Router for external IP's
bichumo
07-17-2008, 06:00 PM
Hi,
Consider such a situation:
ISP sets up OmniStack switch in which the first port has for example 20 external IP's.
I have an HP ProCurve 2650 switch. A cable goes from OmniStack's first port to the ProCurve, and from the ProCurve a cable goes to the FreeBSD router's first NIC. The FreeBSD router has two NICs. The first NIC has for example the "ext1" IP address; in the natural situation I would give the second NIC one of the LAN IPs, and the servers that connect to the ProCurve switch could have a LAN IP and an EXT IP. But what to do if I don't want to give a LAN IP to the FreeBSD router's second NIC? I don't want LAN IPs at all, I just want to make the FreeBSD router act like a router for external IPs. In such a situation, what should I set for the second NIC of the FreeBSD router?
J65nko
07-17-2008, 09:02 PM
Assign the external NIC of the FreeBSD router all 20 addresses: the first address as normal, the other 19 as aliases.
Use an RFC 1918 address from 10/8 or 192.168/16 for the internal NIC and your LAN.
On the same FBSD router configure a packet filter like pf, which has Network Address Translation capabilities.
Outgoing connections, initiated by your LAN clients, will now use one of the 20 external IP addresses.
See http://www.openbsd.org/faq/pf/nat.html
bichumo
07-18-2008, 09:32 AM
*------------------------*
*    ISP's OmniStack     *
*------------------------*
| Port 1 ; Port 2 ...    |
**************************
*------------------------*
*       ProCurve         *
*------------------------*
| Port 1 ; Port 2 ...    |
**************************
*------------------------*
*    FreeBSD router      *
*------------------------*
| NIC 1 ; NIC 2          |
**************************
OmniStack Port 1 has 20 external IP's; OmniStack's Port 1 connects to NIC 1, and the ProCurve connects to NIC 2. NIC 1 takes one external IP (19 ext IP's left). Server1, Server2, ..., Server19 connect to the ProCurve too and they need to have external IP's. What should I set for FreeBSD router NIC 2, and how should the rules look, to allow Server1-19 to have external IP's? Or should I forget NIC 2 and just connect everything to the ProCurve, without the ability to manage the servers through the FreeBSD router?
You can assign 1-on-1 internal to external IP addresses with PF's BINAT capability.
http://www.openbsd.org/faq/pf/nat.html#binat
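Added example, not code from the thread or its posters: a small sh script that emits the rc.conf and pf.conf fragments for the layout J65nko describes (one primary external address plus 19 aliases on the external NIC, an RFC 1918 LAN, binat for the servers, nat for everything else). The 203.0.113.1-20 block, the 10.0.0.0/24 LAN and the interface names ext0/int0 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits FreeBSD rc.conf and pf.conf
# fragments for J65nko's layout. 203.0.113.1-20 (RFC 5737 test block) stand in
# for the ISP's 20 externals; 10.0.0.0/24, ext0 and int0 are assumptions.
EXT_IF=ext0; INT_IF=int0
EXT_MASK=255.255.255.0            # mask of the ISP block (assumed /24 here)
INT_NET=10.0.0.0/24
EXT_ADDRS=$(i=1; while [ $i -le 20 ]; do echo "203.0.113.$i"; i=$((i+1)); done)

# rc.conf: first address as the primary, the other 19 as aliases
# (FreeBSD expects netmask 255.255.255.255 on an alias inside the same subnet).
gen_rc_conf() {
    n=0
    for a in $EXT_ADDRS; do
        if [ $n -eq 0 ]; then
            echo "ifconfig_${EXT_IF}=\"inet $a netmask $EXT_MASK\""
        else
            echo "ifconfig_${EXT_IF}_alias$((n-1))=\"inet $a netmask 255.255.255.255\""
        fi
        n=$((n+1))
    done
    echo "ifconfig_${INT_IF}=\"inet 10.0.0.1 netmask 255.255.255.0\""
    echo 'gateway_enable="YES"'
    echo 'pf_enable="YES"'
}

# pf.conf: binat pins server 10.0.0.N to external N (1:1, both directions) and
# is evaluated before nat, so the nat rule only catches the rest of the LAN.
# Inbound filter rules match the already-translated (internal) address, so the
# pass rule names 10.0.0.x, not the external one.
gen_pf_conf() {
    echo "ext_if = \"$EXT_IF\""
    echo "int_if = \"$INT_IF\""
    n=0
    for a in $EXT_ADDRS; do
        if [ $n -gt 0 ]; then
            echo "binat on \$ext_if from 10.0.0.$((n+1)) to any -> $a"
        fi
        n=$((n+1))
    done
    echo "nat on \$ext_if from $INT_NET to any -> (\$ext_if)"
    echo 'block in on $ext_if all'
    echo 'pass in on $ext_if inet proto tcp from any to 10.0.0.2 port 80 keep state'
    echo 'pass out on $ext_if all keep state'
}

gen_rc_conf; echo; gen_pf_conf
```

The single pass rule is a placeholder: each binat'ed server still needs its own explicit pass rules for the services it exposes, since binat alone opens nothing.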
J65nko
07-18-2008, 11:40 PM
I am only accustomed to simple analog, ISDN modem or ADSL setups. I wonder whether a switch can have 20 IP addresses assigned to it ;)
bichumo
07-20-2008, 07:11 AM
It's fibre channel ;) Ok, I'm done, everything runs fine for now, in love with ProCurve switches.
edhunter
07-20-2008, 07:37 PM
Does your ISP provide you only with 20 IPs from the same network, or do you have an additional IP only for your FreeBSD router to connect to your ISP gateway?
I am asking because I have a similar situation - from the ISP I have 16 IPs (mask /16), but I have an additional IP for connecting to his GW...
Write me if you need to see how I did it in my case.
ai-danno
07-20-2008, 08:58 PM
Working with this stuff all the time... if I may make a few suggestions-
- Have your ISP configure a /30 connection to NIC1 of your FreeBSD router. That means the ISP gets the first usable host, and the FreeBSD router gets the second usable host. It is now your router gateway on your network.
- Have them route the /28 (assuming this, as that's the closest subnet to 20 addresses (it's 16 total, 14 usable, 13 for your servers, 2 for subnet boundaries)) across the /30 connection. The first usable address in that /28 is the address of NIC2 as it connects to the Procurve, and by definition, the rest of your servers.
- The servers take usable hosts 2-13 for their public addressing, using usable host 1 that's assigned to NIC2 of your FreeBSD router as their default gateway.
- This completely eliminates the need for your FreeBSD router to do any kind of NAT, and lets the servers themselves use the actual public addressing within their individual systems (and application configurations.) This, IMHO, makes life MUCH easier on a variety of fronts.
I can diagram this if my explanation isn't clear.
ai-danno
07-20-2008, 09:05 PM
Does your ISP provide you only with 20 IPs from the same network, or do you have an additional IP only for your FreeBSD router to connect to your ISP gateway?
I am asking because I have a similar situation - from the ISP I have 16 IPs (mask /16), but I have an additional IP for connecting to his GW...
Write me if you need to see how I did it in my case.
Not to nitpick, but the way you are describing your subnet is not correct- 16 addresses is a /28 (255.255.255.240 subnet mask)
/16 is actually 256 Class C blocks- aka a Class B.
I make mention of this because a few years back a client I consulted for decided to make this same reference to his ISP and BGP peer session. The ISP didn't vet this properly, propagated the erroneous /16, and as a result blackholed Microsoft for a short period of time (probably not a bad thing in hindsight lol.) It really highlighted the client's naivete... as you wouldn't announce anything smaller than a /24 over BGP in the first place, but that's another story.
When in doubt about subnetting and CIDR, Wikipedia has a decent reference. (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing)
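Added example, not from the thread or its posters: an sh script that carries ai-danno's routed design through the arithmetic (ISP /30 link, routed /28 behind it, first usable address of each block to the ISP and to NIC2 respectively) and emits the router's rc.conf lines. The same subnet() function makes the /28 versus /16 mix-up above concrete. 198.51.100.0/30 and 203.0.113.16/28 are constructed RFC 5737 placeholders; em0 (towards the ISP) and em1 (towards the ProCurve) are assumed interface names.

```shell
#!/bin/sh
# Added example, not from the thread. Computes the address plan for the routed
# design (ISP /30 link, routed /28 behind it) and emits the router's rc.conf.
# 198.51.100.0/30 and 203.0.113.16/28 are RFC 5737 placeholders; em0 (to the
# ISP) and em1 (to the ProCurve) are assumed interface names.
ISP_LINK=198.51.100.0/30
ROUTED_BLOCK=203.0.113.16/28
ALL32=$(( (1 << 32) - 1 ))

ip2int() { set -- $(echo "$1" | tr . ' '); echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }
int2ip() { echo "$(( ($1>>24)&255 )).$(( ($1>>16)&255 )).$(( ($1>>8)&255 )).$(( $1&255 ))"; }

# Print "network mask broadcast first_usable last_usable usable_count" for a
# CIDR prefix; this is the arithmetic behind "/28 = 16 addresses, 14 usable"
# (and behind why a /16 is 65534 usable hosts, not 16).
subnet() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (ALL32 << (32 - bits)) & ALL32 ))
    net=$(( $(ip2int "$addr") & mask ))
    bcast=$(( net | (~mask & ALL32) ))
    echo "$(int2ip $net) $(int2ip $mask) $(int2ip $bcast) $(int2ip $((net + 1))) $(int2ip $((bcast - 1))) $(( bcast - net - 1 ))"
}

# Router rc.conf: the ISP takes the first usable address of the /30 and we take
# the second; NIC2 (em1) gets the first usable address of the /28 and becomes
# the servers' default gateway. Forwarding is plain routing, no NAT rules.
gen_rc_conf() {
    set -- $(subnet "$ISP_LINK"); isp_gw=$4; our_end=$5; link_mask=$2
    set -- $(subnet "$ROUTED_BLOCK")
    echo "ifconfig_em0=\"inet $our_end netmask $link_mask\""
    echo "ifconfig_em1=\"inet $4 netmask $2\""
    echo "defaultrouter=\"$isp_gw\""
    echo 'gateway_enable="YES"'
    echo "# servers: $(int2ip $(( $(ip2int $4) + 1 ))) - $5 ($(( $6 - 1 )) hosts), gateway $4"
}

echo "ISP link : $(subnet "$ISP_LINK")"
echo "Routed   : $(subnet "$ROUTED_BLOCK")"
gen_rc_conf
```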
edhunter
07-21-2008, 10:19 AM
Not to nitpick, but the way you are describing your subnet is not correct- 16 addresses is a /28 (255.255.255.240 subnet mask)
Oops, typing mistake, the mask is really 28 :)
I make mention of this because a few years back a client I consulted for decided to make this same reference to his ISP and BGP peer session. The ISP didn't vet this properly, propagated the erroneous /16, and as a result blackholed Microsoft for a short period of time (probably not a bad thing in hindsight lol.) It really highlighted the client's naivete... as you wouldn't announce anything smaller than a /24 over BGP in the first place, but that's another story.
:)))) ... so far I am not using BGP
And yes, I have done it like you described ... but anyway I have NAT because not all internal machines are with real IPs (actually many of them don't need to be with real IPs - it is more secure)
edhunter
07-21-2008, 10:31 AM
ai-danno, may I ask a question about the /30 mask...
bichumo, sorry for ... "stealing" your thread
Does the /30 network have to be with real addresses??
The reason I ask is because first my ISP gave a /30 network from private IPs - 10.10.11.0/30 (10.10.11.2 for me and 10.10.11.1 for the GW). And I didn't have Internet (I tried different tactics with adding routes and /32 IP addresses but didn't have much luck). Later he gave me real IPs for the /30 network and everything was fine :)
ai-danno
07-22-2008, 04:07 AM
The /30 when used as a gateway to a network does not need to be public. You won't be able to reach those specific interfaces from the general internet (so things like traceroutes will look odd), but that's not really an issue.
Now in regards to your comment about NAT being more secure... unless it's many-to-one, it's not any more secure. NAT is meant to emulate the behavior of publicly-addressed networking, so the security still comes down to the firewalling you employ to protect those assets. A poorly firewalled NAT translation is less secure than a well-firewalled public address.
The only time a NAT translation is desirable from a security standpoint is when it's a many-to-one NAT situation where one public gateway address handles translations for everything behind it. This is the typical case for residential Internet connections. Even then, a well-crafted firewall rule set will accomplish the same level of security. Normally NAT in non-residential setups (specifically one-to-one NAT) just adds a layer of complexity, not necessarily security.