RE: Running public IP's inside an RFC 1597 network

From: Ted Mittelstaedt (tedm_at_toybox.placo.com)
Date: 01/26/05

    To: "Doug Poland" <doug@polands.org>, <questions@freebsd.org>
    Date: Tue, 25 Jan 2005 23:04:37 -0800
    owner-freebsd-questions@freebsd.org wrote:
    > Hello,
    >
    > I'm running a typical Class C RFC 1597 network in my lab. What I want
    > to do is create another network, accessible from my private addresses,
    > that use public IPs. The public IPs exist in the wild but I
    > want to have
    > an isolated environment where I can test what happens in
    > public space, in
    > my lab, before I deploy changes.
    >

    Hoo boy. OK first of all an IP is an IP is an IP. Machines don't
    know or care if we humans designate a subnet as public or private.

    In any case you cannot have 'public' IPs 'inside' a private IP
    subnet, unless there's some tunnel connection from the public
    network on the inside to the real outside Internet.

    > All the machines in question are running 5.3-STABLE.
    >
    > What I've setup so far are two test servers, host1 (H1) and host2 (H2)
    > with public IPs, and a gateway (GW) machine with one public IP and one
    > private IP. All three machines are on a switch, the gateway has two
    > NICs, one on the public switch and one on the private switch.
    >
    > e.g.,
    >
    >        External IP         Internal IP      Default router IP
    >        ------------------  ---------------  -----------------
    >     GW 123.456.789.1/24    10.20.30.40/24   10.20.30.1
    >     H1 123.456.789.154/24                   123.456.789.1
    >     H2 123.456.789.161/24                   123.456.789.1
    >
    >
    > I can ping between the 3 "public" IPs fine until I turn on the GW
    > interface with the private IP. At that point, the GW cannot ping the
    > two "public" servers.
    >

    Impossible. Or more accurately, if the GW is correctly configured
    it doesn't work this way.

    A default route such as:

    0.0.0.0 0.0.0.0 -> 10.20.30.1

    is the absolute most general route there is for a machine. ANY route
    other than another default is more specific than it, and thus will
    take priority.

    In a correctly configured system when you define an interface, such
    as 123.456.789.1/24 the system automatically creates a /24 route
    for the 123.456.789.0 subnet that points out that interface. This
    route is -more specific- than the default, thus ANY IP that has a
    prefix that matches this subnet will follow the more specific route,
    and be routed out of the interface. This is a fundamental property
    of any host.

    You aren't saying how you're 'turning on' the GW interface. If you have
    NOT defined gateway_enable="YES" in the /etc/rc.conf file then
    it might be possible to get funny behavior like this if you have
    multiple interfaces active in the system. Or, if you turn on the
    firewall with a restricted set of access lists, same thing.

    > Obviously I'll need NAT'ing from the GW to H1 and H2 if I want packets
    > from other hosts on my private network to see the "public" servers.

    Incorrect. All you need is a route in the 10.20.30.1 router
    for 123.456.789.0/24 pointing back to 10.20.30.40. Since all the hosts
    on 123.456.789.0/24 know to use 123.456.789.1 as their default gateway,
    and that machine knows where 10.20.30.0/24 is, routing works normally.

    > What I can't figure out is how to tell my GW machine that packets
    > destined for the 123.456.789.0/24 network are to go through my other
    > NIC, not out through the GW's default router.
    >

    It is more useful to stand this question on its head. Ask yourself, how
    can you PREVENT packets from just naturally going out the 123.456.789.1
    interface that have a destination prefix of 123.456.789 ?

    > I hope I've explained the situation clearly. Googling and reading the
    > friendly manuals has not revealed a solution to me.

    Well, what you're trying to do is, as they say, pointless, which is why
    nobody does it, which is why it's not documented.

    Why don't you tell us what you REALLY are trying to accomplish? What
    exactly does a 'public space' have that you need to test on that a
    'private space' doesn't, and why are you under the impression that
    it will continue to remain a 'public space' the second you isolate it?

    Ted
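Added illustration, not part of the thread: a small longest-prefix-match lookup run over the routing tables the thread describes, showing why GW's automatically created connected /24 beats its default route and why the single static route Ted suggests on 10.20.30.1 is all the private side needs, with no NAT. The 203.0.113.0/24 prefix and the 10.20.30.7 LAN host are constructed stand-ins, since 123.456.789.x is not a valid IPv4 address.

```python
import ipaddress

# Constructed stand-in for the thread's "123.456.789.0/24", which is not a
# valid IPv4 network (octets above 255); RFC 5737 documentation space is
# used so the ipaddress module accepts it.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")   # "123.456.789.0/24"
PRIVATE_NET = ipaddress.ip_network("10.20.30.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
GW_PRIVATE = "10.20.30.40"   # GW's address on the private switch

def lookup(table, dst):
    """Longest-prefix match: among routes whose prefix contains dst,
    the one with the longest prefix wins; the /0 default only matches
    when nothing more specific does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

# GW's table once both NICs are up: the kernel adds a connected route for
# each interface's /24 automatically; only the default comes from rc.conf.
# (Forwarding between the two NICs still needs gateway_enable="YES".)
GW_TABLE = [
    (DEFAULT, "10.20.30.1"),
    (PUBLIC_NET, "link#public"),
    (PRIVATE_NET, "link#private"),
]

# The upstream router 10.20.30.1 as first described (it has no idea where
# the "public" /24 lives) and with the one static route Ted recommends.
UPSTREAM_BROKEN = [(DEFAULT, "isp"), (PRIVATE_NET, "link#lan")]
UPSTREAM_FIXED = UPSTREAM_BROKEN + [(PUBLIC_NET, GW_PRIVATE)]

def lan_host_reaches(upstream, dst):
    """Does a packet from a host on 10.20.30.0/24 (default gw 10.20.30.1)
    reach dst on the public segment, and does H1/H2's reply (default gw
    123.456.789.1, i.e. GW) find its way back?  No NAT anywhere."""
    if lookup(upstream, dst) != GW_PRIVATE:       # upstream must hand it to GW
        return False
    if lookup(GW_TABLE, dst) != "link#public":    # GW forwards onto public NIC
        return False
    # Reply: H1/H2 send to GW; GW's connected route delivers it to the
    # (constructed) LAN host 10.20.30.7 directly.
    return lookup(GW_TABLE, "10.20.30.7") == "link#private"
```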
