject>

liquid at istop.com liquid at istop.com
Sun Dec 7 09:04:05 PST 2003


Charles Swiger <cswiger at mac.com> said:

> Hi, Liquid--
> 
> On Dec 6, 2003, at 3:06 AM, liquid at istop.com wrote:
> > I'm going to have a static IP - say xx.xx.yy.zz - and a subnet as 
> > follows:
> > xx.xx.xx.zz/28
> 
> Do you mean, "I am switching from a single static IP to a 16-address 
> subnet", or are you going to have both a static IP on one connection 
> AND a /28 subnet over a second connection?

Sorry I wasn't clearer on that.  I have one corporate DSL connection with a 
static IP.  Along with the static IP, I'll get an additional /28.

> 
> > 1.  Do I need to inform the ISP of my intentions so that people can 
> > actually
> > connect to an IP which is part of my subnet, but behind this router I 
> > intend
> > to build? (I didn't think it was necessary until I read 19.2.5 in the
> > handbook - it doesn't seem like it's necessary based on that alone, 
> > but it
> > has placed some doubt in my mind).
> 
> No, your ISP will route IP traffic for the subnet to you.  On the other 
> hand, certainly you should talk to your ISP about your network topology 
> if you have any specific issues or questions for them.
> 
> > 2.  I currently run my FreeBSD router on a cable connection while 
> > waiting
> > for the new ISP to get setup.  I use NAT to translate the EXT. IP to 
> > the
> > internal ones of my lan.  I don't need to run nat for the setup I plan 
> > to
> > have do I?
> 
> No, you don't need NAT for IPs on your new subnet: they are "directly 
> Internet routable" if you want a buzzword.  :-)  However, you should 
> spend some time considering security and setting up a firewall.

That's what I thought.  Again I just needed someone else to say so too for 
me to be 100% certain.  The whole reason for this is in fact security.  I 
plan to do some webhosting, and also, to generate some additional revenue, 
give out a few accounts for irc bots.  You KNOW that can be a lot of 
trouble ;)
I'm actually using an OpenBSD bridged firewall right now, have been for a 
couple of years and I like it.  Firewalling on the FreeBSD box I intend to 
use as a router will only increase the security.  Are there "tricks" 
regarding running ipf on the router that I should look into?

> 
> Sometime later, you might want to consider how to have machines on your 
> new network be able to fail-over to your single-IP connection; and one 
> way of doing so would be to use a NAT gateway of your public IPs from 
> the /28 subnet via your original connection.  [The inverse of 
> -unregistered_only.]
> 
> > 3.  Finally, I've read (briefly thus far) about routed on FreeBSD.  
> > Would
> > this daemon be used in such a way that I don't even need to add static
> > routes for LAN?
> 
> Yes, but routed is really intended for dynamic routing within an 
> intranet, and is overkill for your situation.  Specifically, you would 
> accomplish more by configuring DHCP on your FreeBSD machine and 
> broadcasting the correct default router IP than you would gain by using 
> routed.
> 
> Ping all of your machines (or use the subnet broadcast address), and do 
> an "arp -a" to get MAC addrs, then set up host sections to allocate 
> static IPs via DHCP, so your machines can all be network 
> auto-configured even if you rebuild/reinstall the OS on a particular 
> box.
> 

I think I'll just add the static routes for now.  Sounds much simpler.  
Besides, with all these IPs, I still only have 6 machines behind this 
router...

route add default my.isp.gateway
route add -net my./28.sub.net -interface <lan-interface>

Those appear to be the only two route commands needed.  Of course, I can 
only know for sure once I get my connection (sometime next week) and set it 
all up.  In the future I may toy with routed just so I can know how it 
works.  Each of my machines will have wireless NICs so they can 
interconnect using non-routable addresses and so I can connect to them from 
my desktop machine locally.  Obviously I'm quite a routing newbie... my goal 
would be to set up routing so that from one machine whose address is in my 
subnet, I can connect to another machine within my subnet but ensure it's 
all done locally without going out beyond the router for two reasons: A) My 
monthly bandwidth is capped, B) It would only go at my internet connection 
speed, and not the full 10/100 Mbit of the LAN.

> > Again, this address is not subscribed, so please answer by putting my
> > address in the cc: field.
> 
> Done.

Thanks, and thanks also for the responses.  Very helpful :)

> 
> -- 
> -Chuck
> 
> 
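The host-section approach Chuck describes above (ping the boxes, read the MACs with "arp -a", then hand out static addresses via DHCP), as an added example that is not part of the original thread: a POSIX sh script that turns FreeBSD "arp -a" output into ISC dhcpd "host" stanzas. The sample ARP lines and the 192.0.2.16/28 addresses are constructed, and the interface name fxp1 is an assumption; nothing here is from the poster's setup.

```shell
#!/bin/sh
# Added example (not from the thread): build ISC dhcpd "host" stanzas from
# FreeBSD `arp -a` output, so each box keeps its public /28 address by MAC
# even after a rebuild.  Review the output before appending it to dhcpd.conf.

# Constructed sample of `arp -a` output.  Addresses are from the 192.0.2.0/24
# documentation range; the interface name fxp1 is an assumption.
SAMPLE_ARP='www (192.0.2.17) at 00:11:22:33:44:01 on fxp1 [ethernet]
irc1 (192.0.2.18) at 0:11:22:33:44:2 on fxp1 [ethernet]
? (192.0.2.19) at (incomplete) on fxp1 [ethernet]
? (192.0.2.20) at 00:11:22:33:44:04 on fxp1 [ethernet]
router (192.0.2.30) at 00:11:22:33:44:0e on fxp1 permanent [ethernet]'

# Read `arp -a` lines on stdin and write one dhcpd host stanza per complete
# entry.  Entries still marked "(incomplete)" (the host never answered the
# ping, so no MAC was learned) are skipped, unpadded MAC octets are
# zero-padded the way dhcpd expects, and "?" hostnames get a label derived
# from the address so every stanza name stays unique.
arp_to_dhcp_hosts() {
    awk '
        $4 == "(incomplete)" { next }          # no MAC learned yet: skip
        {
            name = $1; ip = $2; mac = $4
            gsub(/[()]/, "", ip)
            # normalise e.g. 0:11:22:33:44:2 -> 00:11:22:33:44:02
            n = split(mac, o, ":"); mac = ""
            for (i = 1; i <= n; i++) {
                if (length(o[i]) == 1) o[i] = "0" o[i]
                mac = mac (i > 1 ? ":" : "") o[i]
            }
            if (name == "?") { name = "host-" ip; gsub(/\./, "-", name) }
            printf "host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n", name, mac, ip
        }'
}

# Run the converter over the constructed sample.
sample_hosts() {
    printf '%s\n' "$SAMPLE_ARP" | arp_to_dhcp_hosts
}

sample_hosts
```

On the router itself, source the file and run "arp -a | arp_to_dhcp_hosts" instead of the sample; the stanzas go inside the subnet or group declaration for the /28 in dhcpd.conf. Skipping incomplete entries matters: a stanza with no hardware address would make dhcpd refuse to start.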
