
We have a client who has a 192.170.130/24 subnet on their LAN, which is being NATed to the WAN IP address from their ISP. Is this a good idea, or should they be using RFC1918 addresses on their LAN?

Thanks

user242114

3 Answers

8

It’s a bad practice. They should use a private class.

The reason is that it will cause problems if your customer has a server that answers WAN requests, as the server will not route to the internet requests that it thinks belong to its local LAN.

In your case your customer has blocked himself from possible clients from Texas with that IP range.


yagmoth555
  • We inherited the network that way, so the question is whether it's better to change the subnet or leave it as is. – user242114 Feb 15 '20 at 18:12
  • @user242114 If the customer doesn't do business in Texas, then it’s maybe not worth the change. For example, I had a customer on 198.162.x.x, a typo by the tech who set up the network, but as it was a local business and the remote range was in China, the customer stayed that way since he was in North America. – yagmoth555 Feb 15 '20 at 22:25
1

It's unorthodox and uncommon, but it's not wrong. I've worked with several customers who were in this scenario.

Is it a good idea? That's a subjective question. Everyone will have their own opinion on whether or not it's a "good" idea. It's generally considered to not be a good idea.

Is there any technical reason to change? Maybe... but probably not. What would you want to accomplish? What would be the end goal? Increased security? RFC 1918 isn't about security.

Before RFC 1918 (yes, there was a time before RFC 1918) everyone used "public" IP addresses internally. See section 2 at the link below for the motivation and reasoning behind RFC 1918:

https://www.rfc-editor.org/rfc/rfc1918.

joeqwerty
  • Right. The reason I'm asking all this is because the SEP firewall was blocking the internal hosts, thinking they were external. I essentially understand that there is no point in doing this. Especially since the addresses aren't really globally accessible like in the cases you're talking about, but are being NATed, I was trying to convince my IT director to change the subnet to an RFC1918-compliant one. But the client had a bunch of printers and apps where the server's IP was hardcoded in config files. – user242114 Feb 15 '20 at 18:49
  • Best practice is to change to 192.168. – djdomi Feb 15 '20 at 18:51
  • @djdomi best practice is to change to 192.168? Can you cite your source for this best practice from an authoritative source? – joeqwerty Feb 15 '20 at 19:16
  • You have 2 options here: either you own a subnet with valid IPs or you must use private IPs. – djdomi Feb 16 '20 at 12:21
0

First off, I work in a place that uses a large public IP range in their private network. However, they own the range. The only issue you will see, aside from the firewall issue, is that if they ever try to connect to an external DNS name within the range they are using for their private network, they will have an issue. You can do a reverse IP lookup with nslookup on a public DNS server to determine if anything is mapped to any IPs, then determine your impact. You might want to script the lookup because there are a lot. I have seen people, like a large university, try to do this before, and their private IP range overlapped with actual sites people were trying to connect to. To make it worse, the range covered their AD infrastructure.

  • I understand that per se, having public addresses on your LAN is completely kosher. The issue is that we don’t own that IP block. Some IT accidentally assigned it without even realizing that it belonged to some company in Texas. – user242114 Feb 17 '20 at 00:57
  • @user242114 - You might have mentioned in your question that the IP block in use has been allocated to a different organization. That information would have changed my answer. – joeqwerty Feb 19 '20 at 12:31
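A scripted version of the impact check the last answer describes (walk the range, reverse-look-up each address, and report anything that has a public PTR record), together with an explicit RFC 1918 test. This is an added example, not code from any of the answerers; the 203.0.113.0/24 subnet and its PTR data are constructed so it runs offline, and the stub resolver can be dropped to query real DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# RFC 1918 blocks, checked explicitly: ipaddress's is_private is broader
# (it also matches loopback, link-local and the documentation ranges).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr: str) -> bool:
    """True if the whole subnet sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def ptr_lookup(ip: str) -> Optional[str]:
    """Reverse-resolve one address with the system resolver; None if no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def ptr_collisions(cidr: str, resolve: Callable[[str], Optional[str]] = ptr_lookup) -> Dict[str, str]:
    """Map each address in the subnet that has a PTR record to its name.
    Every hit is a real host the LAN cannot reach while the range is used
    internally, because the local route shadows the public one."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits: Dict[str, str] = {}
    for ip in net.hosts():
        name = resolve(str(ip))
        if name:
            hits[str(ip)] = name
    return hits

def audit_lan_subnet(cidr, resolve=ptr_lookup):
    """Summarise both checks for one LAN subnet."""
    return {"subnet": cidr, "rfc1918": is_rfc1918(cidr),
            "collisions": ptr_collisions(cidr, resolve)}

# Constructed sample data: pretend these PTR records exist in public DNS.
SAMPLE_PTR = {"203.0.113.10": "mail.example.net", "203.0.113.80": "www.example.net"}

def sample_resolve(ip: str) -> Optional[str]:
    """Stub resolver over the constructed data, so the demo runs offline."""
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    report = audit_lan_subnet("203.0.113.0/24", sample_resolve)
    print("RFC 1918:", report["rfc1918"])
    for ip, name in report["collisions"].items():
        print(f"{ip} is {name} on the public internet")
```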