I need to extend my school's network beyond the 254 IP numbers I'm using - based on 172.19.50.x
This network includes a router which links through an ISDN line to an LEA proxy server.
Is the best way to achieve this to split the network into 2 segments and use a Linux machine and Masquerading to link them together?
ie.- leave the bulk of the machines on 172.19.50.x
use 192.168.0.x for the others
use two NICs in the Linux machine, 1 for each subnet
Install masquerading
Will this allow the machines on 192.168.0.x to access *all* the services on the main network?
Dave Williams
Dave Williams wrote, On Sat, 15 Jul 2000
I need to extend my school's network beyond the 254 IP numbers I'm using - based on 172.19.50.x
This network includes a router which links through an ISDN line to an LEA proxy server.
Is the best way to achieve this to split the network into 2 segment and use a Linux machine and Masquerading to link them together.
ie.- leave the bulk of the machines on 172.19.50.x
use 192.168.0.x for the others
use two NICs in the Linux machine, 1 for each subnet
Install masquerading
Will this allow the machines on 192.168.0.x to access *all* the services on the main network?
Dave Williams --
Um, couldn't you cheat a bit and drop down a couple of digits for the mask? ie 255.255.255.0 becomes 255.255.250.0 I've seen it done once before, a while ago mind. Please feel free to tell me off.
paul
I've tried to give them up. But I'm back on the sigs again.
Hi, On Sat, 15 Jul 2000, Dave Williams wrote:
I need to extend my school's network beyond the 254 IP numbers I'm using - based on 172.19.50.x
This network includes a router which links through an ISDN line to an LEA proxy server.
Is the best way to achieve this to split the network into 2 segment and use a Linux machine and Masquerading to link them together.
Will the routing at the LEA not allow you to simply have an extra 254 addresses? Change your allocation from 172.19.50/24 to 172.19.50/23, which will give you 172.19.50.0 -> 172.19.51.255 ( worked out, in my head, with a cold, so I may be right about the theory but wrong about the ranges ).
ie.- leave the bulk of the machines on 172.19.50.x
use 192.168.0.x for the others
use two NICs in the Linux machine, 1 for each subnet
Install masquerading
Will this allow the machines on 192.168.0.x to access *all* the services on the main network?
Depends on the services used, but if you're going to use masquerading only but no firewalling there probably won't be any problems. I would have thought there's a more elegant solution though - you may be reconfiguring a lot of TCP/IP stacks over the summer holiday.......
--
Nick Drage, helping fill up the internet since 1993.
"On the other hand, O'Reilly's book about running Win95 has a toad as the cover animal. Makes sense; both have lots of warts and croak all the time." -- Michael Kagalenki
http://www.arkane.demon.co.uk/avatar/quotes.html
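The /23 arithmetic above was done "in my head, with a cold", so here is an added example (editor's code, not from anyone in the thread) that checks it with Python's ipaddress module and also tries the /22 mask mentioned later in the thread. The only input is the 172.19.50.0/24 range from the original post. It shows that 172.19.50.0/23 grows upward into 172.19.51.x as stated, but that 172.19.50.0/22 is not an aligned block: the wider network starts at 172.19.48.0, so two of the three extra /24s it absorbs lie *below* the current range, which matters when neighbouring ranges belong to other schools.

```python
import ipaddress


def widen_allocation(current: str, new_prefix: int) -> dict:
    """Widen an existing /24 allocation to `new_prefix` bits and report what
    the wider block really covers.

    ipaddress.ip_network(..., strict=False) silently snaps a misaligned
    address down to the block's true network address, so we compare the two:
    if they differ, some of the "extra" addresses sit below the current range.
    """
    have = ipaddress.ip_network(current)                       # e.g. 172.19.50.0/24
    wide = ipaddress.ip_network(f"{have.network_address}/{new_prefix}", strict=False)
    return {
        "network": str(wide),                                   # aligned block, e.g. 172.19.48.0/22
        "netmask": str(wide.netmask),
        "first_host": str(wide.network_address + 1),
        "last_host": str(wide.broadcast_address - 1),
        "broadcast": str(wide.broadcast_address),
        "usable_hosts": wide.num_addresses - 2,                 # minus network and broadcast
        # True when the wider block starts where the old /24 starts, i.e. every
        # new address is above the existing ones.
        "grows_upward_only": wide.network_address == have.network_address,
        "contains_current": have.subnet_of(wide),
    }


def neighbours_absorbed(current: str, new_prefix: int) -> list:
    """List the other /24s swallowed by the widened block. Any of these that
    have already been allocated to somebody else is a conflict to check for."""
    have = ipaddress.ip_network(current)
    wide = ipaddress.ip_network(f"{have.network_address}/{new_prefix}", strict=False)
    return [str(n) for n in wide.subnets(new_prefix=24) if n != have]


if __name__ == "__main__":
    # The school's range from the thread; the masks are the two suggestions made in it.
    for prefix in (23, 22):
        print(prefix, widen_allocation("172.19.50.0/24", prefix))
        print("   also covers:", neighbours_absorbed("172.19.50.0/24", prefix))
```

Run it and compare `grows_upward_only` for the two masks: with /23 the new hosts are 172.19.51.1 to 172.19.51.254 and only that one neighbouring /24 needs to be free; with /22 the block becomes 172.19.48.0/22 and 172.19.48.0/24 and 172.19.49.0/24 must be free as well, even though the usable-host count (1022) is the attractive part.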
On 15 Jul, Nick Drage
Will the routing at the LEA not allow you to simply have an extra 254 addresses? Change your allocation from 172.19.50/24 to 172.19.50/23, which will give you 172.19.50.0 -> 172.19.51.255 ( worked out, in my head, with a cold, so I may be right about the theory but wrong about the ranges ).
I'm afraid the LEA are not the easiest people to negotiate with. They allocated us the range 172.19.50.x and setup/provided the router. I have not looked at reconfiguring the router but I don't think the LEA would like this. This means (I think) that I'm stuck with 255.255.255.0 as a netmask. I'm pretty sure all the other similar ranges are allocated to local schools so changing netmask could also hit other problems. Thanks for *all* the help. Dave
ie.- leave the bulk of the machines on 172.19.50.x
use 192.168.0.x for the others
use two NICs in the Linux machine, 1 for each subnet
Install masquerading
Will this allow the machines on 192.168.0.x to access *all* the services on the main network?
Yes, if you get the config all right, but you don't necessarily need two NICs, you can run multiple subnets on one cable with one NIC by aliasing multiple numbers onto the same card, we have three different numbering systems on a single NIC! You also don't need masquerading if you have local proxying, but this would limit what the local-number machines can do to what is proxied by the proxy. In our case the limitations are welcome - the internal machines can't be seen directly by external ones, and that protects them from nasties and prevents them doing lots of non-academic things like ICQ, Napster, making money by browsing, bypassing the external filtered proxy, etc.
--
Christopher Dawkins, Felsted School, Dunmow, Essex CM6 3JG
01371-820527 or 07798 636725
cchd@felsted.essex.sch.uk
On 15 Jul, Christopher Dawkins
Yes, if you get the config all right, but you don't necessarily need two NICs, you can run multiple subnets on one cable with one NIC by aliasing multiple numbers onto the same card, we have three different numbering systems on a single NIC! You also don't need masquerading if you have local proxying, but this would limit what the local-number machines can do to what is proxied by the proxy. In our case the limitations are welcome - the internal machines can't be seen directly by external ones, and that protects them from nasties and prevents them doing lots of non-academic things like ICQ, Napster, making money by browsing, bypassing the external filtered proxy, etc.
Well that sounds ideal but how do I perform aliasing? Dave
Yes, if you get the config all right, but you don't necessarily need two NICs, you can run multiple subnets on one cable with one NIC by aliasing multiple numbers onto the same card, we have three different numbering systems on a single NIC! You also don't need masquerading if you have local proxying, but this would limit what the local-number machines can do to what is proxied by the proxy. In our case the limitations are welcome - the internal machines can't be seen directly by external ones, and that protects them from nasties and prevents them doing lots of non-academic things like ICQ, Napster, making money by browsing, bypassing the external filtered proxy, etc.
Well that sounds ideal but how do I perform aliasing?
Depends on your system, probably, but on our FreeBSD it's by the use of
ifconfig_<interface>_alias=" ... "
entries in the rc.conf file: ours are for example:
ifconfig_fxp0="inet 10.10.128.254 netmask 0xffff0000"
ifconfig_fxp0_alias0="inet 194.238.175.254 netmask 0xffffffc0"
ifconfig_fxp0_alias1="inet 10.0.128.254 netmask 0xffffff00"
[beware, on our system extra spaces, eg either side of the =,
will mess things up]
and the result from an "ifconfig -a" command is
fxp0: flags=8943
Well that sounds ideal but how do I perform aliasing?
Depends on your system, probably, but on our FreeBSD it's by the use of
ifconfig_<interface>_alias=" ... "
entries in the rc.conf file: ours are for example:
ifconfig_fxp0="inet 10.10.128.254 netmask 0xffff0000"
ifconfig_fxp0_alias0="inet 194.238.175.254 netmask 0xffffffc0"
ifconfig_fxp0_alias1="inet 10.0.128.254 netmask 0xffffff00"
[beware, on our system extra spaces, eg either side of the =, will mess things up]
and the result from an "ifconfig -a" command is
fxp0: flags=8943 mtu 1500
        inet 10.10.128.254 netmask 0xffff0000 broadcast 10.10.255.255
        inet 194.238.175.254 netmask 0xffffffc0 broadcast 194.238.175.255
        inet 10.0.128.254 netmask 0xffffff00 broadcast 10.0.128.255
        atalk 1280.185 range 1280-1289 phase 2 broadcast 0.255
        ether 00:a0:c9:45:b9:14
[the machine runs the appletalk daemon as well]
and it's probably a good idea to set "gateway_enable" to YES as well.
Thanks Chris - I'm using SuSE - anyone know the equivalent commands to the ones above? On the man page for ifconfig the only mention of alias addressing refers to ipchains? Dave
On Sun, 16 Jul 2000, Dave Williams wrote:
Thanks Chris - I'm using SuSE - anyone know the equivalent commands to the ones above? On the man page for ifconfig the only mention of alias addressing refers to ipchains?
ifconfig eth0:0 192.168.x.y netmask 255.255.255.0
ifconfig eth0:1 192.168.x.z netmask 255.255.255.0
would set you up two more ethernet addresses on eth0.
They'll show up as new interfaces if you run ifconfig.
For this to work you need IP aliasing support enabled in your kernel.
--
___ _ In a world without fences - who needs Gates?
| (_' M1CHW
._|on ._)tockill
The simplest way would be to extend the range by using a different netmask - I assume you are currently using 255.255.255.0 . The default for 172.19.0.0 under the old class B system would be a netmask of 255.255.0.0 which would give you up to 65533 possible hosts. A lot of schools in my area are set up with netmask 255.255.252.0 with 10 bits for the host giving a total of up to 1022 hosts. If you are running DHCP then it is very easy to change to suit whatever netmask you decide you need.

If you can't or don't want to change the netmasks then you can use a linux box to route between the subnets. You don't need to use masquerading, though, as presumably your router is doing the address translation to the internet for you. If you are using SuSE linux all you need to do is use the modify configuration file option in Yast to set ip_forward to yes. You will have to check the router setup to be sure it matches.

_____________________________________
Giles Nunn - Network Manager
Carms Schools ICT Development Centre
Tel: +44 01239 710662 Fax: 710985
____________________________________

On Sat, 15 Jul 2000, Dave Williams wrote:
I need to extend my school's network beyond the 254 IP numbers I'm using - based on 172.19.50.x
This network includes a router which links through an ISDN line to an LEA proxy server.
Is the best way to achieve this to split the network into 2 segment and use a Linux machine and Masquerading to link them together.
ie.- leave the bulk of the machines on 172.19.50.x
use 192.168.0.x for the others
use two NICs in the Linux machine, 1 for each subnet
Install masquerading
Will this allow the machines on 192.168.0.x to access *all* the services on the main network?
Dave Williams
If you are using SuSE linux all you need to do is use the modify configuration file option in Yast to set ip_forward to yes. You will have to check the router setup to be sure it matches.
Or
echo 1 > /proc/sys/net/ipv4/ip_forward
you might want to put this in a startup script. You also need to check that the firewall is allowing such forwarding. By default the firewall won't allow routing between the 192.168 and 172.19.50 networks.
ipchains -b -A forward -s 192.168.0.0/16 -d 172.19.50.0/24 -j ACCEPT
hope this helps.
Is the best way to do this not just to give the new computers IPs in the 172.19.51.x? If all your machines have the netmask of 255.255.0.0 then they'll all be able to communicate. Or is there a problem with security? ie you don't want computers in the 172.19.50 subnet to see the new computers? If this is the case give the 172.19.50.x a netmask of 255.255.255.0 and the 172.19.51.x a netmask of 255.255.0.0; now 172.19.51.x can see 172.19.50.x but not vice versa. Maybe I've misunderstood the problem, but I can't see how masquerading would help. With your suggestion, the router does not need to perform masquerading, it can route packets between 172.19.50.x and 192.168.x.x as it has an IP address on both subnets. Hope this helps.
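The mixed-netmask idea in the post above is easier to reason about once you write down the forwarding decision each host makes from its *own* mask. This is an added example (editor's code, not from anyone in the thread); the host addresses and the default-gateway address 172.19.50.1 are constructed placeholders, not values from the school's network. It shows that with 255.255.0.0 on the 172.19.51.x machines and 255.255.255.0 on the 172.19.50.x machines, packets from the new machines are delivered directly on the wire, but the *replies* from the old machines are handed to their default gateway. The conversation therefore only completes if that router has a route back into 172.19.51.x, or if the Linux box is made the gateway with ip_forward enabled as suggested elsewhere in the thread; the same check applies to the original 192.168.0.x plan.

```python
import ipaddress

# Constructed placeholder for the LEA-provided router on the existing segment.
SCHOOL_ROUTER = "172.19.50.1"


def next_hop(host_ip: str, netmask: str, dst_ip: str, gateway: str) -> str:
    """Ordinary IPv4 host forwarding decision.

    If `dst_ip` falls inside the network computed from the sender's own
    address and mask, the packet is put on the wire directly (after ARP);
    otherwise it is sent to the default gateway. Only the sender's mask is
    consulted, which is why two hosts with different masks can disagree
    about whether they are neighbours.
    """
    me = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    dst = ipaddress.ip_address(dst_ip)
    return "direct" if dst in me.network else f"via {gateway}"


def conversation(a: tuple, b: tuple, gateway: str) -> tuple:
    """Return (a->b, b->a) next hops for two (ip, netmask) hosts sharing a LAN."""
    return (
        next_hop(a[0], a[1], b[0], gateway),
        next_hop(b[0], b[1], a[0], gateway),
    )


def works_without_router_help(a: tuple, b: tuple, gateway: str) -> bool:
    """True only when both directions are delivered directly. Any leg that
    goes 'via gateway' depends on the router holding a route back."""
    fwd, rev = conversation(a, b, gateway)
    return fwd == "direct" and rev == "direct"


if __name__ == "__main__":
    # Constructed sample hosts: an existing machine with the /24 mask and a
    # new machine given the wider /16 mask, as the post proposes.
    old_host = ("172.19.50.10", "255.255.255.0")
    new_host = ("172.19.51.10", "255.255.0.0")
    print("new -> old, old -> new:", conversation(new_host, old_host, SCHOOL_ROUTER))
    print("works without router help:", works_without_router_help(new_host, old_host, SCHOOL_ROUTER))

    # Same two machines when every host is simply moved to 255.255.0.0.
    old_wide = ("172.19.50.10", "255.255.0.0")
    print("both /16:", conversation(old_wide, new_host, SCHOOL_ROUTER))

    # The original 192.168.0.x plan: both sides must route through a box
    # that has an address on each subnet and forwards between them.
    linux_box_192 = "192.168.0.1"   # constructed placeholder
    print("192.168 -> 172.19.50:", next_hop("192.168.0.10", "255.255.255.0", "172.19.50.10", linux_box_192))
```

`works_without_router_help` is the question to ask before relying on the one-way-visibility trick: a `False` means traffic will only flow if you have also configured (and are allowed to configure) the router, which the thread says the LEA controls.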
I need to extend my school's network beyond the 254 IP numbers I'm using - based on 172.19.50.x
This network includes a router which links through an ISDN line to an LEA proxy server.
Is the best way to achieve this to split the network into 2 segment and use a Linux machine and Masquerading to link them together.
ie.- leave the bulk of the machines on 172.19.50.x
use 192.168.0.x for the others
use two NICs in the Linux machine, 1 for each subnet
Install masquerading
Will this allow the machines on 192.168.0.x to access *all* the services on the main network?
Dave Williams
participants (7)
- Christopher Dawkins
- Dave Williams
- Giles Nunn
- Jon Stockill
- Nick Drage
- Paul Hornshaw
- Richard Naylor