Re: IP subnetting

Beginner wrote:

> I have a 126 IP addresses on a single subnet all routing through the 
> same gateway. I have upgraded my router so I now have 2 interfaces. I 
> want to put an SMTP and HTTP server on the 2nd interface and keep the 
> internal hosts on the original interface. I think this is basically a 
> DMZ configuration.
> 
> My current IP address assignment is sporadic, with some static hosts 
> at one end or the other on the IP block and DHCP given a pool from 
> the middle. 
> 
> I want to assign a /29 block of address from within my range to the 
> 2nd interface giving me 5 addresses to use. I am a little unsure what 
> the impact of this change will be on other network services, in 
> particular DHCP. 
> 
> Will I be turning my simple single subnet into 3 different subnets? 

The number of addresses in a subnet will always be a power of two; you
can't make a subnet with e.g. 128 - 8 = 120 addresses. If your network
is a /25, and you want to carve out a /29, you would end up with at
least 5 subnets:

	/29 + /29 + /28 + /27 + /26
	8     8     16    32    64

That isn't a problem for the router, but configuring the hosts'
routing tables is likely to be a nuisance (assuming that the DMZ hosts
and non-DMZ hosts might occasionally want to talk to each other).

If you configure the hosts to believe that they're on a /25 subnet,
they will assume that they can talk directly to the DMZ hosts, without
needing to use a gateway. That will require proxy ARP.

OTOH, if you split the /25 into 5 subnets as shown above, either each
host will require routes to all of the other subnets, or hosts on
different subnets will have to route their traffic through the
gateway, which will significantly increase its load.

I suspect that you would be better off sticking to a single /25
network, and adding host routes and proxy-ARP entries for the DMZ
hosts.

On the router, you would add a route for your entire /25 network
through the first interface, and host routes for the individual DMZ
hosts through the second interface. You would also add proxy-ARP
entries for the DMZ hosts to the first interface, so that the non-DMZ
hosts can act as if the DMZ hosts are on the same network segment.

Or you could just use private (192.168.* etc) addresses for the
non-DMZ hosts and have the router perform NAT.

-- 
Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
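The arithmetic behind the reply above, worked through in Python as an added example (not code from the thread): carving a /29 out of a /25 leaves four smaller subnets, a host still configured for the /25 treats a DMZ address as on-link and ARPs for it (hence the proxy-ARP requirement), and on the router a /32 host route out the second interface wins over the /25 route by longest-prefix match. Assumptions: 192.0.2.0/25 (RFC 5737 documentation space) stands in for the poster's block, the DMZ /29 sits at its top end, and the router's interfaces are called eth0 and eth1.

```python
import ipaddress

# Constructed stand-ins for the poster's network; every value here is hypothetical.
LAN = ipaddress.ip_network("192.0.2.0/25")
DMZ = ipaddress.ip_network("192.0.2.120/29")
DMZ_HOSTS = ["192.0.2.121", "192.0.2.122"]       # the SMTP and HTTP servers

def carve_out(block, carved):
    """Subnets left over when `carved` is removed from `block`.

    Returns (prefix, size) pairs, longest prefix first: a /29 taken out of
    a /25 leaves /29 + /28 + /27 + /26 (8 + 16 + 32 + 64), so the remaining
    120 addresses can never be a single subnet."""
    rest = sorted(block.address_exclude(carved),
                  key=lambda n: (-n.prefixlen, n.network_address))
    return [(str(n), n.num_addresses) for n in rest]

def host_delivery(host_cfg, dst):
    """'direct' if a host configured as `host_cfg` (address/prefix) would ARP
    for `dst` itself, 'gateway' if it would hand the packet to its router.
    A DMZ host behind the router's second interface is only reachable in the
    'direct' case if the router answers that ARP for it (proxy ARP)."""
    iface = ipaddress.ip_interface(host_cfg)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return "gateway"

def router_egress(dst, routes):
    """Longest-prefix match over `routes` ([(network, interface), ...]).
    The /25 route via eth0 and the /32 host routes via eth1 coexist because
    the more specific /32 entries win for the DMZ hosts."""
    dst = ipaddress.ip_address(dst)
    matches = [(n.prefixlen, ifname) for n, ifname in routes if dst in n]
    return max(matches, key=lambda m: m[0])[1] if matches else None

# The router's table as the reply describes it: whole /25 out eth0,
# one host route per DMZ machine out eth1.
ROUTES = [(LAN, "eth0")] + [
    (ipaddress.ip_network(h + "/32"), "eth1") for h in DMZ_HOSTS]

if __name__ == "__main__":
    for prefix, size in [(str(DMZ), DMZ.num_addresses)] + carve_out(LAN, DMZ):
        print(f"{prefix:18} {size:3} addresses")
    print("host on /25 -> DMZ:", host_delivery("192.0.2.10/25", DMZ_HOSTS[0]))
    print("host on /26 -> DMZ:", host_delivery("192.0.2.10/26", DMZ_HOSTS[0]))
    for d in ["192.0.2.10", DMZ_HOSTS[0]]:
        print(f"router sends {d} out {router_egress(d, ROUTES)}")
```

Carving the /29 from the middle of the block instead of the end still leaves exactly one subnet of each size between /29 and /26, so the five-subnet count in the reply holds wherever the DMZ block is placed.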
