|
|
What does the following IP addressing mean:
81.xxx.xxx.xxx/29
WAN 81.nnn.nnn.nnn
Where a TBB Speedtest returns the IP address 81.xxx.xxx.6
I'm confused. Give me a soldering iron any day...
Edited to add: nnn are different to xxx
Cheers!
Clive
Andrews & Arnold Home::1 FTTC DrayTek Vigor 2762ac Cisco ATA191 and HUAWEI E5776 with O2 Data SIM
Edited by Ancient_Mariner (Sat 22-Jan-22 15:04:39)
|
|
|
Who is your ISP, and where did you get the first two lines from?
Michael Chare
|
|
|
What does the following IP addressing mean:
81.xxx.xxx.xxx/29
WAN 81.nnn.nnn.nnn
/29 is the CIDR notation for the number of bits set in the mask. /29 means a subnet mask of 255.255.255.248, which means the IP addresses from 81.x.x.1 to 81.x.x.6 are usable by your network.
The WAN IP quoted is the address you should assign to your router on the public interface that faces the ISP, typically that using PPPoE, IPoA or DHCP depending on your ISP.
I'm confused. Give me a soldering iron any day...
Edited to add: nnn are different to xxx
They will be as one is the ISP network, and one is the IP network they are assigning to you. This is only required where you have more than ONE public IP from the ISP. The majority of domestic ISPs only support a single IP so the home user has no choice but to translate that IP to a private (RFC 1918) network inside the premises.
However some ISPs will sell you a range of addresses (for money) and then this information is supplied.
22 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Who is your ISP, and where did you get the first two lines from?
Signature says AAISP, who often provide blocks of routable IPv4 and whole networks of IPv6 to their customers. Unlike the mass market ISPs of Virgin Media, BT Retail, TalkTalk, Sky, who only supply a single IPv4 for the router/gateway itself.
22 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
The WAN IP quoted is the address you should assign to your router on the public interface that faces the ISP, typically that using PPPoE, IPoA or DHCP depending on your ISP.
More likely to be IPoE than IPoA.
I don't think ATM is used much if at all, apart from on ADSL. Even then it's only the ADSL part of the circuit that uses ATM. The fixed 53 byte packets on ATM make it a poor choice for carrying traffic.
|
|
|
A&A as per my sig.
My control panel gives those two lines. Normally when I do, say a TBB Speedtest I see the 81.nnn.nnn.nnn IP address.
However to aid a check into dropouts, A&A have sent me a loan router; normally I use my own DrayTek. Using the loan router, a TBB Speedtest shows 81.xxx.xxx.6 and not the usual 81.nnn.nnn.nnn IP Address.
Cheers!
Clive
Andrews & Arnold Home::1 FTTC DrayTek Vigor 2762ac Cisco ATA191 and HUAWEI E5776 with O2 Data SIM
|
|
|
As in my reply to Michael above, my control panel gives those two lines. Normally when I do, say a TBB Speedtest I see the 81.nnn.nnn.nnn IP address.
However to aid a check into dropouts, A&A have sent me a loan router; normally I use my own DrayTek. Using the loan router, a TBB Speedtest shows 81.xxx.xxx.6 and not the usual 81.nnn.nnn.nnn IP Address.
Does that suggest that with the 81.xxx.xxx.6 address being visible on a TBB Speedtest, that it has "escaped" from just being an address for my network?
Currently I cannot access the loan router's control panel.
Cheers!
Clive
Andrews & Arnold Home::1 FTTC DrayTek Vigor 2762ac Cisco ATA191 and HUAWEI E5776 with O2 Data SIM
|
|
|
As already answered, the xxx addresses are from your real allocated public IP subnet (a pool of up to 6* usable addresses).
The xxx address is correctly shown as the source of the traffic in the test.
It's not leakage (because it's already a public routable address and does not need NATting again).
The nnn address is merely the IP the router is using to route traffic to/from the ISP. It's not the source of the traffic.
When you have a routed subnet, you should think of that as being part of the first hop but just happens to be physically on premises.
I realise people find it counter-intuitive because they are so used to having only one address and think the WAN interface of the router being the only place where public IPs should exist.
Even when you have a routed public subnet, you can still use private addressing within your network, it's just that you then have more than 1 real public IP available to NAT those to on the way out.
When you have been using your own Draytek, you haven't actually been making use of your allocated public IP range.
(*) Technically the router will use up 1 of those addresses to be the gateway for the rest of that subnet so you will have 5 public addresses left to assign either directly to specific services or for NAT mappings.
0 = network number (prefix address seen in the CIDR notation as prefix/size; for example /29 this will be 0, or any other multiple of 8 up to 248 and what follows will be relative to that)
+1 = router as gateway
+2 - 6 usable
+7 = broadcast
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Edited by prlzx (Sun 23-Jan-22 01:41:14)
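Added example (not part of any post in this thread): the +0 / +1 / +2..6 / +7 layout described above, computed with Python's standard `ipaddress` module for any IPv4 prefix up to /30. The 203.0.113.x addresses are constructed documentation addresses standing in for the elided 81.xxx.xxx.xxx block, and giving the router the first host address is the assumption taken from the post above.

```python
import ipaddress

def subnet_layout(addr: str, prefix: int) -> dict:
    """Describe the IPv4 block containing addr, using the +0/+1/+2../last scheme above."""
    # strict=False accepts any address inside the block, e.g. the .6 a speed test reports
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("expects an IPv4 prefix of /30 or shorter")
    gateway = net.network_address + 1          # assumption: router takes the first host address
    first, last = gateway + 1, net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "gateway": str(gateway),
        "usable": (str(first), str(last)),
        "usable_count": int(last) - int(first) + 1,
        "broadcast": str(net.broadcast_address),
    }

def role_of(addr: str, prefix: int) -> str:
    """Classify one address within its own block."""
    layout = subnet_layout(addr, prefix)
    for role in ("network", "gateway", "broadcast"):
        if layout[role] == addr:
            return role
    return "usable"

if __name__ == "__main__":
    for sample in ("203.0.113.6", "203.0.113.14"):   # constructed sample addresses
        print(sample, role_of(sample, 29), subnet_layout(sample, 29))
```

The second sample shows the "multiple of 8" point: an address ending .14 with a /29 sits in the block starting at .8, not .0.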
|
|
|
|
I suspect that, despite having a public /29 you have your own router set to NAT.
A&A use PPPoE, so the PPP endpoint has its own IP address which is in addition to your /29 range of addresses - mine is 81.187.nnn.nn7, yours will be the 81.nnn.nnn.nnn address that you mentioned.
As well as that you have your /29 - as others have said this gives 29 bits of network address and 3 bits of host address. The hosts with all bits zero and all bits one have special meanings (network and broadcast) so you have 6 routeable addresses - as you mentioned 81.xxx.xxx.6 being one of them you will have 81.xxx.xxx.1 through to 81.xxx.xxx.6
As you have NAT set on your router anytime you access the 'net - eg to do a speed test the other end will see the IP address associated with your PPP connection.
The loan router from A&A is clearly set up to not apply NAT - to be honest this is the correct way to do it if your 6 addresses cover all of your needs. This is why the "other end" is now seeing the actual address of the PC (or whatever) you are using.
In this case I would disable NAT - it is not doing anything useful, in particular it does not protect your hosts from rogue packets - anyone on the internet can send a packet to 81.xxx.xxx.6, Andrews and Arnold will send it down the PPP link for you and, unless it is firewalled, your router will forward it onto the local network. Your firewall settings are your protection, not NAT.
|
|
|
Thanks for all the responses.
Like I said in my OP, give me a soldering iron any day....
A problem I have is terminology.
I have a /29 which despite the excellent replies still has me puzzled. It seems that a /29 gives me 6 addresses. But is 6 enough? At times I have 3 pcs, an iPad, 2 printers, a wi-fi access point, a smart phone plus a wireless hub for our EV charger, a couple of networked pieces of radio equipment and 3 TVs plus a TV dongle. Heck, that's more than I expected, but the DHCP list on the DrayTek seems to agree it. Now they all work OK with NAT so I am sure that they could with the /29 but how do I configure it all?
Is there a recommended guide for setting up home networks which covers this, or is it that a /29 suggests an office network and a network professional is required? Rather like buying a car, the handbook tells you what is where, but not necessarily how and when to use it, let alone how to drive.
Cheers!
Clive
Andrews & Arnold Home::1 FTTC DrayTek Vigor 2762ac Cisco ATA191 and HUAWEI E5776 with O2 Data SIM
|
|
|
|
Hi Clive. You don’t need a /29 subnet for any of that. Unless it’s issued/negotiated free then you may be paying your ISP for something you don’t actually need. It doesn’t appear you're actually using any more than one public IP address on your setup.
|
|
|
The /29 is standard and inclusive from A&A.
My understanding is that for VoIP it is best not to use NAT, and using the /29 for VoIP would be better, problem is all the "hows".....
Cheers!
Clive
Andrews & Arnold Home::1 FTTC DrayTek Vigor 2762ac Cisco ATA191 and HUAWEI E5776 with O2 Data SIM
|
|
|
|
To be fair VoIP works perfectly fine for most folks on a simple NAT connection that don’t have a /29 or the like at their disposal or the wherewithal and networking to exploit it.
Unless of course you have dozens or hundreds of employees behind the router. It’s a different ball game. But for home meh you really don’t need it.
|
|
|
Actually it isn't an either or situation.
You could use some of the /29 addresses by having a network with direct assignments to specific hosts or services.
Logical choices are any services which inherently use either large ranges of port numbers or unpredictable port numbers and could benefit from not having the addresses or port numbers translated.
Examples can include VoIP PBX servers (operating multiple extensions on the internal network), legacy FTP servers, media servers, or games consoles as long as they are intended to be Internet facing.
They are still behind your firewall so it doesn't mean they have to be left wide open.
If there is a firewall policy between this network and both the Internet and your private address space then this can also be classed as a DMZ network (not a DMZ host).
At the same time you could assign (reserve) one of these public addresses to continue to use NAT from your private address space. The 81.xxx.xxx.6 address is as good a choice as any for that.
It's a type of source NAT, as is NAT masquerade though there are slight differences:
* "Masquerade" means source IP of traffic from your private addresses (e.g. 192.168.1.x) gets translated to an IP actually assigned to an interface on the router (i.e. the WAN interface IP). When stuff on the Internet replies to the WAN address, the router checks an outgoing table and translates it back to the original private IP.
* Your source NAT will work the same except the source IP of traffic from your private addresses now gets translated to 81.xxx.xxx.6.
When stuff on the Internet replies to this address, the router checks the outgoing table and translates it back to the original private IP, otherwise if it wasn't replying to .6 but say real .y, it just delivers (routes) it back to the 81.xxx.xxx.y address on the "DMZ" network.
Other differences: there is not actually a computer set with the 81.xxx.xxx.6 address so it's only used in the NAT mapping.
Also note that nothing is replying to the WAN address of the router unless the traffic originated from the router itself (say a DNS lookup or an update check). This is correct, its main job is now to link your router to your ISP rather than to pretend to be everything inside your network.
You'd need to look at the outbound or source NAT rules on the router to see this is the case.
In summary you would have 2 networks internally behind the router, one with private NATed addresses and one with public routed addresses, and ideally these should sit on separate interfaces of the router (so at least 3 independent interfaces including WAN).
The fact that you saw 81.xxx.xxx.6 addresses with the ISP supplied router may mean it was already setup somewhat similarly.
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Edited by prlzx (Tue 25-Jan-22 01:06:07)
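Added example (not part of any post in this thread): a toy model of the arrangement described in the post above, with a routed public subnet forwarded untranslated, a private LAN source-NATed to the reserved .6 address, and an inbound firewall policy deciding what reaches the routed hosts. All addresses are constructed documentation values (203.0.113.0/29 stands in for the elided /29), and the class, its `allow_in` policy and the port numbering are assumptions for illustration, not any router's actual configuration.

```python
import ipaddress

# Constructed addresses: 203.0.113.0/29 stands in for the elided 81.xxx.xxx.xxx/29.
ROUTED = ipaddress.ip_network("203.0.113.0/29")   # public routed ("DMZ") subnet
PRIVATE = ipaddress.ip_network("192.168.1.0/24")  # RFC 1918 LAN
NAT_ADDR = "203.0.113.6"                          # the .6 reserved for source NAT
DROP = ("drop", None, None)

class Router:
    """Toy model: packets are (src, sport, dst, dport) tuples, one protocol only."""

    def __init__(self, allow_in=(), firewall=True):
        self.allow_in = set(allow_in)  # (dst ip, dst port) pairs permitted from outside
        self.firewall = firewall
        self.nat = {}                  # public port -> (private ip, port, peer ip, peer port)
        self.flows = set()             # flows opened by routed hosts
        self.next_port = 40000

    def outbound(self, src, sport, dst, dport):
        """Return (action, source ip, source port) as the Internet sees the packet."""
        addr = ipaddress.ip_address(src)
        if addr in ROUTED:             # already public: forwarded untranslated
            self.flows.add((src, sport, dst, dport))
            return ("route", src, sport)
        if addr in PRIVATE:            # translated to the reserved address
            port, self.next_port = self.next_port, self.next_port + 1
            self.nat[port] = (src, sport, dst, dport)
            return ("snat", NAT_ADDR, port)
        return DROP                    # source outside both ranges: anti-spoofing

    def inbound(self, src, sport, dst, dport):
        """Return (action, delivered-to ip, port) for a packet arriving from the ISP."""
        if dst == NAT_ADDR:            # only replies matching a mapping get back in
            m = self.nat.get(dport)
            if m and m[2:] == (src, sport):
                return ("unnat", m[0], m[1])
            return DROP
        if ipaddress.ip_address(dst) in ROUTED:
            reply = (dst, dport, src, sport) in self.flows
            if not self.firewall or reply or (dst, dport) in self.allow_in:
                return ("route", dst, dport)
        return DROP
```

Constructing the router with `firewall=False` shows the case raised earlier in the thread: every packet addressed to a routed host is forwarded, so the firewall policy is the only thing standing in front of those hosts.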
|
|
|
Sorry if that was a wall of text, much of what I wrote about the routed subnet without NAT applies likewise to IPv6.
The prevalence of NAT has become so embedded in how we think about consumer Internet access that people can find it jarring when thinking about being assigned a routed subnet of public addresses (a /64, a /56 or a /48) that are nonetheless internal and behind your firewall, and different from the single IP that only exists for the router itself to talk to the ISP, compared with "faking it" to make that single IP act such that a bunch of private IPs seem to work.
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Edited by prlzx (Tue 25-Jan-22 01:12:08)
|
|
|
Actually it isn't an either or situation.
Indeed not - I have several RFC1918 ranges in use, some of which have internet access via NAT, as well as my 81.xxx.yyy.zzz/27 which is heavily firewalled. (it's a /27 in my case as I have been an AAISP customer for many years).
* Your source NAT will work the same except the source IP of traffic from your private addresses now gets translated to 81.xxx.xxx.6.
When stuff on the Internet replies to this address, the router checks the outgoing table and translates it back to the original private IP, otherwise if it wasn't replying to .6 but say real .y, it just delivers (routes) it back to the 81.xxx.xxx.y address on the "DMZ" network.
Other differences: there is not actually a computer set with the 81.xxx.xxx.6 address so it's only used in the NAT mapping.
The fact that you saw 81.xxx.xxx.6 addresses with the ISP supplied router may mean it was already setup somewhat similarly.
The opposite - 81.xxx.xxx.6 *will* be a real computer - there is a 7th IP in play which is the one associated with the PPP endpoint - that is the one which is most logical for NATed addresses to use as the egress address.
It is because the loan router is NOT set up for NAT that our seafaring friend is seeing it "out" on the internet.
|
|
|
I have to disagree; if I received a real /29 or larger allocation, I would not want to use the router's own WAN interface in NAT mappings, but would rather use an address in the routed subnet.
That way, if the (say) .6 address becomes targeted by scans or more unwanted traffic that doesn't necessarily pose a threat to the router itself nor its PPP connection to the ISP.
Plus that leaves me options to change the nature of the ISP connection or to decide whether I want to place a second router at .6 just to handle the private NAT without needing to tell the outside world in either case.
As far as I am concerned the WAN interface IP will just be the PPP with a /32 and routing path to link with the ISP rather than acting as source of traffic from other hosts.
Oh and the Internet will only ever see routeable public IPs anyway* unless it uses Javascript or similar within a page to query the local IP.
(*) assuming the ISP employs anti-spoofing and blackholing traffic to/from RFC1918 as well as anything from the customer whose source doesn't match their public assignments (which is good practice anyway).
prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)
Edited by prlzx (Tue 25-Jan-22 14:17:11)
|
|
|
My understanding is that for VoIP it is best not to use NAT, and using the /29 for VoIP would be better, problem is all the "hows".....
AAISP insist on saying this, but I've been using their VoIP for 2 years with my Virgin Media broadband (single dynamic IP v4) with NAT without issue. I would switch to AAISP for broadband, but I would take a 60% hit in download speed, and 90% hit in upload speed. So no chance.
I have an elderly Cisco ATA plugged in to my Asus router, and my Virgin box is in modem mode. Then a basic landline handset plugged into the ATA. I migrated my old Openreach phone number to AAISP in mid 2019.
22 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
RE your Cisco ATA. I am using their ATA 191 currently for pre-porting test purposes with an AAISP VOIP number.
Is there any way that you can set up a divert/forwarding for incoming calls to another number if you are away in a similar manner to BT's dial: *21*(phone number you want to divert to)# to set up and #21# to cancel?
The ATA191 instructions suggest using #72nnnnnnnnnnn# to set up, but all I get is the beep-beep tone after I have keyed as far as #72
I guess that I could set it to ring my mobile at the same time. I will test that out to see if I get charged for that call if I don't answer it.
Cheers!
Clive
Andrews & Arnold Home::1 FTTC DrayTek Vigor 2762ac Cisco ATA191 and HUAWEI E5776 with O2 Data SIM
|
|
|
The Cisco ATA is incredibly complicated. I wouldn’t be surprised if one of the defaults is not sending the sequence to the server but interpreting it locally 🤨
22 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
I think there are two conversations here - one is why Ancient_mariner saw different IP addresses with the two routers - which I think is already answered fully.
The second is whether to use the "WAN" address or some address within the /29 as the NAT egress address for all traffic egressing from that subnet.
I suppose there's no reason not to do that but I really fail to see sufficient advantage over a properly configured firewall to be worth the head-scratching.
Just because you can NAT at that boundary does not mean that you should. Use it as a DMZ, if you wish to run 'net accessible servers and have your main network on RFC1918 addresses if you wish, that is perfectly sensible. But NAT is not a security device and should not be used as such.
Edited by mr_bean (Tue 25-Jan-22 20:43:30)
|
|
|
By the sound of it, I guess that you cannot divert incoming calls elsewhere for a period until you cancel it?
Cheers!
Clive
Andrews & Arnold Home::1 FTTC DrayTek Vigor 2762ac Cisco ATA191 and HUAWEI E5776 with O2 Data SIM
|
|
|
By the sound of it, I guess that you cannot divert incoming calls elsewhere for a period until you cancel it?
Cheers!
I think you could with a Cisco SPA 112. I think you could also do this with calls that are not answered after a length of time that you can specify.
Michael Chare
|
|
|
By the sound of it, I guess that you cannot divert incoming calls elsewhere for a period until you cancel it?
I'd do that on the AAISP voip control pages.
22 years of broadband connectivity since 1999 trial - Live BQM
|
|
|
Have now found that I can arrange my mobile (or any other phone(s)) to ring at the same time as an incoming call to my AAISP VoIP number.
I can then answer using either a home analogue phone via the ATA or answer on my mobile (I then pay the cost of the divert). If out of the house, can answer via the mobile. So best of both worlds.
Cheers!
Clive
Andrews & Arnold Home::1 FTTC DrayTek Vigor 2762ac Cisco ATA191 and HUAWEI E5776 with O2 Data SIM
|