Routing Question, Help!

M

mlager

I'm moving into a new data center. I don't consider myself a network engineer or anything but I do understand the basics. The new data center I am moving into routes my network to me a bit differently than my old data center, so I thought I'd post here and ask for some help. Here's what they are doing:

I am assigned a /29 block which they configure as the routing network, it looks like this:

Routing Network: A.A.A.0
Routing Network Subnet Mask: 255.255.255.248
Routing Network Def Gateway: A.A.A.1
Customer Usable Address: A.A.A.4

I've been assigned a /28 block which is B.B.B.240/28. They stated that in order for me to use my allocated blocks, I had to act as my own gateway, routing the traffic through the routing network. This goes just a bit beyond my networking knowledge, though I still understand it, I just don't know exactly how to execute. They said I could implement a Cisco or a Layer 3 switch to handle this, but I'd rather just put FreeBSD on it and make it a firewall / gateway. So this is what I think I'm supposed to do. I'm not officially in the new data center yet so I haven't had an opportunity to test this scenario:

The uplink from the data center plugs into interface 1 on my FreeBSD system. It gets assigned A.A.A.4 with a default gateway of A.A.A.1. Interface 2 on the same FreeBSD system gets assigned B.B.B.240. I then enable gateway routing in FreeBSD by setting
Code: 
gateway_enable="YES"
in /etc/rc.conf. Interface 2 would plug into a switch where all the other servers will plug into. The first server plugged into this switch would be assigned B.B.B.241 with a default gateway of B.B.B.240.

My assumption is that traffic will be routed through the gateway and then through the routing network. I'm also assuming that this traffic will show as from B.B.B.241, not any address on the gateway itself. I'm also assuming that inbound traffic to the data center will route to my gateway, and then through interface 2 on my firewall and then to the destination address.

Am I way off, and if so, can anyone offer advice or clarification? I really appreciate anyones help on this, I can't afford to be spending too much play around time on this once I'm actually in the new data center. My old data center simply gave my a block, and the gateway was on the same subnet, so they handled all the routing for me. It was a bit more plug and play, but I do understand the advantages to how this new data center is configuring my network.

Thanks again.

--Matt
 
If I understand correctly A.A.A.0/29 is your routing network. Which means that A.A.A.1/29 should be your default gateway leaving A.A.A.A.2 till A.A.A.A.6. You say that it is assigned with A.A.A.4/29. Therefore you route everything to A.A.A.1/29 and they route everything back to A.A.A.4/29.

Your second NIC should get an IP in the range of B.B.B.241/28 up to B.B.B.254/28. Don't forget that the first IP is your network and the last your broadcast therefor you don't assign them.

You will configure your box with the following in /etc/rc.conf assuming that em is you network controller.
Code: 
ifconfig_em0="inet A.A.A.4 netmask 255.255.255.248"
ifconfig_em1="inet B.B.B.241 netmask 255.255.255.240"
defaultrouter="A.A.A.1"
gateway_enable="YES"
Now, every machine that will be in the B.B.B.240/28 must have default gateway B.B.B.241 and with that configuration it will reach the internet and vice versa assuming that the data center has configured their own routing part. So, far with this scenario you are not doing any NAT or Packet Filtering therefore the real IP address will appear and all traffic incoming / outgoing is allowed.

Regards
George
 
Excellent, that helps a lot... It doesn't sound like I was too far off except for my mistake in utilizing the first ip on that subnet. The data center says they have all appropriate routing configured on their side and it is to the first customer usable ip address on the routing network with is a.a.a.4.

I appreciate your response. I'm actually looking forward to this configuration because being the gateway allows me to capture some good network information, and firewall my network centrally at the gateway.

They have also assigned me a /27 which is on a completely different subnet, would I just alias this on interface 2 of the gateway and keep everything on the same switch, or do I have to utilize a third interface and a third switch? Is there where VLANs come into play?
 
The routed daemon is necessary only if you decide to use dynamic routing. In your case you don't need to and generally speaking internet based firewalls should avoid it.
Regarding the other vlan I think that a 3rd NIC is more appropriate but you don't need a 3rd switch for this. You can create 2 vlans in your inside switch. Any managed cisco switch can do this.
Best Regards,
 
You must log in or register to reply here.
Back
Top