radarman (joined 2005-06-01, Odenton, MD)
Re: Duh! (in reply to nixen)
Ok, let's start over. I took some liberties because I assumed we were talking about CONSUMER hardware - not commercial - and that we were talking about CONSUMER ISPs. Please keep that in mind.
Strictly speaking, you are correct - a pure router (like your standard Cisco) does nothing but move packets from one domain to another. You do not need a pure router if you simply lease IP addresses for each machine on your LAN - since you don't really have a LAN, just an extension of the WAN in your house. It is theoretically possible to lease a subnet from your ISP, in which case you MIGHT need a pure router, depending on the ISP's configuration, but you WOULD NOT need NAT (since you have a one to one mapping of addresses available).
As far as I know, no CONSUMER ISP does this. Even if they did, these are not safe networks for most CONSUMERS, as they expose every machine to the public Internet explicitly. Even if I only had one machine, I would still hide it behind NAT as a limited first line of defense.
Also, most consumers with multiple computers do not (or cannot) lease a subnet, and few lease enough addresses for each machine - they get one IP address, and then masquerade behind it using NAT. This comprises the vast majority of "home networks".
These networks are, by definition, "multi-segment". You have a private network in the house, typically assigned a 192.168.x.x subnet, and an access point to the public network. Again, you are technically correct - the term for the required hardware is "NAT Proxy" - a "router" is NOT required for this configuration, as private addresses aren't routable anyway. However, it is still multi-segment in that you can't directly communicate from your LAN to the WAN without some added trickery.
To make things more interesting, most people incorrectly denote ALL "Internet Gateways" as "routers", even though not all Internet Gateways can route (most can, but few actually use the ability). The vast majority of boxes, such as the Linksys and Netgear boxes, are NAT-capable routers - but the vast majority of customers assign the LAN a non-routable address space - making them overgrown NAT proxies. Typically, these consumer "routers" will also support DHCP, limited local DNS (on some models), and a few other services. Many times, they will interfere with other internal machines offering the same services.
There are several things I do not like about my ISP having control of this machine.
One - they could enforce a NAT-free network by simply turning off the ability remotely. I'm sure they would love the increased revenue of charging a fee for every box on their network - much the way they used to charge for every TV in your house. The problem isn't so much the fee, though, but the fact that now your network is exposed on the public Internet. At least with NAT, you have to do something stupid to get rooted.
Two - they could permanently enable or disable services which might be disruptive to my LAN. If I am depending on certain network services to be present - I want those services explicitly under MY control. I do not want my ISP futzing with them, or worse, locking me out.
Lastly, if the machine fails, all of the services it provided would be gone with it - for the duration of the time it takes the ISP to service or replace it. At least in my neck of the woods, that involves a trip to the Comcast service center during business hours, or an irritating, time-wasting service call.
Now, most of these concerns are related to ISP-leased equipment - but there is still the fact that these machines are not user-serviceable. I cannot simply pull the flash memory out and drop it in another machine quickly. Even if I owned the box outright, its failure would still entail the time it takes to ship a new one - and I would still have to recreate all of my configuration data, unless, by some miracle, I had either backed it up (which is difficult on most consumer "routers") or the machine was busted in some way that still allowed access to the administrative console.
I dunno - at least for me, my LAN is equally as important as the WAN connection. I don't ever save to my local hard drive, instead using a network server; printing is done over the network, etc. I don't want all of that going down because of one box.
My current setup is a Motorola SB5100 cable modem, attached to a Pentium III based PC running FreeBSD & ipfilter/ipnat. While this machine is a single point of failure (it runs the NAT proxy/router, firewall, DHCP, internal DNS, NTP, HTTP proxy, etc) - the machine is entirely under my control. If it fails, I can drop the hard disk in another machine and be up and running in under 20 minutes. If the hard disk fails, I can recover from a backup file on another machine or from a CD-ROM.
THAT is why I would avoid these boxes like the plague.
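As an added illustration, not taken from radarman's post or his actual machine, here is what a minimal ipnat/ipfilter configuration for the FreeBSD gateway he describes could look like. The interface names (em0 on the cable modem, em1 on the LAN), the 192.168.1.0/24 subnet, and the service ports are assumptions chosen for the example. It shows the two properties discussed above: the single public address is shared by the whole LAN via portmap, and nothing unsolicited is admitted from the WAN, because inbound packets on em0 are only passed when they match a state entry created by outbound traffic.

```conf
# /etc/ipnat.conf  (assumed interface: em0 = WAN, 0/32 = "use em0's own address")
# Rewrite LAN sources to the public address; portmap lets many LAN hosts
# share one address by picking a free source port per connection.
map em0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
# Everything else (ICMP etc.) is mapped 1:1 onto the same address.
map em0 192.168.1.0/24 -> 0/32

# /etc/ipf.conf  (assumed interfaces: em0 = WAN, em1 = LAN)
# Default deny in both directions; "log" on the inbound rule so blocked
# probes from the WAN show up in ipmon output for review.
block in log all
block out all

# Loopback is always fine.
pass in  quick on lo0 all
pass out quick on lo0 all

# LAN side: clients may reach the gateway's own services (DHCP, DNS, NTP,
# HTTP proxy on an assumed port 3128) and anything beyond it.
pass in  quick on em1 proto udp from any to any port = 67
pass in  quick on em1 proto udp from 192.168.1.0/24 to any port = 53
pass in  quick on em1 proto tcp from 192.168.1.0/24 to any port = 53 flags S keep state
pass in  quick on em1 proto udp from 192.168.1.0/24 to any port = 123
pass in  quick on em1 proto tcp from 192.168.1.0/24 to any port = 3128 flags S keep state
pass in  quick on em1 from 192.168.1.0/24 to any
pass out quick on em1 all

# WAN side: only outbound sessions create state; replies to them are the
# only inbound packets that ever pass on em0. There is deliberately no
# "pass in quick on em0 ..." rule for unsolicited traffic.
pass out quick on em0 proto tcp  from any to any flags S keep state
pass out quick on em0 proto udp  from any to any keep state
pass out quick on em0 proto icmp from any to any keep state
```

Load with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf` (both are standard ipfilter commands), then check the mapping table with `ipnat -l` and the state table with `ipfstat -s`. The "weak" variant of this setup, and the one the post warns an ISP-controlled box could impose, is the same configuration with the NAT map rules removed and public addresses on the LAN: every host then answers directly to whatever reaches em0, and the protection rests entirely on the filter rules rather than on the absence of a route.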