IP subnetting

am 14.07.2008 12:24:07 von Dermot Paikkos

Hi,

I have 126 IP addresses on a single subnet all routing through the
same gateway. I have upgraded my router so I now have 2 interfaces. I
want to put an SMTP and HTTP server on the 2nd interface and keep the
internal hosts on the original interface. I think this is basically a
DMZ configuration.

My current IP address assignment is sporadic, with some static hosts
at one end or the other on the IP block and DHCP given a pool from
the middle.

I want to assign a /29 block of addresses from within my range to the
2nd interface giving me 5 addresses to use. I am a little unsure what
the impact of this change will be on other network services, in
particular DHCP.

Will I be turning my simple single subnet into 3 different subnets?
Do I configure my dhcp.conf with 3 subnet declarations? Can 2 subnets
share a gateway address even if it's not local? Would it be advisable
to re-configure those static hosts at one end of the block into the
other end so I only have 2 subnets? What other services might be
affected by this change? I can think of a few httpd.conf allow
statements that might need changing and possibly some smb.conf
changes.

Thanx in advance,
Dp.


--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: IP subnetting

am 14.07.2008 12:55:40 von Glynn Clements

Beginner wrote:

> I have 126 IP addresses on a single subnet all routing through the
> same gateway. I have upgraded my router so I now have 2 interfaces. I
> want to put an SMTP and HTTP server on the 2nd interface and keep the
> internal hosts on the original interface. I think this is basically a
> DMZ configuration.
>
> My current IP address assignment is sporadic, with some static hosts
> at one end or the other on the IP block and DHCP given a pool from
> the middle.
>
> I want to assign a /29 block of addresses from within my range to the
> 2nd interface giving me 5 addresses to use. I am a little unsure what
> the impact of this change will be on other network services, in
> particular DHCP.
>
> Will I be turning my simple single subnet into 3 different subnets?

The number of addresses in a subnet will always be a power of two; you
can't make a subnet with e.g. 128 - 8 = 120 addresses. If your network
is a /25, and you want to carve out a /29, you would end up with at
least 5 subnets:

/29 + /29 + /28 + /27 + /26
  8     8    16    32    64

That isn't a problem for the router, but configuring the hosts'
routing tables is likely to be a nuisance (assuming that the DMZ hosts
and non-DMZ host might occasionally want to talk to each other).

If you configure the hosts to believe that they're on a /25 subnet,
they will assume that they can talk directly to the DMZ hosts, without
needing to use a gateway. That will require proxy ARP.

OTOH, if you split the /25 into 5 subnets as shown above, either each
host will require routes to all of the other subnets, or hosts on
different subnets will have to route their traffic through the
gateway, which will significantly increase its load.

I suspect that you would be better off sticking to a single /25
network, and adding host routes and proxy-ARP entries for the DMZ
hosts.

On the router, you would add a route for your entire /25 network
through the first interface, and host routes for the individual DMZ
hosts through the second interface. You would also add proxy-ARP
entries for the DMZ hosts to the first interface, so that the non-DMZ
hosts can act as if the DMZ hosts are on the same network segment.

Or you could just use private (192.168.* etc) addresses for the
non-DMZ hosts and have the router perform NAT.

--
Glynn Clements
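A worked example of the arithmetic and the on-link question in the reply above. This is an added illustration, not code from Glynn's mail or from any project; it uses only Python's standard-library ipaddress module. The /25 (203.0.113.0/25, a documentation range), the /29 carved from its top end, and the host and router addresses are constructed values, not the poster's real block. It shows why removing one /29 from a /25 leaves five power-of-two blocks, that a host which keeps its /25 mask will ARP directly for a DMZ address (hence the proxy-ARP requirement), and which addresses the router would then have to proxy for on the inside interface.

```python
import ipaddress


def remaining_subnets(parent, carved):
    """CIDR blocks left over when `carved` is removed from `parent`.

    address_exclude() returns the minimal set of aligned blocks, which is why
    pulling one /29 out of a /25 leaves four blocks rather than a single block
    of 120 addresses: subnet sizes are always powers of two.
    """
    p = ipaddress.ip_network(parent)
    c = ipaddress.ip_network(carved)
    return sorted(p.address_exclude(c))


def subnet_plan(parent, carved):
    """Every subnet after the split, as (cidr, address_count), largest first."""
    nets = remaining_subnets(parent, carved) + [ipaddress.ip_network(carved)]
    nets.sort(key=lambda n: (n.prefixlen, n))
    return [(str(n), n.num_addresses) for n in nets]


def believes_on_link(host_cidr, dst):
    """True if a host configured as address/prefix `host_cidr` treats `dst`
    as being on its own segment, i.e. it will ARP for `dst` directly
    instead of sending the packet to its default gateway."""
    iface = ipaddress.ip_interface(host_cidr)
    return ipaddress.ip_address(dst) in iface.network


def proxy_arp_entries(dmz_cidr, router_dmz_addr):
    """Addresses the router must answer ARP for on the inside interface when
    the inside hosts keep their /25 mask (the single-/25 option above).
    The router's own address on the DMZ segment is not a proxy entry."""
    router = ipaddress.ip_address(router_dmz_addr)
    dmz = ipaddress.ip_network(dmz_cidr)
    return [str(h) for h in dmz.hosts() if h != router]


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.0/25 is a documentation range, not
    # the block discussed in the thread.
    parent, dmz, router_on_dmz = "203.0.113.0/25", "203.0.113.120/29", "203.0.113.121"
    print("subnets if the /25 is really split:")
    for cidr, size in subnet_plan(parent, dmz):
        print(f"  {cidr:<18} {size:>3} addresses")
    print("inside host with /25 mask thinks DMZ host is on-link:",
          believes_on_link("203.0.113.10/25", "203.0.113.123"))
    print("proxy-ARP entries needed on the inside interface:",
          proxy_arp_entries(dmz, router_on_dmz))
```

The same helpers cover the class C case mentioned later in the thread: excluding a /27 from a /24 leaves a /25, a /26 and a /27, so four subnets in total.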

Re: IP subnetting

am 14.07.2008 18:10:46 von Dermot Paikkos

On 14 Jul 2008 at 11:55, Glynn Clements wrote:
> Beginner wrote:
>
> The number of addresses in a subnet will always be a power of two; you
> can't make a subnet with e.g. 128 - 8 = 120 addresses. If your network
> is a /25, and you want to carve out a /29, you would end up with at
> least 5 subnets:
>
> /29 + /29 + /28 + /27 + /26
>   8     8    16    32    64
>
> That isn't a problem for the router, but configuring the hosts'
> routing tables is likely to be a nuisance (assuming that the DMZ hosts
> and non-DMZ host might occasionally want to talk to each other).
>
> If you configure the hosts to believe that they're on a /25 subnet,
> they will assume that they can talk directly to the DMZ hosts, without
> needing to use a gateway. That will require proxy ARP.
>
> OTOH, if you split the /25 into 5 subnets as shown above, either each
> host will require routes to all of the other subnets, or hosts on
> different subnets will have to route their traffic through the
> gateway, which will significantly increase its load.
>
> I suspect that you would be better off sticking to a single /25
> network, and adding host routes and proxy-ARP entries for the DMZ
> hosts.
>
> On the router, you would add a route for your entire /25 network
> through the first interface, and host routes for the individual DMZ
> hosts through the second interface. You would also add proxy-ARP
> entries for the DMZ hosts to the first interface, so that the non-DMZ
> hosts can act as if the DMZ hosts are on the same network segment.
>
> Or you could just use private (192.168.* etc) addresses for the
> non-DMZ hosts and have the router perform NAT.


There's quite a lot to take in here. The router is managed by our
ISP. They suggested 3 options including one to break it into smaller
networks as you suggest. I want the maintenance and schema of the
network to be as simple as possible. I have more addresses than I
need so it seems daft to buy a few more to put on that interface.

I think I favour your idea to assign the lot to the first interface
and use proxy-ARP and host routes.

Thanx for the explanation.
Dp.


Re: IP subnetting

am 14.07.2008 22:18:54 von cummings

Beginner wrote:
> Hi,
>
> I have 126 IP addresses on a single subnet all routing through the
> same gateway. I have upgraded my router so I now have 2 interfaces. I
> want to put an SMTP and HTTP server on the 2nd interface and keep the
> internal hosts on the original interface. I think this is basically a
> DMZ configuration.
>
> My current IP address assignment is sporadic, with some static hosts
> at one end or the other on the IP block and DHCP given a pool from
> the middle.
>
> I want to assign a /29 block of addresses from within my range to the
> 2nd interface giving me 5 addresses to use. I am a little unsure what
> the impact of this change will be on other network services, in
> particular DHCP.
>
> Will I be turning my simple single subnet into 3 different subnets?
> Do I configure my dhcp.conf with 3 subnet declarations? Can 2 subnets
> share a gateway address even if it's not local? Would it be advisable
> to re-configure those static hosts at one end of the block into the
> other end so I only have 2 subnets? What other services might be
> affected by this change? I can think of a few httpd.conf allow
> statements that might need changing and possibly some smb.conf
> changes.

Over 10 years ago, I had an office set up with a class C network. We
installed a terminal server with 16 dial-up lines, each with a modem for
dial-in. I reserved 32 IP addresses for office users to dial in on, and
their IP addresses were set based on a dial-back scheme used by the
terminal server. The IP addresses were all taken out of our class C
network as a lump at the end. I viewed it as a subnet of our network,
but in reality, I didn't have to. The TS was capable of proxy-arp for
the remote users, so they looked to the office network like a part of
the office network, even though they were all routed through the TS. It
made life simple. It would probably have been much more complicated if
we didn't use that particular TS or at least one capable of doing
proxy-arp. I'm sure you could set up something similar, so long as
whatever you are using to separate the second network is capable of
proxy-arp for the second network and will do the routing for you.


A.B.C.0/24 <-----> TS <-------> A.B.C.224/27 dial-in machines

--
Kevin J. Cummings
kjchome@rcn.com
cummings@kjchome.homeip.net
cummings@kjc386.framingham.ma.us
Registered Linux User #1232 (http://counter.li.org)