Mailing List SIMS@mail.stalker.com Message #14892
From: Bill Cole <listbill@scconsult.com>
Subject: Re: WRT54G
Date: Thu, 2 Dec 2004 22:04:33 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 1:19 PM -0700 12/2/04, Warren Michelsen  imposed structure on a stream of electrons, yielding:
> At 12:42 PM -0600 12/2/04, Mike Hebel issued a series of ones and zeros which decoded as:
> [...]
>> I've found that most routers - even home ones - allow you to do
>> things like port forwarding which allows servers to be run behind
>> NAT.

> I need more than that. I run two web servers, so simply forwarding
> port 80 to somewhere is not going to cut it. I need multiple, public
> IPs to show.

NAT does not preclude that.

For example, I have a /29 and I use one of the 5 available external IPs for general shared NAT for all client machines and the others are mapped exclusively to specific internal IP addresses used for various services. As a result, any internal non-server machine (or rather, any machine using a non-server IP as its primary address...) talks to the Internet as the catch-all address. Any IP address that is used for any sort of server is mapped through my SpeedStream to a specific external IP address.

I prefer this way because it means that I can move stuff around internally with practically no visible external change. The address that DNS says is 'www.scconsult.com' can stay the same while I remap the router from one inside IP to another and move what machine actually gets the packets.

> [...]
> I have a /28 subnet. When configuring machines on my subnet, I use
> xx.xx.xx.129 as the gateway address. If I have my own router, will
> this be the address of the LAN port on it?

Yes. Probably.

If you go with a simple routed pass-through where the internal addresses all are in your public /28, you would point the default gateway for them to the inside interface address of the router. Some devices can also act like bridges, in which case you'd still point at your upstream provider's gateway, but I am fairly sure that this would effectively eliminate any shot at filtering anything.

I recommend the approach of one-to-one NAT for the servers and many-to-one NAT (properly called NAPT, but almost no one really does...) for simple client machines. This gives you the ability to do whatever sort of internal expansion/reworking you like in 'private' (RFC1918) address space without having to worry much about how the world sees you, and assures that the non-servers simply cannot be reached by anything they don't try talking to first.

And on the original question: I couldn't stop myself from trying to answer your basic question with a little research. I think you probably want to look at the Siemens (formerly Efficient Networks) SpeedStream 5781 as an option. It is a dual-ethernet router and while the web interface is a bit weak, I have been a fan of that nameless CLI going back to its origins with the FlowPoint routers: rational, cleanly designed, and eminently explorable.
--
Bill Cole
bill@scconsult.com
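As an added illustration of the scheme recommended above (one-to-one NAT for servers, many-to-one NAPT for clients, unsolicited inbound traffic to the catch-all address dropped), here is a small Python model of the translation table. It is example code written for this archive page, not the SpeedStream's configuration or anything from the thread; all addresses are constructed sample values from documentation ranges.

```python
# Added example: a model of one-to-one NAT for servers plus many-to-one
# NAPT for clients, with a stateful check so that nothing can reach a client
# unless the client talked to it first. Addresses are constructed samples.
from dataclasses import dataclass

CATCH_ALL = "203.0.113.9"                    # shared external IP for clients
ONE_TO_ONE = {                               # external IP -> internal server
    "203.0.113.10": "192.168.1.10",          # first web server (sample)
    "203.0.113.11": "192.168.1.11",          # second web server (sample)
}
REVERSE = {v: k for k, v in ONE_TO_ONE.items()}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self):
        self.next_port = 40000               # NAPT port pool (sample range)
        self.table = {}                      # (ext_port, peer, peer_port) -> (src, sport)

    def outbound(self, f: Flow) -> Flow:
        """Translate an internal->Internet packet; return what the peer sees."""
        if f.src in REVERSE:                 # server: static one-to-one mapping
            return Flow(REVERSE[f.src], f.sport, f.dst, f.dport)
        # client: many-to-one NAPT; record state so the reply can be matched
        ext_port = self.next_port
        self.next_port += 1
        self.table[(ext_port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(CATCH_ALL, ext_port, f.dst, f.dport)

    def inbound(self, f: Flow):
        """Translate an Internet->us packet, or return None if it is dropped."""
        if f.dst in ONE_TO_ONE:              # server IP: always reachable
            return Flow(f.src, f.sport, ONE_TO_ONE[f.dst], f.dport)
        if f.dst == CATCH_ALL:
            state = self.table.get((f.dport, f.src, f.sport))
            if state:                        # reply to a client-initiated flow
                return Flow(f.src, f.sport, state[0], state[1])
        return None                          # unsolicited: no inside host to deliver to
```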
