Re: Routing with 2 Subnets on one NIC

From: David Efflandt (efflandt_at_xnet.com)
Date: 12/10/03


Date: Wed, 10 Dec 2003 01:35:30 +0000 (UTC)

On Mon, 08 Dec 2003 22:53:52 -0500, Rusty Phillips <rustyp@freeshell.org> wrote:
> The internal interface has the same netmask as the public external one
> (which works). Actually, all the conditions you described are true -
> except the netmask of 255.255.255.255, which makes it impossible
> to reach the gateway from the external interface at all.

A netmask of 255.255.255.255 is not a problem for your public interface if
you have a -host route to its gateway. My ISP does that automatically for
my pppoe, and for dialup ppp, the gateway is usually not even in a related
network. Since the only IP you need to directly access on your public
interface is the gateway, the only routes necessary on that interface are
a host route to your gateway and that gateway as default route.

> I actually guarantee that packets bound for those
> computers (or from them) get there by manipulating the routing table with
> "route." Or am I wrong? Isn't that what you do with that?

Scripted (or manual) route commands can work around conflicting
interfaces. But it is more automatic if interfaces have correct netmasks
for desired routing. For example it does not make sense to configure eth0
with netmask 255.255.255.248 if that block of IPs is on eth1 (or eth1:0).

> At the moment, I've gotten it working by removing the second subnet on the
> ethernet card and using NAT on the public as well as the private
> interfaces. This is not my ideal solution, since the public addresses
> have to experience all the disadvantages that come with NAT, but at least
> it works.

1 to 1 NAT is a possibility (associate each public IP with a private IP),
which I think can be done with just iptables rules, but I have not done
that.

> To use Suse firewall, I'd have to give up all the advantages offered by
> Gentoo. I'll pass on that. Also, I don't want to DMZ my public
> computers; I'm using a computer for the awesome firewall - otherwise I'd
> use a cheap consumer router.

DMZ in Linux does not necessarily imply the same thing as DMZ on cheap
consumer routers (all ports to an IP). SuSEfirewall2 uses DMZ to refer to
public IPs, but you can still control what ports/protocols are allowed
to/from there, or between there and private LAN. But public/private
traffic is easier to control on different physical interfaces. I recently
downloaded Gentoo, but have not had a chance to install it yet.

> On Tue, 09 Dec 2003 01:57:43 +0000, David Efflandt wrote:
>
>> On Mon, 08 Dec 2003 12:51:03 -0500, Rusty Phillips <rustyp@freeshell.org> wrote:
>>> I have a computer that serves as a router for six other computers.
>>>
>>> It has its own public IP address, and four of the six other
>>> computers also have their own public addresses (all on the same
>>> subnet).
>>>
>>> The other two computers have private addresses, and I use a
>>> firewall script called gShield to do the routing and NAT. Supposedly
>>> it also has support for public addresses, which I have enabled.
>>>
>>> I've also manually added routes (using route) to the public addresses to
>>> go through the internal interface.
>>>
>>> I have the internal interface set up with two addresses -
>>> the first address (normally the gateway) for both subnets.
>>> At the moment, the private addresses work completely, but
>>> the publicly addressed computers are only able to ping all of the NICs on the
>>> internal network (and the external interface which connects to
>>> the net), and they cannot access anything beyond.
>>>
>>> Does anyone have any thoughts about what I'm doing wrong, or what I'm
>>> missing?

-- 
David Efflandt - All spam ignored  http://www.de-srv.com/
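The following is an added illustration, not part of the thread: a minimal longest-prefix-match model of the kernel route lookup, showing why a 255.255.255.255 netmask on the public interface still reaches the ISP gateway once a host route to it exists, and why configuring the public block on eth0 as well as eth1 leaves the kernel with two equally specific routes. All addresses are constructed documentation-range values; the device names follow the thread.

```python
# Added example (not from the thread): toy longest-prefix-match route lookup.
# Addresses are constructed RFC 5737 documentation values, not real hosts.
import ipaddress

def lookup(routes, dst):
    """Return (device, gateway_or_None) for dst by longest-prefix match.
    routes: list of (prefix, device, gateway-or-None), as `ip route` shows."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def next_hop(routes, dst):
    """Resolve the on-link address a frame for dst is sent to: a directly
    connected route delivers to dst itself, a gateway route delivers to the
    gateway, which must itself resolve on-link on the same device."""
    dev, gw = lookup(routes, dst)
    if gw is None:
        return dev, dst
    gw_dev, gw_gw = lookup(routes, gw)
    if gw_dev != dev or gw_gw is not None:
        raise LookupError(f"gateway {gw} is not directly reachable on {dev}")
    return dev, gw

def ambiguous(routes, dst):
    """True when more than one route shares the longest matching prefix."""
    dst = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p, _, _ in routes
            if dst in ipaddress.ip_network(p)]
    longest = max(n.prefixlen for n in nets)
    return sum(n.prefixlen == longest for n in nets) > 1

# Layout the reply recommends: eth0 is the uplink with a single /32 address,
# so it needs only a host route to the gateway plus the default route;
# eth1 carries the private LAN and, as eth1:0, the public /29 block.
GATEWAY = "192.0.2.1"
ROUTES_OK = [
    ("192.0.2.1/32", "eth0", None),      # -host route to the ISP gateway
    ("0.0.0.0/0", "eth0", GATEWAY),      # default route via that gateway
    ("192.168.1.0/24", "eth1", None),    # private LAN
    ("203.0.113.8/29", "eth1", None),    # public block on eth1:0
]

# Conflicting layout: the same public /29 also configured on eth0.
ROUTES_CONFLICT = ROUTES_OK + [("203.0.113.8/29", "eth0", None)]
```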
