Republished with permission from WatchGuard Technologies, Inc.

WatchGuard


IP Addressing for Growing SOHO Networks

By David Piscitello, President, Core Competence

Small-to-medium business (SMB) networks don't always stay simple and small. Many networks grow "organically." Servers are moved to a faster LAN for performance or security reasons. Wireless LANs are added for convenience. Perhaps you're simply the victim of success and have hired several dozen new employees! Regardless of the cause, any network can quickly turn into something that more closely resembles a forest inundated with kudzu than a properly pruned English garden.

IP address administration is an important aspect of network planning. If you apply a few rules and some common sense, you can keep the process simple and manage growth effectively. For administrators who expect their networks to grow, this article explores those rules. Users of WatchGuard's Firebox SOHO6 firewalls might be particularly interested.

Where and when to use public IP addresses

Internet addressing is divided into public and private address domains. Hosts that have a public address can communicate with other hosts on the Internet. Internet Registries (ARIN, RIPE, APNIC...) delegate IP address assignments to Internet Service Providers. Most SMBs must therefore acquire public IP addresses from ISPs. ISPs are very careful to review the needs of an organization before they "lease" blocks of IP addresses, and charge monthly or annual fees according to the size of the block.

Many SMB networks only need one public IP address. Typically, this address is assigned to the external (or public) interface of a NAT-capable device (small office firewall or access router). To conserve public IP addresses, an ISP often dynamically assigns a public IP address to this device using DHCP or PPPoE. Organizations who want more control consider acquiring a permanent or static public IP address for their firewall and public-facing servers (e.g., Web, FTP).

If you have a static IP address, you can use static NAT to map a public IP address to the private IP address of the server. The server's domain name and IP then remain constant. If you have a dynamic IP address, you can still host a public Web server. By using a type of NAT called port forwarding, you can send HTTP traffic (port 80) to a Web server on the trusted network and use Dynamic DNS to maintain the relationship between the dynamic IP address and the constant domain name. (To do so on a WatchGuard SOHO 6, read this FAQ).

Administering public IP addresses for SMB networks is straightforward, largely because most of the decisions are beyond your control. Whether dynamic or static, your public IP address is always assigned to the external interface of a SOHO firewall. Don't be confused when you use SOHO 6's VPNforce Port upgrade: this rule still applies. The Optional port serves as a backup or redundant external interface, and uses the same policy definitions and public IP address as the external interface.

Private addresses for SMB trusted networks

When you use a SOHO firewall, the IP addresses that you assign to hosts are private addresses on your trusted network. These private addresses are dynamically translated to the single public IP address assigned to your external interface (IP Masquerading). In theory, you can assign any IP network number and any subnet mask to your trusted network. In practice, you should use one of the IP address blocks reserved by RFC 1918 for use as private addresses.

RFC 1918 reserves the following IP number space for private addresses:

Start Address     End Address          IP address prefix
10.0.0.0          10.255.255.255       10/8
172.16.0.0        172.31.255.255       172.16/12
192.168.0.0       192.168.255.255      192.168/16

Choosing IP network numbers

You may be familiar with IP addresses in the 192.168.0.0 - 192.168.255.255 range, because they often show up as "default" address spaces on SMB routers and firewalls, including the SOHO. But before you choose to use the default IP network, consider whether you'll ever want to create site-to-site IPSec VPNs. If so, you must avoid having hosts in multiple sites assigned the same IP address. The easiest way to avoid that is to make sure all the networks that will comprise your VPN use unique IP network numbers. When assigning multiple IP network numbers at one site or across many sites, choose a large block for each site, e.g., a /16. (If you don't know what that means, you can learn about subnets by reading "Understanding Subnetting," Part 1 and Part 2.) Then break this large block into smaller subnets, as ISPs do, to optimize routing. Adding this small bit of hierarchy in your addresses comes in handy when you are eyeballing traffic or log reports: "every 172.16/16 host is in New York; every 172.17/16 host is in Cleveland; every 172.17.100/24 host is in the Cleveland accounting department," and so on.

Sizing up your private addressing needs

How large or small an address space should you use for your trusted network? The /24 or Class C subnet mask is also a default setting on most SMB routers and firewalls. This mask specifies a 24-bit network number and allows assignment of up to 254 possible hosts. You can apply this /24 mask to any of the RFC 1918 private address ranges: whether you use 192.168.0.0/24, 172.16.39.0/24 or 10.11.12.0/24, you still get the same number of hosts. You can, of course, use other subnet masks, so what guideline should you apply when deciding how large a subnet you need for your trusted network?

My short answer is, "More than enough to assure that you never have to modify your subnet mask or re-number your initial trusted network." RFC 1918 addresses are never used in the public Internet. You don't have to consult an ISP or Internet Registry or pay a fee to use them. You can use as many as you like and carve them into subnets as small or large as you require. Use all you need and then some! If your trusted network has only 10 hosts, you don't have to break out a subnet calculator and whittle your 192.168.0 network to a /28. Chances are your network will grow. For your small office network, start with /24 (254 possible hosts in a single subnet) and if you have any doubts, err on the side of "large."
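To show how the hierarchical plan from the previous section and the sizing advice above hold together in practice, here is a Python script added to this article (it is not the article's own material or WatchGuard's code). It checks a multi-site plan against the RFC 1918 table, flags two sites that share the same block (the VPN address clash described above), reports usable host counts for the /24 and /28 masks discussed here, and maps an address seen in a log line back to its site and department. It goes slightly beyond the text by detecting the overlap automatically. Only the 172.16/16 (New York), 172.17/16 (Cleveland) and 172.17.100/24 (Cleveland accounting) assignments come from the article; the other subnets, the department names and the "default clash" plan are constructed for the example.

```python
# Added example: hierarchical RFC 1918 address plan checker.
# Not from the WatchGuard article; site/department names are constructed.
import ipaddress

# The three RFC 1918 blocks from the table above.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Sample plan: one /16 per site, /24s per department. 172.16/16 (New York),
# 172.17/16 (Cleveland) and 172.17.100/24 (Cleveland accounting) follow the
# article; the other subnets and names are constructed for the example.
PLAN = {
    "New York": {
        "block": "172.16.0.0/16",
        "subnets": {"office": "172.16.11.0/24", "servers": "172.16.13.0/24"},
    },
    "Cleveland": {
        "block": "172.17.0.0/16",
        "subnets": {"office": "172.17.11.0/24", "accounting": "172.17.100.0/24"},
    },
}

# The mistake the article warns about: two sites both keep the factory
# default network, so a site-to-site VPN ends up with duplicate host addresses.
DEFAULT_CLASH = {
    "Site A": {"block": "192.168.0.0/24", "subnets": {"lan": "192.168.0.0/24"}},
    "Site B": {"block": "192.168.0.0/24", "subnets": {"lan": "192.168.0.0/24"}},
}


def is_rfc1918(net):
    """True if the whole network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def usable_hosts(net):
    """Assignable host addresses: all addresses minus network and broadcast."""
    net = ipaddress.ip_network(net, strict=False)
    return max(net.num_addresses - 2, 0)


def check_plan(plan):
    """Return a list of problems (an empty list means the plan is sound)."""
    problems = []
    blocks = {site: ipaddress.ip_network(d["block"]) for site, d in plan.items()}
    for site, block in blocks.items():
        if not is_rfc1918(block):
            problems.append(f"{site}: {block} is not RFC 1918 space")
        for dept, sub in plan[site]["subnets"].items():
            sub = ipaddress.ip_network(sub)
            if not sub.subnet_of(block):
                problems.append(f"{site}/{dept}: {sub} lies outside {block}")
    names = sorted(blocks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if blocks[a].overlaps(blocks[b]):
                problems.append(f"{a} and {b} overlap ({blocks[a]} vs {blocks[b]}): "
                                "hosts would clash across a site-to-site VPN")
    return problems


def locate(addr, plan):
    """Map an address from a log line to (site, department). The department
    is None if the address is in a site block but in no department subnet;
    the result is None if the address is outside the plan altogether."""
    ip = ipaddress.ip_address(addr)
    for site, d in plan.items():
        if ip in ipaddress.ip_network(d["block"]):
            for dept, sub in d["subnets"].items():
                if ip in ipaddress.ip_network(sub):
                    return (site, dept)
            return (site, None)
    return None


if __name__ == "__main__":
    print("plan problems:", check_plan(PLAN) or "none")
    print("default-clash problems:", check_plan(DEFAULT_CLASH))
    for cidr in ("192.168.0.0/24", "192.168.0.0/28", "172.16.0.0/16"):
        print(cidr, "->", usable_hosts(cidr), "usable hosts")
    print("172.17.100.42 is in", locate("172.17.100.42", PLAN))
```

Run it before rolling out a second site: an empty list from check_plan means every block is private, every department subnet sits inside its site block, and no two sites overlap; locate is the "eyeballing log reports" step done by the machine.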

Growth and network segmentation, or, when to subnet

Following my recommendation, you won't have to change addresses because you ran out of room. Instead, let performance, administration, or security policy dictate when you need to change or add addresses. Many small business trusted networks begin as a single, shared medium Ethernet. When you begin to see lots of collisions, packet loss, and increased delay, you may decide to use switched Ethernet and keep a single or flat LAN topology. I think this is often a temporary fix, but it will allow you to keep your simple IP addressing plan "as is."

You may, however, want to break your trusted network into subnets: multiple physical segments using a switch or router. If you choose to route at the IP level, you'll need a unique IP network and subnet mask for each segment you create. Figure 1 shows one way to address and define subnet masks when you segment a network. The original trusted network is denoted by 172.16.11/24: neither addressing nor subnet masking is changed. Addresses from 172.16.12/24 are assigned to a new segment.

A router is added to perform routing and forwarding between the old and new subnets (Trusted Network 1 and 2, respectively). In simple networks, use static routes. Failing to add these routes is the most common configuration error when segmenting networks.

Begin at the SOHO1. You've added Trusted Network 2, so you must tell the SOHO1 how to route traffic to that network, through the router. Let's assume that the SOHO1's trusted interface address is 172.16.11.1 and that the router's interface address on Trusted Network 1 is 172.16.11.254. Configure a static route at the SOHO1 to indicate, "To deliver packets to IP network 172.16.12/24, forward them to IP address 172.16.11.254."

By design, routers know how to forward traffic to directly connected networks, so our router knows how to forward packets between Trusted Networks 1 and 2. The next step is to tell the router how to route traffic to other destinations, including Internet hosts. Configure a static route at the router to indicate, "To deliver packets to all IP networks other than your directly connected networks, forward them to IP address 172.16.11.1."

Factors other than growth

Growing businesses often organize into departments or units. Some departments handle information that is not for general consumption (business plans, research, contracts); others may handle information that must be protected according to regulatory guidelines (e.g., medical records or financial data). If your organization falls into this category, security policies for authentication, access control (authorization), auditing, and accounting influence how you compartmentalize data, and may influence how you segment your trusted network.

In Figure 2, for example, I've separated a network containing regulated data from the rest of a small business's internal network using an interdepartmental firewall. Some businesses move all their servers into a separate and protected subnet or server farm and use this internal firewall as a policy enforcement point. From an IP addressing perspective, Trusted Network 3 in Figure 2 is just another subnet.

SOHO2 plays two roles in this scenario: router and server farm firewall. Always get the routing to work before you implement the security policy at (interdepartmental) firewalls. In this case, we'll add static routes at SOHO1, SOHO2, and the router so that they each have a complete forwarding table. SOHO1 and the router have the same IP addresses as in Figure 1, and we'll use 172.16.11.253 for SOHO2's external interface. Add the following routes:

At SOHO1:

  • "To deliver packets to IP network 172.16.12/24, forward them to IP address 172.16.11.254".
  • "To deliver packets to IP network 172.16.13/24, forward them to IP address 172.16.11.253".

At router:

  • "To deliver packets to IP network 172.16.13/24, forward them to IP address 172.16.11.253".
  • "To deliver packets to all IP networks other than your directly connected networks, forward them to IP address 172.16.11.1".

At SOHO2:

  • "To deliver packets to IP network 172.16.12/24, forward them to IP address 172.16.11.254".
  • "To deliver packets to all IP networks other than your directly connected networks, forward them to IP address 172.16.11.1".

Note that SOHO1 is the default gateway for all Internet destinations.

Once you have confirmed you can forward packets between all your subnets and the Internet, use SOHO2 to protect the server farm (Trusted Network 3).
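The two-step routing recipe for Figure 1 and the six routes for Figure 2 are easy to get wrong, and a missing route shows up only as packets quietly leaving toward the default gateway or being dropped. The following Python model, added here and not part of the article or of any WatchGuard product, builds the three forwarding tables of Figure 2 with longest-prefix matching and traces a destination hop by hop, so the tables can be checked on paper before they are typed into the SOHO6 units and the router. It also builds the same topology without the static routes to show what the "most common configuration error" looks like. Assumptions not given in the article: the router's address on Trusted Network 2 is 172.16.12.1, SOHO2's address on Trusted Network 3 is 172.16.13.1, and SOHO1's external address and the ISP's next hop are constructed from the RFC 5737 documentation range 203.0.113.0/24.

```python
# Added example: a Python model of the forwarding tables in Figures 1 and 2.
# Not the article's or WatchGuard's code; see the lead-in for assumptions.
import ipaddress


class Node:
    """A router or firewall with interface addresses and a static route table."""

    def __init__(self, name, interfaces):
        self.name = name
        self.addrs = set()
        # (network, next_hop); next_hop None means directly connected.
        self.table = []
        for cidr in interfaces:
            iface = ipaddress.ip_interface(cidr)
            self.addrs.add(iface.ip)
            self.table.append((iface.network, None))

    def add_route(self, network, next_hop):
        self.table.append((ipaddress.ip_network(network),
                           ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None."""
        dst = ipaddress.ip_address(dst)
        matches = [(n, h) for n, h in self.table if dst in n]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def trace(start, dst, nodes, max_hops=8):
    """Follow next hops from `start` toward `dst`. Returns the node names
    visited followed by 'delivered' (destination on a connected segment),
    'internet' (handed to a next hop outside the model, i.e. the ISP),
    'no-route' (no table entry matches) or 'loop'."""
    by_addr = {a: n for n in nodes for a in n.addrs}
    node, path = start, [start.name]
    for _ in range(max_hops):
        hit = node.lookup(dst)
        if hit is None:
            return path + ["no-route"]
        _, next_hop = hit
        if next_hop is None:
            return path + ["delivered"]
        if next_hop not in by_addr:
            return path + ["internet"]
        node = by_addr[next_hop]
        path.append(node.name)
    return path + ["loop"]


def build_figure2(with_static_routes=True):
    """Figure 2 topology. From the article: SOHO1 172.16.11.1, router
    172.16.11.254, SOHO2 172.16.11.253. Assumed: router 172.16.12.1 on
    Trusted Network 2, SOHO2 172.16.13.1 on Trusted Network 3, and SOHO1's
    external side in the RFC 5737 documentation range 203.0.113.0/24."""
    soho1 = Node("SOHO1", ["172.16.11.1/24", "203.0.113.2/30"])
    router = Node("router", ["172.16.11.254/24", "172.16.12.1/24"])
    soho2 = Node("SOHO2", ["172.16.11.253/24", "172.16.13.1/24"])
    soho1.add_route("0.0.0.0/0", "203.0.113.1")   # ISP next hop (constructed)
    if with_static_routes:
        # The six routes listed in the article.
        soho1.add_route("172.16.12.0/24", "172.16.11.254")
        soho1.add_route("172.16.13.0/24", "172.16.11.253")
        router.add_route("172.16.13.0/24", "172.16.11.253")
        router.add_route("0.0.0.0/0", "172.16.11.1")
        soho2.add_route("172.16.12.0/24", "172.16.11.254")
        soho2.add_route("0.0.0.0/0", "172.16.11.1")
    return soho1, router, soho2


if __name__ == "__main__":
    for routed in (True, False):
        soho1, router, soho2 = build_figure2(routed)
        nodes = [soho1, router, soho2]
        print("static routes added:", routed)
        print("  SOHO1  -> 172.16.13.9 :", " -> ".join(trace(soho1, "172.16.13.9", nodes)))
        print("  router -> 172.16.13.9 :", " -> ".join(trace(router, "172.16.13.9", nodes)))
        print("  SOHO2  -> 172.16.12.9 :", " -> ".join(trace(soho2, "172.16.12.9", nodes)))
        print("  router -> 198.51.100.7:", " -> ".join(trace(router, "198.51.100.7", nodes)))
```

With the routes in place every internal destination ends in "delivered" and only true Internet destinations end in "internet". Without them, SOHO1 sends Trusted Network 2 traffic out the external interface and the router has no entry at all for Trusted Network 3, which is exactly what you see when the static routes are forgotten.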

What's best for me?

These scenarios illustrate basic IP addressing and subnetting principles and practices. They are clearly not an exhaustive set, but should give you some insight into how other businesses plan and grow their SMB networks.

Many SMBs will run fine as one big happy subnet. The designs illustrated here may better satisfy some SMB performance and security requirements. These designs, and variations to these "themes," present new public and private IP addressing and subnetting considerations. Remember that when using private addresses, you have considerable addressing resources at your disposal. Apply them intelligently and generously, plan for unprecedented growth, and you can find a plan that works and scales for as long as you continue to use IP addresses.

Resources

Foundations: Understanding IP Addresses and Binary

Understanding Subnetting (Part 1)

Understanding Subnetting (Part 2)


Copyright© 2004, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.



Copyright © 1996 - 2004 WatchGuard Technologies, Inc. All rights reserved.