Date:      Sun, 09 Aug 2009 10:39:06 +0200
From:      Erik Norgaard <norgaard@locolomo.org>
To:        Nerius Landys <nlandys@gmail.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Building home router: 192.168.0.x to access internet
Message-ID:  <4A7E8B2A.30001@locolomo.org>
In-Reply-To: <560f92640908081932s69ae225mb3c55fef47a4924b@mail.gmail.com>
References:  <560f92640908081932s69ae225mb3c55fef47a4924b@mail.gmail.com>

Nerius Landys wrote:
> First, my choice of internal network IP addresses is 192.168.0.x.  My
> router machine's IP address will be 192.168.0.254 (that's the
> interface facing the internal network).  The IP addresses of the
> machines behind the router will start at 192.168.0.2 and go up.  I'm
> wondering if this choice of IP addresses is conventional or good.  Is
> this numbering scheme decent?  This is the way I had it set up
> earlier.  I've seen a lot of networks using 192.168.1.x and the router
> would be 192.168.1.1.

Whichever works. I don't think there is reason to speculate about "best 
practices" as to which gets to be number 1, however you may consider 
dividing the address space into ranges for different uses. You may like 
to group servers in a particular range and clients in another so that 
you can create firewall rules accordingly.

My network is 172.16/23. The range 172.16.0/24 I use for statically 
configured nodes: servers, access points etc. The 172.16.1/24 range I use 
for dynamically configured nodes: laptops.

The reason is that I'm using dynamic DNS on my LAN. The reverse map 
zones cannot be created for classless networks; you have to define a 
reverse zone for a /16 or /24 network. So to ensure that my static 
servers' reverse map cannot be modified, I have split my range such that 
dynamic and static addresses can be separated.

For my static range, I have divided it into two, 172.16.0.0/25 and 
172.16.0.128/25, the first for production servers, the latter for testing 
and development. This is just a convention I have established; I thought 
it might be a good idea, but it is not configured in any way.

For my dynamic range, in my dhcpd configuration I have created two 
ranges, 172.16.1.0/25 and 172.16.1.128/25.

The first I assign to known hosts, that is, hosts whose MAC address I 
have registered and whose owner I know. I haven't statically assigned a 
particular IP to a particular MAC, I just created a host entry in the 
dhcpd.conf with the MAC.

The latter range I use for unknown hosts, so when somebody connects they 
are easy to identify as foreign. This also permits creating special 
rules in my firewall so that strangers do not get the same unlimited 
access as friends. Of course, this is very crude as anyone can just 
reconfigure their address to get unlimited access, but

> So now to the problem of being able to connect from a 192.168.0.x
> machine to an outside IP address.  The way I did this before was by
> adding 'gateway_enable="YES"' to /etc/rc.conf and then using the
> OpenBSD packet filter (pf) to do a NAT thing.  I'm wondering if this,
> in your opinion, is the preferred way to do things in order to set up
> an internal network which can access the outside internet directly.

Yes, that's a great idea.

> If so, can someone give me a really minimal yet secure packet filter
> rule set that would do the job? (I'm prepared to read the pf docs,
> which will take me a few hours.)  The router will connect to the
> outside via DHCP, and from what I remember I had to add a rule to not
> drop packets that were DHCP-related.

See the packet filter documentation, IIRC they also have sample filters 
for common setups such as yours.

BR, Erik
-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
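The known/unknown split that Erik describes above, written out as an ISC dhcpd.conf. This is an added example, not Erik's own configuration: the two /25 pools and the 172.16.1/24 dynamic range are his, while the gateway and DNS addresses, the domain name, the host names, the MAC addresses and the update key are all made-up placeholders.

```conf
# Added example (not from the original mail): ISC dhcpd.conf implementing
# one dynamic /24 split into a known-hosts pool and an unknown-hosts pool.
# Placeholders: router/DNS addresses, domain, host names, MACs, update key.

authoritative;

default-lease-time 3600;
max-lease-time 7200;

# Dynamic DNS: only the dynamic /24's reverse zone is declared here, so dhcpd
# has no zone it could update for the static 172.16.0/24 range.
# Key name, secret and server are placeholders (assumption).
ddns-update-style interim;
ddns-updates on;
key dhcp-update {
    algorithm hmac-md5;
    secret UExBQ0VIT0xERVItUkVQTEFDRS1NRQ==;   # placeholder, replace
};
zone lan.example. {
    primary 172.16.0.2;                       # placeholder DNS server
    key dhcp-update;
}
zone 1.16.172.in-addr.arpa. {
    primary 172.16.0.2;                       # placeholder DNS server
    key dhcp-update;
}

# One subnet, two pools: the /25 halves are expressed as separate pools
# with different admission rules rather than as separate subnets.
subnet 172.16.1.0 netmask 255.255.255.0 {
    option routers 172.16.0.1;                # placeholder gateway (static range)
    option domain-name-servers 172.16.0.2;    # placeholder DNS (static range)
    option domain-name "lan.example";         # placeholder

    # 172.16.1.0/25: only clients with a matching "host" entry below.
    pool {
        range 172.16.1.2 172.16.1.126;
        deny unknown-clients;
    }

    # 172.16.1.128/25: everyone else. Firewall rules can key on this /25
    # to give strangers less access; shorter leases so they churn out.
    pool {
        range 172.16.1.129 172.16.1.254;
        allow unknown-clients;
        default-lease-time 600;
        max-lease-time 1200;
    }
}

# Known hosts are registered by MAC only. No fixed-address is given, so they
# take whatever lease the known-clients pool hands out.
host laptop-alice {
    hardware ethernet 00:11:22:33:44:55;      # placeholder MAC
}
host laptop-bob {
    hardware ethernet 66:77:88:99:aa:bb;      # placeholder MAC
}
```

Check the file with `dhcpd -t -cf /path/to/dhcpd.conf` before reloading. As Erik notes, the split only sorts clients that ask for a lease; a host that sets its own address in the lower /25 bypasses it, so the firewall rules keyed on the upper /25 are a convenience for spotting strangers, not an access control.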