Alias IP addresses - which subnet mask to use?

Question

I confess - I'm a tad lost.

Our ISP has provided us with several additional IP addresses for our ADSL2 account. The email they sent specified ip addresses with subnet 255.255.255.240:

203.214.69.1/28 to 203.214.69.14/28 gw: 203.206.182.192

I'm attempting to add them as aliases to the connection in our firewall configuration (so I can subsequently create some 1-1 NAT rules to expose our internal webservers).

When adding aliases in our firewall's connection configuration should I use 28 or 32 as the subnet mask?

How can an internet address have a subnet as 28? Perhaps I'm seriously mistaken, but i thought the Internet had the highest resolution when it came to addresses.

Ok - let me have it.

thanks everyone,

ashley

hmmm - perhaps this is just way off - but is the internet pretty much a 32bit address space? — chickeninabiscuit, Jul 10 '09 at 08:12
IPv4 addresses are indeed 32 bits in length. But I'm not sure of the relevance to your question. — Dan Carley, Jul 10 '09 at 08:31
well - a 32bit address space that excludes the private address ranges: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. — chickeninabiscuit, Jul 10 '09 at 08:31
@chickeninabiscuit: Just because some addresses are reserved, doesn't mean they're not IPv4 addresses. — womble, Jul 10 '09 at 11:57

score 1 · Answer 1 · answered Jul 10 '09 at 08:22

1

What the ISP is doing is routing those extra IP addresses over the standard connection. It doesn't actually matter what netmask you set, as long as it's not larger than what the ISP is expecting. I just specify them all as /32 extra addresses when I deal with them.

answered Jul 10 '09 at 08:22

womble

96,255
29
175
230

What if you choose to place one or more of those assigned addresses onto a different device? – Dan Carley Jul 10 '09 at 08:40
Then you do things differently, but since that isn't what the OP asked, it's irrelevant. – womble Jul 10 '09 at 09:12
There's never harm in future proofing. Just because you don't need it today doesn't mean you should make it tougher on yourself at a later date. – Dan Carley Jul 10 '09 at 09:27
Configuring things right now doesn't mean you can't change it later if your needs change. And overengineering is the cause of far more problems than gradual and well-planned change in face of changing circumstances. – womble Jul 10 '09 at 11:56
1

It doesn't seem over-engineering to setup them up as they come. Perhaps you could explain the benefit of not doing so. – Dan Carley Jul 10 '09 at 13:05

score 1 · Answer 2 · answered Jul 10 '09 at 08:22

Ashley,

I think you should define the aliases on your firewall with a /32 subnet mask. Your firewall might forward all requests for your public subnet to your (e.g.) webserver. You firewall's external interface will, of course, have a /28 netmask.

But that heavily depends on your firewall. What product are you using?

HTH, PEra

score 0 · Answer 3 · answered Jul 10 '09 at 08:03

0

The subnet will be the same for all of the addresses because they belong together.

The /28 is a CIDR notation that describes a subnet mask of 255.255.255.240.

answered Jul 10 '09 at 08:03

Dan Carley

25,617
5
53
70

radius · Answer 4 · 2009-07-10T08:27:29.613

You should add the /28 subnet mask. An IP has always a subnet, /32 would mean that the IP is alone in it's own subnet. In this case it would not be reacheable. /32 are used to add specific route to host or in firewalls.

Using a /28 subnet mask does't mean that you have a 'less resolution' of the address space. The IP is still a 32 bit value. The subnet mask only define in what network the address live.

I think that you have to read about what is a subnet mask : http://en.wikipedia.org/wiki/Subnetwork

Murali Suriar · Answer 5 · 2009-07-10T14:06:21.743

For the purposes of defining NATs, each of these IPs must be defined as a /32. If you define them as /28s, then traffic to all 16 IPs in that CIDR range will match the first NAT you have defined in your policy.

EDIT: Expanding on the above; this may vary dependent upon platform, but based on my experience on Checkpoint NAT, consider the following. (I'll write up Cisco as well, at a later stage; takes a bit more effort to express).

For the purposes of this example, Checkpoint NAT rules can be considered in the form:

|| Original         || Translated       ||
|| Src | Dst | Port || Src | Dst | Port ||

In this case, we are concerned with the 'Original Dst'. Let's assume that we're creating a rule for traffic destined for 203.214.69.1, which will be redirected to an internal web server.

Original
Source: Any
Destination: 203.214.69.1/28
Port: TCP/80. TCP/443

Destination:
Source: Original
Destination: 192.168.1.1/32
Port: Original

The problem with this rule is that 203.214.69.1/28 will match traffic destined to any IP in the range: [ 203.214.69.0 ... 203.214.69.15 ]

And any subsequent rules (for example, redirecting SMTP traffic to 203.214.69.2 to internal server 192.168.1.2) will never be hit.

The cases where this prefix will need to be defined as a /28 are:

When being used for routing. It sounds like you only have one ISP, so I would expect that you will have a static default route pointing to your ISP's default gateway, and your ISP will have a static route for your allocated /28 pointing to your internet facing device (firewall?). In this case, traffic for all these IPs will be routed to your internet gateway regardless of how you define the addresses in your firewall policy.
When you are using it as a true layer 3 subnet, where all hosts need to be in the same broadcast domain. As you have said these addresses will be used to NAT to internal webservers, this case also doesn't apply.

Could you explain "If you define them as /28s, then traffic to all 16 IPs in that CIDR range will match the first NAT you have defined in your policy". Is this an IPtables specific limitation? — Dan Carley, Jul 10 '09 at 13:51
Oh, I see. You're not saying that the IPs turned up on the host have to be /32 - just the NAT rule? — Dan Carley, Jul 10 '09 at 14:11
Correct - although in this case, these IPs are not being used to create an L3 subnet; they are a pool of addresses that will be used only for NAT. There should be no need to configure them as interface addresses, even on the firewall? The ISP will route all traffic to any IP within the /28 to the firewall; the firewall will then NAT traffic as per the policy defined before forwarding it to the internal network. Traffic to the internal servers will be received with a destination IP address of the internal server IP, not the public 203.214.69.x address. — Murali Suriar, Jul 10 '09 at 14:26

Zoredache · Answer 6 · 2009-07-10T08:10:28.273

-1

When adding aliases in our firewall's connection configuration should I use 28 or 32 as the subnet mask?

If I where in your shoes I would start by using the /28 exactly like your ISP told you. They know how the router on their end is configured.

203.214.69.1/28 to 203.214.69.14/28 gw: 203.206.182.192

Something does seem a bit odd. That gateway isn't on the same network as the IP addresses you where provided. Are you sure that address space should be placed on the outside of your firewall? Where they expecting you to place that on a network behind your firewall and to route it perhaps?

edited Jul 10 '09 at 08:10

answered Jul 10 '09 at 08:04

Zoredache

130,897
41
276
420

1

I imagine their existing connection is turned up by PPP on 203.206.182.xxx and the new addresses are to be used the other side of the router. – Dan Carley Jul 10 '09 at 08:24

Alias IP addresses - which subnet mask to use?

6 Answers6