From: Glynn Clements <glynn@gclements.plus.com>
To: Beginner <dermot@sciencephoto.com>
Cc: linux-admin@vger.kernel.org
Subject: Re: IP subnetting
Date: Mon, 14 Jul 2008 11:55:40 +0100
Message-ID: <18555.12460.355339.149345@cerise.gclements.plus.com>
In-Reply-To: <487B3757.6329.37A4346B@dermot.sciencephoto.com>
Beginner wrote:
> I have 126 IP addresses on a single subnet all routing through the
> same gateway. I have upgraded my router so I now have 2 interfaces. I
> want to put an SMTP and HTTP server on the 2nd interface and keep the
> internal hosts on the original interface. I think this is basically a
> DMZ configuration.
>
> My current IP address assignment is sporadic, with some static hosts
> at one end or the other on the IP block and DHCP given a pool from
> the middle.
>
> I want to assign a /29 block of address from within my range to the
> 2nd interface giving me 5 addresses to use. I am a little unsure what
> the impact of this change will be on other network services, in
> particular DHCP.
>
> Will I be turning my simple single subnet into 3 different subnets?
The number of addresses in a subnet will always be a power of two; you
can't make a subnet with e.g. 128 - 8 = 120 addresses. If your network
is a /25, and you want to carve out a /29, you would end up with at
least 5 subnets:
    /29 + /29 + /28 + /27 + /26
      8     8    16    32    64
That isn't a problem for the router, but configuring the hosts'
routing tables is likely to be a nuisance (assuming that the DMZ hosts
and non-DMZ hosts might occasionally want to talk to each other).
If you configure the hosts to believe that they're on a /25 subnet,
they will assume that they can talk directly to the DMZ hosts, without
needing to use a gateway. That will require proxy ARP.
OTOH, if you split the /25 into 5 subnets as shown above, either each
host will require routes to all of the other subnets, or hosts on
different subnets will have to route their traffic through the
gateway, which will significantly increase its load.
I suspect that you would be better off sticking to a single /25
network, and adding host routes and proxy-ARP entries for the DMZ
hosts.
On the router, you would add a route for your entire /25 network
through the first interface, and host routes for the individual DMZ
hosts through the second interface. You would also add proxy-ARP
entries for the DMZ hosts to the first interface, so that the non-DMZ
hosts can act as if the DMZ hosts are on the same network segment.
Or you could just use private (192.168.* etc) addresses for the
non-DMZ hosts and have the router perform NAT.
--
Glynn Clements <glynn@gclements.plus.com>
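The two points in the reply above, as an added example that is not part of the thread or anyone's posted code: (1) why carving a /29 out of a /25 leaves /26 + /27 + /28 + /29 behind (repeated halving of the block that contains the hole), (2) the iproute2 commands a Linux router would need for the single-/25-plus-host-routes alternative, and (3) the DHCP check the original poster asked about, i.e. whether the carved block collides with the existing pool. The prefix 192.0.2.0/25 (documentation space), the interface names eth0/eth1, the DMZ host addresses and the pool boundaries are all constructed for illustration.

```python
"""Added example, not part of the original thread: what happens to a /25
when a /29 is carved out of it, what a Linux router needs for the
single-/25-plus-host-routes alternative, and whether the carved block
collides with an existing DHCP pool.  192.0.2.0/25 (documentation space),
the interface names and the pool boundaries are all constructed values."""
from ipaddress import IPv4Address, IPv4Network
from typing import List


def carve_out(parent: str, hole: str) -> List[str]:
    """Subnets left over when `hole` is removed from `parent`.

    CIDR blocks are powers of two, so the only way to take a /29 out of a
    /25 is to halve the block containing the hole again and again; the
    sibling at each halving becomes one leftover subnet (/26, /27, /28,
    /29 for a /25 -> /29 cut, whichever /29 is chosen).
    """
    parent, hole = IPv4Network(parent), IPv4Network(hole)
    if not hole.subnet_of(parent):
        raise ValueError(f"{hole} is not inside {parent}")
    leftovers = []
    current = parent
    while current.prefixlen < hole.prefixlen:
        low, high = current.subnets(prefixlen_diff=1)
        if hole.subnet_of(low):
            leftovers.append(high)
            current = low
        else:
            leftovers.append(low)
            current = high
    return [str(n) for n in sorted(leftovers)]


def split_plan(parent: str, hole: str) -> List[str]:
    """All subnets that exist if the /25 is genuinely split (hole included)."""
    nets = [IPv4Network(n) for n in carve_out(parent, hole)] + [IPv4Network(hole)]
    return [str(n) for n in sorted(nets)]


def router_commands(lan: str, dmz_hosts: List[str],
                    lan_if: str = "eth0", dmz_if: str = "eth1") -> List[str]:
    """iproute2 commands (assumed Linux router) for keeping one /25:
    the whole block routed out the LAN interface, a /32 host route for
    each DMZ box out the second interface, and a proxy-ARP entry on the
    LAN interface so LAN hosts, which still believe the DMZ boxes are
    on-link, get their ARP requests answered by the router."""
    lan_net = IPv4Network(lan)
    cmds = [f"ip route add {lan_net} dev {lan_if}"]
    for host in dmz_hosts:
        addr = IPv4Address(host)
        if addr not in lan_net:
            raise ValueError(f"{addr} is outside {lan_net}")
        cmds.append(f"ip route add {addr}/32 dev {dmz_if}")
        cmds.append(f"ip neigh add proxy {addr} dev {lan_if}")
    return cmds


def dhcp_conflicts(pool_start: str, pool_end: str, hole: str) -> List[str]:
    """Addresses of the carved block that a DHCP pool could still hand out.
    The pool must be shrunk (or the /29 moved) before the DMZ goes live,
    otherwise a LAN client can be leased a DMZ server's address."""
    lo, hi = IPv4Address(pool_start), IPv4Address(pool_end)
    return [str(a) for a in IPv4Network(hole) if lo <= a <= hi]


if __name__ == "__main__":
    lan, dmz = "192.0.2.0/25", "192.0.2.120/29"
    print("if the /25 is really split:", split_plan(lan, dmz))
    for cmd in router_commands(lan, ["192.0.2.121", "192.0.2.122"]):
        print(cmd)
    # Constructed DHCP pool that happens to run into the carved block.
    print("pool addresses inside the /29:",
          dhcp_conflicts("192.0.2.40", "192.0.2.125", dmz))
```

`carve_out` gives the same result as the standard library's `IPv4Network.address_exclude`, but shows the halving that makes the five-subnet count unavoidable. The generated commands only cover the LAN-to-DMZ direction described in the reply; if the DMZ boxes are also configured as /25, they will ARP on the DMZ segment for LAN addresses, so the router needs proxy ARP on that interface too (for example `net.ipv4.conf.eth1.proxy_arp=1`), an assumption not stated in the message.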
Thread overview: 4+ messages
2008-07-14 10:24 IP subnetting Beginner
2008-07-14 10:55 ` Glynn Clements [this message]
2008-07-14 16:10 ` Beginner
2008-07-14 20:18 ` Kevin J. Cummings