Can a gateway (network device) handle different protocols? I know that it is used to connect dissimilar networks. What type of dissimilarity does it include?
The term Gateway is a very broad term. In Networking a Gateway is typically a device that sits between two network domains or at the entrance to a domain and may handle protocol translations, perform address translations, filter traffic, terminate sessions and much more.
An IP Router, for example, is in some cases called a Gateway as it connects the local subnet to the rest of the network - hence the term 'default gateway' you can see in every PC's IP settings.
To answer your first Q - a gateway in many cases would handle different protocols.
Well-known services usually use a pre-defined port number on the server-side.
However, I realized that that is not always the case. Some services and games for example seem to pick a random port from a pre-defined range.
When you connect to a pre-defined port number, you send a request first, so the client's port can be determined. But if the service's port is not predetermined, how does the client know to which port to send the request? Also, what is the reason for always using a different port, and how does this happen?
how does the client know to which port to send the request?
This depends on the specific protocol. For example with protocols like SIP, H.323 or FTP there are predefined port numbers for the signaling channel. The actual data transfer though is done by new connections on dynamic ports. These ports are advertised within the signaling channel.
In other cases there is no such signaling channel on a predefined port number. This is typically the case for servers which have no IANA assigned port number. It also happens when multiple instances (with different configurations) of the server should run on the same system and these simply cannot use the same port number. In this case the relevant IP and port might be advertised for example through DNS SRV records. And of course there might be other ways, like publishing the information on some web site or similar.
Also, what is the reason for always using a different port ...
Again it depends on the specific protocol. With SIP, H.323 or FTP for example the data connection is specific to the client and it will simply use a port which is free on the system for this. And there can be multiple connections at the same time from the same or from different clients which all use different ports. Any restrictions regarding the range of the port are usually only done to work better with firewalls, so that these don't need to open a huge port range but can allow a smaller port range and thus lower the attack surface.
... and how does this happen?
Just let the system pick a random port by not giving a specific value. Or if a port should be used from a range then it will simply figure out which port is available by trying to bind to the port and continue with the next if the binding failed.
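As an added illustration of the three mechanisms described in this answer (it is example code, not part of the original answer): binding to port 0 lets the OS pick an ephemeral port, walking a fixed range finds the first free port in a firewall-friendly window, and a control channel advertises the data port so the client can follow it. Everything runs on loopback; the control port is also OS-chosen here (a real FTP or SIP server would sit on its well-known port) so it runs without privileges. The "DATA <port>" line is a made-up advertisement format, not any real protocol's.

```python
import socket
import threading

HOST = "127.0.0.1"  # everything stays on loopback so the example runs offline


def bind_ephemeral(host=HOST):
    """Port 0 asks the OS for any free ephemeral port (the "just let the system pick" case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


def bind_in_range(lo, hi, host=HOST):
    """Walk a fixed range and keep the first port that binds (the firewall-friendly case)."""
    for port in range(lo, hi + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(1)
            return s, port
        except OSError:  # port in use: close it and try the next one
            s.close()
    raise RuntimeError("no free port in %d-%d" % (lo, hi))


def recv_line(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(64)
        if not chunk:
            break
        buf += chunk
    return buf


def run_exchange(data_lo=None, data_hi=None, host=HOST):
    """Server advertises its data port over the control channel; the client follows it."""
    ctrl, ctrl_port = bind_ephemeral(host)
    if data_lo is None:
        data, data_port = bind_ephemeral(host)
    else:
        data, data_port = bind_in_range(data_lo, data_hi, host)
    received = {}

    def server():
        c, _ = ctrl.accept()
        c.sendall(b"DATA %d\n" % data_port)  # hypothetical advertisement line
        c.close()
        d, _ = data.accept()
        received["payload"] = d.recv(1024)
        d.close()

    t = threading.Thread(target=server)
    t.start()

    # client side: learn the port from the control channel, then connect to it
    c = socket.create_connection((host, ctrl_port))
    advertised = int(recv_line(c).split()[1])
    c.close()
    d = socket.create_connection((host, advertised))
    d.sendall(b"hello over the advertised port")
    d.close()

    t.join()
    ctrl.close()
    data.close()
    return {"ctrl": ctrl_port, "data": data_port, "advertised": advertised,
            "payload": received["payload"]}


if __name__ == "__main__":
    print(run_exchange())               # OS-chosen data port
    print(run_exchange(40000, 40050))   # data port confined to a small range
```

The range variant is the one that matters for firewall policy: the data listener is guaranteed to land inside 40000-40050, so the firewall can allow just that window instead of the whole ephemeral range.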
if the service's port is not predetermined, how does the client know to which port to send the request?
The port has to be known ahead of time, entered by the user, or advertised somewhere the client can find it.
what is the reason for always using a different port
Many reasons: security, network/firewall restrictions, etc.
I am facing a problem with IBM Datapower XG45.7.0.0.0.
When I am connecting to an external service using DP, the source IP of DP is being picked randomly among the 3 available eth interfaces. I know this has performance and stability benefits. However, this is causing a great deal of pain in the firewall config. As a tactical solution, is there a way to ensure that the traffic is sent from any one fixed eth interface?
Sure, normally you should make sure only one NIC has a default gateway (and that would in most cases be the NIC facing the Internet).
The two other NICs should only have static routes set for the various subnets they should serve.
If you don't have a need for different IP addresses for outbound (egress) traffic you might want to use only one NIC and set two additional secondary IP addresses instead.
That way you have three working IP addresses for ingress (inbound) traffic but only one IP will be used for egress.
I'm exploring alternate multiplicities between IP subnets and VLANs, outside the recommended 1-to-1 implementation. My understanding is as follows:
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), but would ignore traffic lacking an IP that targets them.
Question: Would I be able to communicate across subnets without a layer 3 device if I could manually insert a destination MAC address in the frame header? My understanding is that the layer 2 switch is oblivious to the differing subnets, and assuming it knows the location of the destination MAC address, would forward the packet in its direction. The destination PC, seeing its IP and MAC addresses, would accept the packet, effectively letting it cross subnets without ever being routed.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same subnet (but unknowingly in another VLAN) would send out an ARP request that would never be responded to.
This would effectively create separate, identical address pools for each of the VLANs, though I'm not sure how a router would differentiate between the two when interVLAN communication is attempted. I'm a little bit unsure about the pros/cons of this configuration..
Why would we ever want to do this?
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), but would ignore traffic lacking an IP that targets them.
This actually has its use case in modern DCs. Not in the way you suggest (without a L3 device), but with a VEPA switch.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same subnet (but unknowingly in another VLAN) would send out an ARP request that would never be responded to. This would effectively create separate, identical address pools for each of the VLANs, though I'm not sure how a router would differentiate between the two when interVLAN communication is attempted. I'm a little bit unsure about the pros/cons of this configuration..
A single subnet across multiple VLANs, also called Transparent Subnet Gatewaying (RFC 1027), is a somewhat archaic approach. It uses Proxy ARP, but Proxy ARP has its own set of problems.
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), but would ignore traffic lacking an IP that targets them.
Question: Would I be able to communicate across subnets without a layer 3 device if I could manually insert a destination MAC address in the frame header?
You will need to replace the MAC address, and need to recalculate FCS over the whole frame, else the switch will reject it as a damaged frame. This must happen after your ethernet driver does this.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same subnet (but unknowingly in another VLAN) would send out an ARP request that would never be responded to. This would effectively create separate, identical address pools for each of the VLANs, though I'm not sure how a router would differentiate between the two when interVLAN communication is attempted. I'm a little bit unsure about the pros/cons of this configuration..
Why would we ever want to do this?
Hosts in the same subnet would not be able to communicate with each other. Most routers will not let you assign the same network to multiple interfaces, unless they are bridged interfaces, in which case, you haven't accomplished anything except sending the traffic the long way around.
Some switches have something similar to this, called Private VLANs, where hosts can only communicate with a gateway. This is a security feature used in some situations.
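To make the "replace the MAC and recalculate the FCS" point in the answer above concrete, here is an added example (not code from either answer) that builds the frame the question describes byte by byte: host A at 192.168.1.10 addresses host B at 192.168.2.20 directly at layer 2, on the same VLAN, with no router involved. The MAC and IP addresses are made up. It only constructs bytes; it does not send anything, since injecting below the driver needs a raw socket and root, and on most NICs the hardware appends the FCS itself, which is why the answer says the rewrite has to happen after the driver. Patching only the six destination bytes leaves a stale FCS; recomputing it yields a frame a switch would forward.

```python
import socket
import struct
import zlib


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_checksum(header):
    """RFC 791 ones'-complement sum; returns 0 when run over a header whose checksum is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src_ip, dst_ip, payload_len, proto=17):
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum=0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def fcs(body):
    """Ethernet FCS: CRC-32 (same polynomial zlib uses), transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload):
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"  # EtherType IPv4
    body = eth + build_ipv4_header(src_ip, dst_ip, len(payload)) + payload
    body = body.ljust(60, b"\x00")  # pad to the 64-byte minimum frame (60 + 4-byte FCS)
    return body + fcs(body)


def fcs_ok(frame):
    return fcs(frame[:-4]) == frame[-4:]


def patch_dst_mac_only(frame, new_dst_mac):
    """Overwrite the destination MAC but keep the old FCS: a switch would drop this as damaged."""
    return mac_bytes(new_dst_mac) + frame[6:]


def patch_dst_mac_and_fcs(frame, new_dst_mac):
    body = mac_bytes(new_dst_mac) + frame[6:-4]
    return body + fcs(body)


def summarize(frame):
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])
    return {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
            "fcs_ok": fcs_ok(frame), "ip_checksum_ok": ip_checksum(frame[14:34]) == 0}


def cross_subnet_frame():
    """A (192.168.1.10, MAC ..:01) reaches B (192.168.2.20, MAC ..:02) without a router."""
    # What A's own stack would emit: destination MAC of its gateway (..:fe), made-up address
    via_gateway = build_frame("aa:bb:cc:00:00:fe", "aa:bb:cc:00:00:01",
                              "192.168.1.10", "192.168.2.20", b"ping?")
    # Swapping in B's MAC after the FCS was computed leaves a stale FCS ...
    broken = patch_dst_mac_only(via_gateway, "aa:bb:cc:00:00:02")
    # ... so the FCS must be recomputed over the whole rewritten frame.
    fixed = patch_dst_mac_and_fcs(via_gateway, "aa:bb:cc:00:00:02")
    return via_gateway, broken, fixed


if __name__ == "__main__":
    for f in cross_subnet_frame():
        print(summarize(f))
```

The IP header (and its checksum) is untouched in all three frames, which is the point of the question: only the layer 2 destination changes, so B's stack, seeing its own IP and MAC, accepts the packet. That is also the practical caveat about this topology: putting two subnets on one VLAN gives you address separation, not isolation, because any host that can write its own frames can reach the other subnet this way.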
I have an application that relies on IP addresses for communication (domain names simply do not work. :(... )
Its function is to connect to its peer on the other machine and send data over after establishing trust. During the "trust establishing" phase they both exchange their IPs for future communication. They are both behind two different firewalls and are NATted. One is in our NATted office network and the other is in the cloud, NATted behind their firewall. The applications know their respective private IPs and exchange those (the 10.x.xxx.xxx range); when they try to connect back to each other (using the private IPs in the 10.x.xxx.xxx range) for transferring data they fail. The connection is TCP and the port range is pretty varied.
I am curious if there is any way I can hard-code (for this one time) a rule (maybe at the firewall level or some place outside my application) that says if there is a connection being initiated for IP address 10.x.xxx.xxx then redirect it to 205.x.xxx.xxx?
Private IP address ranges like 10.x.y.z are, by their very nature, private.
You can't do any meaningful resolution unless each node in between the endpoints has rules in place to translate these.
Translation is tricky, all the main tools you would use cater for static translation (port forwarding, e.g. where a particular port is forwarded to a particular IP). This is one avenue, but it is a hacky one (it requires you to open lots of ports, procedurally update your router and probably have some sort of broker server to maintain mappings).
Alternatively, you could run the isolated networks over a VPN, which would give your endpoints mutual private IPs which you can use to connect to each other. It would simply be a case of binding to this new address and communicating across the VPN. This would also potentially encrypt your communication over the internet.
Other possibilities are to use NAT/TCP punchthrough techniques which can allow traversal, but these are really a patch to a broken network topology (Read up on IPv6 to see how this can be alleviated).
Alternatively, you could route all the connections over a proxy, but this will complicate matters compared to a VPN.
To answer the question about hardcoding a rule, port forwarding is the solution here. It will obviously depend on your router configuration for the peer accepting the connection, but this client should have the target port forwarded to the machine. This will obviously not scale very well and is really shifting to a server/client architecture for one connection!
Depending on your hardware, you may be able to forward a range of ports (if a single port cannot be established) and limit the port forwarding to certain incoming connections (the external IPs).
Information on port forwarding can be found at http://portforward.com/
This sounds a lot like what you'd want out of a VPN. Is there any way that you could set one up? Basically the site-to-site VPN between you and the cloud would say 'oh hey, here is an IP located on the remote network, go ahead and connect through the link'. Would this kind of solution work in your case?
Something along these lines: http://i.msdn.microsoft.com/dynimg/IC589512.jpg
I know this is not programming directly, but it's regarding a development workstation I'm setting up.
I've got a Windows Server 2003 machine that needs to be on two LAN segments at the same time. One of them is a 10.17.x.x LAN and the other is 10.16.x.x
The problem is that I don't want to be using up the bandwidth on the 10.16.x.x network for internet traffic, etc. (this network is basically only for internal stuff, though it does have internet access), so I would like the system to use the 10.17.x.x connection for anything that is external to the LAN (and for anything on 10.17.x.x, of course), and to use the 10.16.x.x connection only for things that are on that specific LAN.
I've tried looking into the Windows "route" command but it's fairly confusing and won't seem to let me delete routes that I believe are interfering with what I want it to do. Is there a better way of doing this? Any good software for segmenting your LAN access?
I'm no network expert but I have fiddled with the route command a number of times...
route add 0.0.0.0 MASK 0.0.0.0 <address of gateway on 10.17.x.x net>
Will route all default traffic through the 10.17.x.x gateway, if you find that it still routes through the other interface, you should make sure that the new rule has a lower metric than the existing routes. Do this by adding METRIC 1 for example to the end of the line above.
You could also adjust the metric in the Advanced TCP/IP Settings window of the 10.17.x.x interface, unticking the Automatic Metric checkbox and setting the value to something low, like 1 or 2.
If you don't move your network cables around and can assign yourself a static IP address on the 10.16.x.x network, you can refrain from assigning a gateway address on that network. If there is no gateway, internet packets will not be routed on that interface.
If you use DHCP, create a static reservation that recognizes your MAC address and does not provide a gateway IP address.
As for using advanced windows routing, the route you are looking for is the 0.0.0.0 route (default route). The important number is the metric value, which is the cost for the route, where the lower metric tends to be used first. You can set the metric at the interface level directly in the GUI.
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/i/tr/cms/contentPics/tcpip-F.gif
I believe if you set the interface metric to a high value on the 10.16.x.x interface, it will not be used as a gateway.
Personally I use the method where I refrain from defining a gateway IP.
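Both answers to this question, and the DataPower answer further up (one NIC with the default gateway, static routes only on the others), rely on the same two rules: the longest matching prefix wins, and among equal-length matches the lowest metric wins. The following is an added example (not code from any of the answers) that models a two-NIC workstation's route table and shows which interface each destination leaves on under the three fixes proposed: a lower metric on the 10.17.x.x default route, no gateway on the 10.16.x.x interface at all, and the broken state where the 10.16.x.x default route has the better metric. Interface names, gateway addresses and metrics are made up; Windows' automatic interface metric and tie-breaking are more involved than this model, which keeps table order on a tie.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None means on-link (directly connected)
    iface: str
    metric: int


def route(prefix, gateway, iface, metric):
    return Route(ipaddress.ip_network(prefix), gateway, iface, metric)


def workstation_table(metric_17=1, metric_16=20, drop_16_default=False):
    """Made-up table: 10.17.0.0/16 on eth_10_17 (gw 10.17.0.1), 10.16.0.0/16 on eth_10_16 (gw 10.16.0.1)."""
    table = [
        route("10.17.0.0/16", None, "eth_10_17", metric_17),
        route("10.16.0.0/16", None, "eth_10_16", metric_16),
        route("0.0.0.0/0", "10.17.0.1", "eth_10_17", metric_17),
    ]
    if not drop_16_default:
        # the second default route that DHCP hands out on the 10.16.x.x NIC
        table.append(route("0.0.0.0/0", "10.16.0.1", "eth_10_16", metric_16))
    return table


def select_route(table, dst):
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.network]
    if not matches:
        return None
    # longest prefix first, then lowest metric; min() keeps table order on a tie
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def egress_interface(table, dst):
    r = select_route(table, dst)
    return r.iface if r else None


def default_gateway_interfaces(table):
    """Which NICs carry a 0.0.0.0/0 route: the DataPower answer wants exactly one."""
    return [r.iface for r in table if r.network.prefixlen == 0 and r.gateway]


if __name__ == "__main__":
    for label, table in [("metric fix", workstation_table()),
                         ("no gateway on 10.16", workstation_table(drop_16_default=True)),
                         ("broken: 10.16 default wins", workstation_table(metric_17=30, metric_16=1))]:
        print(label, default_gateway_interfaces(table))
        for dst in ("8.8.8.8", "10.16.5.5", "10.17.1.2"):
            print("  ", dst, "->", egress_interface(table, dst))
```

Note that the metric only decides between the two default routes; traffic to 10.16.5.5 leaves on eth_10_16 in every variant because the /16 on-link route is more specific than 0.0.0.0/0, which is exactly the split the question asks for.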