
virtual interfaces (possibly??)

DevilWAH Member Posts: 2,997
I have never set this up correctly and am sure the various workarounds I have found are not the best (but they work ;) )

I have one main external IP address (5.5.5.5) that is assigned by the ISP

and have 2 static IP addresses (10.10.10.5 and 10.10.10.6)

so on my router the dialer interface picks up the 5.5.5.5.

but what do I do with the other two? I have had them set up in various ways, from loopback interfaces to simply using them in NAT pools and stuff. It works but I do get asymmetric routing and NATting, which is never nice.

but can I set up a virtual interface with these IP addresses, and bridge that interface to the dialer one? So I have one physical and two virtual interfaces pointing to the internet with three separate addresses that can be filtered/managed separately?

Or what is the standard way of assigning extra public IP addresses to an internet facing router?

I can't use the secondary address as the dialer interface uses a negotiated address, and won't let me add the secondary ones?


Any thoughts would be nice, the more the merrier :)
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.

Comments

  • ConstantlyLearning Member Posts: 445
    What do you need the other two IP addresses for? Are they public IP addresses?
    "There are 3 types of people in this world, those who can count and those who can't"
  • networker050184 Mod Posts: 11,962
    I'd just use a NAT pool and make sure the other side has a route back to you.
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAH Member Posts: 2,997
    Problem with simply adding them as a NAT pool: then the local router does not know about them (not attached to an interface or in a route), so if you ping from an external device the packet will bounce between the router and the ISP. OK, there are ways around this, but not neat. Currently I just have a loopback interface they are assigned to, and have various NAT rules set up and pools that use them, so I can easily get it all working. Just wondered if there is a conventional way to do it. Maybe I should have them assigned to a null interface for more security.
  • networker050184 Mod Posts: 11,962
    You could use a null route to get around that if you aren't using static NATs. You should be dropping ICMP at the outside anyway if you don't have anything you need to ping in there.
  • DevilWAH Member Posts: 2,997
    networker050184 wrote: »
    You could use a null route to get around that if you aren't using static NATs. You should be dropping ICMP at the outside anyway if you don't have anything you need to ping in there.

    Dropping pings is fine, but you want to do that silently, which is not what happens unless you set up access lists or filtering on the external interface, which need to be updated every time you add a new static NAT or route. Using a null interface, anything that is not NAT'd is going to get dropped silently.

    You also get an issue if an internal host tries to connect to another inside host via one of the NAT'd public IP addresses if you don't have it attached to an interface. Unless I missed something with router on a stick.
  • networker050184 Mod Posts: 11,962
    DevilWAH wrote: »
    Dropping pings is fine, but you want to do that silently, which is not what happens unless you set up access lists or filtering on the external interface, which need to be updated every time you add a new static NAT or route. Using a null interface, anything that is not NAT'd is going to get dropped silently.

    You also get an issue if an internal host tries to connect to another inside host via one of the NAT'd public IP addresses if you don't have it attached to an interface. Unless I missed something with router on a stick.


    A route to Null will drop them silently. You also shouldn't have internal hosts accessing each other on their outside address. That's what the internal addresses are for. If you use DNS to query them by name you will just need to have the internal hosts get the internal address in their response.

    You will need to update the ACL, but there really is no way around that if you want to secure the network.
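As an added example, not anything posted in this thread, here is how the approach networker050184 describes (a route to Null0 for the extra public addresses, static NAT for the published services, an ACL on the outside interface) fits together in Cisco IOS using the thread's addresses. The inside subnet 192.168.1.0/24, the hosts 192.168.1.10 and 192.168.1.20, the interface names and the CBAC `ip inspect` rule are assumptions; the `no-alias` keyword is the one kalebksp mentions further down.

```cisco
! Added example (not from the thread). Outside is Dialer1 with a negotiated
! address (5.5.5.5 in the thread); 10.10.10.5 and 10.10.10.6 are the extra
! public addresses. Inside subnet, host addresses, interface names and the
! inspection rule are assumed values.
!
! Stateful inspection (CBAC) so return traffic for inside-initiated sessions
! gets through the inbound ACL without a permit line per flow.
ip inspect name FW tcp
ip inspect name FW udp
!
! Null0 sends ICMP unreachables by default; turn them off so the null route
! really is a silent drop.
interface Null0
 no ip unreachables
!
interface Vlan1
 description inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 description ISP link, address negotiated by PPP
 ip address negotiated
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Anchor the extra public addresses to Null0 so the router owns a route for
! them: anything not matched by a translation is dropped here instead of
! bouncing between the router and the ISP's default route.
ip route 10.10.10.5 255.255.255.255 Null0
ip route 10.10.10.6 255.255.255.255 Null0
!
! Port-based static NAT: one public address can front HTTP on one host and
! SMTP on another. no-alias stops the router installing a proxy-ARP alias for
! the public address on a connected broadcast segment (moot on a PPP dialer,
! relevant if the address ever lands on an Ethernet outside interface).
ip nat inside source static tcp 192.168.1.10 80 10.10.10.5 80 extendable no-alias
ip nat inside source static tcp 192.168.1.20 25 10.10.10.5 25 extendable no-alias
ip nat inside source static tcp 192.168.1.10 443 10.10.10.6 443 extendable no-alias
!
! Everything else goes out PAT'd behind the negotiated dialer address.
ip access-list standard INSIDE-NETS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list INSIDE-NETS interface Dialer1 overload
!
! Outside-in ACL: only the published services. It matches the public
! (pre-translation) addresses, so every new static NAT needs a line here.
! packet-too-big is kept so path MTU discovery still works; all other ICMP
! is dropped by the final deny.
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.10.10.5 eq 80
 permit tcp any host 10.10.10.5 eq 25
 permit tcp any host 10.10.10.6 eq 443
 permit icmp any any packet-too-big
 deny ip any any
```

Two things worth checking after pasting this in: `show ip nat translations` should list the three static entries, and a probe from outside to an unpublished port on 10.10.10.5 should produce no reply at all (neither an ICMP unreachable nor a bounce back to the ISP). The hairpin case DevilWAH raises later is not covered here: an inside client sending to 10.10.10.5 is routed before it is translated, so it hits the Null0 route and is dropped; IOS needs an NVI (`ip nat enable`) or a loopback-based workaround for that, which the thread does not settle.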
  • DevilWAH Member Posts: 2,997
    I have no control over the DNS name that clients resolve. The webserver is a mirror site so the FQDN is not a zone I control, and setting up a DNS server that controls that zone then causes issues with internal clients resolving addresses from the rest of that zone.

    So it's simpler to set up NAT hairpinning, so internal clients loop through the router and back in using the external IP address. Much less hassle than playing about with DNS servers.

    Like always, many ways to skin a cat..

    But I was wondering if you can do like on a VMware server, where in effect I could have virtual interfaces bridged to the physical port. Then you could in effect set up each virtual port to be in a separate security zone for firewall policies. OK, logically you can achieve the same with one port and not assigning the separate addresses to an interface.
    But for tidy configs it would be nice to be able to treat them logically as separate.
  • networker050184 Mod Posts: 11,962
    Screw all that. I'd just let the server guys worry about setting up the DNS :D

    You might be able to get something working with loopbacks, but I'm not really sure.
  • kalebksp Member Posts: 1,033
    Read the comments in this article: Hairpin NAT on a Cisco IOS Router? - So Do You Want to be a CCIE? - 2bccie.com

    Essentially it says to add the public IPs as secondaries on the servers and create static routes for each of the servers' public addresses pointing to their respective private addresses. Apparently the no-alias option is needed on the static NAT entries so that the router won't respond to the clients with a proxy ARP.

    I haven't tested it but I believe this would cause the router to send an ICMP redirect telling the client to use the server as the gateway for that address, which is beneficial because the traffic wouldn't need to loop through the router, assuming the server and client are on the same subnet.
  • DevilWAH Member Posts: 2,997
    networker050184 wrote: »
    Screw all that. I'd just let the server guys worry about setting up the DNS :D

    You might be able to get something working with loopbacks, but I'm not really sure.

    Damn it, yer let them server guys do some bloody work...

    Oh hold on, bugger it.... I am the damn guy in charge of DNS... ;)
  • DevilWAH Member Posts: 2,997
    kalebksp wrote: »
    Read the comments in this article: Hairpin NAT on a Cisco IOS Router? - So Do You Want to be a CCIE? - 2bccie.com

    Essentially it says to add the public IPs as secondaries on the servers and create static routes for each of the servers' public addresses pointing to their respective private addresses. Apparently the no-alias option is needed on the static NAT entries so that the router won't respond to the clients with a proxy ARP.

    I haven't tested it but I believe this would cause the router to send an ICMP redirect telling the client to use the server as the gateway for that address, which is beneficial because the traffic wouldn't need to loop through the router, assuming the server and client are on the same subnet.

    Trouble with this is that one address is then used up by the server. If you use NAT the same IP address can be used for the HTTP service on one server, and the SMTP on another. If you assign the IP to the server NIC then that's it, you can't use it on another one.
  • ColbyG Member Posts: 1,264
    DevilWAH wrote: »
    Damn it, yer let them server guys do some bloody work...

    Oh hold on, bugger it.... I am the damn guy in charge of DNS... ;)

    So you'd rather do all this hacking instead of setting up DNS correctly?
  • DevilWAH Member Posts: 2,997
    Is setting up my DNS to respond to a request for a domain for which I have no authority any less hacking?

    I.e. I want my DNS server to respond for

    server.otherdomain.com while all other requests to otherdomain.com go to the root servers.

    Again easy to set up but adds extra config to the DNS server, so either way I need extra config. And if, as I expect, we will be hosting more mirror sites, allowing internal clients to access the webservers via their external address will mean future config will be simpler..

    Anyway, that was not the original question. I was just interested in whether people running small networks like this assign extra public IP addresses to an interface, or simply use NAT mappings and routes to manage them.