Blue Sky join:2004-04-05
Help needed with IP Alias...
I am using my Prestige 650HW-31 (Release 3.40(IS.4)C0) in a standard setup (one static IP address with NAT). After requesting it, my ISP has given me a 4 IP address block, with two usable IP addresses; this is in addition to my original IP address.
Anyways, I would like to use the new IP addresses to separate my network, so I can run P2P apps or anything else that requires me to open ports on the firewall on a separate network, to minimize the inherent security risks. Is this possible using the Prestige's IP Alias feature?
If so, what's the best way to proceed? From looking at the manual, I enable IP alias in menu 3.2, then under IP Alias 1, I would define the second IP address range I have been assigned. Does that sound about right? Also it looks like I can use the ip aliasdis command to disable routing.
If anyone could help or comment on this configuration, I would very much appreciate it.
Cheers
Cian
john0099 @eol.ca
I'm not sure about the Prestige, but for the ZyWall 10W that is how I set up my network (with IP aliasing).
The only thing you still have to do is turn on full feature NAT and, under SUA/NAT, do the appropriate mappings (either 1 to 1 or many to 1, depending on your setup).
John
bbarrera Premium, MVM join:2000-10-23 Sacramento, CA clubs: SureWest Internet
First off, I think you only have 1 IP address:
- 1 for subnet
- 1 for router
- 1 is open for use
- 1 for broadcast
Second, you'll need a /29 block, which is 8 IP addresses and only 5 are usable.
Finally, IP Alias shouldn't be considered a security feature.
Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
1 edit
bbarrera, on the security side, are you saying:
a. IP alias is not foolproof from one LAN user getting to the other LAN?
b. IP alias is not foolproof from a WAN user connecting to a LAN server and getting to the other LAN?
c. both?
Finally, other than spending big bucks on the Z70 or later Z35, while waiting for the cost-effective Z5 in the summer, what is an alternate solution?
-- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"
bbarrera Premium, MVM join:2000-10-23 Sacramento, CA clubs:
Start another thread.
Blue Sky join:2004-04-05
Thanks for the feedback everyone. I'll just have to give it a try and see if it works. Regards, Cian.
Infoman1 join:2001-03-21 Hubbard, OH
reply to Anav
I use a similar setup, using a LAN-LAN firewall rule blocking all traffic from one subnet to the other. IP alias is not a security feature, but short of adding another router and a DMZ, what's not secure about this setup?
Specific WAN-LAN services are passed and forwarded to the alias address. The alias address cannot communicate at all with the other internal subnet. WAN-LAN traffic to the primary subnet is blocked.
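The setup Infoman1 describes (IP alias gives a second LAN subnet, full-feature NAT forwards one service from the second public IP into it, and firewall rules do all the isolation) is easy to reason about as a zone policy. The following is an added example and is not ZyXEL code, nor the Prestige/ZyWALL rule syntax; it is a plain Python model of the router's decision. Subnets, the public addresses, the P2P port 6881 and the forwarded host are all constructed for the example (RFC 5737 documentation ranges on the WAN side). It also checks bbarrera's count of usable addresses in a /30 versus a /29 once the ISP's gateway address is set aside. With an empty rule list, the model forwards the alias-subnet-to-primary-subnet packet, which is the "IP alias is only routing" point; with the LAN-LAN drop rules, it does not.

```python
"""Zone-policy model of a two-subnet router (primary LAN + IP-alias subnet).
Added example, not ZyXEL code; every address and port below is constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Internal zones: the original LAN and the subnet defined as "IP Alias 1".
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),    # primary subnet (constructed)
    "ALIAS": ip_network("192.168.2.0/24"),  # alias subnet (constructed)
}

# Public side: original static IP plus the one usable address from the ISP
# block, each mapped to the router's own address on the subnet it fronts.
PUBLIC_TO_ROUTER_LAN = {
    "203.0.113.10": "192.168.1.1",   # original WAN IP -> primary subnet
    "198.51.100.10": "192.168.2.1",  # new WAN IP -> alias subnet
}

# Full-feature NAT server mapping: only the P2P port on the second public
# IP is forwarded, and only to a host in the alias subnet (constructed).
PORT_FORWARDS = {("198.51.100.10", 6881): "192.168.2.10"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                      # source zone: WAN, LAN or ALIAS
    dst: str                      # destination zone
    action: str                   # "forward" or "drop"
    dport: Optional[int] = None   # None matches any destination port


def zone_of(ip: str) -> str:
    """Classify an address into a zone; anything outside the LANs is WAN."""
    a = ip_address(ip)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "WAN"


def translate(flow: Flow) -> Flow:
    """Inbound NAT: rewrite a public destination to the inside address.
    A forwarded (ip, port) pair goes to the mapped host; any other packet
    for a public IP terminates on the router's LAN-side address."""
    target = PORT_FORWARDS.get((flow.dst_ip, flow.dport)) \
        or PUBLIC_TO_ROUTER_LAN.get(flow.dst_ip)
    return replace(flow, dst_ip=target) if target else flow


def decide(flow: Flow, rules: List[Rule], default: str = "forward") -> str:
    """First matching rule wins. With no rules at all the box simply routes
    between its subnets, so everything is forwarded: that is what IP alias
    alone gives you."""
    flow = translate(flow)
    s, d = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    for r in rules:
        if r.src == s and r.dst == d and r.dport in (None, flow.dport):
            return r.action
    return default


# The policy Infoman1 describes, expressed as zone rules.
POLICY = [
    Rule("WAN", "ALIAS", "forward", dport=6881),  # the one exposed service
    Rule("WAN", "ALIAS", "drop"),                  # nothing else inbound
    Rule("WAN", "LAN", "drop"),                    # primary subnet closed
    Rule("ALIAS", "LAN", "drop"),                  # LAN-LAN isolation
    Rule("LAN", "ALIAS", "drop"),
    Rule("ALIAS", "WAN", "forward"),
    Rule("LAN", "WAN", "forward"),
]


def usable_hosts(block: str, isp_gateway: bool = True) -> list:
    """Host addresses in a block, minus the first one if the ISP's router
    occupies it (bbarrera's point: a /30 leaves one, a /29 leaves five)."""
    hosts = list(ip_network(block).hosts())
    return hosts[1:] if isp_gateway else hosts


if __name__ == "__main__":
    lateral = Flow("192.168.2.10", "192.168.1.5", 445)   # alias -> primary
    print("routing only:", decide(lateral, []))           # forward
    print("with policy :", decide(lateral, POLICY))       # drop
    print("P2P inbound :", decide(Flow("203.0.113.77", "198.51.100.10", 6881), POLICY))
    print("/30 usable  :", usable_hosts("198.51.100.8/30"))
    print("/29 usable  :", len(usable_hosts("198.51.100.8/29")))
```

The order of the WAN-to-ALIAS rules matters: the port-specific forward must precede the catch-all drop, as it would in the router's rule list. Whether the real firmware evaluates LAN-LAN rules for alias-subnet traffic is exactly the question the thread raises, so this model only shows what the policy must say, not that a given box enforces it.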
Blue Sky join:2004-04-05
I don't know if anyone is interested, but I abandoned my idea to use IP alias. I configured my router yesterday with full feature NAT to control how my 2 usable WAN IP addresses are used. Now I can lock down the inside of my network with software firewalls along with the other normal security measures. I read the DMZ and IP Alias thread as well, which had a lot of good points.
Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
Good work Blue Sky, your thread has helped clear up issues that were outstanding (at least for me). IP alias is simply a routing protocol and has nothing to do with preventing one LAN from accessing the other LAN (i.e. no internal security), and nothing to do with preventing a hacker who has breached a public server on one LAN from accessing the private LAN (external to internal).
-- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"