Maximum PC

All times are UTC - 8 hours

 Post subject: Get your LAN on the Internet
Posted: Mon Jul 26, 2004 3:54 pm
I am not my computer's stats

Joined: Mon Jun 14, 2004 1:33 pm
Posts: 566
Location: Phoenix, AZ, USA
Originally Posted by Logik!


Address translation will allow you to share one or more
IPs for all of your systems to connect to the Internet
(or another network). This can be done with hardware or
software, as appropriate.

According to RFC 1918, the following addresses are
available for private networks:

172.16.x.x - 172.31.x.x

For all of the scenarios in this document (including the
linked PDF file below), we'll work with the

The basic diagram of a network using Network Address
Translation (NAT) is as follows:

* http://www.ultratech-llc.com/KB/Diagrams/?File=NetBasics.PDF
* http://www.ultratech-llc.com/KB/Diagrams/?File=NetBasics-DMZ.PDF
* http://www.ultratech-llc.com/KB/Diagrams/?File=NetBasics-Visio.PDF

In the above scenario, the addresses can be statically
mapped, or assigned by DHCP (my preference), with the
gateway of the internal systems set to

The Gateway machine (GATE1), which contains two network
interfaces, should NOT have a Default Gateway configured
on the 192.168.99.x interface. There should only be a
single Default Gateway, and it should be configured on
the external network interface (provided by the ISP).

This is true whether the ISP-provided IP address is
statically, or DHCP-assigned.

NOTE: The Gateway machine (or device) listed above, can
be a server or desktop running NAT/Proxy/Firewall
software, or it can be a Broadband Router, or it
can be a Firewall/VPN appliance. In any event,
it will need to have at least two distinct network
interfaces, for proper security and operation.

In the event that a Windows-based machine is being used
to provide Internet gateway services, NetBIOS should be
unbound from the public NIC (see the SECURITY section
for more details) and a firewall should be installed on
the gateway system (preferably with robust packet
filtering or stateful packet inspection, if possible).
TCP Ports 135-139 should not be permitted to traverse
your router/firewall/gateway, unless you have some sort
of bizarre deathwish.

If you're running DNS on the gateway system, all of the
internal clients should point to it using the INTERNAL
address of the gateway system. The gateway system can
configure its DNS server as a forwarder to the ISP's
DNS servers, or any other legitimate DNS servers that
you have access to.

The systems in the diagram can be connected with a Hub
or a Switch, as you desire, but these days, the price
of a low-end, unmanaged Switch is far too low to pass
up, especially considering the performance advantage
you will gain over a Hub (reduced collisions). Also,
many broadband routers come with switch ports, thus
eliminating the need for a separate switch.

NOTE: NAT is only the first level of security. It should
not be the *only* level of security deployed on
your network.
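
The checks described in the post (a single default gateway on the external interface only, an RFC 1918 address on the internal side, and TCP 135-139 never forwarded) can be expressed as a small audit. This is an added example, not part of the original post; the interface dictionary layout, the first-match rule format, and the sample addresses (192.168.99.1 and the 203.0.113.x documentation range) are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, used to sanity-check the internal interface address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCKED_TCP = range(135, 140)  # TCP 135-139 must not traverse the gateway

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def exposed_ports(rules, default="deny"):
    """Ports in 135-139 whose first matching TCP forward rule is 'allow'."""
    out = []
    for port in BLOCKED_TCP:
        verdict = default
        for action, proto, lo, hi in rules:  # assumed semantics: first match wins
            if proto == "tcp" and lo <= port <= hi:
                verdict = action
                break
        if verdict == "allow":
            out.append(port)
    return out

def audit_gateway(interfaces, rules, default="deny"):
    """Return findings for a dual-homed NAT gateway; an empty list means clean."""
    findings = []
    if not {"internal", "external"} <= {i["role"] for i in interfaces}:
        findings.append("needs separate internal and external interfaces")
    for i in interfaces:
        if i["role"] == "internal" and i["gateway"]:
            findings.append(f"{i['name']}: default gateway on internal interface")
        if i["role"] == "internal" and not is_rfc1918(i["address"]):
            findings.append(f"{i['name']}: internal address is not RFC 1918")
    n_gw = sum(1 for i in interfaces if i["gateway"])
    if n_gw != 1:
        findings.append(f"{n_gw} default gateways configured, expected 1")
    ports = exposed_ports(rules, default)
    if ports:
        findings.append(f"TCP {ports} allowed through the gateway")
    return findings

# Constructed sample data (not taken from the post's diagrams).
GOOD = [{"name": "lan", "role": "internal", "address": "192.168.99.1", "gateway": None},
        {"name": "wan", "role": "external", "address": "203.0.113.10", "gateway": "203.0.113.1"}]
BAD = [dict(GOOD[0], gateway="192.168.99.254"), GOOD[1]]
RULES_OK = [("deny", "tcp", 135, 139), ("allow", "tcp", 1, 1024)]
RULES_BAD = [("allow", "tcp", 1, 1024), ("deny", "tcp", 135, 139)]  # deny is shadowed
print(audit_gateway(BAD, RULES_BAD))
```

With first-match rules, a deny for 135-139 placed after a broader allow never takes effect, which is the case `RULES_BAD` exercises.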
