10-14-2011, 03:02 PM
Tim

doc question on private network IP allocation

On Fri, 2011-10-14 at 00:59 -0700, Paul Allen Newell wrote:

> A long time ago when I first struggled and figured out how to set up a
> LAN network, I got some advice about how I should alloc the numbers. 1)
> start static address at *.*.*.10, 2) put WAPs at *.*.*.245, and 3) for a
> gateway of 192.168.1.1, assign your router that connects to the 3rd
> party (Verizon) to be 192.168.2.2.
>
> I have never really found documentation to support such, but my network
> behaves nicely so I don't argue.

Out of the various IP ranges [1] that are available for private use,
because they are not, and will not, be used as public IPs on the
internet, there are really only two addresses in each block with special
meanings: The ones that *END* with 0 or 255. You should not try to use
those addresses *for* equipment, they're used for things like broadcasting
(e.g. sending traffic to that IP will be sent to all IPs on the LAN),
and wildcarding (e.g. firewall rules will be applied to all IPs in that
range).

[1] 10.0.0.0 to 10.255.255.255
    169.254.0.0 to 169.254.255.255
    172.16.0.0 to 172.31.255.255
    192.168.0.0 to 192.168.255.255

See http://en.wikipedia.org/wiki/Private_network
and http://en.wikipedia.org/wiki/Link-local_address
for some details about those ranges

It's common practice to use an address ending with 254 for routers and
gateway, but it's purely customary. The address is not treated
differently by any equipment, than any other address. Before home
routers became commonplace, it was customary for the first computer on
the network to be the gateway, and its address usually ended with 1.
It's merely handy for people who might have to type addresses in, to
pick one of the ones at the end of the range, rather than try to
remember which other address was used.

As for how to allocate IPs within a LAN, that's up to you. Some people
have all IPs in the range, that they're using, available for use. Some
people just use a small section of the range. They may let IPs ending
in 1 to 100 be used for dynamic addresses (e.g. DHCP clients), and leave
the rest for static addresses (e.g. network servers). Some people put
clients into the network starting from the 1 end of the range, with
incrementing numbers, and servers into the network from the 254 end of
the range, using decrementing numbers.

If the users aren't doing machine to machine stuff, then they probably
don't care what the IPs are, at all. If they're doing file sharing
between Windows boxes, they're probably going to use machine names, with
SMB handling the IP/name resolution for them. Again, not caring what
the IPs are.

> I am helping my niece set up her network for her apartment / roommates
> and find that I don't want to give her the advice I was given as I can't
> prove its worth. Plus, she and the roommates are all living on wireless
> DHCP and I never dealt with that (translation is the one laptop I do
> have I just let it do its thing and turn a blind eye).
>
> They are all Windows-centric so I am trying to find best practice
> regardless of opSys.

Probably best to let something handle it automatically, if none of them
will be able to manage it for themselves. Which usually means having a
modem/router running all the time, and it handling address allocation.
Most home modem/router devices are set up that way, by default.


--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
10-14-2011, 06:07 PM
Joe Zeff

doc question on private network IP allocation

On 10/14/2011 12:59 AM, Paul Allen Newell wrote:
> Can anyone point me to a website that gives good advice on how one
> should alloc one's local ip addresses?

Unless you need to have static IPs for port forwarding or some other
specific use, just let the DHCP do it and save yourself a lot of
pointless trouble.

10-14-2011, 07:26 PM
Dave Ihnat

doc question on private network IP allocation

On Sat, Oct 15, 2011 at 01:32:47AM +1030, Tim wrote:
> Out of the various IP ranges [1] that are available for private use,
> because they are not, and will not, be used as public IPs on the
> internet, ...

Very specifically, look up RFC1918, where these ranges were defined.

> It's common practice to use an address ending with 254 for routers and
> gateway, but it's purely customary.

Actually, in my experience it's much more customary to use the .1 address as
the main gateway in the network, especially for Class 'C' networks. I
really only started seeing .254 when some of the manufacturers of retail
router/firewalls picked it. But, as you say, it's a matter of convention.
Probably the most important item to pick up on is to put the main gateway
at one end or the other of the subnet address range.

> As for how to allocate IPs within a LAN, that's up to you. Some people
> have ...

It is extremely useful to have conventions for IP address assignment, since
you, as the administrator, can look at an address and *know* what that
piece of equipment should be, or can *know* where to start assigning static
IP addresses if necessary (e.g., for printers, VOIP phone systems, etc.)

A common convention I've used for (literally) decades now is:

Low addresses: Network Equipment (gateway, routers, terminal servers, etc.)
Next range: Servers
Next range: Printers & end-user equipment w/static addresses
DHCP Range
Top Addresses: VPN addresses, experimental/temporary equipment

Just what these values are depends on how big your subnet is. For
instance, most people use what we called a Class 'C' subnet--netmask is 24
bits (255.255.255.0)--allowing a max of 254 devices; let's use
192.168.100.0 as an example subnet:

192.168.100.0 - Entire Network
192.168.100.1-254 - Usable device range
192.168.100.255 - Broadcast Address

For this small network, a usable convention would be:

192.168.100.1-9 - Network Equipment. Gateway at 192.168.100.1
192.168.100.10-20 - Servers
192.168.100.21-99 - Printers & End-User Equipment w/static addresses
192.168.100.100-199 - DHCP-assigned addresses
192.168.100.200-254 - VPN addresses, experimental/temporary equipment

As a further convention, if you're using a VPN scheme that requires address
assignment, start from 254 and work down; that lets you know that if you
want to temporarily assign ad-hoc static addresses, you can start at 200
and work your way up.

Obviously, you can shift the boundaries to meet your local needs; and if
any of these ranges are too small, you can pick one of the Class 'A' or
Class 'B' (yeah, I know, old terms) address/netmask combinations.

Cheers,
--
Dave Ihnat
dihnat@dminet.com
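
The allocation convention described in the post above, as an added example that is not part of the original thread: a small Python audit that maps an address to the role the 192.168.100.0/24 plan gives it and flags inventory entries that do not match. The role labels and the sample inventory are constructed for illustration; the network and broadcast addresses are derived from the prefix with the standard `ipaddress` module rather than from the last octet, so the check also holds for subnets that are not /24.

```python
import ipaddress

# The example plan from the post: (first host offset, last host offset, role).
# Role labels are names chosen for this example.
NET = ipaddress.ip_network("192.168.100.0/24")
PLAN = [
    (1, 9, "network-equipment"),
    (10, 20, "server"),
    (21, 99, "static-end-user"),
    (100, 199, "dhcp"),
    (200, 254, "vpn-or-temporary"),
]

def role_for(addr, net=NET, plan=PLAN):
    """Return the role the plan gives an address, or why it is not usable."""
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside-subnet"
    if ip == net.network_address:
        return "network-address"
    if ip == net.broadcast_address:
        return "broadcast-address"
    offset = int(ip) - int(net.network_address)
    for first, last, role in plan:
        if first <= offset <= last:
            return role
    return "unassigned"

def audit(inventory, net=NET, plan=PLAN):
    """Return (address, declared role, role per plan) for every mismatch."""
    findings = []
    for addr, declared in inventory:
        expected = role_for(addr, net, plan)
        if expected != declared:
            findings.append((addr, declared, expected))
    return findings

# Constructed sample inventory (not from the thread).
SAMPLE = [
    ("192.168.100.1", "network-equipment"),  # gateway, as in the plan
    ("192.168.100.15", "server"),
    ("192.168.100.150", "static-end-user"),  # static device inside the DHCP pool
    ("192.168.100.255", "server"),           # broadcast address given to a host
    ("192.168.101.7", "dhcp"),               # address from a different subnet
]

if __name__ == "__main__":
    for addr, declared, expected in audit(SAMPLE):
        print(f"{addr}: declared {declared}, plan says {expected}")
```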

10-15-2011, 01:06 AM
Paul Allen Newell

doc question on private network IP allocation

Tim, Joe, and Dave:

Thanks for the email replies. The take I come away with from your three
emails is 1) assume *.0 and *.255 are reserved, 2) there is no standard,
just personal conventions -- and that a group using a router should have
a convention, and 3) let DHCP handle it if possible. If I missed
something, please flag me about it.

Sounds good to me and will pass that advice along.

The important thing to me is that they are on WPA2 and have both a rich
key and admin password. All I have to do is convince them to do MAC
access filter list and I'll be happy.

Best,
Paul

10-15-2011, 01:29 AM
Dave Ihnat

doc question on private network IP allocation

On Fri, Oct 14, 2011 at 06:06:38PM -0700, Paul Allen Newell wrote:
> Thanks for the email replies.

Thanks, always try to help.

> The take I come away with from your three
> emails is:
> 1) assume *.0 and *.255 are reserved,

Not just reserved--absolutely committed to their definition.

> 2) there is no standard, just personal conventions -- ...

Pretty much, yes.

> ...and that a group using a router should have a convention,

Well--the router address isn't just convention; if everyone doesn't use the
assigned address, it won't work.

If you're talking about whether any organization, or even a private network, should
have an addressing convention, I'd say yes, definitely.

> and 3) let DHCP handle it if possible.

That's definitely true for dynamically assigned devices--generally,
workstations.

> The important thing to me is that they are on WPA2 and have both a rich
> key and admin password.

Now that's a totally different can'o'worms--you're talking wireless
requirements, which is layered on top of the network conventions.

> All I have to do is convince them to do MAC access filter list and
> I'll be happy.

There's some disagreement on this issue--essentially, just how useful are
MAC access filters? Given that the MAC addresses can be sussed out by
sniffers, and it's trivial to assign arbitrary MAC addresses on most, if
not all, wireless devices, there are those--myself included--that think
it's a bit of security by obfuscation. Others argue that even that makes
the crackers' lives a bit harder, so it's worth it.

I suppose it depends on the size of your organization. For a home network,
or a small business network with few wireless users, it can't hurt and may
help a bit to use MAC access filters. For any organization that has a
significant wireless population, the administrative headaches will probably
quickly outweigh any advantage MAC filtering offers. This is definitely
$0.02, YMMV territory.

Cheers,
--
Dave Ihnat
dihnat@dminet.com

10-15-2011, 06:29 AM
Paul Allen Newell

doc question on private network IP allocation

Dave:

inline comments ....

On 10/14/2011 06:29 PM, Dave Ihnat wrote:
>
>> The important thing to me is that they are on WPA2 and have both a rich
>> key and admin password.
> Now that's a totally different can'o'worms--you're talking wireless
> requirements, which is layered on top of the network conventions.

Yes, totally different can ... but in the case of these 20 year olds,
the fact that they are aware of such without my having to say anything
is far more important than how they dice up their network's ips.

>> All I have to do is convince them to do MAC access filter list and
>> I'll be happy.
> There's some disagreement on this issue--essentially, just how useful are
> MAC access filters?

Yeah, I already have read enough to understand this. My take for them is
it's the principle of the matter in which any place they can "do
something" is good until they are educated enough to decide what is big
gain versus small gain.

I use it on my network on the grounds that I have yet to read that using
it will make it easier for hackers, even if it is only two cents of YMMV.

I'm looking forward to going back home to deal with my issues from prior
posts (smile)

Thanks,
Paul

10-15-2011, 11:11 AM
Tim

doc question on private network IP allocation

On Fri, 2011-10-14 at 18:06 -0700, Paul Allen Newell wrote:
> All I have to do is convince them to do MAC access filter list and
> I'll be happy.

MAC filtering is utterly pointless. It *cannot* stop someone who wants
to connect, it's completely impossible, because they can easily change
their MAC to be the same as one that you've already allowed. There is
just no way for it to be able to enforce what you think it will do.

MAC filtering can cause users a lot of grief, because they expect to be
able to connect and only have to supply a password. So, if they bring
in another computer, they don't understand why they can't connect, and
they're faced with having to reconfigure a device that they don't
understand. In the meantime, they'll probably do a factory reset on the
router, trying to resolve the problem, and end up turning off *all*
security (the default settings of most home modem/routers; and it's
commonly the default action of a clueless user trying to allow
something, to go ahead and allow everything, and leave it that way).

Broken networking does not equal more secure networking. And it's a
trivial matter for someone only slightly clueful to configure their
computer to connect to a network (i.e. an untrustworthy person), there
are hacking tools designed for the idiot hacker to play with. It may
not be a trivial matter for someone who just doesn't understand anything
to do with networking (i.e. the normal users of the network) to figure
out what to do with it, who aren't going to try to research how to hack
their network.

It's a waste of time to set up a MAC filter, and it's a further waste of
time to have to fiddle with things to let a new computer connect up.

The only use I'll make of the MAC addresses is for programming a DHCP
server, so that particular computers always get given the same IPs. It
makes various networking things, particularly Windows SMB, much easier
to cope with when their IPs are always the same.


10-15-2011, 03:14 PM
Greg Woods

doc question on private network IP allocation

On Sat, 2011-10-15 at 21:41 +1030, Tim wrote:

> MAC filtering is utterly pointless.

We use it on *wired* networks, primarily to prevent visitors whose
laptops have not been properly vetted (and may be crawling with malware)
from connecting to our internal network. It is not expected to keep out
serious bad guys. Like most security measures, the effectiveness is
measured against what you are trying to accomplish, not against whether
it succeeds in giving you unbreakable security.

--Greg


10-15-2011, 03:58 PM
Paul Allen Newell

doc question on private network IP allocation

On 10/15/2011 04:11 AM, Tim wrote:
> On Fri, 2011-10-14 at 18:06 -0700, Paul Allen Newell wrote:
>> All I have to do is convince them to do MAC access filter list and
>> I'll be happy.
> MAC filtering is utterly pointless. [...]

Tim:

Thanks for the comments. I have let my niece and roommates know about
the arguments for and against MAC filtering.

Paul



10-15-2011, 04:02 PM
Paul Allen Newell

doc question on private network IP allocation

On 10/15/2011 08:14 AM, Greg Woods wrote:
> On Sat, 2011-10-15 at 21:41 +1030, Tim wrote:
>
>> MAC filtering is utterly pointless.
> We use it on *wired* networks, primarily to prevent visitors whose
> laptops have not been properly vetted (and may be crawling with malware)
> from connecting to our internal network. It is not expected to keep out
> serious bad guys. Like most security measures, the effectiveness is
> measured against what you are trying to accomplish, not against whether
> it succeeds in giving you unbreakable security.
>
> --Greg
>

Greg:

Awhile back I looked around to see if I could find any information about
whether MAC address filtering could be set up for wired on a "home
router" (as in Linksys or Netgear). I didn't see anything and assumed
that it was only for wireless.

In your usage, is it through the router(s) that you enforce wired MAC
access?

Not certain if I want to deal with it on a home network, but I am curious.

Thanks,
Paul
