Change IP range, provide NAT for some old addresses. How?
I currently have a small IP range (192.168.100.0/24) that I need to expand. I was planning to use 172.16.0.0/23, doubling my address space (which should be adequate for my network).
We have a VPN connection to our local council, and they have firewall rules for certain IPs in our existing (192) range. Upon approaching them regarding changing the configuration in favour of the new range I'd like to use, I've been told the 172 addresses I'm planning to use are already in use on their internal system, and I should NAT the required addresses back to their original 192 flavour, to avoid requiring any system changes to the VPN setup.
Given that my experience of NAT goes no further than my router at home (I do know what it is and what it is for), how might I go about achieving this?
(The router that maintains the VPN connection is a Draytek Vigor 2820 and a Windows server runs my DHCP.)
Please, no suggestions of "just change your new IP range to something the council don't use". I get the distinct impression they're in no rush to change the configuration of the VPN and thoroughly intend this is all handled at my end of the tunnel. It is my intention to be prepared if this is the case.
Fortunately, the county council have been able to make suitable NAT alterations to their equipment, so I don't have to do anything special at my end, other than make sure all the devices that are to connect over the VPN to their network have IPs in the first 172.16.0.x block. So that's DHCP reservations for the 25 machines that need them, then. Done.
It turned out there was no way I could have done this in-house without having another router or gateway in place to NAT all my traffic back to 192 addresses before it left the building. All I needed to do was switch off and think about it again the next morning and it all suddenly became so clear!
The way it's been done (yesterday, using the above-mentioned 172 range) required just as much work to implement and still required the local council to change their NAT settings. So would a class A range.
Yeah, we have a limitation of 254 clients that can use the VPN tunnel, but in all seriousness, we only need 20 and I would imagine the council are better off using the smaller subnet anyway. If I'd used a class A range, the same situation could occur further down the line for someone else, because I'm using a bigger range than is required for my needs.
Anyway, it's done now, and after a lot of fallout this morning that I didn't expect, everything is working.
I'm quite pleased with myself, considering all the roadblocks that got in my way when changing my internal IP range: Broken VMware hosts, unmountable NFS shares, corrupt VMware machine configurations...
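The 1:1 translation the question asks for (and that the follow-up says would have needed a gateway at the tunnel end) is a NETMAP-style rewrite: keep the host bits, swap the network prefix. The following is an added illustration, not code from the thread or from the Draytek; it assumes the mapped blocks are 172.16.0.0/24 and 192.168.100.0/24, and it also shows why only the first 172.16.0.x half of the /23 can be covered by such a rule.

```python
import ipaddress
from typing import Optional

# Constructed for this example: the new block that may use the VPN and the
# legacy block the council's firewall rules still refer to (both from the thread).
NEW_BLOCK = ipaddress.ip_network("172.16.0.0/24")
LEGACY_BLOCK = ipaddress.ip_network("192.168.100.0/24")


def netmap(addr: str, src: ipaddress.IPv4Network,
           dst: ipaddress.IPv4Network) -> Optional[str]:
    """1:1 network translation: preserve the host part, replace the prefix.

    Returns None when addr is outside src, i.e. the rule would not match and
    the packet would leave the gateway untranslated.
    """
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 translation needs equal-sized blocks")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        return None
    host_bits = int(ip) - int(src.network_address)
    return str(dst.network_address + host_bits)


def outbound(src_ip: str) -> Optional[str]:
    """Source NAT on the tunnel-facing gateway: 172.16.0.x -> 192.168.100.x."""
    return netmap(src_ip, NEW_BLOCK, LEGACY_BLOCK)


def inbound(dst_ip: str) -> Optional[str]:
    """Reverse translation for replies and council-initiated traffic."""
    return netmap(dst_ip, LEGACY_BLOCK, NEW_BLOCK)


if __name__ == "__main__":
    for ip in ("172.16.0.25", "172.16.0.254", "172.16.1.25"):
        print(ip, "->", outbound(ip))
```

Addresses in the 172.16.1.x half of the /23 return None, which is why the devices that need the VPN had to be given reservations in the first 172.16.0.x block.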