virtual interfaces (possibly??)

DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
I have never set this up correctly and am sure the various ways I have found work arounds are not the best (but they work ;) )

I have one main exteranl IP address (5.5.5.5) that is assigned by the ISP

and have 2 static ip address (10.10.10.5 and 10.10.10.6)

so on my router the dialer interface pick up the 5.5.5.5.

but what do i do with the other two? I have had them set up in various ways, from loop back interfaces, simply using them in nat pools and stuff. it wokrs but I do get asymetric routing and natting that is never nice.

but can I set up a virtual interface with these IP address, and bridge that interface to the dialer one? so I have one physical and two virtual interfaces pointing to the internet with three seperate address that can be filtered/managed seperatly?

Or what is the standard way of assiging extra public IP address to a internet facing router?

I cant use the secondry address as the dialer interface uses a negoiated address, and wont let me add the secondry ones?


Any thoughts would be nice, the more the merrier :)
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.

Comments

  • ConstantlyLearningConstantlyLearning Member Posts: 445
    What do you need the other two IP addresses for? Are they public IP addresses?
    "There are 3 types of people in this world, those who can count and those who can't"
  • networker050184networker050184 Mod Posts: 11,962 Mod
    I'd just use a NAT pool and make sure the other side has a route back to you.
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    problem with simply adding them as a nat pool. then the local router does not know about them (not attached to inter face or in a route) so if you ping from an external device the packet will bounce between the router and the isp. ok ways around this but not neat. currently i just have a loopback inter face they are assigned to. and have various nat rules set up and pools that use them. so i can easy get it all working. just wondered if there is a convential way to do it. maybe i should have them assigen to a null interface for more security.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    You could use a null route to get around that if you aren't using static NATs. You should be dropping ICMP at the outside anyway if you don't have anything you need to ping in there.
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    You could use a null route to get around that if you aren't using static NATs. You should be dropping ICMP at the outside anyway if you don't have anything you need to ping in there.

    dropping ping's is find, but you want to do that silently, which is not what happens. unless you set up access lists of filtering on the external interface, which need to be updated ever time you add a new static nat or route. using a null interface anything that is not nat's is going to get dropped silently.

    You also get an issue if an internal host tries to connect to another inside host via one of the nat'ed public IP address if you don't have it attached to an interface. Unless I missed some thing with router on a stick.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    DevilWAH wrote: »
    dropping ping's is find, but you want to do that silently, which is not what happens. unless you set up access lists of filtering on the external interface, which need to be updated ever time you add a new static nat or route. using a null interface anything that is not nat's is going to get dropped silently.

    You also get an issue if an internal host tries to connect to another inside host via one of the nat'ed public IP address if you don't have it attached to an interface. Unless I missed some thing with router on a stick.


    A route to Null will drop them silently. You also shouldn't have internal hosts accessing each other on their outside address. Thats what the internal addresses are for. If you use DNS to query them by name you will just need to have the internal hosts get the internal address in their response.

    You will need to update the ACL, but there really is no way around that if you want to secure the network.
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    I have no control over the DNS name that clients resolve, the webserver is a mirror site so the FQDN is not a zone I control, and setting up a DNS server that controls that zone, then casue's issues with internal clients resolving address from the rest of that zone.

    So its simpler to set up NAT hairpinning, so internal clients loop through the router and back in using the external IP address. Much less hassle than playing about with DNS servers.

    like always many ways to skin a cat..

    But I was wondering if you can do like on a vmware server. where in effect I could have a virtual interfaces bridged to the physical port. Then you could in effect set up each virtual port to be in a seperate security zone for fire wall policies, ok logically you can achieve the same with one port and not assigning the separate address to an interface.
    But for tidy configs it would be nice to be able to treat them logicaly as seperate
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    Screw all that. I'd just let the server guys worry about setting up the DNS :D

    You might be able to get something working with loopbacks, but I'm not really sure.
    An expert is a man who has made all the mistakes which can be made.
  • kalebkspkalebksp Member Posts: 1,033 ■■■■■□□□□□
    Read the comments in this article: Hairpin NAT on a Cisco IOS Router? - So Do You Want to be a CCIE? - 2bccie.com

    Essentially it says to add the public IPs as as secondaries on the servers and create static routes for each of the servers' public addresses pointing to their respective private addresses. Apparently the no-alias option is needed on the static NAT entries so that the router won't respond to the clients with a proxy arp.

    I haven't tested it but I believe this would cause the router to send an ICMP redirect telling the client to use the server as the gateway for that address, which is beneficial because the traffic wouldn't need to loop through the router, assuming the server and client are on the same subnet.
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    Screw all that. I'd just let the server guys worry about setting up the DNS :D

    You might be able to get something working with loopbacks, but I'm not really sure.

    Dam it yer let them server guys do some bloody work...

    oh hold on bugger it.... I am the dam guy in charge of DNS... ;)
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    kalebksp wrote: »
    Read the comments in this article: Hairpin NAT on a Cisco IOS Router? - So Do You Want to be a CCIE? - 2bccie.com

    Essentially it says to add the public IPs as as secondaries on the servers and create static routes for each of the servers' public addresses pointing to their respective private addresses. Apparently the no-alias option is needed on the static NAT entries so that the router won't respond to the clients with a proxy arp.

    I haven't tested it but I believe this would cause the router to send an ICMP redirect telling the client to use the server as the gateway for that address, which is beneficial because the traffic wouldn't need to loop through the router, assuming the server and client are on the same subnet.

    Trouble is with this that one address is then used up by the server. If you use NAT the same IP address can be used for the HTTP serverice on one server, and the stmp on another. If you assign the IP to the server nic then thats it, you can't use it on another one.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • ColbyGColbyG Member Posts: 1,264
    DevilWAH wrote: »
    Dam it yer let them server guys do some bloody work...

    oh hold on bugger it.... I am the dam guy in charge of DNS... ;)

    So you'd rather do all this hacking instead of setting up DNS correctly?
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    Is setting up my DNS to responce to a request for a domain to which I have no authority any less hacking?

    Ie I want my DNS server to respond for

    server.otherdomain.com while all other requests to otherdomain.com go to the root servers.

    Again easy to set up but adds extra config to the DNS server, so either way I need extra config. And if as I expect we will be hosting more mirror sites allowing ineranl clients to access the webserves via there exteranl address will mean future config will be simpler..

    Any way that was not the origianal question, I was jsut intrested if people runnign small networks like his, assign extra public IP address to an interface. or simple use NAT mappings and routes to manage them.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Sign In or Register to comment.