Apologies in advance for the botched terminology. I have read the Server Fault Subnet Wiki but this is more of an ISP question.
I currently have a /27 block of public IPs. I give my router the first address in this pool and then use 1-to-1 NAT for all the servers behind the firewall, so that they each get their own public IP.
The router/firewall is currently using (actual addresses removed to protect the guilty):
IP Address: XXX.XXX.XXX.164
Subnet mask: 255.255.255.224
Gateway: XXX.XXX.XXX.161
What I would like to do is break out my subnet into two separate /28 subnets. And do this in a way that is transparent to the ISP (i.e., they see me as continuing to operate a single /27).
Currently, my topology looks like:
          ISP
           |
    [Router/Firewall]
           |
 [Managed Ethernet Switch]
     /        |        \
[Server1] [Server2] [Server3] (etc)
Instead, I would like it to look like:
            ISP
             |
          [Switch]
          /      \
   [Router1]    [Router2]
    |     |      |     |
  [S1]   [S2]  [S3]   [S4] (etc)
As you can see, this would partition me into two separate networks.
I'm struggling with what the correct IP settings would be on Router1 and Router2.
Here's what I have right now:
                 Router1            Router2
IP Address:      XXX.XXX.XXX.164    XXX.XXX.XXX.180
Subnet mask:     255.255.255.240    255.255.255.240
Gateway:         XXX.XXX.XXX.161    XXX.XXX.XXX.161
Note that normally you would expect Router2 to have a gateway of .177, but I'm trying to get them both to use the gateway originally given to me by the ISP.
Is subnetting like this in fact possible, or am I completely botching the most basic concepts?
--
Edit
Several people have asked "Why". There are a couple of specific reasons why I want to do this:
My router/firewall locks up every 6-8 weeks. I've gone through a litany of devices: NetGear FVS318, Linksys RV042, Watchguard Firebox Edge X20e, and a Cisco ASA 5505. The same thing has happened with all devices, and it's apparently due to the dozen or so IPSec VPN tunnels that the device manages. Whenever it locks up, a network engineer needs to physically power-cycle the device.
I have one large client and about 1/2 the servers in the cabinet are theirs. I would like that client to be able to manage the firewall and VPN rules themselves instead of going through me. This way, I would give them root access to Router2 and they could manage everything themselves without causing any problems to Router1.
That all looks perfectly correct. Note that the servers will use the .240 netmask and either .164 or .180 as the gateway. However, are you sure you want to waste two IPs on the subnetting? You have to reserve .160 and .176 as network addresses, and .175 and .191 as broadcast addresses. If you don't subnet, you don't have to do this, so .175 and .176 can be hosts.
If you're not using NAT, i.e. if you want to actually do routing and put real servers on those IP addresses, then you can't subnet your network in a way that is transparent to your provider; they will need to modify their router configuration and their routing tables to account for your new network setup, possibly giving you two gateway addresses and/or two routers (or by setting up a new route if you put one subnet "behind" the other and your firewall in the middle).
However, if you keep using NAT and simply give half of the addresses to one firewall and half of them to another, then their external IPs will appear to your ISP as still belonging to a single subnet, and everything will keep working fine.
It won't make any difference to your ISP if you break up that /27 block into smaller blocks, from their perspective, all they know is that they must deliver that /27 block to the external interface of your router.
You will need a router that either has 3 separate interfaces (one WAN, two LAN) or a router that is capable of supporting multiple ranges on its interfaces.
You can then split the block into two separate blocks x.x.x.160/28 and x.x.x.176/28.
In your example though, you had your default gateways wrong. Each of those blocks would have its own default gateway, because each of the new /28 blocks will need to be set up on an interface on the router, and whatever IP is set up on that interface will be the gateway for the rest of the block.
Yes, you should be able to take your x.x.x.160/27 and split it into x.x.x.160/28 and x.x.x.176/28. You MAY have to make your Router2 use Router1 as the next hop, possibly by having a point-to-point link between them and using a /30 out of a private range as the link.
Also, by splitting the /27 into two /28s, you end up with fewer usable IP addresses.
If you can tell us why you want to break it up, it may be that there is another option to accomplish what you want done.
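The address arithmetic the answers above are doing by hand (the network and broadcast addresses that each /28 consumes, the two usable hosts lost compared with the /27, and the point that Router2's gateway cannot be the ISP's .161 because that address is not inside the .176/28 block) can be checked with Python's standard ipaddress module. The following is an added example written for this page, not code from any of the posters; it uses the documentation range 192.0.2.160/27 in place of the redacted XXX.XXX.XXX addresses, and it generalises slightly by splitting any block into sub-blocks of any longer prefix rather than only a /27 into two /28s.

```python
import ipaddress


def split_block(cidr, new_prefix):
    """Split a CIDR block into equal sub-blocks of new_prefix length.

    Each entry records what a host in that sub-block must be told: the
    network and broadcast addresses it cannot use, the usable host range,
    and the dotted netmask.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    result = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())          # excludes network and broadcast
        result.append({
            "network": str(sub.network_address),
            "netmask": str(sub.netmask),
            "broadcast": str(sub.broadcast_address),
            "first_usable": str(hosts[0]),
            "last_usable": str(hosts[-1]),
            "usable": len(hosts),
        })
    return result


def usable_hosts(cidr):
    """Usable host addresses in a block (all addresses minus network/broadcast)."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def gateway_reachable(host_ip, netmask, gateway):
    """A host can only use a default gateway that lies inside its own subnet;
    otherwise the host has no route on which to ARP for the gateway at all."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return ipaddress.ip_address(gateway) in iface.network


def still_one_block(sub_cidrs, original_cidr):
    """True if the sub-blocks, merged back together, are exactly the original
    block, i.e. the ISP's single route for the /27 still covers everything."""
    merged = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in sub_cidrs))
    return merged == [ipaddress.ip_network(original_cidr)]


if __name__ == "__main__":
    # Constructed stand-in for the asker's /27 (documentation range, not a real block).
    block = "192.0.2.160/27"
    subs = split_block(block, 28)
    for s in subs:
        print(f"{s['network']}/28  mask {s['netmask']}  "
              f"hosts {s['first_usable']}-{s['last_usable']}  bcast {s['broadcast']}")
    print("usable before split:", usable_hosts(block),
          "after split:", sum(s["usable"] for s in subs))

    # The asker's proposed router settings, with the ISP gateway .161 on both.
    print("Router1 .164/28 -> gw .161 ok?",
          gateway_reachable("192.0.2.164", "255.255.255.240", "192.0.2.161"))
    print("Router2 .180/28 -> gw .161 ok?",
          gateway_reachable("192.0.2.180", "255.255.255.240", "192.0.2.161"))
    # A server behind Router2 must instead point at Router2's own LAN address.
    print("Server .185/28 -> gw .180 ok?",
          gateway_reachable("192.0.2.185", "255.255.255.240", "192.0.2.180"))
    print("ISP still sees one /27?",
          still_one_block(["192.0.2.160/28", "192.0.2.176/28"], block))
```

The last check is the ISP-side view the answers describe: as long as the two /28s together are exactly the original /27 and the upstream router keeps delivering that /27 to a single external interface, nothing on the provider side has to change. Running the script also makes the second answer's caveat concrete: the ISP's .161 gateway falls inside 192.0.2.160/28, so only Router1's block can use it directly, which is why Router2 would need Router1 (or a point-to-point link to it) as its next hop in a routed, non-NAT design.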
Using a fictitious address ending in .160
*From my Subnet Calculator / Planner
Of course you can do this. You have to make it a /27, which means 30 hosts (plus 2 for network and broadcast); your network will be 192.168.254.161 - 192.168.254.190 (I mean hosts) with 255.255.255.224.