Re: RE: NetReg: Everything Set up fine, but have a question about getting to the


From: Ed Hintz (ehintz@natus.com)
Date: Tue Feb 12 2002 - 18:11:33 CST


netreg@southwestern.edu writes:
>I see what you are doing...You are giving classless IP addresses to the
>unknown, and then giving routeable IP addresses to those who are "known".
> What I was trying to do is to use all classless IP addresses. The
>problem I am running into is when I try to give the real DNS server
>(which is a routeable address) to the client, they can't see it (because
>they are still classless). Since I am trying to not use "real" IP
>addresses, I am thinking my only solution is to make another "real" DNS
>server on the classless side. The only problem there is how to do that.
>I am not sure that can even be done. I would really like to not use 400
>real IP addresses if I can get away with it.

I think maybe I've got a setup similar to what you're trying for. Here's
how I'm doing it. I'm using a single class c rfc1918 space for the entire
network; I make 10 dhcp addresses available for traveling salesguys,
consultants, etc. I have 20 ips set aside for dhcp (this could of course
scale but we don't really want to use dhcp sitewide for myriad off topic
reasons). So, I have netreg setup to spit out addresses from
192.168.200.90-99 to unregistered clients; once they register they get
192.168.200.80-89. Folks in the 90-99 range get netreg as the dns server,
and the firewall/nat box as the gateway, folks in 80-89 get the same
gateway but legit dns (happens to be local boxes but I don't see any
reason why it couldn't be external as long as nat is working and the client
has a legit gateway-on my home lan I use rfc1918 space with my isp's
external dns servers just fine.) Lastly, I've got the firewall blocking
all traffic from 90-99, so the end result is that they can't get outside
of the LAN, and all dns points to netreg. Won't work against a determined
haxor but it's plenty sufficient for our endusers.

So, I don't see any reason why the registered clients wouldn't get past
the gateway, assuming nat is working. BTW-if you're unsure whether nat is
working you can bypass netreg/dhcp with simple static ips to test
functionality; if you still can't get out, it's not a netreg issue and
you'll need to concentrate on your NAT configuration. Of course, if for
some odd reason you really do need a local DNS box, perhaps an easier
solution would be some sort of port forwarding business-just accept
inbound traffic to some arbitrary box on the LAN and pass it off to the
external DNS. Hope all this helps...

Regards,

Ed Hintz
Network Systems Administrator
Natus Medical, Inc.
ehintz@natus.com

**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu containing a single line with the words:
unsubscribe netreg
Send requests for assistance to: owner-netreg@southwestern.edu
**********************************************************************
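The two-pool setup Ed describes, written out as an added example that is not part of the original message or of the NetReg distribution: ISC dhcpd pools split on known/unknown clients, with the gateway filter for the unregistered range. The 192.168.200.x ranges come from the message; the netreg, resolver and gateway addresses, the host name and MAC are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Ed's or the NetReg project's code: the two-pool layout
# from the message above in ISC dhcpd syntax, plus the gateway rule that keeps
# the unregistered range inside the LAN.  Ranges follow the message; the
# netreg/DNS/gateway addresses, host name and MAC are assumed placeholders.
set -eu

write_dhcpd_conf() {   # $1 = output path
    cat > "$1" <<'EOF'
subnet 192.168.200.0 netmask 255.255.255.0 {
    option routers 192.168.200.1;                   # firewall/NAT box (assumed)

    pool {                                          # unregistered clients
        allow unknown-clients;
        range 192.168.200.90 192.168.200.99;
        option domain-name-servers 192.168.200.10;  # netreg box: answers every name with itself
        default-lease-time 120;                     # short lease so a fresh registration takes effect fast
        max-lease-time 120;
    }

    pool {                                          # registered clients only
        deny unknown-clients;
        range 192.168.200.80 192.168.200.89;
        option domain-name-servers 192.168.200.5;   # legitimate resolver (assumed)
        default-lease-time 86400;
        max-lease-time 86400;
    }
}

# One host block per registration is what makes a client "known" to dhcpd;
# no fixed-address is needed, membership alone moves it into the 80-89 pool.
host registered-laptop { hardware ethernet 00:11:22:33:44:55; }
EOF
}

# Gateway side: log, then drop anything the unregistered range tries to send
# past the firewall.  Same-subnet traffic (to netreg itself) never crosses the
# gateway, so the portal stays reachable.  Printed rather than applied so the
# rules can be reviewed before they touch the live firewall.
firewall_rules() {
    cat <<'EOF'
iptables -A FORWARD -m iprange --src-range 192.168.200.90-192.168.200.99 -j LOG --log-prefix "netreg-unreg: "
iptables -A FORWARD -m iprange --src-range 192.168.200.90-192.168.200.99 -j DROP
EOF
}

write_dhcpd_conf ./dhcpd.conf.netreg-example
firewall_rules
```

The LOG rule gives the admin a record of which unregistered hosts tried to leave the LAN, which is the quickest way to spot a client that never finishes registering.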



This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:36 CDT