Addressing

From securityrouter.org, an OpenBSD-based firewall

This article deals primarily with IP addressing, a fundamental yet important matter. A network device, such as a computer or router, usually has one or more IP addresses assigned to its network interfaces. An interface can be physical (the most common case) or logical, as is the case when, for example, creating a VLAN. Below are some important facts and constraints regarding IP addressing:

  • Addresses affect the routing table, which results in several constraints:
    • The netmask/prefix length needs to be specified together with an address, in order to define how large the directly reachable (layer 2, normally Ethernet) network is, and on which interface it is reached.
    • As a consequence of the previous statement, the same IP address or subnet should not be assigned to two different interfaces, because the routing would be ambiguous (unless the interfaces are in different routing domains or have clearly defined priorities).
    • Similarly, when several IP addresses are defined in the same subnet/prefix, all addresses (aliases) except one (the primary) should be specified with an all-ones mask (/32).
    • One special case regarding the previous two statements is that the same subnet/prefix can be used on both an address redundancy (CARP) interface and a physical interface, preferably with the address on the CARP interface being the alias (all-ones mask).
  • We almost exclusively use the CIDR notation; an IP address of 192.168.0.1 on a class C network (netmask 255.255.255.0) is specified as 192.168.0.1/24. Some pages in the web administration have a toolbox which can be used for netmask to CIDR conversion.

Examples

These examples mainly describe the configuration file format, because it is simpler to document in text. Please note that the groups used in these examples have nothing to do with addressing; they are merely used to describe the function of the interface, as is normally done in a real installation. There is a separate article dealing with addressing on routing domains.

Specifying that the second physical interface (em1), used as the LAN, should have an IP address of 192.168.0.1 with netmask 255.255.255.0 could be done with:

interface em1 {
   group "lan"
   address 192.168.0.1/24
}

Creating a logical VLAN interface with tag 100 on the physical interface em2, with an IPv6 address, could be done with:

interface em2 {
   interface vlan100 {
       address 2a01:2b0:3030:1337::da7a/64
   }
}

Using three addresses (one primary and two aliases) on the physical WAN interface em0:

interface em0 {
   group "wan"
   address 212.37.18.193/27
   address 212.37.18.194/32
   address 212.37.18.195/32
}

Using address redundancy (CARP) on an interface, with an extra non-redundant address in the same subnet (note the different prefixes):

interface em0 {
   address 192.168.1.2/24
   interface carp0 {
      address 192.168.1.1/32
   }
}
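The constraints listed at the top of this article (no subnet on two unrelated interfaces, aliases in an already-claimed prefix carry an all-ones mask, CARP plus physical in one subnet is allowed but the CARP address should be the alias) can be checked mechanically against a configuration written in the format used in the examples above. The following is an added example and not part of this article's software; the nested-block parser, the warning wording and the sample configuration are constructed here, and the sample deliberately contains two violations.

```python
import ipaddress
import re

SAMPLE_CONFIG = """interface em0 {
   address 212.37.18.193/27
   address 212.37.18.195/24
}
interface em1 {
   address 192.168.1.2/24
   interface carp0 {
      address 192.168.1.1/32
   }
}
interface em2 {
   address 192.168.1.3/24
}
"""  # constructed sample in the page's format (not a real installation); holds two violations

def to_cidr(address, netmask):
    """Netmask to CIDR, e.g. ('192.168.0.1', '255.255.255.0') -> '192.168.0.1/24'."""
    return ipaddress.ip_interface(f"{address}/{netmask}").with_prefixlen

def parse_addresses(text):
    """Return (interface, ip_interface) pairs; nesting attributes carp0's address to carp0."""
    stack, found = [], []
    for line in map(str.strip, text.splitlines()):
        opened = re.match(r"interface\s+(\S+)\s*\{$", line)
        if opened:
            stack.append(opened.group(1))
        elif line == "}":
            stack.pop()
        elif line.startswith("address "):
            found.append((stack[-1], ipaddress.ip_interface(line.split()[1])))
    return found

def check_addressing(text):
    """Apply the page's constraints; one warning string per violation."""
    warnings, claimed = [], []  # claimed: (network, interface) for every non-all-ones address
    for ifname, addr in parse_addresses(text):
        if addr.network.prefixlen == addr.max_prefixlen:
            continue  # all-ones mask: an alias that claims no network, always fine
        for net, owner in ((n, o) for n, o in claimed if n.overlaps(addr.network)):
            if owner == ifname:  # several addresses in one prefix on one interface
                warnings.append(f"{ifname}: {addr} overlaps {net}; alias should be /{addr.max_prefixlen}")
            elif ifname.startswith("carp") or owner.startswith("carp"):  # CARP + physical is allowed
                warnings.append(f"{ifname}: CARP side of {net} should carry the /{addr.max_prefixlen} alias")
            else:  # same subnet on two unrelated interfaces: ambiguous routing
                warnings.append(f"{ifname}: {addr.network} already assigned to {owner}")
        claimed.append((addr.network, ifname))
    return warnings
```

Run `check_addressing(SAMPLE_CONFIG)` to see the two warnings; the CARP example from this article passes cleanly because its carp0 address carries the all-ones mask.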