
Settle a bet! 3

Status
Not open for further replies.

artbbs

Programmer
Mar 31, 2007
6
US
My friend & I disagree and a simple answer to the following will settle it:

Can an INFINITE number of additional computers gain access to the internet by chaining routers behind a cable modem (given that the computers on different subnets don't need to see each other)?

For example if you connect a router to a cable modem that creates a class A subnet (providing about 16 million unique IP addresses for computers), can you connect a router at each of those 16 million addresses to create about 16 million more subnets?
 
I don't think this will work.

I believe if you set up your scenario as described, you will have routers assigned addresses from 0.0.0.1 to 254.254.254.223.

I think if a computer behind any router tries to browse to Google at say, 216.200.25.100, it will find that address belongs to one of the other routers and direct the traffic to one of those and go nowhere.

I also think that any router or switch that tries to remember 16 million MAC addresses in its ARP and/or routing table will soon shut down from overload.
 
are you sure about that? The netmask would be 255.0.0.0 and I believe the first octet of all ip's assigned would be 10 (10.x.x.x). And if another router is connected then all of those ip's assigned would also start with 10, right?
 
Not working as both sides of the router have the same network (10.x.x.x), so the router does not forward packets.
 
No I'm not sure about that at all, I answered your ponderance on Sunday afternoon while drinking a bloody mary...

I guess you are correct about the addressing following the first octet which would remain 10.xxx.xxx.xxx

I still stand behind my router and switch overload though, of course there is still the factor of the Bloody Marys...
 
I agree with the router overload issue, but all I really needed to know is if the same ip address can exist on more than one computer on separate subnets behind a cable modem, and both be able to access the internet. So the answer is no?
 
Theoretically I think it would probably work. I cannot, off the top of my head, see why it would not.

Theoretically, of course.
 
I think it works. I think you could even re-use subnets in different layers since you'd only be dealing with default routes and connected neighbors.
 
I don't know about an INFINITE number of routers, but a couple of them I think would work. I have 2 old routers at home that I will test this on and see if it works.

My gut says to me that it will NOT work though. I think that the 2nd router in the chain would end up confused because the subnet information would be the same for the LAN side and the WAN side.

I'll let you know what happens from the test though.
 
first things first, infinite will not work (the energy of the sun would not be enough to power them all, even the energy of the universe would not be enough ;-)

Yes you could do it, but it will not work.

Your solution is only pushing the problem further away, but you are not really dealing with it. The actual problem is that if the addresses are not unique, routing will not work.

Someone a while ago, predicted addresses were going to become scarce so they tried to find a solution to push the problem away. They came up with what we now call public (192.168.x.x , 172.16-32.x.x, 10.x.x.x) and private address ranges. They said, well let us *NOT* route the public ranges on the Internet. But this makes them useless! Yes, in order to "win" some addresses, let's first lose some!

In fact, how many addresses are there? 2^32 =~ 4,2 billion

And how many do we lose by not routing the public ones on the Internet?
That would be: 2^16+16*2^16+2^24=~18 million (around 0.5% of complete address space)

But when we use NAT routers, we can have 18 million addresses behind every private address! That makes 4,2 billion * 18 million addresses in total.
You see by using this method we have won, many, many addresses, but unfortunately, still far from infinite ;-)
As far as I can tell, this is the (first) theoretical maximum you will be able to use but keep on reading ...

So why would this be the maximum?
Well, the first problem was/is: in an address space, we can only route if every address is used just once.
The solution was to divide the address space in two *SMALLER* ones, the public space and the private space and make sure that we only use the private addresses just once on the Internet. So now we have no more routing problem on the Internet, but we still have to make routing work inside every public address space!

Let's look at what happens behind every cable modem with connected NAT router?

Well, in this smaller address space of 18 million addresses, the original problem has remained the same: i.e. in order for routing to work, you can only use every address once...

Let's try the old Roman principle of divide and conquer again! If we divide the public address space in two *SMALLER* ones again, a public one (again let's take 0.5% of addresses) and a private one (with the remaining 99.5%). Let's call these public/public and public/private (to show we are one level below the Internet). We can now use an extra level of NAT routers (NAT-L2), just as we did on the Internet level (L1) but then smaller. Let's NOT route the public/public addresses in the Public space and use public/private addresses only once.
This is the same thing as we did before but on a smaller scale!
So we already have more possible addresses than the first theoretical maximum described above!
So let's continue this indefinitely, we'll end up with infinite IPs, right? Well No :-(

If you are still with me, you notice that with every iteration, the number of public addresses goes down!
NAT-L3 would have public/public/public(0,5%) and public/public/private (99,5%) and so on and so on.
In a way you are always repeating the same trick, but your address space becomes smaller and smaller (the theoretical maximum at this stage is still going up!) ...
However, at your last iteration, you will end up with less than one address in the public/public/.../.../public space and there it will end (because 1/2 an IP address is of no use)

And there you have it, for me, it will not work!

I hope at least someone agrees with my theory, as it took a while to write it all down!

CU
G.
 
gdvissch, hats off for an excellent response!

Really I am not concerned with whether the number of extra computers possible is actually INFINITE...

Rather, I just wanted to establish whether it is possible to significantly exceed the ~18 million extra assignable ip addresses behind a single public (er, "private" in your terminology) ip address assigned by my ISP, by chaining routers.

So do I understand correctly that the answer is yes, I CAN? If 2 computers can have the same private ip address (e.g. 192.168.x.x) then I assume the answer is yes?
 
I will answer your question later today but for now sorry for the mix-up, you are absolutely right: public is routable, private is not (I keep making the same mistake). From RFC 1918:

<rfc>
Category 1:
hosts that do not require access to hosts in other enterprises or the Internet at large; hosts within this category may use IP addresses that are unambiguous within an enterprise, but may be ambiguous between enterprises.

Category 2:
hosts that need access to a limited set of outside services (e.g., E-mail, FTP, netnews, remote login) which can be handled by mediating gateways (e.g., application layer gateways). For many hosts in this category an unrestricted external access (provided via IP connectivity) may be unnecessary and even undesirable for privacy/security reasons. Just like hosts within the first category, such hosts may use IP addresses that are unambiguous within an enterprise, but may be ambiguous between enterprises.

Category 3:
hosts that need network layer access outside the enterprise (provided via IP connectivity); hosts in the last category require IP addresses that are globally unambiguous.

We will refer to the hosts in the first and second categories as "private". We will refer to the hosts in the third category as "public".
</rfc>


 
Some figures:
4.200.000.000 =~ total addresses 2^32
17.997.000 =~ private addresses (sum of the 3 ranges)
4.182.003.000 =~ public addresses (=total - private)

With one level of NAT we could have:
public addresses x private addresses
4.182.003.000 x 17.997.000 = 7,5E+16

This will work because:
no routing issue on Internet (unique public addresses)
no routing issue inside every "enterprise networks" as in each one of them every private address is used only once. Inside one enterprise you need to make sure you can route traffic to and from the gateway. For traffic between both "worlds" the gateway will do address translation. For this to work, you will need to set up routing protocols inside every enterprise (18 million hosts, that's a big network which I guess you can't handle with static routing!)

Using our nifty little technique we extended the number of possible hosts on the Internet from 4,2 billion to 7,5E+16
without routing problems

Every network admin in every enterprise, has to manage routing inside his/her network. Looking at the previous example of turning 4,2 billion in much more, why not do the same?
In fact nobody on the Internet sees what I'm doing internally, as long as when my gateway sends a packet to the Internet it uses a public address, valid/unique on the Internet. Also there is no collision possible between public and private addresses as they are mutually exclusive subsets of the complete address space.

If I decide to manage my enterprise network as is done on a bigger scale for the Internet I could take 0,5% of the address space and call them public (not routable).
Let's use 192.168.x.x as my new "private" addresses (2^16/18 million = 0,36% but that's close enough)...
The other two ranges (10.x.x.x and 172.16-32.x.x) become the new "public" addresses in my enterprise.

Out of my 18 million I use (18 million - 65000) directly and 65000 behind every L2 NAT router. I have now extended my 18 million to (18 000 000 - 65 000) x 65 000 = 1.165.775.000.000 !!!

etc... etc...

Starting from 32-bit addresses and always taking +/- 0,5% we find (approximately):
4.200.000.000
18.000.000 L1
65.000 L2
450 L3
2,25 L4
0,01 L5

But looking at the previous table you see we need to stop at L3 as for L4 only 2 hosts are possible behind the router, which would be needed as network and broadcast address anyway... (Which I did not discuss before, but it has no impact on the global reasoning, it only means that we lose some extra addresses from every space for management reasons...)

Do you think this will convince your buddy?
CU
G.
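The arithmetic in the post above, redone as an added example (my own script, not something from the thread or from any of its posters). The RFC 1918 ranges are the real ones; the 0.5% share carved off at each level and the "at least four addresses" cut-off (network, broadcast, gateway, one host) are assumptions standing in for the "+/- 0,5%" and the network/broadcast remark above. Summing the three ranges exactly gives 2^24 + 2^20 + 2^16 = 17,891,328, which is what the earlier formula 2^16 + 16*2^16 + 2^24 evaluates to.

```python
"""Nested-NAT address arithmetic (added example; FRACTION and MIN_USABLE are
assumed values, the RFC 1918 ranges are real)."""
import ipaddress

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
TOTAL = 2 ** 32      # size of the IPv4 address space
FRACTION = 0.005     # assumed share carved off as the next "private" space
MIN_USABLE = 4       # assumed minimum: network, broadcast, gateway, one host


def private_address_count():
    """Exact number of RFC 1918 addresses: 2^24 + 2^20 + 2^16."""
    return sum(n.num_addresses for n in RFC1918)


def public_address_count():
    """Everything that is not RFC 1918 and therefore routable on the Internet."""
    return TOTAL - private_address_count()


def one_level_nat_capacity():
    """Hosts reachable with a single NAT layer: one private space per public address."""
    return public_address_count() * private_address_count()


def nested_nat_levels(space=TOTAL, fraction=FRACTION, min_usable=MIN_USABLE):
    """Sizes of the successively smaller 'private' spaces (L1, L2, ...), stopping
    as soon as the next carve-off is too small to hold even a minimal network."""
    levels = []
    while True:
        nxt = space * fraction
        if nxt < min_usable:
            return levels
        levels.append(nxt)
        space = nxt


def nested_nat_capacity(space=TOTAL, fraction=FRACTION, min_usable=MIN_USABLE):
    """Total hosts when each level uses (space - next) addresses directly and
    hangs a whole next-level network behind each of the 'next' addresses, i.e.
    the post's (18 000 000 - 65 000) x 65 000 step applied recursively."""
    nxt = space * fraction
    if nxt < min_usable:
        return space                      # last level: plain hosts only
    return (space - nxt) * nested_nat_capacity(nxt, fraction, min_usable)


if __name__ == "__main__":
    print("private :", private_address_count())
    print("public  :", public_address_count())
    print("1 level :", f"{one_level_nat_capacity():.3g}")
    print("levels  :", [round(x) for x in nested_nat_levels()])
    print("nested  :", f"{nested_nat_capacity():.3g}")
```

With the assumed 0.5% share the carve-off stops after three levels (about 21 million, 107 thousand and 537 addresses), which matches the post's conclusion that L4 is already too small to be useful; the total grows with each level but stays finite.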
 
Wow! Good info there! Ok let me ask another question for clarification... is it possible to chain networks of the same class... for example to put another class C network (192.168.x.x) behind a class C network? Thanks!
 
I don't see a problem... The next example will work just fine:

Internet
|
|
207.46.225.60 (public address)
RTR1
192.168.1.1
|
192.168.1.x A bunch of PC's here
|
192.168.1.254
RTR2
192.168.2.1
|
192.168.2.x
|
Another bunch of PC's here
There could even be a RTR3 here!


a) This will work if RTR1 does NAT and has a (static) route added defining that in order to reach network 192.168.2.x it needs to forward to RTR2 at 192.168.1.254 (standard routing used internally). In this scenario, RTR2 does NO NAT! (Without this extra route, traffic for 192.168.2.x would be sent to the default route of the router, i.e. the Internet, where it would be dropped at your provider's first router!)

b) When both RTR1 and RTR2 do NAT, you don't even need to add a static route for the second network (192.168.2.x). (RTR2 could even obtain an external address via DHCP (DHCP could be running on RTR1). Traffic originating from a PC in 192.168.2.x would first be NATed to whatever the external address of RTR2 has become (192.168.1.254 in the example), on RTR1 it would be NATed to 207.46.225.60.

If this looks far-fetched, it happens all the time! Where I live, I know some ISPs (not mine fortunately) are doing this to prevent customers having servers installed. The addresses you get from them are generally in the range 10.x.x.x (This means they must be NATed on their last router connecting them to the Internet). If a customer installs a router it would obtain such a 10.x.x.x on the outside, but internally would typically be serving 192.168.1.x or something via DHCP. It just adds an extra layer of NAT, but it does work (however no servers for you, as from the Internet no one can talk to 10.x.x.x, as it is not routed there)
You could have class B behind class C, or Class C behind Class B, or A/B, B/A every combination would work...

Another example is what I've already done at home i.e. to separate my wireless from my wired network. The wired network is 192.168.1.x, the WIFI network is 192.168.2.x
(depending on what you want to achieve you can go scenario a. or b. above)

Just give it a try, you only need two 50$ NAT enabled routers and some time. If you decide to give it a go, and it doesn't work out, let me know. I'll try to help you where I can ...

CU
G.
 
[tt]
Well more specifically, will this work?

Internet
|
|
207.46.225.60 (public address)
RTR1
192.168.1.2
/ \
/ \
| \
192.168.1.3 192.168.1.4
RTR2 RTR3
/ \ / \
/ \ / \
| \ | \
192.168.1.5 192.168.1.6 192.168.1.5 192.168.1.6

Or if not, what about this?

Internet
|
|
207.46.225.60 (public address)
RTR1
192.168.1.2
/ \
/ \
| \
192.168.2.3 192.168.3.4
RTR2 RTR3
/ \ / \
/ \ / \
| \ | \
192.168.1.2 192.168.1.4 192.168.1.2 192.168.1.3



[/tt]
 
The first won't work because the same network exists on both sides of the router. The router won't, or shouldn't, forward anything for 192.168.1.2 since it ought to be on the inside.

The second is what I was thinking, just changing the first inside network to all the same subnet:
RTR1: 192.168.2.1
RTR2: 192.168.2.2
RTR3: 192.168.2.3

Since none of the 192.168.1.x hosts need to communicate with anything except the Internet, default and connected routes should cover it. I would think that you could make this extremely deep, alternating subnets at each level.
 
I should point out that a packet has a time-to-live, so infinity is still not quite reachable.
 
neither of your setups will work :-(

in fact a router separates networks e.g. between 192.168.1.x and 192.168.2.x you need a router. When both interfaces of the router are in the same network you don't need a router, even worse it will not work! if at both sides of the router you have a PC 192.168.1.x how would the router know where to find 192.168.1.123?
It would not be able to decide via which interface the packet has to be sent out (a switch or bridge is what you need in this case, working at layer 2, so no IP addresses needed. It would decide in function of MAC address)
On the other hand if at one side of the router you have 192.168.1.x and on the other 192.168.2.x, when someone asks to talk to 192.168.2.123, the router would know where to send it...

The only thing a router does is, based on the destination address, send a packet out via one or another interface. This decision is made by looking at its routing table.
(nowadays, routers can do more, but this is not part of this discussion, filtering rules, QoS, etc...)

OK, what's wrong with your scenario 1?
RTR2 and RTR3 are not routing (both interfaces in same subnet)
what's wrong with your scenario 2?
the "top" interface of RTR2 and RTR3 are not in the correct subnet. The link between two routers has to be in the same subnet!
Also be careful, there are some hubs/switches needed too. You should not think of a home router where the switch is combined with the router function. It makes the picture misleading. let's think of a simple router with 2 interfaces (one in every connected network)


what will work is this (all routers do NAT):

207.46.225.60 (public address)
|
RTR1 (see,router has only 2 interfaces)
|
192.168.1.2
|
------------ (this is the switch if you want one with 5 ports...see them?
| | | | only 3 ports are used, all 3 belong to same subnet!)
| |
192.168.1.3 192.168.1.4
| |
RTR2 RTR3
| |
192.168.2.1 192.168.2.1
| |
/---------\ /---------\
| | | |
192.168.2.5 192.168.2.6 192.168.2.5 192.168.2.6

You spot the difference? every router has its two interfaces in another network (essential, or otherwise there is no need for a router). Links between routers are in the same subnet (or else the router will not see the inbound traffic...)
Below RTR2 and RTR3 I use the subnet 192.168.2.x twice, but they could also be different. They can be every possible combination of the 192.168.2-255.x space (but they can NOT be 192.168.1.x because both interfaces of the router would be in same subnet again)!

I hope this makes it clearer. Other questions are welcome, however the answer will be for tomorrow as now I'm off to bed!
(past midnight...)

CU
G.
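The two rules gdvissch applies above (each router's two interfaces must be in different subnets, and the router-to-router link must share a subnet) can be checked mechanically with a tiny routing-table model. This is an added example, not code from the thread: the addresses are the ones in the diagrams, while the /24 prefix lengths, the interface names "wan"/"lan", and RTR2's LAN-side address 192.168.1.1 in the two broken scenarios are my assumptions.

```python
"""Minimal two-interface router model (added example; prefix lengths, interface
names and RTR2's LAN address in the broken scenarios are assumed)."""
import ipaddress


class Router:
    """One uplink ("wan"), one LAN ("lan"), connected routes plus a default route."""

    def __init__(self, name, wan, lan, default_gw):
        self.name = name
        self.ifaces = {"wan": ipaddress.ip_interface(wan),
                       "lan": ipaddress.ip_interface(lan)}
        self.default_gw = ipaddress.ip_address(default_gw)

    def problems(self):
        """Configuration errors that break forwarding (empty list means OK)."""
        found = []
        wan, lan = self.ifaces["wan"].network, self.ifaces["lan"].network
        # Rule 1: both interfaces in one subnet -> the router cannot tell the sides apart.
        if wan.overlaps(lan):
            found.append(f"{self.name}: wan and lan are both in {wan}")
        # Rule 2: the default gateway (the upstream router) must sit on the uplink subnet.
        if self.default_gw not in wan:
            found.append(f"{self.name}: default gateway {self.default_gw} "
                         f"is not on the uplink subnet {wan}")
        return found

    def _ifaces_for(self, addr):
        """Interfaces whose connected subnet contains addr, after longest-prefix match."""
        hits = [(i.network.prefixlen, n) for n, i in self.ifaces.items() if addr in i.network]
        if not hits:
            return []
        best = max(p for p, _ in hits)
        return [n for p, n in hits if p == best]

    def next_hop(self, dst):
        """(interface, gateway-or-'direct'); ('ambiguous', None) when two
        interfaces match equally; (None, None) when there is no route at all."""
        out = self._ifaces_for(ipaddress.ip_address(dst))
        if len(out) > 1:
            return ("ambiguous", None)
        if out:
            return (out[0], "direct")
        out = self._ifaces_for(self.default_gw)       # resolve the default route
        if len(out) == 1:
            return (out[0], str(self.default_gw))
        return ("ambiguous", None) if out else (None, None)


def scenario_1():
    """First diagram: RTR2 has 192.168.1.x on both sides (LAN address assumed)."""
    return Router("RTR2", "192.168.1.3/24", "192.168.1.1/24", "192.168.1.2")


def scenario_2():
    """Second diagram: RTR2's uplink is 192.168.2.3 although RTR1 sits in 192.168.1.x."""
    return Router("RTR2", "192.168.2.3/24", "192.168.1.1/24", "192.168.1.2")


def working():
    """gdvissch's layout: link in 192.168.1.x, LAN behind RTR2 in 192.168.2.x."""
    return Router("RTR2", "192.168.1.3/24", "192.168.2.1/24", "192.168.1.2")


if __name__ == "__main__":
    for build in (scenario_1, scenario_2, working):
        r = build()
        print(build.__name__, r.problems() or "OK",
              "internet ->", r.next_hop("8.8.8.8"),
              "lan host ->", r.next_hop("192.168.2.5"))
```

Running it shows the three outcomes described in the post: in scenario 1 every lookup, including the default route, comes back ambiguous because both interfaces match 192.168.1.0/24; in scenario 2 Internet-bound traffic is sent out the LAN side, since the only interface that can reach 192.168.1.2 is the one facing the PCs; only the working layout resolves the default route to the uplink and the 192.168.2.x hosts to the LAN.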
 
Sorry I didn't respond sooner.

My testing confirms this does NOT work.

As illustrated above, you end up with confused routers because the subnets are the same on both the WAN side and the LAN side.

The only way for this to work is for the secondary routers to have a different subnet on the LAN side than the primary router has on its LAN side.

This set-up worked for me during my testing:

207.46.225.60 (public IP)
|
mainRTR
|
192.168.0.1 (gateway)
|
/-------mainLAN-----------\
| |
192.168.0.2 192.168.0.3
| |
subRTR1 subRTR2
| |
192.168.1.1 (gateways) 192.168.2.1
| |
/--subLAN1--\ /--subLAN2--\
| | | |
192.168.1.2 192.168.1.3 192.168.2.2 192.168.2.3
 