Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Utilising static IP's from ISP  (Read 291 times)

steveharriss

  • Just arrived
  • *
  • Posts: 4
Utilising static IP's from ISP
« on: September 27, 2018, 04:42:54 PM »

Hopefully someone can chime in with some assistance for me.

I am an A&A customer with a Firebrick 2900 which has the IPv4 and IPv6 address provided on initial setup. Everything has worked fine with remote access to my NAS storage over the single IPv4 address being dealt with by my firewall ruleset.

I have upgraded my NAS to one with two network cards and have had A&A supply me with a further allocation of fixed IPv4 addresses. I would now like to set this up in order to directly access the NAS using one of these IPv4 addresses. Not having done this before I'm struggling with what I need to alter on the FB and the NAS to allow me to do this.

I have setup a static IP on one of the network cards but am unsure what to use as the gateway IP, the static IP of the FB, or something else. I've no real idea where to start with the FB configuration itself and scanning the manual has proved fruitless.

Can anyone assist?
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Utilising static IPs from ISP
« Reply #1 on: September 27, 2018, 05:03:18 PM »

For starters, then in part 2 forthcoming we could possibly specify a fixed DHCP allocation for your device if using IPv4, or just set your device to take a static IPv4 address for itself:

<!-- change following to whichever physical port goes to your LAN -->
<port name="Port-LAN"  ports="1" comment="To main LAN switch"/>

<interface name="IF-LAN" port="Port-LAN" log-debug="Log-default" restrict-mac="true" comment="LAN"> <!-- !! 'source-filter' : stay away from it!! -->

   <!-- LAN range definition for RA, with default gateway IP=Firebrick -->
   <subnet ip="w.x.y.z/nn 2001:8b0:xxx::1/64" ra="true"/>
   
   <!--
   1. the above ip address w.x.y.z needs to be changed to suit you - it needs to be
   the IPv4 address of the lan-facing i/f of your firebrick.
   I use the highest interface in my range - 2, do not use highest address -1,
   or you could use the lowest address +1.
   
   2. the /nn needs to be changed according to the size of your IPv4 range
     /24 for 256 IPv4 addresses
     /26 for  64 IPv4 addresses (me)
     /27 for  32 IPv4 addresses
     /28 for  16 IPv4 addresses
     /29 for   8 IPv4 addresses
   3. same idea as (1) but for IPv6 - I use the lowest IPv6 address in my range for
   the lan-facing address of my Firebrick, so ::1,
   but you could pick anything with that 64-bit range instead of ::1. The prefix
   2001:8b0:xxx:0:: will have been given to you by AA.
   Always use a /64 for this - as it is one LAN. AA will have given you a /48 though,
   for 65535 different LANs/sites.
   -->
   
   <!-- IPv4 DHCP pool. w.x.y needs to match the above.
   It might be that you do not even need to bother with the following at all,
   as the defaults might just do something sensible, handing out every available IPv4
   address in the range.
   
   Try without this element maybe.
   
   aa - bb below are the lowest and highest IPv4 addresses that
   you choose to hand out in DHCP. aa might be base+2 or higher if your router's
   IPv4 LAN address is at w.x.y.z.base+1 say,
   or bb might be just short some way below your router if your router has a LAN
   address just below the top end of your range.

   My dhcp pool range is 235-244 here as my Firebrick is at a very hig address and
   some other boxes are just below the top.
   I allocate fixed IPv4 addresses for well-known devices at base+1, base+2 etc
   Some software does not like base+0 esp if base = 0, so best to start at base+1,
   and so best not to make aa = 0.
   
   It might be that you do nit even need to bither with the following at all, as the defaults
   might just do something sensible, handing every available IPv4 address in the range out.
    -->
   <dhcp ip="w.x.y.aa-bb" name="dhcp-pool" lease="15:00:00" />
« Last Edit: September 27, 2018, 05:23:36 PM by Weaver »
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Utilising static IPs from ISP
« Reply #2 on: September 27, 2018, 05:13:53 PM »

The following is unnecessary - you can just set the device to a hard coded IPv4 address on that device itself, which is better, but less flexible as there are more things to change should you ever have to. If hardcoved, the device cannot easily be moved to a different network.

But use this recipe if you want to fix a particular device at a certain IPv4 by DHCP, assuming that it is set up listen to DHCP, so everything is controlled from one place, right here. Or the alternative is to just forget this and configure the device on that device.
<subnet ... as above ... >
<dhcp ip="w.x.y.z.xxx" mac="CC5D4EEE2ED2" name="MydeviceName" lease="30:00:00" comment="Base + nn " />
</subnet>
Logged

steveharriss

  • Just arrived
  • *
  • Posts: 4
Re: Utilising static IP's from ISP
« Reply #3 on: September 27, 2018, 05:23:18 PM »

 ;D Brilliant. Just what I needed. I'll let you know how I get on. My allocation is a /29 so not enough spare IP addresses to cover all the hardware in my network. Looks like option 2 is the one to go for
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Utilising static IP's from ISP
« Reply #4 on: September 27, 2018, 05:42:24 PM »

Since it is a /29 then maybe use base+1 for the Firebrick or base+6. Do not use base+7.

If you can get away with using base+0 then do so but this is not generally recommended so expect problems with some software, not sure which. I asked about this in a previous thread.

But out of 8 eight that only leaves you six, and the Brick takes one, so only five left, but using base+0 would free up 1 more. If base + 0 is > 0 then I would not be at all surprised if you could get away with it but I have not tested this so, again not recommended and a possible hassle.

If you really have a genuine need more than five IPv4 addresses from AA and are going to use them at some point then just ask them. They will not give you the third degree at all. It is just that RIPE want assurance that they will get used in the next couple of years. Better to ask for more sooner rather than have to change everything when stuff is all set up and make a lot of bugs by moving.

Optional extra.

If you want to set up meaningful DNS names for these boxes then I can add something here describing how to publish these on the LAN via the Firebrick.

However, to do a much better job and make addresses of things on your LAN visible from the internet, so you can quote them anywhere, not just in the confines of your LAN only, you need to do that in clueless.aa.net.uk and there is a page on the AA support wiki - which I wrote - telling you how to do so. You need to have a domain name of your own for internet-wide recognition though, so eg nas-box.example.com could be defined. You then ask AA support to add the domain example.com to clueless for you if it is not listed there already, then you add a reverse DNS lookup entry defining say w.x.y.whatever as pointing to nas-box in domain in the page for your domain example.com

For example I have set up a DNS entry for weaver-ipad-pro.my-main-site.mydomain.com which is visible on the internet and maps to the IPv4 address of the wireless NIC of that machine on the LAN.
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Utilising static IP's from ISP
« Reply #5 on: September 27, 2018, 05:44:54 PM »

I can send you my complete config, but it is huge, very heavily commented and probably very confusing. It has various firewall rules that are certainly over the top, and one that imo is questionable, plus an enormous amount of detail about individual machines, and it has the stuff form multiple modems too.
Logged

andyfitter

  • Reg Member
  • ***
  • Posts: 165
Re: Utilising static IP's from ISP
« Reply #6 on: September 27, 2018, 07:09:11 PM »

Personally Iíd be reluctant to do what youíre doing. Nas software often isnít kept up to date, and the multitude of extra packages you can install all carry security risks.

At the very least, Iíd hide it behind a reverse proxy such as Nginx for web based services, but in reality Iíd only open up real access via a VPN tunnel terminating on the Firebrick. Is there a specific reason to have it so unprotected and not hidden behind a vpn?

Putting the Nas on a routable address makes me shudder!
« Last Edit: September 27, 2018, 07:11:58 PM by andyfitter »
Logged

steveharriss

  • Just arrived
  • *
  • Posts: 4
Re: Utilising static IP's from ISP
« Reply #7 on: September 27, 2018, 08:11:04 PM »

Weaver your full config will probably tip me over the edge but your extra assistance in relation to using the FB for DNS resolution would be good.

Andyfitter, point taken. I'm certain I've locked down the services on the NAS to those I require but I'll certainly review my current plans before taking the leap
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Utilising static IPs from ISP
« Reply #8 on: September 27, 2018, 08:28:10 PM »

Andyfitter, there is no reason not to firewall off access. The default configuration is firewalled off from access from the outside anyway, so there is absolutely nothing at all to worry about.
« Last Edit: September 27, 2018, 08:52:09 PM by Weaver »
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Utilising static IPs from ISP
« Reply #9 on: September 27, 2018, 08:51:40 PM »

> your full config will probably tip me over the edge

Indeed, as I said. It might serve as a library of examples, and could suggest further questions.

Use the web UI to alter the config if that helps tho. There is nothing forcing you to edit XML. Using the web UI means that you can see all the options listed, thatís one benefit.

ó
DNS example, local only, would need to use a full domain name and set things up in clueless as mentioned before instead of doing this if you want internet-wide visibility of the name.

<services>
    <dns auto-dhcp="true" local-only="true">
      <host name="devicename1 devicename1-alias1" ip="ipv4_addr1 ipv6_addr_1" reverse="true" />
      <host name ... etc ... />
    </dns>
</services>


1. Actually the attribute called name should really be called names. In the double quoted string value of the name attribute, where it says devicename1 and so on, multiple alternative names can be listed for the one device if you wish. These can contain dots if you like. I use things like eg "firebrick lan.firebrick", with two alternatives, the second in the case where I am giving the LAN-facing address of the Firebrick and there is a second entry, wan.firebrick, for its outside, internet facing interface

2. You can give an IPv4 address and/or an IPv6 address for ip, and this too should be plural.
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 6261
  • Retd sw dev; A&A; 4 ◊ 7km ADSL2; IPv6; Firebrick
Re: Utilising static IP's from ISP
« Reply #10 on: September 27, 2018, 08:53:39 PM »

If the OP needs a firewalling check at some point kitizens will be happy to advise.
Logged

andyfitter

  • Reg Member
  • ***
  • Posts: 165
Re: Utilising static IP's from ISP
« Reply #11 on: September 28, 2018, 10:38:09 AM »

I agree, It can all be done in the Firewall.. but...I'd still go for a VPN solution every time if possible. Its a one stop solution that lets nobody in and is so simple to configure. Each time you add a new/reconfigured service to the NAS you have to poke around in a bunch of config files just to make it work, And each time you do that you risk letting something through. The scope for getting the firewall setup not quite right is obvious from the complexity of this discussion!

With a VPN t just works, no reconfiguring for new services etc.

Anyway... That's my last word... Hope you get it set up to your satisfaction.
Logged
 

anything