Subnetting

Lucas Peet sirsky at lucastek.com
Wed Nov 20 17:42:17 CST 2002


Well, basically, I'm working on a triple-homed firewall.  The block of
'real' IP's will be for the DMZ, I'll use 10.0.0.x for the internal
network, but I still need 2 IP's (one for the external interface, and
one for the router) that are on a different network, so I can route
properly between the external interface, and the DMZ.

Maybe I'm confused here - I guess I'm just trying to apply what I
learned from my own dual homed firewall to a triple homed with a DMZ.

Maybe I just don't know enough about routing yet?  I guess I don't
understand how I would route from eth0 to eth2 properly, when they're on
the same network block.

Should I just ask the ISP for 2 other IP's on a different network block?
(I *know* they have subnets that are only 2 (useful) IP's long (total of
4) ).

-Lucas

-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net] On Behalf Of Charles
Steinkuehler
Sent: Wednesday, November 20, 2002 7:11 AM
To: kclug at kclug.org
Cc: Lucas Peet
Subject: Re: Subnetting

dt-kclug at xr7.org wrote:
> On Tue, 19 Nov 2002, Lucas Peet wrote:
>> My question is:  How can I split a Class C block of IP addresses like so -
>> 
>> Network #1:
>> NetIP:		10.0.0.0
>> Usable IP's:	10.0.0.1-2
>> Broadcast:		10.0.0.3
>> 
>> Network #2:
>> NetIP:		10.0.0.4
>> Usable IP's:	10.0.0.5-254
>> Broadcast:		10.0.0.255
>> 
>> Is this even possible?  What other alternatives would I have besides
>> subnetting, if I want both the above networks separately routable on
>> different interface cards?
> 
> This is not possible.  Look at the addresses and masks in binary to see
> why.  Netmasks are always 1's through the network part of the address, and
> the /24 notation means that the netmask is 24 1's followed by 8 0's
> (255.255.255.0).  This is easier to describe with this notation...
> 
> There isn't anything that forces you to use the same netmask for the whole
> /24 (class C) block.  Following your example, you could have 2 /30
> networks (0-3 and 4-7).  Since these two networks together make up a /29,
> you could then have another /29 (8-15) to fill out a /28.  This repeats
> until you fill up the /24; you would have a /25 (128-255) at the top.
> 
> I know this doesn't solve your problem, since you wind up with 7 subnets
> total, but it should at least explain why you can't get there from here.

As mentioned, "real" subnets must come in sizes that are powers of two, 
and if you want to subnet your /24, there's no way to make a subnet 
bigger than a /25 (128 IPs).

Depending on exactly what you need the IPs for, however, you may be able
to use something like proxy arp, which can arbitrarily split subnets 
however you want (the IPs on separate networks don't even have to be 
contiguous), or you can use private IPs, ip tunneling, or various other 
tricks to avoid consuming your public IPs, which are hard to come by.

A better description of what you're trying to do would help a lot with 
trying to suggest alternate solutions.

-- 
Charles Steinkuehler
charles at steinkuehler.net
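An added illustration of the arithmetic in the quoted exchange (example code written for this page, not from anyone on the list): it shows the /24 mask in binary, checks whether a proposed address range is a single routable subnet, and builds the seven-subnet power-of-two cascade described above.

```python
import ipaddress
from typing import List


def mask_in_binary(prefixlen: int) -> str:
    """Dotted binary form of a netmask: prefixlen 1-bits followed by 0-bits."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    bits = f"{mask:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def range_as_subnets(first: str, last: str) -> List[str]:
    """Smallest set of CIDR blocks covering first..last inclusive.

    The range is one routable subnet only if exactly one block comes back;
    the proposed 10.0.0.4-255 'Network #2' needs six blocks, so it is not.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def subnet_cascade(block: str, smallest: int) -> List[str]:
    """Carve `block` into power-of-two subnets, smallest ones at the bottom.

    Repeatedly split the block in half, keep the upper half as a subnet and
    continue with the lower half until it is a /<smallest>; the final lower
    half is the second /<smallest>.  For a /24 down to /30 this gives
    /30, /30, /29, /28, /27, /26, /25: the seven subnets from the thread.
    """
    net = ipaddress.IPv4Network(block)
    result = []
    while net.prefixlen < smallest:
        low, high = net.subnets(prefixlen_diff=1)
        result.append(str(high))
        net = low
    result.append(str(net))
    return sorted(result, key=lambda n: ipaddress.IPv4Network(n).network_address)


if __name__ == "__main__":
    # 10.0.0.0/24 is the constructed sample block from the quoted question.
    print("/24 netmask:", mask_in_binary(24))
    print("0-3 as subnets:", range_as_subnets("10.0.0.0", "10.0.0.3"))
    print("4-255 as subnets:", range_as_subnets("10.0.0.4", "10.0.0.255"))
    for n in subnet_cascade("10.0.0.0/24", 30):
        print(n)
```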