NAT address from fully routed block to private subnet

Hi there, I am struggling to wrap my head around this setup:

I have a fully routed /28 block of publics (let’s call it 1.2.3.0/28). I broke a /29 from it and have a DHCP server giving out public addresses to clients (let’s say 1.2.3.0/29). So I have a /29’s worth of addresses left (1.2.3.8/29). I would like to create a private LAN (let’s call it 192.168.100.0/24) and NAT one of the available public addresses to it. So I did the following:
- Added the address 192.168.100.1/24 to my LAN interface
- Ran DHCP Setup to give out .2-.254, with the gateway as .1, and included DNS addresses
- (This is the part where I’m not so sure…) Created a new NAT rule: chain is src-nat, src address is 192.168.100.0/24, action is src-nat, to address: 1.2.3.9

I tried testing this setup with a couple of routers and some private blocks and it appears to work, but I haven’t actually done it on my actual network yet. Is it really that simple? Just one src-nat rule? The one public address that I assigned as the ‘to address’ isn’t even assigned to any interface.

What are the implications of this? I am assuming that I shouldn’t use that one address (1.2.3.9), or any subnet that includes it, for anything else. So I couldn’t use 1.2.3.8/29 without breaking it down further. I should be able to use the /30 of the remaining /29 that doesn’t overlap with that address though, right? (For example, I can do something with 1.2.3.12/30 but not 1.2.3.8/30.) Can I do the same thing with a second LAN and the second address in the same /30 (1.2.3.10)?

Visual subnet breakdown for reference.

Thanks!
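A small Python model, added here as an illustration and not taken from either post, of what the single src-nat rule does once connection tracking is involved, and of which sub-blocks of the remaining /29 stay clear of the NAT address. The remote host 203.0.113.5 and the port numbers are constructed sample values; the public address 1.2.3.9 is, as in the question, assigned to no interface.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SrcNat:
    """Toy model of one 'chain=srcnat action=src-nat to-address=X' rule
    plus the connection-tracking state that undoes it for replies."""

    def __init__(self, src_net, to_address, first_port=1024):
        self.src_net = ipaddress.ip_network(src_net)
        self.to_address = to_address
        self.next_port = first_port
        self.tracked = {}   # (public port, remote ip, remote port) -> (internal ip, internal port)
        self.reverse = {}   # (internal ip, port, remote ip, port) -> public port

    def outbound(self, pkt):
        """LAN -> internet: rewrite the source only if it falls in src_net."""
        if ipaddress.ip_address(pkt.src) not in self.src_net:
            return pkt                      # rule does not match; forwarded untouched
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.reverse:         # new connection: allocate a public port
            self.reverse[key] = self.next_port
            self.tracked[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.to_address, self.reverse[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """internet -> router: only a reply to a tracked connection gets its
        destination rewritten back; an unsolicited packet to 1.2.3.9 has nowhere to go."""
        entry = self.tracked.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != self.to_address or entry is None:
            return None
        return Packet(pkt.src, pkt.sport, entry[0], entry[1])


def usable_subblocks(remaining_block, nat_address, new_prefix):
    """Sub-blocks of the remaining public space that do not contain the NAT address."""
    reserved = ipaddress.ip_address(nat_address)
    return [str(n) for n in ipaddress.ip_network(remaining_block).subnets(new_prefix=new_prefix)
            if reserved not in n]


if __name__ == "__main__":
    nat = SrcNat("192.168.100.0/24", "1.2.3.9")
    out = nat.outbound(Packet("192.168.100.10", 40000, "203.0.113.5", 443))
    back = nat.inbound(Packet("203.0.113.5", 443, "1.2.3.9", out.sport))
    print(out, back, usable_subblocks("1.2.3.8/29", "1.2.3.9", 30))
```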

If you have a routed subnet, you can do all kinds of (dirty) tricks. Every single address from the /28 is (should be) routed to you, and you can use all 16 of them if you want, at least for communication with the outside world.

For example, you could as well use 1.2.3.0 for your srcnat, even though it’s already the network address in the first /29. The outside world won’t mind; it’s a valid public address like any other. The router won’t mind either: srcnat simply changes the source address and doesn’t care what it is. And connection tracking makes sure that when a response comes from the internet to 1.2.3.0, srcnat will be properly undone and the destination will be rewritten to whatever internal address sent the request. The only problem you can cause with this would be for yourself. For example, if you had some servers in 192.168.100.0/24 and you forwarded ports to them from 1.2.3.0, it would work fine from the internet, but not from your other public addresses in the first /29.

If you choose to use 1.2.3.8, then there are still enough ways to use .9-.11. You can use them with NAT too, or you can give them to other devices as single addresses: either route the address(es) to them as /32, use point-to-point addressing, or PPPoE.