
Re: routing: subnet behind gateway in that subnet



Hi Arne,
thanks to you and the others for taking the time to reply.

On Wed, 2003-03-12 at 00:49, Arne P. Boettger wrote:

> Elegant solution is splitting the /27 further apart. How many
> machines do you have that need to be publicly reached? 

As we have only 30 publicly accessible IP addresses and the deployment is
meant to be scalable, it is desirable not to lose one.

> You could split it in two /28s, and use one for the link to the
> provider and the other one for your local machines. 

That would "waste" 16 IP addresses as I understand it, unless we would
install a switch at the interface to the computer center (cc), but we
couldn't enforce security with our gateway/router.

> Or split it in four /29s, use one for the link to the provider and
> the rest for your machines. 

Wouldn't we lose 2 IP addresses with every split, one for broadcast and
the network IP?

> Fact is that you should have public addresses for this structure.
> Another option would be to move the WLAN to another router with an
> official IP address behind your router/firewall.

I still don't understand why it isn't possible/desirable to have an
explicit route for our gateway and declare that the rest of the net is
reachable through that gateway. 
Would it be a solution to ask for an additional IP for our router in
another subnet? 

> > Could anyone tell us, what options we have to get this setup working.
> > Not being able to access the internet for some strange routing problem
> > the computer center raises is kind of unsatisfying.
> > Which would be the obvious solution anyone with more experience in
> > routing issues than we have would come up with?
> 
> By the way: This is not a strange routing problem at the computer
> center, it's a strange idea you had - sorry to say that. 
> And either your computer center has no one understanding routing to
> consult you or you didn't tell them the whole story, because what
> you have now looks to me like you didn't tell your provider about
> that WLAN stuff... 

Well, as it raises the problems I mentioned (router only *reachable*
from internet) it seems strange to me, but I must admit that I had this
latent feeling that the cc was right.. :)
But nevertheless, it seems to me that every "elegant" solution implies a
loss of usable IP addresses, am I right here?

> Oh by the way, of course you can put a filtering bridge there
> instead, but filtering on layer two for layer three information is a
> bit awkward - proper routing should be preferred.

As the other replies point out too, this seems to be the way to go for
us, unless there is a solution not to lose a single IP address with
proper routing.
I would also prefer a clean routing solution, but losing more than one
IP to achieve it is not an option. Are there any cons with a bridge
solution that anyone is aware of?

tia
Stefan
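
Added example, not part of the original message or thread: the address
cost of the options discussed above (the unsplit /27 behind a filtering
bridge, two /28s, four /29s), computed with Python's ipaddress module.
The block 192.0.2.0/27 is a constructed documentation prefix; one router
interface address per routed subnet and a bridge without an address in
the block are assumptions.

```python
import ipaddress

# Constructed sample block (RFC 5737 documentation range), not from the thread.
BLOCK = "192.0.2.0/27"

def address_cost(block, new_prefix, router_addrs_per_subnet=1):
    """Count what a split of `block` into /new_prefix subnets costs.

    router_addrs_per_subnet is an assumption: a routing gateway needs one
    interface address in every subnet it routes; a layer-2 bridge needs none.
    """
    net = ipaddress.ip_network(block)
    if new_prefix == net.prefixlen:
        subnets = [net]                      # no split at all
    else:
        subnets = list(net.subnets(new_prefix=new_prefix))
    # hosts() leaves out the network and broadcast address of each subnet.
    usable = sum(len(list(s.hosts())) for s in subnets)
    return {
        "subnets": len(subnets),
        "overhead": net.num_addresses - usable,   # network + broadcast addresses
        "usable": usable,
        "for_machines": usable - router_addrs_per_subnet * len(subnets),
    }

def compare(block=BLOCK):
    """Return one row per option named in the thread."""
    options = [
        ("unsplit /27, filtering bridge", 27, 0),
        ("two /28s, routed", 28, 1),
        ("four /29s, routed", 29, 1),
    ]
    return [(label, address_cost(block, p, r)) for label, p, r in options]

if __name__ == "__main__":
    for label, cost in compare():
        print(f"{label:32} subnets={cost['subnets']} "
              f"overhead={cost['overhead']:2} usable={cost['usable']:2} "
              f"for_machines={cost['for_machines']:2}")
```
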



