Complex Subnetting help

Discussion in 'Network Routers' started by Edog, Aug 15, 2004.

  1. Edog

    Edog Guest

    Hello all,

    I was issued 5 sequential IPs by my ISP (24.XXX.XXX.234-238) with a
    gateway set on my cable modem. (24.XXX.XXX.233).

    In order to achieve what we want to do with our ISA server and DMZ, we
    need to have two different subnets of public IP addresses. So I
    subnetted the 5 IPs into 2 separate subnets. So now I have
    24.XXX.XXX.234 and 235 that use 24.XXX.XXX.233 as a gateway. I then have
    24.XXX.XXX.237 and 238. My ISA box uses .234 as the interface connecting
    to the internet, and has a default gateway assigned as 24.XXX.XXX.233.
    The other NIC is using 24.XXX.XXX.237 as its IP with no default gateway
    set. (ISA requirement) I also have an internal network in this machine
    assigned a 10 net range. That is set on the third NIC. (also no default

    Finally the problem. The host I have on the DMZ is a Redhat box hosting
    my email and websites for my customers. I use the ISA box for my own
    internal mail. The problem is browsing the internet from the DMZ box. I
    am now almost certain it is due to the fact that I subnet my original IP
    block and the cable modem doesn't contain any routing information for
    that second IP range that I created by subnetting. Fine. I contacted the
    ISP and they want to charge me to get a second range of IPs and I don't
    want to do that.

    My thoughts are to stick another Redhat box in between my Cable Modem
    and my ISA box and let THAT figure out the two subnets. So then my
    question is how am I going to do that? With three NICs? One assigned as
    the gateway for the two separate subnets and the external using what? I
    only have 5 IPs to work here, so I am a little bit limited. Limited and
    confused as to what direction to head from here.

    Edog, Aug 15, 2004
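An added example (not part of the thread) that models the situation described above: the ISP hands out one /29 and the cable modem knows it only as a single directly connected network, so carving it into two /30s locally leaves the modem with nowhere to deliver replies for the hidden half. The addresses are constructed: 203.0.113.232/29 (RFC 5737 test space) stands in for 24.XXX.XXX.232/29, and the assumption that only .233 and .234 are physically on the modem's Ethernet segment is mine, taken from the layout in the post.

```python
import ipaddress

# Constructed stand-ins: 203.0.113.0/24 (RFC 5737 TEST-NET-3) replaces the
# 24.XXX.XXX.0 block from the post. The ISP hands out one /29 and routes it as
# a single directly connected network on the cable modem.
ISP_BLOCK = ipaddress.ip_network("203.0.113.232/29")
GATEWAY = ipaddress.ip_address("203.0.113.233")

# Assumption about the physical layout in the post: only the modem (.233) and
# the ISA box's external NIC (.234) actually sit on the modem's Ethernet
# segment. .237 (ISA's second NIC) and .238 (the DMZ host) are on another wire.
ON_MODEM_SEGMENT = {GATEWAY, ipaddress.ip_address("203.0.113.234")}


def layout(net):
    """Roles of each address in a small IPv4 subnet (first usable = gateway)."""
    hosts = list(net.hosts())
    return {
        "network": net.network_address,
        "gateway": hosts[0],
        "usable": hosts[1:],
        "broadcast": net.broadcast_address,
    }


def lost_by_split(net, new_prefix=30):
    """Usable addresses of `net` that turn into network/broadcast addresses
    once `net` is carved into smaller subnets. For a /29 split into two /30s
    this is two of the six usable addresses."""
    before = set(net.hosts())
    after = set()
    for sub in net.subnets(new_prefix=new_prefix):
        after.update(sub.hosts())
    return before - after


def lookup(routes, dst):
    """Longest-prefix match. `routes` is a list of (network, next_hop) where a
    next_hop of None means directly connected (resolve the host with ARP)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


# What the cable modem knows: one connected /29, nothing about any /30s.
MODEM_ROUTES = [(ISP_BLOCK, None)]


def return_path(public_dst):
    """Fate of a reply packet from the Internet that the modem must deliver
    to one of our public addresses."""
    route = lookup(MODEM_ROUTES, public_dst)
    if route is None:
        return "no route"
    net, via = route
    if via is not None:
        return f"forwarded via {via}"
    # Directly connected: the modem sends an ARP request on its segment. A
    # host that really lives behind the ISA box's second NIC never hears it,
    # so the modem has nowhere to send the frame and the reply is lost.
    if ipaddress.ip_address(public_dst) in ON_MODEM_SEGMENT:
        return "delivered"
    return "dropped: no ARP reply on segment"


if __name__ == "__main__":
    print(layout(ISP_BLOCK))
    print("wasted by /30 split:", sorted(lost_by_split(ISP_BLOCK)))
    for a in ("203.0.113.234", "203.0.113.238"):
        print(a, "->", return_path(a))
```

Outbound browsing from the DMZ host can still leave through the ISA box, but every reply addressed to .238 ends in the "dropped" branch: the modem believes .238 is on its own wire, and nothing there answers the ARP. The split also burns .235 and .236 as broadcast and network addresses of the two /30s.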

  2. Somebody

    Somebody Guest

    Well that "subnetting" doesn't really make sense. A subnet consists of a
    network address, usable addresses, and a broadcast address. Rather often
    the gateway device is set at the first available address above the network
    address. The width of the subnet is defined by the mask.
    /32 = 1 host, no network. Defines a single computer, not a network.
    /31 = 2 nodes, no available IPs. Useless.
    /30 = 4 nodes, 2 available IPs.
    /29 = 8 nodes, 6 available IPs.

    This last one is what you have. 24.x.x.232/29 where the 8 nodes are defined

    1: 24.x.x.232 is the network address
    2: 24.x.x.233 is the first available IP, being used as the default gateway
    to your ISP.
    3: 24.x.x.234 is an available IP which you have used for the ISA box
    4: 24.x.x.235 is an available IP
    5: 24.x.x.236 is an available IP
    6: 24.x.x.237 is a second interface of the ISA box (uh oh)
    7: 24.x.x.238 is the last available IP
    8: 24.x.x.239 is the broadcast address.

    Now, having a single box with two interfaces on the same network (almost)
    never makes sense. If you try to follow the routing table you'll see why.
    There will be a route for 24.x.x.232/29 (the directly connected network) out
    two separate interfaces on that machine, even though you have only 1 default
    route for non-directly connected networks. Which does it take? You could
    set weights, but then what is the point of the second interface?

    Any actual subnetting of this cloud would require that the ISP understood it
    too, because his subnet is still set to /29.

    What you really want to do is put a firewall in front of your network. It
    could have an IP such as 24.x.x.238. Then your DMZ could be for example and your trusted LAN The firewall would
    therefore have interfaces of and, in other words, one
    interface on each of these networks.

    All your other devices have addresses in one of those 2 clouds. If they need
    to be exposed to the Internet, you do it via a Mapped IP. So a MIP might
    translate 24.x.x.234 to your ISA server's trusted interface of
    which has a gateway of, and 24.x.x.235 might MIP to your ISA
    server's DMZ interface which is having a default gateway of

    Your trusted workstations probably have the ISA's interface as their default
    gateway, and the DMZ servers probably have the firewall's DMZ interface as
    theirs, but that all depends on what you're architecting and what the ISA
    and DMZ are doing for you.

    Key point in all this is that one firewall is in charge of the entire
    24.x.x.232/29 subnet, no matter what's behind it. So you can have as many
    networks as you want, that are as big as you want, behind each address. All
    outbound traffic goes through this firewall, even if it goes through
    something else first. If you run out of outside IPs for stuff that needs
    to be exposed you start doing Port Address Translation, so for example all
    port 25 traffic showing up at 23.x.x.238 goes to your mail
    server, but all port 5900 traffic showing up at 23.x.x.238 goes to
    192.168.1.20 your VNC test box.

    Somebody, Aug 16, 2004
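An added example (not part of the reply above) that models the firewall plan it describes: one box owns the whole /29, publishes inside hosts with 1:1 mapped IPs, and multiplexes its own address by port. The public block is again the 203.0.113.232/29 stand-in; the reply does not show its inside ranges, so 192.168.1.0/24 (trusted, where the reply's 192.168.1.20 VNC box would live), 192.168.2.0/24 (DMZ) and the individual inside hosts are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

IP = ipaddress.ip_address

# Constructed stand-ins: 203.0.113.232/29 (RFC 5737) replaces 24.x.x.232/29.
# The inside ranges and hosts are assumptions; the reply leaves them blank.
FIREWALL_PUBLIC = IP("203.0.113.238")
INSIDE = [ipaddress.ip_network("192.168.1.0/24"),   # trusted LAN (assumed)
          ipaddress.ip_network("192.168.2.0/24")]   # DMZ (assumed)

# Mapped IPs (MIP): a whole public address is 1:1 with one inside host.
MIP = {
    IP("203.0.113.234"): IP("192.168.1.1"),   # ISA trusted-side interface (assumed)
    IP("203.0.113.235"): IP("192.168.2.1"),   # ISA DMZ-side interface (assumed)
}

# Port address translation (PAT) on the firewall's own address: one public
# address shared by several inside services, keyed by protocol and port.
PAT = {
    (FIREWALL_PUBLIC, "tcp", 25):   (IP("192.168.2.10"), 25),    # mail server (assumed)
    (FIREWALL_PUBLIC, "tcp", 5900): (IP("192.168.1.20"), 5900),  # VNC test box
}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def inbound(pkt):
    """Translate a packet arriving from the ISP. Returns the rewritten packet,
    or None when nothing is published at that address/port (default deny)."""
    # Most specific first: an exact (address, proto, port) PAT entry.
    hit = PAT.get((pkt.dst, pkt.proto, pkt.dport))
    if hit is not None:
        host, port = hit
        return replace(pkt, dst=host, dport=port)
    # Then a whole-address MIP, which forwards every port to one host.
    if pkt.dst in MIP:
        return replace(pkt, dst=MIP[pkt.dst])
    return None


def outbound(pkt):
    """Translate a packet leaving the inside networks. MIP hosts keep their
    public identity; everything else hides behind the firewall's address.
    Packets whose source is not an inside range are dropped (anti-spoofing)."""
    if not any(pkt.src in net for net in INSIDE):
        return None
    for public, private in MIP.items():
        if pkt.src == private:
            return replace(pkt, src=public)
    return replace(pkt, src=FIREWALL_PUBLIC)


if __name__ == "__main__":
    outside = IP("198.51.100.7")   # constructed Internet client
    for dport in (25, 5900, 80):
        print(dport, "->", inbound(Packet(outside, FIREWALL_PUBLIC, "tcp", dport)))
    print(inbound(Packet(outside, IP("203.0.113.234"), "tcp", 443)))
    print(outbound(Packet(IP("192.168.2.10"), outside, "tcp", 25)))
    print(outbound(Packet(IP("10.9.9.9"), outside, "tcp", 80)))
```

Lookup order matters: the PAT table is consulted before the MIP table so that a port-specific rule on a mapped address would win over the whole-address mapping, and anything not explicitly published is dropped rather than forwarded. With this layout .233 (ISP gateway), .234, .235 and .238 are spoken for and .236 and .237 remain free for more mapped IPs.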
