

Pyro

@optonline.net

 Networking Multiple WAN IPs in Office Network

I have a generic question regarding DSL lines with multiple leased IP addresses. We have a DSL line with 5 IP addresses leased. Every computer and the windows server is connected from the modem to a switch (no router) and has its own WAN IP address. The computers basically use a customized program and use the server's WAN IP address.
There is also an HP Laserjet printer connected with an external Jetdirect 300x print server. The computers print to the device directly to the IP via TCP/IP.

My question is, how is this possible? Can't any computer on the WAN (ie. Internet) print to this device? There is no firewall as far as I know. I have a feeling the answer is that they are connected since they are all on the same subnet. (I can't check since I won't be at the office any time soon). I know the IPs were sequential but didn't look at the subnet mask. If this guess is true, why can't any other external address on the WAN's subnet connect into this printer? Either way, I plan to make a regular LAN behind a router for all the workstations and printers and keep the servers on their own WAN IPs. Would this be the recommended network architecture?

(Note I posted this on another forum, but didn't get a good answer, so I'm trying this forum)

Thanks


Lasko

@cox.net

quote:
My question is, how is this possible? Can't any computer on the WAN (ie. Internet) print to this device?
Most likely anyone on the WAN can send packets to the printer. However if you did not configure a default route in the JetDirect then the printer is not able to respond. Without two way communication printing will not take place. The printer "knows" about the local LAN and uses that information to communicate with other devices on the same LAN so those devices are able to print.

On the other hand if there is a default route configured in the JetDirect then any host on the internet is able to print on the printer.


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

reply to Pyro
said by Pyro:

We have a DSL line with 5 IP addresses leased. Every computer and the windows server is connected from the modem to a switch (no router) and has its own WAN IP address. The computers basically use a customized program and use the server's WAN IP address.
There is also an HP Laserjet printer connected with an external Jetdirect 300x print server. The computers print to the device directly to the IP via TCP/IP.

My question is, how is this possible? Can't any computer on the WAN (ie. Internet) print to this device? There is no firewall as far as I know. I have a feeling the answer is that they are connected since they are all on the same subnet. (I can't check since I won't be at the office any time soon). I know the IPs were sequential but didn't look at the subnet mask. If this guess is true, why can't any other external address on the WAN's subnet connect into this printer? Either way, I plan to make a regular LAN behind a router for all the workstations and printers and keep the servers on their own WAN IPs. Would this be the recommended network architecture?


I've seen this question come up in other forums. My ISP has a similar plan (I have 4 sequential IP addresses, and the conclusion in a long discussion was that the 4 aren't a routed subnet).

When you go back to the office, please look up the addresses, and the subnet mask, and present them here. I think that the helpers here who are most familiar with IP networking will be able to give you a much more definitive answer, once the facts are known.

And when you post back, note that we can help you better if you will be so kind as to register here. Registration is free, and with a posting history, it's easier to provide consistent and reliable help.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network

pyro2

join:2008-01-06
united state

Interesting, I have spent quite a long time searching for similar threads but didn't find anything similar. My old college - every computer had a WAN IP. So it's not something I've never seen.

I can't give the real IPs and I won't be there for a while to check the subnet BUT they are sequential
ie. 62.23.83.50 - 62.23.82.56. So worst case the subnet is something like 255.255.255.0 then these are all in the same subnet. So since I can't check the subnet 100% for a few days, let's assume they are all within the same subnet.

Assuming there is no firewall, these computers should be able to join workgroups, print, do everything as if they were in the same LAN (which I'm familiar with)? I am guessing they have this setup since every workstation can act as a server for remote administration, and it's easier than setting up different ports and port forwarding behind a router.

I'm hoping the ISP has some sort of firewall since there is no firewall that I can see (and why I didn't give the real IPs : )

Thanks


caedmon

@cox.net

quote:
I'm hoping the ISP has some sort of firewall
Very doubtful. The ISP may sell a service to provide a firewall but then they would usually provide a router and configure that router. In all likelihood the network is not protected and is therefore wide open.


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

reply to pyro2
said by pyro2:

I can't give the real IPs and I won't be there for a while to check the subnet BUT they are sequential
ie. 62.23.83.50 - 62.23.82.56. So worst case the subnet is something like 255.255.255.0 then these are all in the same subnet. So since I can't check the subnet 100% for a few days, let's assume they are all within the same subnet.


If the subnet mask is 255.255.255.0, 62.23.83.50 will be in the same subnet as 62.23.82.56 (CIDR 62.23.82.0/24). But 62.23.83.50 will not be in the same subnet.

Note that this is hypothetical, as 62.n.n.n is part of a class A range, which is 62.0.0.0/8.

If you have 5 sequential IP addresses, you will not have a subnet. A subnet could have 4, 8, 16, etc, but 5 IP addresses can't be defined by a subnet mask. If you have 5 IP addresses, that's 5 sequential addresses, not a subnet. If you use a subnet mask, you'll (at a minimum) have 3 addresses not your own in your subnet, and you could have more.

An example. You can translate my example to your 5 addresses, if you like. If you have 5 addresses in 192.168.0.1, say 192.168.0.1,2,3,4,5, you'll have a subnet mask of 255.255.255.248. And 192.168.0.6 (not in your group) would be in the subnet. 192.168.0.7 is the broadcast address.

If your first address was 192.168.0.5, you would have 192.168.0.6,7,8,9 also. That wouldn't be a subnet either.

If you had 192.168.0.5 - 9, in subnet 192.168.0.0/24, then addresses 192.168.0.1 - 4, and 10 - 254 would also be in the subnet (.255 again is a broadcast address).

Are you absorbing the problem here?
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network
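The subnet arithmetic from the post above, as an added example that is not part of the original thread. It uses Python's standard `ipaddress` module and the 192.168.0.x address sets from the post; the function names are made up for illustration.

```python
import ipaddress

def enclosing_subnet(addrs):
    """Smallest single CIDR block (one subnet mask) containing every address."""
    ips = sorted(ipaddress.ip_address(a) for a in addrs)
    lo, hi = int(ips[0]), int(ips[-1])
    # Every bit in which the lowest and highest address differ must be a host bit.
    host_bits = (lo ^ hi).bit_length()
    base = lo >> host_bits << host_bits          # clear the host bits
    return ipaddress.ip_network((base, 32 - host_bits))

def audit(addrs):
    """Compare an assigned IPv4 address list with what a subnet mask would cover."""
    net = enclosing_subnet(addrs)
    mine = {ipaddress.ip_address(a) for a in addrs}
    return {
        "subnet": str(net),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        # Usable host addresses inside the mask that were never assigned to you.
        "foreign_hosts": [str(h) for h in net.hosts() if h not in mine],
        # Network address + broadcast address + foreign hosts.
        "not_yours": net.num_addresses - len(mine),
    }

if __name__ == "__main__":
    # Address sets taken from the post above.
    for label, last_octets in (("192.168.0.1-5", range(1, 6)),
                               ("192.168.0.5-9", range(5, 10))):
        print(label, audit([f"192.168.0.{n}" for n in last_octets]))
```

Any host listed under `foreign_hosts` sits in the same broadcast domain as your machines if you configure that mask, which is the exposure the post is warning about.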

pyro2

join:2008-01-06
united state

MY MISTAKE! I have a giant typo there. Please disregard the IPs I gave before.

The third byte of the IP address is the SAME. In other words, let's use:
62.23.82.50
62.23.82.51
62.23.82.52
62.23.82.53
62.23.82.54
62.23.82.55
62.23.82.56

There are no 62.23.83.* IPs, that was a typo. I meant I have 5 sequential IP addresses, meaning the last byte is sequential. The first 3 bytes are identical.

I guess I'm looking for experience. When you order 6 IPs, I assume you will get 6 IPs that are all within the same subnet. Is this generally correct? Is it likely I can run Windows file sharing, printing, etc. through the workstations on the network?


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA


said by pyro2:

MY MISTAKE! I have a giant typo there. Please disregard the IPs I gave before.

The third byte of the IP address is the SAME. In other words, let's use:
62.23.82.50
62.23.82.51
62.23.82.52
62.23.82.53
62.23.82.54
62.23.82.55
62.23.82.56

I guess I'm looking for experience. When you order 6 IPs, I assume you will get 6 IPs that are all within the same subnet. Is this generally correct? Is it likely I can run Windows file sharing, printing, etc. through the workstations on the network?


What's the subnet mask? Like I said above, 62.23.82.50 is a Class A address, which typically is 62.0.0.0/8, and has 16,777,214 addresses / subnet. It will be highly unlikely that you will want to run Windows Networking through that network. The broadcast traffic will be unreal, if any of the other 16,777,208 hosts are doing the same. The security risks alone would make this unacceptable.

Or maybe your ISP will have an "isolation mode" where each IP address is on its own broadcast domain. Mine did that, after they got tired of fielding complaints about broadcast trash traffic. Maybe your ISP does that, ask them. Maybe they will provide a VLAN for your consecutive addresses.

Don't make up your own subnet mask, though. The router that's the upstream gateway will have a subnet mask associated with your 62.23.82.50, and that will determine the size of the broadcast domain.

And BTW, a belated welcome to DSLR Forums!
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network

pyro2

join:2008-01-06
united state

So I have spent some time learning subnet masks better. IF I can get through this question, I still have one more regarding that, but I need to concentrate on this.

Earlier, I quickly typed in numbers to make IPs in the above example that don't work. Forget that. Once I go and check the subnet mask I will know how to tell if the IPs are all within the subnet mask. If they're not, I know I have a problem with the ISP. If they are I still have my question:

Can I expect normal networking between these computers in the same subnet, all with public IPs from the same ISP? Assume no firewall, no gigantic networks with broadcasting problems, nothing fancy.

BTW, Chuck, your blog website has some great articles on it. Thanks!


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA

said by pyro2:

So I have spent some time learning subnet masks better. IF I can get through this question, I still have one more regarding that, but I need to concentrate on this.

Earlier, I quickly typed in numbers to make IPs in the above example that don't work. Forget that. Once I go and check the subnet mask I will know how to tell if the IPs are all within the subnet mask. If they're not, I know I have a problem with the ISP. If they are I still have my question:

Can I expect normal networking between these computers in the same subnet, all with public IPs from the same ISP? Assume no firewall, no gigantic networks with broadcasting problems, nothing fancy.

BTW, Chuck, your blog website has some great articles on it. Thanks!


If all of the computers are on a single subnet, and if the subnet is unique to those computers, then you should be able to get Windows Networking going.

Windows Networking, for a small LAN (which you appear to have) uses SMB broadcasts. SMB broadcasts work best in a defined area, which is why a private subnet is needed.
»nitecruzr.blogspot.com/2005/07/w···ing.html

SMB broadcasts leaking into the Internet would be a very bad idea. The latter would be like screaming
Hack me! Hack me!!
Anyway, thanks for the feedback.
--
Cheers,
Chuck
MS-MVP 2005-2007 [Windows - Networking]
PChuck's Network

pyro2

join:2008-01-06
united state

reply to Pyro
I figured out this question, so I figured I would reply to post the answers for anyone else searching in the archive.

Besides the made up IPs and subnets not working out above, the real subnet was 255.255.255.240 meaning we had 12 public IP addresses. Each computer was set up with a static public IP. There was no firewall configured. They thought the DSL line had a firewall service enabled (they offer the service), but they didn't.

Windows networking works just as a private network would within the same subnet.

I ended up setting up a firewall and NAT and putting everything behind it. Therefore we're only really using one IP. It's fairly complex since a lot of computers are running similar hosting services and needed to be distributed over separate ports.

My next question to start figuring out is if I could have used an all-in-one router with firewall to just do firewall without NAT. In other words, allow the LAN side to get a WAN IP but pass through the firewall. I'll keep researching this, but if anyone has any suggestions, please reply! Perhaps adding in some fancy routing techniques?

LLigetfa

join:2006-05-15
Fort Frances, ON
reply to Pyro
Why not do 1:1 NAT where warranted?

pyro2

join:2008-01-06
united state
Not sure what you mean by 1:1 NAT.

There are multiple servers running similar services. It would be easier for the outside users to use different public IPs instead of having to have them change ports depending on the server they need to use.

LLigetfa

join:2006-05-15
Fort Frances, ON

There are a lot of people that misuse the term NAT, so 1:1 NAT simply clarifies that there is a one to one relationship of a public IP NAT'd to a private IP as compared to PAT which is a N:1 (many to one) NAT.

From some of your other posts, I see you also throw these terms around loosely.

»en.wikipedia.org/wiki/Network_ad···nslation
--
Strange as it seems, no amount of learning can cure stupidity, and formal education positively fortifies it. -- Stephen Vizinczey

pyro2

join:2008-01-06
united state

Now I'm totally confused! I never heard of PAT, and I'm a little confused about it since I thought half the routers I buy advertise they do NAT. They're actually doing PAT? The routers I use don't allow for port translation though. They only allow 1:1 port forwarding. These are general Netgear, Linksys, etc. routers that I'm familiar with.

Can you give me an example of a router that does 1:1 NAT? I've got some studying to do...

LLigetfa

join:2006-05-15
Fort Frances, ON
Many routers will do 1:1 NAT. We do it on CheckPoint and m0n0wall. Did you read the Wiki?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS


What the heck, I will give it a shot.

All of ZyXEL's ZyNOS-based routers (home, SMB, etc.) are capable of 1:1 NAT. It is required when given a block (more than one useable) of public IP addresses by the ISP. More capable routers allow the admin to assign each public ISP IP to their own particular router IP (private) address. Normally one public IP, of the block of IPs, is used for the router (and its LAN).

PAT or SUA (single user address??) refers to a subset of FULL NAT (SUA/PAT + 1:1 mapping)? In the PAT/SUA standard home router scenario, the WAN IP is the only public IP given by the ISP to the user. This IP is not one to one mapped to anything but is used for the router. When one runs servers or needs to open up the router to unrequested inbound traffic (be it FTPing out one's server or being pinged by an allowed game website) one needs to open ports. With the single public ISP IP, the user can forward the necessary ports for servers or other uses. The limitation of course is that a port can only be port forwarded to a single LAN IP/computer (OTHERWISE THE ROUTER WOULD BE CONFUSED ON WHERE TO SEND INBOUND UNSOLICITED TRAFFIC).

This is of course not useful to a business or user that, for example, wants to provide multiple same server types (take FTP for example). By paying for more public IPs, and by using a full NAT capable router, he can provide one of the FTP servers via the SUA/PAT scenario as described above and then any number of FTP servers mapping each server by using one public IP and associating it to a private assigned router IP. The limitation is, for the most part, how many public IPs one can get.

Thus, multiple IPs in a basic sense allow for more flexibility overall and move past the limitations of PAT/SUA.

There are of course variations on how blocks of public IP addresses are meted out and how they are used but not necessary for this discussion.

One other topic is port re-addressal, where for example incoming traffic is translated to a different port to the PC/server than what arrives at the router. A typical example may be an ISP that blocks inbound port 21 traffic. Some routers will provide the capability to accept traffic on port yy and reroute it to port 21 on a server behind the router, thus bypassing the ISP censorship. There are probably legitimate reasons for port re-addressal/translation but my practical business experience is limited.

Mapping can get more complicated. Most routers do have some limitations on the number of mapping rules they allow. To be more efficient some routers will allow the admin to delineate a concurrent sequence of public IPs to an associated concurrent sequence of private IPs as one rule.
I.e., one gets public IPs xxx.1 thru xxx.5, and defines private IPs yy.1 thru yy.5 in a single rule. Other combo rules allow private IPs to share public IPs and so forth.

Hope this helps.
PS Page 17 and beyond have a discourse on this subject.
»ftp://ftp.us.zyxel.com/ZyWALL_2_Plus/s···4.03.pdf

--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment
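The difference between PAT port forwarding and 1:1 NAT described in the posts above, as an added sketch that is not from any poster or router vendor. The class names, the per-IP allow-list (an assumption, following the thread's resolution of putting a firewall in front of the NAT) and the 203.0.113.x / 192.168.1.x addresses are constructed for illustration.

```python
import ipaddress

class PatRouter:
    """PAT/SUA: one public IP, inbound traffic is steered by port number alone."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.forwards = {}                 # public port -> (private IP, private port)
    def forward(self, public_port, private_ip, private_port=None):
        if public_port in self.forwards:   # a port can go to only one LAN host
            raise ValueError(f"port {public_port} is already forwarded")
        self.forwards[public_port] = (private_ip, private_port or public_port)
    def inbound(self, dst_ip, dst_port):
        """Return the (private IP, port) target, or None if the packet is dropped."""
        if dst_ip != self.public_ip:
            return None
        return self.forwards.get(dst_port)

class OneToOneNat:
    """1:1 NAT: each public IP maps to one private IP; ports are not rewritten."""
    def __init__(self):
        self.mapping = {}                  # public IP -> private IP
        self.allowed = {}                  # public IP -> ports the firewall admits
    def map_range(self, first_public, first_private, count):
        """One rule: consecutive public IPs onto consecutive private IPs."""
        pub = ipaddress.ip_address(first_public)
        priv = ipaddress.ip_address(first_private)
        for i in range(count):
            self.mapping[str(pub + i)] = str(priv + i)
    def allow(self, public_ip, port):
        self.allowed.setdefault(public_ip, set()).add(port)
    def inbound(self, dst_ip, dst_port):
        private = self.mapping.get(dst_ip)
        if private is None or dst_port not in self.allowed.get(dst_ip, ()):
            return None                    # unmapped address or filtered port
        return (private, dst_port)

def demo():
    """Constructed addresses: 203.0.113.0/24 is a documentation range."""
    pat = PatRouter("203.0.113.1")
    pat.forward(21, "192.168.1.10")                  # first FTP server
    collision = False
    try:
        pat.forward(21, "192.168.1.11")              # second FTP server, same port
    except ValueError:
        collision = True
    pat.forward(2121, "192.168.1.11", 21)            # port re-addressal workaround
    nat = OneToOneNat()
    nat.map_range("203.0.113.2", "192.168.1.10", 3)  # .2-.4 -> .10-.12 in one rule
    for ip in ("203.0.113.2", "203.0.113.3"):
        nat.allow(ip, 21)
    return {
        "pat_collision": collision,
        "pat_2121": pat.inbound("203.0.113.1", 2121),
        "nat_ftp": nat.inbound("203.0.113.3", 21),
        "nat_smb": nat.inbound("203.0.113.3", 445),
        "nat_unlisted": nat.inbound("203.0.113.4", 21),
    }
```

Without the allow-list, a 1:1 mapping would hand every port of the public IP to the private host, which recreates the unfiltered exposure the thread started with.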

pyro2

join:2008-01-06
united state

Thanks a lot for the ZyXEL recommendation. It helped me understand the wiki. I might buy one of these to play around with it to learn more about this. The ZyXELs seem to have excellent reviews for stability. Much better than the Netgear, TRENDnet, Linksys junk I'm using now.

After understanding this better, I took a better look at a Trendnet router (TW100-BRV304v2) (junk - don't buy) I own which has a DMZ port. The manual mentions that I can route external addresses to internal addresses, essentially 1:1 NAT.

Any other popular brands found in small businesses, please suggest. Thanks for all the help so far!


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
Be leery of home routers claiming a DMZ port. Most of the time it's a half-baked feature that one uses to forward all ports (not already forwarded) to one LAN IP address. Garbage!!
Thursday, 03-Dec 16:48:14 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.