Gravesy
Posts: 78
Joined: Sat Feb 07, 2015 7:12 am
Location: The Netherlands

[solved] Public /29 subnet question

Fri Aug 19, 2016 6:36 pm

Ok, this one will take some explaining...

My ISP offers the option of a public IPv4 subnet (/29) which, after subtracting 3 addresses from its range (1 for the network, 1 for the modem and one for broadcast), leaves me with 5 usable IPv4 IPs that should be assignable and reachable from the internet side of things.
So, I've hooked the Pi up to the modem (cabled), assigned one of these addresses to a Raspberry Pi running a LAMP setup, it's visible in the modem, the modem has been set to use the subnet, and the Raspberry Pi's HTTP and HTTPS ports have been exposed in the modem's firewall.

Now, I can reach the Pi via SSH and through a browser from my LAN on the assigned address...
But forget trying to reach it from the internet.
I've double-checked the netmask and other settings in the modem, conferred with support at my ISP, they confirmed I have those settings done right, however they cannot offer support with any further issues (subnet service is offered 'as is' for more experienced customers).

The Pi is running Jessie Light, dhcpcd.conf has been set to use

interface eth0

# anonymised the IP, it's the correct one, I've triple checked
static ip_address=80.x.x.x/29
# proper address for the router, and I can reach it from the Pi
static routers=192.168.178.1
# again, the router, and it seems to work
static domain_name_servers=192.168.178.1

So with all that in mind, unless I'm forgetting/missing something, I'm at a loss here.
I'm hoping someone here has a better idea of what I might be doing wrong, because at this point, my script-kiddie and coding skills amount to absolutely bugger all :cry:
Last edited by Gravesy on Sat Aug 20, 2016 10:44 pm, edited 2 times in total.

drgeoff
Posts: 9743
Joined: Wed Jan 25, 2012 6:39 pm

Re: Public /29 subnet question

Fri Aug 19, 2016 9:57 pm

What router and what settings on it?

And can you provide a diagram showing how modem, router, RPi and your computer are connected together.

Gravesy
Posts: 78
Joined: Sat Feb 07, 2015 7:12 am
Location: The Netherlands

Re: Public /29 subnet question

Sat Aug 20, 2016 12:31 am

Router is a Fritz!box 7360, as for what settings, you'll have to be more specific.
If you mean the settings for the subnet, the 7360 has a special category for subnetting that lets one fill out the subnet ip to be used by the modem, and the relevant netmask (since it's a /29 that would be 255.255.255.248).

Won't need a diagram to describe how it all connects, modem is the first in line, Raspberry Pi is connected directly to one of the modem's LAN ports via cable (simple Cat6 patch cable).
Desktop pc is on the modem's WLAN, which can communicate to any other device networked through the modem, be it wired or wireless.

Also, for clarification, the Pi can communicate in and out, it can download updates and software with apt-get, I can transfer data to and from it, but I cannot get it visible from the WWW, even if I DMZ it, or open all relevant ports.
It's really doing my head in, since I've run my website from the same Pi for ages, the only difference now is the subnet IP, and to my knowledge I've set it all up exactly as it should be.

skspurling
Posts: 194
Joined: Fri Jul 27, 2012 1:44 pm
Location: US. Right in the middle...

Re: Public /29 subnet question

Sat Aug 20, 2016 12:58 am

Problem is that it's a router, not a switch or a bridge. That /29 is on the outside of your router, so your router has to proxy for it, not route it.

It's probably on the inside of your provider's router, but not yours. You have to do a 1:1 NAT. It's a bit better than a port forwarder, but you need private addresses on your stuff inside and the router still translates the addresses. If you want to use the addresses directly, then you need to run your devices directly behind the provider's edge device. Consider it as a DMZ for your network, and make sure to use sensible firewall rules on your provider's edge device.

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: Public /29 subnet question

Sat Aug 20, 2016 1:57 am

Gravesy wrote:Ok, this one will take some explaining...

My ISP offers the option of a public IPv4 subnet (/29) which, after subtracting 3 addresses from its range (1 for the network, 1 for the modem and one for broadcast), leaves me with 5 usable IPv4 IPs that should be assignable and reachable from the internet side of things.
So, I've hooked the Pi up to the modem (cabled), assigned one of these addresses to a Raspberry Pi running a LAMP setup, it's visible in the modem, the modem has been set to use the subnet, and the Raspberry Pi's HTTP and HTTPS ports have been exposed in the modem's firewall.

Now, I can reach the Pi via SSH and through a browser from my LAN on the assigned address...
But forget trying to reach it from the internet.
I've double-checked the netmask and other settings in the modem, conferred with support at my ISP, they confirmed I have those settings done right, however they cannot offer support with any further issues (subnet service is offered 'as is' for more experienced customers).

The Pi is running Jessie Light, dhcpcd.conf has been set to use

interface eth0

# anonymised the IP, it's the correct one, I've triple checked
static ip_address=80.x.x.x/29
# proper address for the router, and I can reach it from the Pi
static routers=192.168.178.1
# again, the router, and it seems to work
static domain_name_servers=192.168.178.1

So with all that in mind, unless I'm forgetting/missing something, I'm at a loss here.
I'm hoping someone here has a better idea of what I might be doing wrong, because at this point, my script-kiddie and coding skills amount to absolutely bugger all :cry:
Those settings seem slightly odd; normally the router address should be in the same subnet as the IP address, without that you'll likely have various issues or need extra config. I've got a /29 from my ISP and the hosts on the external network use the router's public IP (in the same /29) as the router IP. Not all routers support having a public IP range and may do odd things with it (I've only had success with the original Speedtouch router and various proper Cisco routers).

When looking up addresses on the Pi you may find "ip addr" is better than "ifconfig", as ifconfig often doesn't show all the assigned IPs (you may find you also have a private IP on the Pi that it's using). You may find "curl icanhazip.com" useful; this will show you what your public IP is (which may help determine if your Pi is actually talking out on its public IP or if the router is getting in the way).

Finally, before putting the Pi on a public IP you should ensure it's been suitably secured. As a minimum I'd suggest changing the pi account to something else (or create a new account and lock/delete the pi account), change any passwords, ideally set up key-based auth on SSH, move SSH to an alternate port, and set up a host-based firewall.
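As an added sanity check (not code from this thread, from dhcpcd, or from the ISP), the script below parses a dhcpcd.conf static block and flags the mistake discussed above: a gateway that is not inside the host's subnet, here a private 192.168.x.x router paired with a public address. The addresses are constructed in the RFC 5737 documentation range 203.0.113.0/29, standing in for the anonymised 80.x.x.x/29, with .1 playing the modem.

```python
import ipaddress
import re

# Constructed sample dhcpcd.conf fragments (RFC 5737 documentation range 203.0.113.0/29
# standing in for the thread's anonymised 80.x.x.x/29; .1 plays the modem/gateway).
# The first mirrors the original mistake: a private-LAN gateway for a public address.
BROKEN_CONF = """\
interface eth0
static ip_address=203.0.113.3/29
static routers=192.168.178.1
static domain_name_servers=192.168.178.1
"""
# The second mirrors the corrected file: gateway and DNS inside the public /29.
FIXED_CONF = """\
interface eth0
static ip_address=203.0.113.3/29
static routers=203.0.113.1
static domain_name_servers=203.0.113.1
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dhcpcd(text):
    """Collect the 'static key=value' lines under each 'interface' block of a dhcpcd.conf fragment."""
    confs, iface = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # ignore comments and blank lines
        if not line:
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            iface = m.group(1)
            confs.setdefault(iface, {})
            continue
        m = re.match(r"static\s+(\w+)=(.+)$", line)
        if m and iface is not None:
            confs[iface][m.group(1)] = m.group(2).split()   # dhcpcd accepts space-separated lists
    return confs


def check_static(settings):
    """Return a list of problems with one interface's static settings; empty means it looks sane."""
    addrs = settings.get("ip_address", [])
    if len(addrs) != 1:
        return ["exactly one static ip_address expected"]
    try:
        host = ipaddress.ip_interface(addrs[0])
    except ValueError as e:
        return [f"ip_address invalid: {e}"]
    net, problems = host.network, []
    if host.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{host.ip} is the network or broadcast address of {net}")
    routers = settings.get("routers", [])
    if not routers:
        problems.append("no static routers set, so the Pi has no default route")
    for r in routers:
        try:
            gw = ipaddress.ip_address(r)
        except ValueError:
            problems.append(f"router {r!r} is not an IP address")
            continue
        if gw not in net:
            msg = f"router {gw} is outside the host's subnet {net}"
            if any(gw in n for n in RFC1918):
                msg += " and is an RFC 1918 private address, unreachable from the internet side"
            problems.append(msg)
        elif gw == host.ip or gw in (net.network_address, net.broadcast_address):
            problems.append(f"router {gw} cannot be the host itself, the network or the broadcast address")
    return problems


def assignable_hosts(cidr, gateway):
    """Addresses left for your own devices once network, broadcast and the gateway are taken."""
    net = ipaddress.ip_network(cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    return [h for h in net.hosts() if h != gw]


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_static(parse_dhcpcd(conf)["eth0"]) or ["looks sane"])
    print(len(assignable_hosts("203.0.113.0/29", "203.0.113.1")), "addresses left for devices")
```

Run it against a copy of your own dhcpcd.conf to see whether the gateway line is the problem before touching the modem's subnet settings.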

skspurling
Posts: 194
Joined: Fri Jul 27, 2012 1:44 pm
Location: US. Right in the middle...

Re: Public /29 subnet question

Sat Aug 20, 2016 3:41 am

Gravesy wrote:Router is a Fritz!box 7360, as for what settings, you'll have to be more specific.
If you mean the settings for the subnet, the 7360 has a special category for subnetting that lets one fill out the subnet ip to be used by the modem, and the relevant netmask (since it's a /29 that would be 255.255.255.248).

Won't need a diagram to describe how it all connects, modem is the first in line, Raspberry Pi is connected directly to one of the modem's LAN ports via cable (simple Cat6 patch cable).
Desktop pc is on the modem's WLAN, which can communicate to any other device networked through the modem, be it wired or wireless.

Also, for clarification, the Pi can communicate in and out, it can download updates and software with apt-get, I can transfer data to and from it, but I cannot get it visible from the WWW, even if I DMZ it, or open all relevant ports.
It's really doing my head in, since I've run my website from the same Pi for ages, the only difference now is the subnet IP, and to my knowledge I've set it all up exactly as it should be.
Okay, I reread your posts a third time, and I'm thinking something completely different...
Are those 192.168.178.1's the actual modem addresses you are using in your config? Just making sure those are stand-ins for the public IP address of the modem. Also, don't use DHCP.conf. If you are going static, use static configs in /etc/network/interfaces... right? Just checking, because you did mention that in one of your posts. You also don't have a mix of private and public IPs configured on the Pi, do you? They should all be in the same subnet, and you shouldn't mix them. Something might work, but it will be inconsistent.

rpdom
Posts: 14987
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Public /29 subnet question

Sat Aug 20, 2016 4:16 am

skspurling wrote:Also, don't use DHCP.conf. If you are going static, use static configs in /etc/network/interfaces... right?
Wrong. ;)

With jessie, dhcpcd has taken over much of the network management roles. Generally, /etc/network/interfaces shouldn't be used for static IP assignments now.

Cancelor
Posts: 757
Joined: Wed Aug 28, 2013 4:09 pm
Location: UK

Re: Public /29 subnet question

Sat Aug 20, 2016 6:02 am

Addresses in the range 192.168.x.x are private IPv4 network addresses; ping tests or any other connection from the Internet or other outside networks cannot be routed to them, they have to be port forwarded. I think packets to or from a private address range will be blocked by the internet.

Your RPi and its default gateway both need to be in the 80.x.x.x/29 range.

N.B. The default gateway (router) 80.x.x.rrr is not on your premises. (it may or may not offer dhcp)

I don't know about the Fritz!box 7360, but most home boxes contain a modem, a router, a switch, a DHCP server etc. all in the same box.

If the ports on your Fritz!box 7360 are in the 192.168.x.x range then connecting to them will not do what you want.

I think you have ISP --- Modem --- Router --- Switch --- RPi

What you need is ISP --- RPi
Can't find the thread you want? Try googling : YourSearchHere site:raspberrypi.org

fruit-uk
Posts: 609
Joined: Wed Aug 06, 2014 4:19 pm
Location: Suffolk, UK

Sat Aug 20, 2016 6:15 am

I'm running a public block on Smallwall(was m0n0wall) but the setup looks totally different to the way things are being described here :/
Not saying they are wrong of course, it's a different device.

Are any of the articles here any use? https://en.avm.de/service/fritzbox/frit ... edge-base/

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: Public /29 subnet question

Sat Aug 20, 2016 6:59 am

Cancelor wrote: N.B. The default gateway (router) 80.x.x.rrr is not on your premises. (it may or may not offer dhcp)

I don't know about the Fritz!box 7360, but most home boxes contain a modem, a router, a switch, a DHCP server etc. all in the same box.

If the ports on your Fritz!box 7360 are in the 192.168.x.x range then connecting to them will not do what you want.

I think you have ISP --- Modem --- Router --- Switch --- RPi

What you need is ISP --- RPi
This is very dependent on the ISP and equipment. In my /29 the gateway address (.169/29) is on my network and other devices (.170-.174) use that as their router. From externally, if you contact the router IP you get my router. The PPPoA link back to the ISP is a PPP unnumbered interface.

My experience is that the configuration can be very hardware and ISP dependent, so for that level of setup dedicated forums/blogs are more likely to be of use.

Gravesy
Posts: 78
Joined: Sat Feb 07, 2015 7:12 am
Location: The Netherlands

Re: Public /29 subnet question

Sat Aug 20, 2016 2:24 pm

Wow, I go to bed and wake up to a boatload of info, thanks for the help so far fellas!

Well, I guess I'll go post by post :o
skspurling wrote:Problem is that it's a router, not a switch or a bridge. That /29 is on the outside of your router, so your router has to proxy for it, not route it.
It's probably on the inside of your provider's router, but not yours. You have to do a 1:1 NAT. It's a bit better than a port forwarder, but you need private addresses on your stuff inside and the router still translates the addresses. If you want to use the addresses directly, then you need to run your devices directly behind the provider's edge device. Consider it as a DMZ for your network, and make sure to use sensible firewall rules on your provider's edge device.
This modem/router is the only (edge) device on my side of the network.
It is provided by the ISP.
mfa298 wrote:
Those settings seem slightly odd, normally the router address should be in the same subnet as the ip address, without that you'll likely have various issues or need extra config.
Correct, I realised I did that wrong as I read your post, I have amended the file, it now looks like this

interface eth0

static ip_address=80.x.x.x/29
static routers=80.x.x.y
static domain_name_servers=80.x.x.y

Where the x.x.y is the address assigned to the modem.
Though I'm wondering if I shouldn't assign my ISP's DNS servers for the static DNS instead...
Thoughts/suggestions?
Also, I'm wondering if I shouldn't specify the /29 on the static router...
I can reach the box without it specified, but that's no guarantee it's 100% correct.
mfa298 wrote:
When looking up addresses on the Pi you may find "ip addr" is better than "ifconfig", as ifconfig often doesn't show all the assigned IPs (you may find you also have a private IP on the Pi that it's using). You may find "curl icanhazip.com" useful; this will show you what your public IP is (which may help determine if your Pi is actually talking out on its public IP or if the router is getting in the way).
The router doesn't seem to be getting in the way, the Pi reports the assigned address is the one being used from both ip addr and the curl from icanhazip.com...
Very curious.
mfa298 wrote: Finally, before putting the Pi on a public IP you should ensure it's been suitably secured. As a minimum I'd suggest changing the pi account to something else (or create a new account and lock/delete the pi account),
Done, first thing i always do is remove the Pi account.
mfa298 wrote: change any passwords, ideally set up key-based auth on SSH, move SSH to an alternate port, and set up a host-based firewall.
Already done; the first order of business during setup was generating a keypair with PuTTYgen, SSH is on a rather obscure port, Fail2Ban is installed, and UFW has been set up to allow SSH and HTTP/HTTPS and nothing else for now.
rpdom wrote:
skspurling wrote:Also, don't use DHCP.conf. If you are going static, use static configs in /etc/network/interfaces... right?
Wrong. ;)

With jessie, dhcpcd has taken over much of the network management roles. Generally, /etc/network/interfaces shouldn't be used for static IP assignments now.
This was indeed the one thing the network tech from my ISP stressed, that Jessie uses dhcpcd.conf and that I shouldn't use /etc/network/interfaces.
mfa298 wrote:
Cancelor wrote: N.B. The default gateway (router) 80.x.x.rrr is not on your premises. (it may or may not offer dhcp)

I don't know about the Fritz!box 7360, but most home boxes contain a modem, a router, a switch, a DHCP server etc. all in the same box.

If the ports on your Fritz!box 7360 are in the 192.168.x.x range then connecting to them will not do what you want.

I think you have ISP --- Modem --- Router --- Switch --- RPi

What you need is ISP --- RPi
This is very dependent on the ISP and equipment. In my /29 the gateway address (.169/29) is on my network and other devices (.170-.174) use that as their router. From externally, if you contact the router IP you get my router. The PPPoA link back to the ISP is a PPP unnumbered interface.

My experience is that the configuration can be very hardware and ISP dependent, so for that level of setup dedicated forums/blogs are more likely to be of use.
@Cancelor: as can be seen from my reply to mfa298, I had the wrong address for the router/gateway indeed; this has now been rectified and set to the (hopefully) correct settings.

To sketch my setup in simple detail: we have the wall socket for the phone line (I'm on a VDSL connection), the Fritz!box (which is the modem/router/bridge), and then all my systems.
The Pi is directly connected to the Fritz!box.

My ISP specifies that it has to be ISP>Modem>Any machine I want to use, hence why the modem gets assigned its own address in the subnet range.
Here's what the modem's page for the subnetting looks like: http://i23.photobucket.com/albums/b366/ ... 8mahdu.jpg (I'm linking rather than inserting because it's a rather large image).
Note that the netmask is correct, according to the technician from the ISP.
Here's the help page from my ISP (sadly, no English version exists, sorry about that): https://www.xs4all.nl/service/diensten/ ... itzbox.htm
I've literally followed the steps there, assigned the modem its address, so everything is now (technically) as it should be.

Hell, the way I understand it, my subnet setup should, in theory at least, work the same as yours, mfa298.
In the meantime I'm still tinkering with all the settings, I think I may be getting close.

Cancelor
Posts: 757
Joined: Wed Aug 28, 2013 4:09 pm
Location: UK

Re: Public /29 subnet question

Sat Aug 20, 2016 3:34 pm

If I understand this right the wire from your wall to the Fritz!box 7360 is in network 80.x.x.x/29 and the ports on the Fritz!box 7360 are in network 192.168.179.x/24

So the question is where are you plugging the RPi?
Can't find the thread you want? Try googling : YourSearchHere site:raspberrypi.org

Gravesy
Posts: 78
Joined: Sat Feb 07, 2015 7:12 am
Location: The Netherlands

Re: Public /29 subnet question

Sat Aug 20, 2016 3:37 pm

Cancelor wrote:If I understand this right the wire from your wall to the Fritz!box 7360 is in network 80.x.x.x/29 and the ports on the Fritz!box 7360 are in network 192.168.179.x/24

So the question is where are you plugging the RPi?
The Fritz!box.
Relevant : https://en.avm.de/service/fritzbox/frit ... FRITZ-Box/

drgeoff
Posts: 9743
Joined: Wed Jan 25, 2012 6:39 pm

Re: Public /29 subnet question

Sat Aug 20, 2016 4:31 pm

Gravesy wrote:
Cancelor wrote:If I understand this right the wire from your wall to the Fritz!box 7360 is in network 80.x.x.x/29 and the ports on the Fritz!box 7360 are in network 192.168.179.x/24

So the question is where are you plugging the RPi?
The Fritz!box.
Relevant : https://en.avm.de/service/fritzbox/frit ... FRITZ-Box/
From section 2 of https://en.avm.de/service/fritzbox/frit ... FRITZ-Box/
"Configuring a network device
Configure all of the network devices that should be accessible at an IP address from the FRITZ!Box's public IPv4 subnet as follows:
Note: Network devices that are assigned a public IP address no longer obtain their IP settings from the FRITZ!Box. Therefore, they cannot access other devices in the FRITZ!Box home network or the FRITZ!Box user interface.
Adjust the IP settings for the network device (for example the network adapter of the computer connected to the FRITZ!Box) according to the Internet service provider's instructions:
IP address: an IP address from the public IPv4 network
Important: The IP address you select may not already be used by another device in the FRITZ!Box home network.

Subnet mask: the subnet mask that corresponds to the public IP address
Standard gateway: if necessary, one of the Internet service provider's standard gateways
Preferred and alternative DNS server: your Internet service provider's DNS server"
The RPi should be given a static 80.x.x.x/29 address. The ISP should tell you what addresses to give it for gateway (static routers) and DNS server (static domain_name_servers). Or you can use your preferred public DNS server such as Google's, OpenDNS etc.

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: Public /29 subnet question

Sat Aug 20, 2016 5:38 pm

Gravesy wrote: Correct, I realised I did that wrong as I read your post, I have amended the file, it now looks like this

interface eth0

static ip_address=80.x.x.x/29
static routers=80.x.x.y
static domain_name_servers=80.x.x.y

Where the x.x.y is the address assigned to the modem.
Though I'm wondering if I shouldn't assign my ISP's DNS servers for the static DNS instead...
Thoughts/suggestions?
Also, I'm wondering if I shouldn't specify the /29 on the static router...
I can reach the box without it specified, but that's no guarantee it's 100% correct.
That looks reasonable. The router doesn't need the subnet mask. It's just an IP on the network that knows how to get to other places.

As to what to use for DNS, that's mostly down to setup. Your router may know more about the local internal network so might help with that; the ISP servers might be faster as they'll likely have more stuff cached.
Gravesy wrote: The router doesn't seem to be getting in the way, the Pi reports the assigned address is the one being used from both ip addr and the curl from icanhazip.com...
Very curious.
That's a good sign.
Gravesy wrote: My ISP specifies that it has to be ISP>Modem>Any machine i want to use, hence why the modem gets assigned it's own address in the subnet range.
Here's what the modem's page for the subnetting looks like: http://i23.photobucket.com/albums/b366/ ... 8mahdu.jpg (I'm linking rather than inserting because it's a rather large image).
Note that the netmask is correct, according to the technician from the ISP.
Without knowing that router the settings look reasonable. The 255.255.255.248 mask is correct for a /29.

There might be another set of settings somewhere to specify whether particular ports are on the WAN or LAN side, although with the Pi appearing to work that would suggest it's seeing the right network.

The test I'd probably try next is running a tcpdump session looking for relevant packets whilst trying to connect from somewhere externally.

Gravesy
Posts: 78
Joined: Sat Feb 07, 2015 7:12 am
Location: The Netherlands

Re: Public /29 subnet question

Sat Aug 20, 2016 6:36 pm

drgeoff wrote: The RPi should be given a static 80.x.x.x/29 address.
It has one.
drgeoff wrote: The ISP should tell you what addresses to give it for gateway (static routers) and DNS server (static domain_name_servers). Or you can use your preferred public DNS server such as Google's, OpenDNS etc.
Well, I've now assigned the ISP's DNS servers, which (also) seems to work, so that's good. I've double-checked with the ISP, the second IP in the range (which is used by the modem) is the gateway, so that's been set correctly, so I'm now going to tinker with the modem some more.
mfa298 wrote:
Gravesy wrote: Correct, I realised I did that wrong as I read your post, I have amended the file, it now looks like this

interface eth0

static ip_address=80.x.x.x/29
static routers=80.x.x.y
static domain_name_servers=80.x.x.y

Where the x.x.y is the address assigned to the modem.
Though I'm wondering if I shouldn't assign my ISP's DNS servers for the static DNS instead...
Thoughts/suggestions?
Also, I'm wondering if I shouldn't specify the /29 on the static router...
I can reach the box without it specified, but that's no guarantee it's 100% correct.
That looks reasonable. The router doesn't need the subnet mask. It's just an IP on the network that knows how to get to other places.

As to what to use for DNS, that's mostly down to setup. Your router may know more about the local internal network so might help with that; the ISP servers might be faster as they'll likely have more stuff cached.
Gravesy wrote: The router doesn't seem to be getting in the way, the Pi reports the assigned address is the one being used from both ip addr and the curl from icanhazip.com...
Very curious.
That's a good sign.
Gravesy wrote: My ISP specifies that it has to be ISP>Modem>Any machine i want to use, hence why the modem gets assigned it's own address in the subnet range.
Here's what the modem's page for the subnetting looks like: http://i23.photobucket.com/albums/b366/ ... 8mahdu.jpg (I'm linking rather than inserting because it's a rather large image).
Note that the netmask is correct, according to the technician from the ISP.
Without knowing that router the settings look reasonable. The 255.255.255.248 mask is correct for a /29.

There might be another set of settings somewhere to specify whether particular ports are on the WAN or LAN side, although with the Pi appearing to work that would suggest it's seeing the right network.

The test I'd probably try next is running a tcpdump session looking for relevant packets whilst trying to connect from somewhere externally.
Hmm, I hadn't thought of trying a tcpdump.
It'll have to wait until tomorrow though, gotta run off to work.

To all who've replied, thanks for sticking with me so far, with a little luck I'll figure out the issue once I do the tcpdump ;)


Gravesy
Posts: 78
Joined: Sat Feb 07, 2015 7:12 am
Location: The Netherlands

Re: Public /29 subnet question

Sat Aug 20, 2016 8:55 pm

If you mean the port sharing/port forwarding, that has been properly setup.

But in the meantime, I have solved the final issue: I called the ISP again and they pointed out I might have to turn off a filter setting in my account settings panel (aka on their end), then turn it on and off again, so I did as instructed and presto chango: people can connect to the site.

Many thanks to all who helped me troubleshoot ;)

skspurling
Posts: 194
Joined: Fri Jul 27, 2012 1:44 pm
Location: US. Right in the middle...

Re: Public /29 subnet question

Mon Aug 22, 2016 3:40 am

rpdom wrote:
skspurling wrote:Also, don't use DHCP.conf. If you are going static, use static configs in /etc/network/interfaces... right?
Wrong. ;)

With jessie, dhcpcd has taken over much of the network management roles. Generally, /etc/network/interfaces shouldn't be used for static IP assignments now.
Okay, this is a pain. I guess I never failed to assign a static address, because I've not messed with setting a static IP since the Jessie upgrade. But, DANG! I never saw THIS in the upgrade announcement. The previous incarnation was a file that specifically says it's for dhcpcd, and now they say put it in the dhcpcd.conf file. You go turn your head for a second and they start messin' with stuff. :-)
Thanks for the update.

OP, Glad you got your stuff working.
