In case you didn't know, if you get a block of IP addresses over and above your external interface's set you can use them at will in 1-1 NAT. That being said, ClearOS currently matches the subnet mask of the interface that it is bound to for any IP addresses created as a 1:1 NAT. This is fine if you want to assign addresses out of your default problem. But if you have a block of IP addresses that has a different subnet, it can stomp those addresses. If the subnet is too big, you end up with burned addresses that you cannot talk to in neighboring subnets. If your subnet is too small, you stomp addresses in your subnet. That is kind of hard to explain so let me put this into a DMZ example.

Say for instance you have a block of 8 IPs from your ISP and a block of 64, and respectively. Your LAN is You set up the first block for your external interface and your network looks like this: - Network Reserved - Your ISP's router - Your ClearOS Server - Broadcast

Your DMZ network looks like this: - Network Reserved - Your ClearOS Server - Broadcast

ClearOS will deal fairly with all of your DMZ addresses provided that the hosts are assigned to the network. However, if you want to use as a 1-1 NAT address to your internal LAN server of it will pull the subnet mask of your network and essentially create as a network address and as a broadcast. This will burn these two addresses because you won't be able to ping them through ClearOS.

So, an elegant way to deal with this is to always assign to ALL virtual IP addresses created by 1:1 NAT. With this configured, routing defers to the normal interface in the case of any undefined virtual so routing is copacetic. I've seen lots of Linux guides and questions that don't seem to understand the reasons and a few BSD articles that say is always the best policy. The question then becomes, is there any downside in this? I've not been able to see one in the lab but I don't want to put a patch out there and break anyone without reviewing it first. Let me know if you have any insight.
Monday, April 29 2019, 06:24 AM
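Added example (not from the post or from ClearOS): a small check that shows which addresses get burned when a 1:1 NAT virtual IP inherits the external interface's mask instead of /32, and whether any of those burned addresses collide with another virtual IP. All networks and addresses below are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the original post): the ClearOS external
# interface lives in a /29 block of 8, the 1:1 NAT virtual IPs come from a
# separate /26 block of 64.
EXT_IFACE_NETWORK = ipaddress.ip_network("192.0.2.0/29")
VIRTUAL_IPS = ["198.51.100.8", "198.51.100.10", "198.51.100.60"]


def burned_addresses(virtual_ip: str, prefixlen: int) -> set:
    """Addresses made unusable when virtual_ip is bound with prefixlen.

    A mask shorter than /32 makes the derived network and broadcast addresses
    reserved on that interface. With /32 both collapse onto the host itself,
    so the set difference is empty and nothing else is touched.
    """
    net = ipaddress.ip_network(f"{virtual_ip}/{prefixlen}", strict=False)
    return {str(net.network_address), str(net.broadcast_address)} - {virtual_ip}


def collisions(virtual_ips, prefixlen: int) -> set:
    """Virtual IPs that would be burned by another virtual IP's derived
    network or broadcast address under the given mask."""
    burned = set()
    for vip in virtual_ips:
        burned |= burned_addresses(vip, prefixlen)
    return burned & set(virtual_ips)


def compare_masks(virtual_ips, iface_prefixlen: int) -> dict:
    """Per virtual IP, the burned addresses under the interface mask versus /32,
    for review before changing how the aliases are created."""
    return {
        vip: {
            "iface_mask": sorted(burned_addresses(vip, iface_prefixlen)),
            "slash32": sorted(burned_addresses(vip, 32)),
        }
        for vip in virtual_ips
    }


if __name__ == "__main__":
    plen = EXT_IFACE_NETWORK.prefixlen
    for vip, result in compare_masks(VIRTUAL_IPS, plen).items():
        print(vip, "/%d burns" % plen, result["iface_mask"], "| /32 burns", result["slash32"])
    print("virtual IPs stomped by siblings under /%d:" % plen, sorted(collisions(VIRTUAL_IPS, plen)))
```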