Two Dedicated IP addresses, how to route

E

esogs

Hello, my ISP has given me a slash 4 (2 dedicated IP addresses that are internet routable) . I used to have 1 IP address that ran as a "router"/firewall/webserver. I'd like to add a second webserver/mail server into the mix, but can't figure out how to route this using freebsd (I'm sure I could buy a switch, ask for a slash 8, and get enough IP addresses to work, but wondering if I can do this instead with just two IP addresses and freebsd).

Today I have:

Code: 
           204.228.x.22
ISP --> FreeBSD Router via PPPoE (Tun0) --> 172.16. NAT
I'd like to do:
Code: 
           204.228.x.22
ISP --> FreeBSD Router via PPPoE --> 172.16. NAT 
              |
              |
            Webserver  (204.228.x.23

The FreeBSD router has 3 Nic cards in it, one for the external gateway, one for the internal NAT, and the third for "routing" to the new Webserver.

What I'd "like" to do is just be able to plug an ethernet cable into the 3rd NIC on the router, and connect to the NIC on the webserver, but I'm having problem figuring out the routing.

If I alias the new IP address 204.228.x.23 to the gateways NIC, I can ping it externally. If I add the 204.228.x.23 to the third nic (also on the gateway server) I can ping it externally too. I just don't know how to make the next jump of moving that IP address off the gateway server onto a webserver, and what do I assign that third nic on the gateway machine? I want it to act as a "switch" and just pass the connection through w/out tying it to an IP address. Do I bridge the gateway NIC to the third NIC, or do I have to do something different like maybe assign the third nic the external IP address, give the webserver a new 172.16. network and do and IPF redirect out to the webserver?

I'd like to keep traffic ideally off my current intranet. I think/hope this is easy and I just need to be pointed in the right direction.

thanks
 
If you put 204.228.x.23 on your "router" server, it becomes "internal" address so your "router" is easy to know where is .23
Now, if you put .23 any other place, the "router" have no idea where to find it, except one: the subnet route to 204.228.x.0/24 (or which mask you have). He trying to find .23 in ISP side, which is not right.
If i where you, ill try to add some internal address to you "webserver", for example 172.17.1.2 (and 172.17.1.1 on "router"). Now its possible to add static route on "router":
route add 204.228.x.23/32 172.17.1.2
Click to expand...
Note that "webserver" must have "inet" address on iface as .23, and alias "172.17.1.2".
Note2: actually, this must not work without `special` actions on ISP side. They must know where .23 route to. But, if you say .23 works when it aliased on 3rd nic.....

I think it must help. The "long" way is to use "ipfw fwd" or other not so easy way.
 
esogs said:
Hello, my ISP has given me a slash 4 (2 dedicated IP addresses that are internet routable) .... ask for a slash 8, and get enough IP addresses to work
Click to expand...

A "slash 4" or "/4" network and a "slash 8" or "/8" network are not exactly how you describe them .. If you get 4 IP addresses, it is a /30 network, if you get 8 IP addresses, it is a /29 network.

Simple rule of thumb:

Code: 
/32 = 2^(32-32) = 2^0 = 1
/31 = 2^(32-31) = 2^1 = 2
/30 = 2^(32-30) = 2^2 = 4
/29 = 2^(32-29) = 2^3 = 8

etc.

Try calculating how big a /4 or a /8 network actually is, and try to imagine the ISP bill associated with that kind of netspace. Be careful what you order next ;)
 
<laugh> yes, this is true. It is a subnet 4, slash /30. the 1st and last octets are used for broadcast and network. The middle two IP addresses are usable by me, and I can confirm they are correctly routing to me and ping-able if I enable an interface on the router for them, either directly using the gateway interface as an alias, or indirectly using the third NIC on the gateway.

With regard to the routing issue itself, the solution by ALT is a purely layer 3 solution I think, it was one way I had thought of this early and I could pursue it if it is the best way to approach this.

Before I go down this path though, I want to confirm that there is no layer "two" solution where I can essentially bridge to the third interface like a "switch" would do. Ideally I'd like to bridge the 1st interface and 3rd interface on the "router", plug an ethernet cable into the 3rd interface, plug the other end into my webserver, then configure the webserver with the "2nd" external routable IP, and get service.

For ALTs solution, I think I can see that I would:

configure my "router" to accept connections on its external interface for the 204.228.x.22, this is the gateway/router IP.

Configure the third interface on that same router for 172.16.2.1 (a new 172.16.2 class c). Add a route on the router to 204.228.x.23 pointing to that third interface (172.16.2.1).

On the webserver, configure a 172.16.2.2 class C address. Add routing for 172.16.2.0/24 back to the router over that 172.16.2.2 interface.

Then, alias that same 172.16.2.2 interface to the external 204.228.x.23. Configure routing for 204.228.x addresses back over the webserver interface/NIC to the directly connected "router".

On another note, it seems you might also be able to use IPNAT'ing on the router to achieve a similar result, essentially adding a "redirect" at the IPNAT configuration to route to 172.16.2.2 on the webserver.

So, before I go down the layer 3 route, there is no "layer 2" way to do this without the placeholder 172.16.2 subnet?

Thanks for help here, I'm pretty new to this.
 
I ended up just purchasing a /29 instead, this gave me enough IP addresses to assign one to the third nic, making a full routable subnet.

Thanks for the help.
 
The simple solution is to use NAT, and use two separate private subnets for the two internal networks. Then you add the second public IP to the public interface of the firewall as an alias, and write firewall rules to NAT the traffic to the specific internal IP.

The layout would look like so:
Code: 
Internet ----- Firewall ----- private subnet 1
                  |
                  \---------- private subnet 2
 
You must log in or register to reply here.
Back
Top