8 Replies Latest reply on Sep 28, 2016 2:45 PM by Jon Scholten

    Wildcard Subnet Mask Support in MWG???

    matthew.stokes

      Are there any plans to support wildcard subnet masks within IP lists in MWG? This would help me immensely as we have about 40 IP lists with over 1000 entries per list. We could cut this down to 40 different IP/wildcard entries instead if we had support for it.

       

e.g. subnet: 10.0.0.25, mask: 0.63.248.0

        • 1. Re: Wildcard Subnet Mask Support in MWG???
          Jon Scholten

          Hey Matt!

           

This is the first time I've seen that specific request. I would assume from the wildcard mask you gave that this is not a normal netmask that is covered by CIDR or range notation.

           

          So you want to be able to check if an IP falls within a certain wildcard subnet mask?

           

          So 10.0.0.25/0.63.248.0 would include...

          • 10.0.0.25 (itself)
          • 10.0.1.25
          • 10.0.2.25
          • ...
          • 10.63.248.25

           

If the above is correct, we could use a criterion of *.IP matches some sort of regex, but I'm guessing you started exploring that and the regex got really complicated.

           

          In the past I remember a customer using Math in the events to calculate the modulo for each of the octets in the IP. I feel like they needed to do that for similar reasons... (this was like 4 years ago -- so I'm struggling to remember it clearly). Based on the result they were able to compute a result which told us what wildcard subnet the IP came from.

           

          Best Regards,

          Jon

          • 2. Re: Wildcard Subnet Mask Support in MWG???
            matthew.stokes

            Hi Jon!

             

            It's sort of like that but a little more complex. It allows for some pretty specific matching on the various octets. Here is an example of how that example breaks out:

             

            www.Boson.com Wildcard mask checker

             

            IP Address:    10.0.0.25

            Wildcard mask: 0.63.248.0

             

First Octet Match(es): 10

Second Octet Match(es): 0-63

Third Octet Match(es): 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248

Fourth Octet Match(es): 25

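An added example, not part of the original thread and not MWG rule syntax: a small Python implementation of the wildcard-mask semantics the checker output above illustrates (a 0 bit in the mask must equal the base address, a 1 bit is don't-care). It includes a function that enumerates the per-octet match sets so the table can be reproduced, and a count of how many addresses one entry covers. The address and mask are the ones from the post; the function names are my own.

```python
from typing import List


def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard test: the IP matches when every bit where it
    differs from the base (ip XOR base) lies under a 1 bit of the wildcard."""
    differing = ip_to_int(ip) ^ ip_to_int(base)
    must_match = ~ip_to_int(wildcard) & 0xFFFFFFFF   # the 0 bits of the wildcard
    return (differing & must_match) == 0


def octet_matches(base: str, wildcard: str) -> List[List[int]]:
    """Per-octet list of admitted values; this is what the checker output
    in the post enumerates (10 / 0-63 / multiples of 8 / 25)."""
    result = []
    for b, w in zip(base.split("."), wildcard.split(".")):
        b, w = int(b), int(w)
        fixed = ~w & 0xFF                        # bits that must equal the base octet
        result.append([v for v in range(256) if ((v ^ b) & fixed) == 0])
    return result


def host_count(wildcard: str) -> int:
    """Addresses covered by one entry: 2 ** (number of 1 bits in the mask)."""
    return 1 << bin(ip_to_int(wildcard)).count("1")


if __name__ == "__main__":
    base, mask = "10.0.0.25", "0.63.248.0"        # values from the post
    for label, values in zip(("First", "Second", "Third", "Fourth"),
                             octet_matches(base, mask)):
        print(f"{label} octet: {values[0]}-{values[-1]} ({len(values)} values)")
    print("10.17.64.25 ->", wildcard_match("10.17.64.25", base, mask))  # True
    print("10.0.4.25   ->", wildcard_match("10.0.4.25", base, mask))    # False: 4 % 8 != 0
    print("entry covers", host_count(mask), "addresses")                  # 2048
```

Why the table looks the way it does: 248 is 0b11111000, so only the low three bits of the third octet are fixed (to 0), which is exactly "multiples of 8"; 63 is 0b00111111, so the top two bits of the second octet are fixed (to 0), giving 0-63. The mask is non-contiguous, so no single CIDR prefix or address range can express it, which is why a CIDR/range IP list cannot hold it as one entry.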
            • 3. Re: Wildcard Subnet Mask Support in MWG???
              Jon Scholten

              Hi Matt,

               

For those who might read this later (and I'm also curious), where does this need come from? Is this how the network team has things laid out (I'm guessing so)?

               

              I found the case I had with another customer. In each retail location machines were assigned a special IP based on the machine type (point of sale, kiosk, employee, or other). We could look at that IP and determine if it was assigned based on a certain modulo for the octets. In this case, we created one rule which looked at the 3rd octet and depending on the modulo output it was one of the four machine types. In our case, we took the 3rd octet and used the modulo against 4. So 68 modulo 4 would give us 0. 69 modulo 4 would give us 1.

               

              Here is what the rule looks like:

               

I feel like I could be very wrong about this helping, or it could be another way to approach the problem. I also attached the ruleset which includes this rule. In the above example, to change which octet is evaluated we need to change the list pointer (the client IP is broken into a string list, then we pick what item in the list to look at), so the 3rd octet is the entry at position 2 (counting 0, 1, 2).

               

              To verbalize the event in the rule (start from the inner most component and work your way out):

              1. Convert IP to a string

              2. Convert IP string to a list of strings (using period as a separator)

              3. Pick an element in the IP string list (192,168,1,1 -- each number is an element in the list, in this case we picked the 3rd element/octet which is 2)

              4. Convert that string to a number

              5. Modulo that number against another number, in this case 4

              6. Profit! Or.. store the value for later use.

               

              This does seem to help with your 3rd octet (you'd be evaluating 3rd octet modulo 8, looking for 0), but I'm not sure how to tackle the second octet.

               

              Had to brush up on my math skillz for this one...

               

              Best Regards,

              Jon

               

              edit: clarification, spelling
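Jon's six-step event written out as an added Python example (plain Python, not MWG property syntax, and not the ruleset he attached, which is not reproduced on this page): take the client IP as a string, split it on ".", pick one element, convert it to a number and take the modulo. The remainder-to-machine-type mapping is an assumption for illustration; the post only says the 3rd octet modulo 4 separates four types. The last two functions go one step beyond the post: for a single wildcard octet they say whether the equivalent plain comparison is an equality, a range, a modulo, or needs a real bit test, which is why the 2nd octet (63) becomes a range and the 3rd (248) a modulo.

```python
from typing import Tuple


def octet_modulo(client_ip: str, index: int, modulus: int) -> int:
    """Jon's event, innermost step first."""
    ip_string = str(client_ip)                 # 1. IP -> string
    octets = ip_string.split(".")              # 2. string -> list, '.' as separator
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {client_ip!r}")
    picked = octets[index]                     # 3. pick an element; 3rd octet is index 2
    number = int(picked)                       # 4. string -> number
    if not 0 <= number <= 255:
        raise ValueError(f"octet out of range: {picked}")
    return number % modulus                    # 5. modulo; 6. the caller stores it


# Assumed mapping for the retail example: 3rd octet mod 4 -> machine type.
MACHINE_TYPES = {0: "point of sale", 1: "kiosk", 2: "employee", 3: "other"}


def classify_machine(client_ip: str) -> str:
    return MACHINE_TYPES[octet_modulo(client_ip, 2, 4)]


def describe_octet_wildcard(w: int) -> Tuple[str, int]:
    """Which plain comparison reproduces one wildcard octet w (0-255):
    'equals'  - w == 0: the octet must equal the base octet.
    'range'   - don't-care bits are the low bits (e.g. 63 = 0b00111111):
                a block of w+1 values starting at base & ~w.
    'modulo'  - don't-care bits are the high bits (e.g. 248 = 0b11111000):
                value % (256-w) == base % (256-w).
    'bitmask' - anything else: no single range or modulo expresses it."""
    if not 0 <= w <= 255:
        raise ValueError("wildcard octet must be 0-255")
    if w == 0:
        return ("equals", 1)
    if (w & (w + 1)) == 0:                  # w is 2**k - 1: low k bits free
        return ("range", w + 1)
    if ((255 - w) & (256 - w)) == 0:        # 255 - w is 2**k - 1: high bits free
        return ("modulo", 256 - w)
    return ("bitmask", w)


def octet_rule_matches(value: int, base: int, w: int) -> bool:
    """Apply the comparison describe_octet_wildcard picks; 'bitmask' falls
    back to the bit test, which is the definition the other cases reduce to."""
    kind, n = describe_octet_wildcard(w)
    if kind == "equals":
        return value == base
    if kind == "range":
        return (base & ~w & 0xFF) <= value <= (base | w)
    if kind == "modulo":
        return value % n == base % n
    return ((value ^ base) & ~w & 0xFF) == 0
```

The modulo trick works for the third octet only because 248 leaves the high bits free; a wildcard octet such as 170 (0b10101010) has no range or modulo equivalent and would need a bit test, which the string-and-number properties in the rule cannot express directly.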

              • 4. Re: Wildcard Subnet Mask Support in MWG???
                Jon Scholten

Here is what I came up with for that specific example you gave; this would cover it (I'm pretty sure).

                 

                Is that the only one you have or do you have 40 wildcard subnet masks?

                 

                Best Regards,

                Jon

                 

Edit: needed to change ORs to ANDs

                • 5. Re: Wildcard Subnet Mask Support in MWG???
                  matthew.stokes

                  Jon,

                   

You're exactly correct on where this need comes from. We have a little over 1200 retail stores and each store is given a /21 network. That /21 network is chopped up a certain way into multiple smaller subnets. Within each subnet specific machine types (POS, kiosks, customer service PCs, etc.) have specific last octets. So we can tell what type of system it is by the IP address consistently across stores. The problem is that we may have a subnet with 10 PCs in it but only 2 (not contiguous IPs) need access to the Internet. So we end up having to make an IP list with over 2400 /32 entries to cover just these 2 machines in each store. We would be able to do it with 2 entries if we had the wildcard subnet flexibility.

                   

                  I'm still trying to decode your solution but it will likely work too. I really appreciate you devoting that much time and effort to it!

                   

                  Thanks!

                  MattS...

                  • 6. Re: Wildcard Subnet Mask Support in MWG???
                    matthew.stokes

                    Jon,

                     

Would it be possible to do a range on that last octet check? In other words, in this example, could we look for 25-30 as the last octet instead of just 25?

                     

                    Thanks!

                    MattS...

                    • 7. Re: Wildcard Subnet Mask Support in MWG???
                      matthew.stokes

                      Jon,

                       

                      How would you do the modulo math on this one?

                       

IP Address: 10.0.2.65

Wildcard mask: 0.63.248.0

 

First Octet Match(es): 10

Second Octet Match(es): 0-63

Third Octet Match(es): 2, 10, 18, 26, 34, 42, 50, 58, 66, 74, 82, 90, 98, 106, 114, 122, 130, 138, 146, 154, 162, 170, 178, 186, 194, 202, 210, 218, 226, 234, 242, 250

Fourth Octet Match(es): 65

                      • 8. Re: Wildcard Subnet Mask Support in MWG???
                        Jon Scholten

                        Hey Matt,

                         

                        The above rule has an example of that exact thing for checking a range except I did it for the second octet.

                         

                        2nd octet >= 0 AND 2nd octet <= 63

                         

                        I remembered that previous scenario, so once I found the rules it was pretty easy to piece my memory back together. What would your two entries be if we had the wildcard subnet mask functionality? Or more directly, what would the rule look like with your desired end result?

                         

                        Client IP is in wildcard subnet list [0.63.248.0, x.x.x.x, y.y.y.y] ? What would x.x.x.x and y.y.y.y be? Would there be more?

                         

It almost seems like this problem might be solved by first determining the location, then the machine type, and then interrogating further to see if it needs internet access. I haven't gotten to think this last part through, though. Once you have all those variables you put them together to decide if they should have access or not.

                         

                        Best Regards,

                        Jon
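An added example in Python, my own code rather than the MWG rule Jon posted (its screenshot is not reproduced on this page) and not an MWG feature: the "wildcard subnet list" Matt asks for, with the last-octet range from post 6 folded in. An entry is a base address, a wildcard applied to the first three octets, and an inclusive last-octet range; hosts_replaced counts how many /32 list entries one such entry stands in for; comparison_rule is Jon's equality / range / modulo / range rule for the 10.0.0.25 case, and rules_agree sweeps a constructed grid of 10.b.c.d addresses to confirm the two forms decide identically. The dataclass, function names and the 10.0.2.65 second entry are assumptions for illustration.

```python
from dataclasses import dataclass
from functools import lru_cache
from itertools import product
from typing import Iterable, Tuple


@lru_cache(maxsize=1024)   # base/wildcard strings are re-parsed on every call otherwise
def octets(ip: str) -> Tuple[int, int, int, int]:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return parts[0], parts[1], parts[2], parts[3]


@dataclass(frozen=True)
class WildcardEntry:
    base: str        # e.g. "10.0.0.25"
    wildcard: str    # e.g. "0.63.248.0"; only the first three octets are used
    last_lo: int     # inclusive last-octet range (post 6: 25-30 instead of just 25)
    last_hi: int


def entry_matches(ip: str, entry: WildcardEntry) -> bool:
    ipo, bo, wo = octets(ip), octets(entry.base), octets(entry.wildcard)
    for i in range(3):                        # wildcard test on octets 1-3
        if (ipo[i] ^ bo[i]) & ~wo[i] & 0xFF:
            return False
    return entry.last_lo <= ipo[3] <= entry.last_hi


def in_wildcard_list(ip: str, entries: Iterable[WildcardEntry]) -> bool:
    """'Client IP is in wildcard subnet list', as post 8 sketches it."""
    return any(entry_matches(ip, e) for e in entries)


def hosts_replaced(entry: WildcardEntry) -> int:
    """Number of /32 entries this single entry replaces."""
    wo = octets(entry.wildcard)
    free_bits = sum(bin(w).count("1") for w in wo[:3])
    return (1 << free_bits) * (entry.last_hi - entry.last_lo + 1)


def comparison_rule(ip: str) -> bool:
    """Jon's rule for the posted example, as plain comparisons."""
    a, b, c, d = octets(ip)
    return a == 10 and 0 <= b <= 63 and c % 8 == 0 and 25 <= d <= 30


EXAMPLE = WildcardEntry("10.0.0.25", "0.63.248.0", 25, 30)


def rules_agree() -> bool:
    """Constructed sweep: every 10.b.c.d with d at and just outside the range edges."""
    for b, c, d in product(range(256), range(256), (24, 25, 30, 31)):
        ip = f"10.{b}.{c}.{d}"
        if comparison_rule(ip) != entry_matches(ip, EXAMPLE):
            return False
    return True


if __name__ == "__main__":
    print(entry_matches("10.17.64.27", EXAMPLE))   # True
    print(entry_matches("10.17.65.27", EXAMPLE))   # False: 65 % 8 != 0
    print(hosts_replaced(EXAMPLE))                  # 12288 = 64 * 32 * 6
    print(rules_agree())                            # True
```

With the last octet pinned to a single value, one entry stands in for 64 x 32 = 2048 /32 lines, which is the scale of reduction Matt describes; widening the last octet to 25-30 multiplies that by six, so the range should be kept as tight as the machine-type numbering allows, since every extra value admits a host in every store at once.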