WAN IP Alias / Masq



Hi guys.

Not sure whether this belongs here or in internet & security.

Basically I have a /29 subnet on the internet provided by my ISP, and my growing number of servers, workstations and devices has stretched it to its limit in routing mode. I have begged my ISP for a /28, but as I can't justify it, and the world is running short on IPv4 addresses, they won't let me have one.

My solution would be to buy a Draytek Vigor 2600 router, which means I can put my network on a local subnet, say 192.168.1.0/24. This router is capable of setting up what it calls WAN IP aliases, so the 6 unused IP addresses (network, broadcast and router are taken) in my /29 could be forwarded to 6 IP addresses I specify on my /24 network.

Let's say I WAN IP alias internet IP address 123.123.123.123 to 192.168.0.10.

The router cleverly shows all outgoing traffic on the WAN port which comes from 192.168.0.10 on the LAN port as coming from 123.123.123.123, and any traffic coming in on the router's WAN port addressed to 123.123.123.123 it forwards to 192.168.0.10. This means that whilst 192.168.0.10 can co-exist on my now much more expandable network, it can also benefit from public IPs and be accessible from the outside.

However, I cannot afford a Draytek Vigor router, but I do have a spare PC (P2-300, 256MB RAM, 2 NICs :) ) and my current router can bridge, so I could bridge it to my spare box and let that do the routing.

I have been looking at Linux distros to do this. One I have seen is IPCop, which seems to manage this only halfway: it can masquerade traffic inwards but not outwards.

I have also looked at Smoothwall, which doesn't seem to have the ability to do this at all.

Can anyone suggest a solution and/or point me in the right direction?

BTW the Linux box also acting as a firewall would be nice, but it's not necessary as I can firewall the machines themselves.


Dude, I got your PM -- and I would be glad to help. But I'm a bit confused - Why do you need all those public IP's?

You mention "growing number of servers and workstations and devices", and then state something about not being able to afford the router you want? Dude unless I am missing something - that router is like ?200, surely someone that can afford "growing numbers of servers and workstations" can afford to lay out 200 clams on the router they want??;))

Is this a business or all for your own Fun? Anyway - off the top, I know for a fact that the clarkconnect 3.0 (beta right now - http://www.clarkconnect.org/projects/beta4_notes_3.0.php) router/firewall distro can do it right out of box - with a pretty web interface page to set it all up with;))

You want 1 to 1 NAT -- correct?


The home edition is FREE - fits your budget;))

Why exactly do you need to bridge anything with your old router? Just use the PC router, which you can even put in multiple nics to allow for a DMZ segment, etc.. Just connect into a switch - or multiple switches... Why exactly do you need to bridge anything?

Any distro running IPTables can do 1:1 natting, so I am guessing you're looking for a distro that has it all ready for you to play with? CC is one of those - but I am sure most of the others can do it as well, just might need a bit of help;))
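
The 1:1 NAT that the thread calls a WAN IP alias, written out as plain iptables rules (an added example, not part of any post and not ClarkConnect's own configuration). It uses the 123.123.123.123 to 192.168.0.10 mapping from the first post; the interface names, the LAN range and the permitted ports 80,443 are assumptions, and the script only prints the rules.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for 1:1 NAT.
WAN_IF="eth0"             # assumed: NIC facing the bridged ADSL modem
LAN_IF="eth1"             # assumed: NIC facing the private LAN
LAN_NET="192.168.0.0/24"  # assumed private range

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit_one_to_one PUBLIC_IP PRIVATE_IP TCP_PORTS (comma-separated)
emit_one_to_one() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "bad address" >&2; return 1; }
    case $3 in ''|*[!0-9,]*) echo "bad port list" >&2; return 1 ;; esac
    # Inbound: traffic for the public alias is rewritten to the private host.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $1 -j DNAT --to-destination $2"
    # Outbound: that host's traffic leaves carrying the same public address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $2 -j SNAT --to-source $1"
    # 1:1 NAT would expose every port on the host; admit only the listed ones.
    echo "iptables -A FORWARD -i $WAN_IF -d $2 -p tcp -m multiport --dports $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# emit_ruleset: default-deny forwarding, host mappings, then shared NAT.
emit_ruleset() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT"
    # Mapping taken from the first post; ports 80,443 are an assumption.
    emit_one_to_one 123.123.123.123 192.168.0.10 80,443 || return 1
    # Catch-all goes last: nat rules are first-match, so the SNAT above wins.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
}

emit_ruleset
```

The public alias address must also reach the box on the WAN side, either routed to it by the ISP or added to the WAN interface. Review the printed rules before piping them to a shell as root.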

Cheers dude, it's not for business, it's just for my fun (the link in my sig has nothing to do with it btw). I guess I lie when I say I can't afford a Vigor 2600, but I'd rather do it this way and save the money.

I haven't come across CC until now, it looks just what I need.

The point is I don't need ALL of those public IPs but I need a few, and I want all my devices on the same network, which has been fine as I've used my /29, but I'm just about to grow out of it with a new laptop. Now with this solution I can have a more expandable private network, and map through the public IPs to machines where relevant.

When I talk about bridging to the Linux box, it's because I have ADSL, and I don't have an ADSL modem, just a combined ADSL modem/router, but I can set this to transparent bridging mode so that it just puts all traffic onto a NIC on the Linux box.

I was reading up on the iptables 1:1 NATing after I posted this, I was going to play with it, but I would prefer something with a web interface. This CC seems perfect (as far as I can see the competition, IPCop and Smoothwall, don't offer 1:1 NAT (AKA WAN IP aliases) in their interfaces, although I'm sure it's possible to just do it through the console if I sussed out how).

Anyways, CC it is then, thanks buddy, big help.

k...why do you "need" public address space? I can't imagine why anyone would need that many public addresses all at the same time. And if you already have a router, why don't you just use that? Why do you need a "Draytek Vigor 2600"? Why not just buy a cheap Linksys/Netgear cable/dsl router? They're like sub-$70 USD.

Maybe you should add second NICs to your PCs and setup a private network. One NIC for the public address space, the other private. That makes security about 100000000 times easier to manage, since you only need to firewall the public connection. Sorry if this comes off as rash, but I totally don't get what it is you're doing.

Oh, and linux will easily be able to handle that stuff.


You're more than welcome - let me know if you have any ?'s with CC - been using it for quite a bit now, pretty slick little distro. This is their first release using Fedora - they used to run on RH. If you want to play with any of the snort stuff, there is a bit of a bug in this beta - but instructions on how to run apt-get to fix it are in the forums. They may have already updated the iso?

Glad to hear I could help - there was another thread today, where I was a "D_CK" and he had forgotten more than I knew, etc.. ;) And everyone on the board thought so, etc..

I really do believe the man was off his meds or something - I asked a question, and next thing I know I don't know anything, I'm a D_CK, etc.. etc..

The thread has been deleted - not sure exactly why, never heard anything from the mods about it or anything ;)


I need a few public addresses to map to a few servers, whilst the rest of my machines have internet access and remain on the same network. My current router and a sub-$70 router would be able to NAT or route, but not both together and not mixed. A Vigor, or the solution BudMan gave above, could.

Adding 2nd NICs to machines makes it messy, and why do that when it can be done in software?

I'm not sure why you don't get what I'm doing, I explained it pretty well. But like you say, Linux can handle it easily. I realised that it was just a case of how, and the easiest answer seems to be the CC Linux distro above.

I will post back when I've got it all running, might be a couple of days yet, got to do it in my spare time, which isn't that much.


Yeh he was a muppet, I spotted the thread, was following it, and then it disappeared.


hehehe - was kind of funny ;) I had just put together quite a few "Thank You" links in answer to his request I do my own research about my threads and how I don't help anyone, etc.. Next thing you know - thread gone? I think maybe he had me mistaken with someone else?? He made some comment about 14,000+ posts -- but had my join date right.

Crazy ;)

So you got CC downloaded and installed yet? ;)


Not yet, I will do though, and I'll let you know how it goes.

Like I said above, I have precious little spare time, but this is a project I want to do properly. I'm going to use 3 NICs too so that I can keep my wireless network separate and have VPN over wireless for LAN access.

This is gonna be a fun project.

Edited by Inertia

I've got it installed and working now :D I love it, very powerful, but for some of the features it says I need to register. How do I make an account to register? I've had a quick scout around their site and can't suss it. I am knackered though, I've probably missed it.

Well, it's working well at the moment, I'll tweak it up when I'm more awake.


Yeah they do hide it quite well (who would ever think to look under the login tab? --> ;) I mean really ;)


Have some coffee - try again :) Then you register your system as a home system, etc.. This will allow you to check some basic stats of your machine from anywhere - from their website, etc.. They provide dns to the public IP address, etc.. Some of the other features are not available to the FREE home version, etc..

Yeh, I nailed that the morning after I posted :)

I'm loving this system. The PPTP VPN is handy from work, and the bandwidth shaping works very well, I can nail my bandwidth with p2p and when anything more important needs bandwidth it gets throttled temporarily, very clever stuff :)

Have I ever steered you wrong in the past? ;) It's a great little distro, and you can not beat the price! I have played with quite a few of the router/firewall distros -- and this is by far one of the best. It might have more features than some people need, etc.. if you're looking for a very small footprint, etc.. then use freesco, etc.. Other than that - it's got about anything you could think of, and if not - just install it yourself, it's just running on fedora 2 core, etc..

Example - I do not like that dns caching thing they use, so I uninstall that and install BIND. I would also suggest you install webmin, which can be used to admin the machine as well... for anything else you install on it, or when their interface is lacking -- ie their samba controls are very limited, etc.. same for fetchmail (maildrop), etc.. and I like the DNS tools webmin, etc..

I use webmin on a different Linux server. When I've put a bit more RAM in I may put webmin on that too.

No rush though, as the interface already covers everything I need it for. I'm just using this box for routing/shaping and firewall, no fileserving / ftp / http etc.

I like how it integrates MRTG into its interface stuff, I keep finding new cool stuff.

2 Questions ;)

1) How can I make my https webadmin server accessible from the outside without VPN? I've tried forwarding to port 81 and this doesn't seem to work.

2) On bandwidth shaping, where it asks for IP address, if I put 0.0.0.0 will that mean all IP addresses?

Thanks :)

Sorry for the triple posts, it won't let me edit for some reason.

Another Q

3) Is there a way (like in the Netgear DG834 router) that you can tell the DHCP server to reserve specific IP addresses in its block, and assign them to DHCP requests from specific hardware MAC addresses?
