In case you didn't know, if you get a block of IP addresses over and above your external interface's set, you can use them at will in 1:1 NAT. That being said, ClearOS currently matches the subnet mask of the interface that it is bound to for any IP addresses created as a 1:1 NAT. This is fine if you want to assign addresses out of your default pool...no problem. But if you have a block of IP addresses that has a different subnet, it can stomp those addresses. If the subnet is too big, you end up with burned addresses that you cannot talk to in neighboring subnets. If your subnet is too small, you stomp addresses in your subnet. That is kind of hard to explain, so let me put this into a DMZ example.

Say, for instance, you have a block of 8 IPs from your ISP and a block of 64, 1.0.0.0/29 and 2.0.0.0/26 respectively. Your LAN is 10.1.1.0/24. You set up the first block for your external interface and your network looks like this:

1.0.0.0 - Network Reserved
1.0.0.1 - Your ISP's router
1.0.0.2 - Your ClearOS Server
1.0.0.7 - Broadcast

Your DMZ network looks like this:
2.0.0.0 - Network Reserved
2.0.0.1 - Your ClearOS Server
2.0.0.63 - Broadcast

ClearOS will deal fairly with all of your DMZ addresses provided that the hosts are assigned to the 2.0.0.0/26 network. However, if you want to use 2.0.0.12 as a 1:1 NAT address to your internal LAN server of 10.1.1.10, it will pull the subnet mask of your 1.0.0.0/29 network and essentially create 2.0.0.8 as a network address and 2.0.0.15 as a broadcast. This will burn these two addresses because you won't be able to ping them through ClearOS.

So, an elegant way to deal with this is to always assign 255.255.255.255 to ALL virtual IP addresses created by 1:1 NAT. With this configured, routing defers to the normal interface in the case of any undefined virtual, so routing is copacetic. I've seen lots of Linux guides and questions that don't seem to understand the reasons, and a few BSD articles that say 255.255.255.255 is always the best policy. The question then becomes: is there any downside to this? I've not been able to see one in the lab, but I don't want to put a patch out there and break anyone without reviewing it first. Let me know if you have any insight.
Monday, April 29 2019, 06:24 AM
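As an added illustration for this thread (example code, not from the post above and not part of ClearOS), the Python script below computes what the inherited mask does to a 1:1 NAT virtual IP: which addresses of the DMZ block become a derived network or broadcast address (and so are "burned", as the post puts it), and which ranges outside the block the derived subnet wrongly claims as on-link, so that the box ARPs for them instead of sending them to the ISP gateway. The addresses are the ones used in the post (1.0.0.0/29, 2.0.0.0/26, virtual IP 2.0.0.12); the function names and the summary format are my own.

```python
"""Check what a 1:1 NAT virtual IP loses depending on the mask it inherits.

Added example for the ClearOS 1:1 NAT thread; not ClearOS code. It only
models the address arithmetic the kernel performs when an address is added
with a given prefix length (network/broadcast and the on-link range).
"""
import ipaddress


def derived_subnet(virtual_ip, prefixlen):
    """Subnet the kernel derives when virtual_ip is configured as /prefixlen."""
    return ipaddress.ip_interface(f"{virtual_ip}/{prefixlen}").network


def burned_addresses(dmz_block, virtual_ip, prefixlen):
    """Host addresses of dmz_block that become a network or broadcast address
    once virtual_ip is added with /prefixlen, as a sorted list of strings.

    The block's own network/broadcast are already reserved, and a /32 derives
    network == broadcast == the virtual IP itself, so neither counts as a loss.
    """
    dmz = ipaddress.ip_network(dmz_block)
    vip = ipaddress.ip_address(virtual_ip)
    net = derived_subnet(virtual_ip, prefixlen)
    lost = {
        a for a in (net.network_address, net.broadcast_address)
        if a in dmz
        and a != vip
        and a not in (dmz.network_address, dmz.broadcast_address)
    }
    return [str(a) for a in sorted(lost)]


def on_link_outside(dmz_block, virtual_ip, prefixlen):
    """Ranges outside dmz_block that the derived subnet claims as directly
    connected (the "too big" mask case), as a sorted list of CIDR strings.
    Traffic to these ranges is ARPed for on the interface instead of being
    routed via the ISP gateway.
    """
    dmz = ipaddress.ip_network(dmz_block)
    net = derived_subnet(virtual_ip, prefixlen)
    if net.subnet_of(dmz):
        return []  # mask equal to or smaller than the block: nothing spills out
    if dmz.subnet_of(net):
        return [str(n) for n in sorted(net.address_exclude(dmz))]
    return [str(net)]  # disjoint: the whole derived range is wrongly on-link


def check_mappings(dmz_block, virtual_ips, prefixlen):
    """Summarise both failure modes for each virtual IP under one mask."""
    return {
        vip: {
            "derived": str(derived_subnet(vip, prefixlen)),
            "burned": burned_addresses(dmz_block, vip, prefixlen),
            "on_link_outside": on_link_outside(dmz_block, vip, prefixlen),
        }
        for vip in virtual_ips
    }


if __name__ == "__main__":
    # Constructed scenario from the post: external interface is a /29,
    # the DMZ block is 2.0.0.0/26, and 2.0.0.12 is mapped 1:1 to 10.1.1.10.
    dmz = "2.0.0.0/26"
    vips = ["2.0.0.12"]
    for mask in (29, 24, 32):
        print(f"mask /{mask}:", check_mappings(dmz, vips, mask))
```

Running the script shows the three cases from the post side by side: the inherited /29 burns 2.0.0.8 and 2.0.0.15, a too-large /24 pulls 2.0.0.64/26 and 2.0.0.128/25 on-link, and /32 loses nothing in either direction, which is the behaviour the proposed patch relies on.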