Different Broadcast IP and Public Block

Discussion in 'Networking Issues' started by buddhatown, Sep 29, 2008.

  1. buddhatown

    buddhatown Addicted to LI Member

    First, please forgive my ignorance. I am a lowly programmer, and I am quite confused in the networking arena.

    The below pertains to an older firewall that I have, but I have also purchased an RVS4000 in the hopes that it may help me. I need to be able to assign external IPs to internal privately addressed machines... I'm not sure if the RVS4000 will be able to do this. I don't think port forwarding will cut it here (i.e. I have multiple machines that will use port 80).

    So, here goes the story. We just recently switched providers. My new provider has given me 2 sets of IPs and 2 separate gateways.

    The first IP is my 'external facing' IP. If I configure my FW with that
    IP, gateway, mask (.252) I am able to get out on the internet fine.

    The second set that they have given me are supposed to be my
    public ips - 24 of them. This block, .1 thru .25 is totally different
    from the first block (external facing IP). It's a different gateway and
    the netmask is .224 (only thing that makes sense).

    For example, First set.

    Public Broadcast IP 24.1.1.x
    Gateway 24.1.1.X

    Then they give me this other set, which are my 24 public ips that I purchased:
    block 24.1.30.xxx thru 24.1.30.xxx
    gateway 24.1.30.xxx

    With all the other providers that I have had, the external facing and
    my block of public ip's were all in the same, so when I put in my
    netmask of .224, the FW would know that I have 24 ips to work with.
    This new provider says (and I get lost here) that they route
    everything thru my single external ip and then my FW is supposed to be
    able to assign incoming traffic to my public block. Or something to
    that effect.

    Does anyone know what kind of setup this is? Is it a common practice? Will a RVS4000 handle this setup? Perhaps a RVL200? Right now, I have everything running thru the one broadcast ip, but that aint gonna cut it. Any help is greatly appreciated.

  2. ifican

    ifican Network Guru Member

    The setup you are describing is typical for a business setup. Now I have never used an RVS router so I cannot say how well it will suit you in "gateway" mode, but it will do just fine as a router. However, once you turn it into a router you will have to set up routing correctly, i.e. your current setup will not work. However, back to your initial question: simply set up the WAN (sounds like you already did) just like they ask you to, now setup your lan with the ip's they have given you for your public block. Since I do not know what the range is I cannot tell you what to make what, but just assign one of the IPs to the RVS LAN and make it the default for your network. I know this sounds complicated but it's not; I just don't believe you are going to make this work without making your RVS a router instead of a gateway. PM me if you want to talk specifics, otherwise post here so others might find it useful down the road.
  3. buddhatown

    buddhatown Addicted to LI Member

    "now setup your lan with the ip's they have given you for your public block."

    My internal network is all private 192.168 addresses though. Does that above advice still apply?
  4. ifican

    ifican Network Guru Member

    Yes, the 192.168 is the default network, however you can make it whatever you wish. In your case the internal network will be 12.1.30.x. And you know, the more I think about this, and the fact that I am actually awake right now, you will need to run your device as a router and not a gateway.
  5. HennieM

    HennieM Network Guru Member

    Assuming that you can do this on your RV, I would do this:

    Say your WAN/internet interface on the RV is eth1. Your "normal" public IP (24.1.1.x) would be assigned to this interface.

    Now manually assign your other IPs to pseudo interfaces of eth1. I use .1, .2, etc., but use whatever you have:

    ifconfig eth1:1 netmask
    ifconfig eth1:2 netmask
    ifconfig eth1:24 netmask

    What the above means is that the interface "eth1:2", which is a pseudo interface of the base interface "eth1", has IP address, etc.

    Now, in your firewall setup, you map traffic where the destination is, to, and dest. to, etc.

    This way you still use your RV as a NAT gateway.

    As mentioned, dunno if this is possible with an RV.
  6. ifican

    ifican Network Guru Member

    HennieM, great advice overall, though I am not sure it is going to work for him. He will need to have his internal machine public (internet) facing; with running the device as a gateway he will not have this functionality, as the device will not route traffic as it needs to for machines living on the inside. His ISP will forward all traffic destined for his internal network to his WAN IP, but then his WAN IP will drop the traffic as a gateway because it does not know what to do with it. Yes, port forwarding will work for 1 IP, but I believe he wants to run multiple web servers.
  7. buddhatown

    buddhatown Addicted to LI Member

    Ok, I am going to share this thread with my provider to see if they can assist. Thanks so much for everyone's help. I would really like to get this working on my older firewall (D-Link DFL 300). It has served me well in the past, but I believe this setup may be beyond its capabilities. Would it be possible to set these up together perhaps (DFL as firewall and RVS as router)? Would that help or hurt?
  8. buddhatown

    buddhatown Addicted to LI Member


    Reading into this a bit more. First, you are correct... I have multiple webservers (and other things running) that need their own external IP.

    If I read this correctly, you are suggesting that I use that external block that my ISP gave me and assign them to my internal machines? Doesn't that leave me wide open?

    Again, thanks so much for your help here.
  9. HennieM

    HennieM Network Guru Member

    @ifican: Having multiple WAN pseudo interfaces, and DNATting each interface (all ports) IP to an internal IP works just the same as having one WAN interface IP and DNATting different ports to different internal IPs. It's just normal port forwarding.

    However, reading the OP's post again,
    it should not be necessary to define the pseudo interfaces at all. All you need to do is some iptables stuff, like this:

    Say the "normal"/ public IP is, and the "other" public IPs are thru

    The ISP will route like this:
    route add -net netmask gw
    so all traffic for comes through, which is the router's WAN interface.

    When sees that it has traffic for say, it consults the iptables rules and then its routing table.
    You set up a rule like this to forward traffic destined for to internal IP
    iptables -t nat -A PREROUTING -s 0/0 -d -j DNAT --to
    This then effectively puts in the DMZ w.r.t. all traffic destined for, and the routing will then route it to the internal IP. The internal machine ( must just know to route back to the LAN interface of the router (usually, where netfilter/iptables will do the IP swap again (replace source IP with and send the packet back out over the internet through the WAN interface of the router.

    The only snag is usually a default rule that throws away everything that's not destined for the primary WAN IP, something like this usually (assuming the WAN interface is a PPP link):
    iptables -A PREROUTING -t nat -i ppp0 -d ! -j DROP
    that you have to augment and insert a rule with something like this before it:
    iptables -I PREROUTING -t nat -i ppp0 -d -j ACCEPT
    in order to allow traffic destined for 24.1.30.x to not be thrown away as soon as it arrives.

    All of this of course assumes that one can get to the "internals" of the RV to manipulate the iptables (and that the RV is running Linux....;)
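
The 1:1 mapping described in the last post, as an added example that is not part of the thread: a script that prints (rather than applies) one DNAT rule per public IP and pairs it with FORWARD rules that expose only named ports, which bears on the "wide open" question asked earlier. Every address, the port lists and the helper names are constructed placeholders; `ppp0` is the WAN interface assumed in the post.

```shell
#!/bin/sh
# Prints (does not apply) 1:1 NAT rules for a public block routed to the WAN IP.
# Every address below is a constructed placeholder, not a value from the thread.

WAN_IF="ppp0"   # WAN interface name, as assumed in the post above

# Constructed table: public IP, internal IP, TCP ports to expose
MAPPINGS="203.0.113.1 192.168.1.11 80,443
203.0.113.2 192.168.1.12 80
203.0.113.3 192.168.1.13 25"

is_ipv4() {
    # Four dot-separated decimal fields, each 0-255
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

is_portlist() {
    # Comma-separated decimal ports only, e.g. 80,443
    echo "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$'
}

gen_rules() {   # $1 = WAN interface, $2 = mapping table
    # Replies to connections that were already allowed may pass
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$2" | while read -r pub priv ports; do
        if ! is_ipv4 "$pub" || ! is_ipv4 "$priv" || ! is_portlist "$ports"; then
            echo "# skipped invalid entry: $pub $priv $ports"
            continue
        fi
        # -I puts the DNAT ahead of an existing "drop if not the primary WAN IP"
        # rule; DNAT ends nat-table traversal, so no separate ACCEPT is needed
        echo "iptables -t nat -I PREROUTING -i $1 -d $pub -j DNAT --to-destination $priv"
        # Connections the server opens itself leave with its own public IP
        echo "iptables -t nat -I POSTROUTING -o $1 -s $priv -j SNAT --to-source $pub"
        # Only the listed ports reach the server; the rest of the public IP is closed
        echo "iptables -A FORWARD -i $1 -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -A FORWARD -i $1 -d $priv -j DROP"
    done
}

gen_rules "$WAN_IF" "$MAPPINGS"
```

Review the printed rules against the existing rule set before loading them, since rule order decides whether the DNAT is reached at all.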