3

I have a Linux NAT Firewall serving a virtual machine infrastructure. Right now all the VMs use NAT, but I'd like to have some of them to use a public IP that is not NATed. I have a range of IPs: 208.x.x.129-140, subnet 255.255.255.240. Right now these IP's sit on the WAN interface of the firewall. I'd like to move a few IP's behind the firewall.

Can I change the route on just a few of these IP's? Do I need to alter my subnet mask?

Antonius Bloch
  • 4,680
  • 6
  • 29
  • 41

2 Answers2

4

You can do this by making a smaller subnet. So for example, if you have a /24 network, you can carve out a small block from this subnet such as a /29 network.

For example if 8.8.8.0/24 was your public network. You could use a second interface with 8.8.8.240/29. You would then have 8.8.8.241 assigned to that interface and that would be the gateway for clients. You would then have 5 remaining ips you could use. 

[kbrandt@alpine: ~] ipcalc 8.8.8.240/29
Address:   8.8.8.240            00001000.00001000.00001000.11110 000
Netmask:   255.255.255.248 = 29 11111111.11111111.11111111.11111 000
Wildcard:  0.0.0.7              00000000.00000000.00000000.00000 111
=>
Network:   8.8.8.240/29         00001000.00001000.00001000.11110 000
HostMin:   8.8.8.241            00001000.00001000.00001000.11110 001
HostMax:   8.8.8.246            00001000.00001000.00001000.11110 110
Broadcast: 8.8.8.247            00001000.00001000.00001000.11110 111
Hosts/Net: 6                     Class A

Even though you might have the /24 network on a different interface that overlaps with the /29, that doesn't matter because the more specific (you might think of it as smaller) route always wins. Keep in mind that when you do this you lose 2 usable ip address, one for the network and one for the broadcast.

Learning to subnet is a worthwhile skill, we have our own sort of Mega answer on that at How does IPv4 Subnetting Work?.

The other option is to not do any NAT for IP blocks and only use NAT for specific IPs. This works fine because NAT rules will take precedence as they happen before routing.

Community
  • 1
Kyle Brandt
  • 83,619
  • 74
  • 305
  • 448
1

Assuming you have >1 IP you can do the simple thing of opening all ports to an internal IP(known as a 1to1 NAT) and use the server FW to filter. You could pass all IPs through the LAN but that requires us to know what router you have.

Jacob
  • 9,204
  • 4
  • 45
  • 56