From owner-freebsd-questions Thu Oct 4 6:41:26 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mip.co.za (puck.mip.co.za [209.212.106.44]) by hub.freebsd.org (Postfix) with ESMTP id CF73737B408 for ; Thu, 4 Oct 2001 06:41:18 -0700 (PDT)
Received: from patrick (patrick.mip.co.za [10.3.13.181]) by mip.co.za (8.9.3/8.9.3) with SMTP id PAA98094; Thu, 4 Oct 2001 15:41:10 +0200 (SAST) (envelope-from patrick@mip.co.za)
From: "Patrick O'Reilly"
To: "Daniel Fairs", "FreeBSD Question List"
Subject: RE: Firewalling again
Date: Thu, 4 Oct 2001 15:43:56 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Daniel,

> It transpires that we in fact have allocated to us the 8 IPs
> 213.2.28.63 to 213.2.28.70 inclusive - on one subnet. So that's expressed as
> 213.2.28.63/29, yes? (This whole thing is not helped by the fact that I'm
> only just getting to grips with CIDR notation ;). That gives 213.2.28.63 as
> the subnet IP and 213.2.28.70 as the net broadcast address. (Guess I'd
> better move the firewall off of .70 then.)

No, something is amiss. A /29 subnet has 8 addresses, and these must begin on a multiple of 8 (like 56 or 64). A range from .63 to .70 does not make sense! You should have .56 thru .63, or .64 thru .71.

>
> I guess, then, that I need to talk to my ISP about splitting the /29 into
> two /30s? Then I'd have:
> .63 - subnet 1 IP
> .64 - Firewall external IP
> .65 - DSL Router IP
> .66 - subnet 1 broadcast
>
> .67 - subnet 2 IP
> .68 - Mailserver IP
> .69 - unused
> .70 - subnet 2 broadcast
>
> Does that make sense? Or am I getting the wrong end of the stick?
>
> Something I find a little concerning in my predecessor's docs is that our
> ISP seems to have taken one of our IPs (currently .64) for 'internal use'.
> Is this normal? Or do they just have a weird system?

Yes, you can split a /29 to two /30s, see below.

I'm thinking, reading between all these lines, that what you actually have is .64 thru .71, which could then be arranged as follows:

subnet A: 213.2.28.64/30
.64 (reserved - 'cos it's the subnet address)
.65 (the DSL router device - also your f/w's default gateway)
.66 (the ip you should have on the xl2 interface of the f/w)
.67 (reserved - broadcast)

subnet B: 213.2.28.68/30
.68 (subnet address)
.69 (the f/w xl1 interface, also your mx's default router)
.70 (the mail server's ip)
.71 (reserved - broadcast)

Unfortunately, this leaves you with no spare IPs.

If you are certain that .63 is yours, then you want to verify what the subnet is, probably 213.2.28.60/30. But, this would render .63 unusable anyway as it is the broadcast address !?!

I think you need to get hold of someone at your ISP who has more than a handful of grey cells to rub together (that can be difficult - trust me! :), and verify what exactly is allocated to you.

>
> T very much IA!
> Cheers,
> Dan
>

Pleasure to help - I'm usually the one doing the asking :)

Patrick.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
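The alignment check and the /29-to-/30 split that Patrick walks through above, as an added example that is not part of the original message or of any FreeBSD tooling: it uses Python's standard ipaddress module to test whether a claimed block such as 213.2.28.63/29 actually starts on a /29 boundary, to name the two aligned /29s that such a misaligned range straddles (.56/29 and .64/29, the two candidates in the reply), and to lay out network, usable host and broadcast addresses for each /30 carved out of 213.2.28.64/29. The addresses are the ones quoted in the thread; the function names are my own.

```python
import ipaddress


def check_block(cidr):
    """Report whether a CIDR block starts on a boundary for its prefix length.

    A /29 covers 8 addresses, so its network address must be a multiple of 8
    (…56, …64). ipaddress refuses a misaligned block in strict mode; on that
    failure we report the aligned block that contains the claimed first
    address and the block after it, since a misaligned range straddles both.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
        return {"aligned": True, "candidates": [str(net)]}
    except ValueError:
        pass
    # strict=False masks off the host bits, giving the enclosing aligned block.
    containing = ipaddress.ip_network(cidr, strict=False)
    following = ipaddress.ip_network(
        (int(containing.broadcast_address) + 1, containing.prefixlen)
    )
    return {"aligned": False, "candidates": [str(containing), str(following)]}


def layout(cidr):
    """Network address, usable hosts and broadcast of an aligned block.

    hosts() excludes the network and broadcast addresses, which is exactly
    the 'reserved' pair in Patrick's layout. (For /31 and /32 the module
    treats every address as usable; those sizes are not relevant here.)
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "hosts": [str(h) for h in net.hosts()],
        "broadcast": str(net.broadcast_address),
    }


def split_block(cidr, new_prefix):
    """Carve an aligned block into equal subnets of the given prefix length."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [layout(str(sub)) for sub in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # The block as Daniel first described it: misaligned, so it cannot exist.
    claimed = "213.2.28.63/29"
    print(claimed, "->", check_block(claimed))

    # The block Patrick believes is really allocated, split into two /30s.
    for sub in split_block("213.2.28.64/29", 30):
        print(sub["network"], "network;", ", ".join(sub["hosts"]),
              "usable;", sub["broadcast"], "broadcast")

    # If .63 really were theirs it would be the broadcast of .60/30.
    print("213.2.28.60/30 broadcast:", layout("213.2.28.60/30")["broadcast"])
```

Run it as a script to see the three cases from the thread; the check_block result on a misaligned range is the quickest way to turn an ISP's "you have .63 to .70" into the question of which aligned /29 they actually mean.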