Re: help with obvious - how to route between two subnets?



On Mar 8, 5:41 pm, Sir Jackery <roeh...@xxxxxxxxxxxxxx> wrote:
> On Thu, 8 Mar 2007, bailey86 wrote:
> > Hi,
> >
> > To save me from making an obvious mistake could someone explain
> > something simple.
> >
> > We have a range of IP addresses assigned by BT - 5 usable addresses.
> >
> > The initial ADSL connection is made with a D-Link router - its WAN
> > port picks up an address via DHCP - the LAN side is set up and the
> > subnet assigned by BT.
> >
> > There are two Netgear ethernet routers which have their WAN ports
> > connected to the LAN ports of the D-Link. These Netgears have been
> > assigned an IP address from the 5 usable (external IP addresses)
> > assigned by BT. (Gateway is obviously the LAN port of the D-Link).
> >
> > Each Netgear then has its own subnet on its LAN ports - one is
> > 10.1.1.0/24 and the other is 10.1.2.0/24.
> >
> > The question is - how do I route traffic between these subnets?
> >
> > Do I set up static routes on the D-Link? Or do I set up static routes
> > on the Netgears?
> >
> > Have tried both but not working yet - am currently upgrading firmware
> > but thought I'd ask for advice.
> >
> > Thanks,
> >
> > Kevin
>
> Sounds like you have too much junk (-:. What are you doing with three
> routers? Do you really have more than 250 systems running on a DSL link?
> Why not just use one of those routers? Are any machines using those static
> IPs? If not, why not just let your ISP dynamically assign them?
>
> It sounds to me like you have a DSL router which connects to the WAN on
> one end and two routers on the other end. Each of those routers has a
> static public IP address with WAN access on one end and routes traffic to
> the WAN from a private LAN subnet on the other end.

Correct.

> You are posting to a Linux newsgroup so I will assume you are using Linux
> on at least one machine on your LAN.

Two Debian boxes running Samba and Postfix have run the domains,
shared files, roaming profile, hot-desking, backups and email
virtually perfectly for 2.5 years - client has been very pleased with
the uptime and reliability.

> Could you provide more detailed information about your networks/systems
> and what you are trying to accomplish. A detailed description of the
> topology would be nice.


ok - here goes!

The ISP has assigned x.x.x.232/29 subnet of internet IP's to this
connection.


                        (internet)
                             |
    +---------------------------------------------------+
    |  D-Link router - NON-NAT, no firewall             |
    |  WAN port: IP via DHCP                            |
    |  LAN port: x.x.x.238                              |
    +---------------------------------------------------+
                 |                          |
    +---------------------------+  +---------------------------+
    | Netgear 1 - NAT and       |  | Netgear 2 - NAT and       |
    | firewall                  |  | firewall                  |
    | WAN port: x.x.x.233       |  | WAN port: x.x.x.234       |
    | LAN ports: 10.1.1.0/24    |  | LAN ports: 10.1.2.0/24    |
    +---------------------------+  +---------------------------+
                 |                          |
    [Email server and admin PCs]      [Student PCs]

(BTW the reason the first 10.x.x.x range is used is because this is
how it was originally set up.)

This is for a large training college which has about 30 PCs in the
administration section and a training room which has about 12 PCs
which are used by students. Most courses are for mechanics and other
non-IT skills.

The admin PCs log on to a Debian server using Samba - this server
also runs their email using Postfix - and these PCs have been working
well. Samba means we control them using very restrictive
configuration policies.

Initially the training PCs were on the same network - but when I
checked them they were very problematic and one of them was infected
with the gaelicium.a virus which tried to delete most of the company's
files.

The training PCs were then put on to their own subnet to protect the
admin PCs and servers. Since then they have all been re-installed
and now download a tight configuration policy file (NTConfig.pol) from
their own Samba server.

However, we would prefer to keep the students' PCs on their own subnet
to keep them away from the admin PCs/servers - students can be very
curious!

There is another requirement...

The company has 5 static internet IP addresses assigned and email for
the company is MX'd to one of these IP addresses.

The admin subnet has the company's email server on it with a LAN IP
address 10.1.1.20. It sits behind that subnet's Netgear router and
SMTP traffic is port-forwarded by this router to the server. My view
is that port forwarding a single port keeps the server more secure.


Now, we use the D-Link 524-T because it can connect to ADSL using
PPPoA which is used in the UK. It picks up its own WAN address via
DHCP. Traffic for the 5 static IP addresses is obviously sent down
the wire by the ISP to the router. On the D-Link we can turn off NAT
and the firewall - its LAN side is then configured to use the
x.x.x.232/29 subnet assigned by the ISP.

The LAN port of this router is set to x.x.x.238 and the Netgears' WAN
ports are set to x.x.x.233 and x.x.x.234.

This means that the Netgear routers have been assigned static IP
addresses on their WAN ports and means that I can create VPN tunnels
to them from my home office. This in turn means I can (via ssh or
VNC) connect to any computer on either subnet.



Now, I was hoping to create a route between the subnets - this could
be tightly restricted and should allow the Debian server on one subnet
to rsync data across to the Debian server on the second subnet.

As Tauno pointed out the difficulty is that the Netgears are NATing
the traffic - I thought routing would still work but ??!?! ummmm....
errr.... not sure!

It may well be that the best answer is to put another Debian server on
to the mini subnet between the Netgears and the D-Link and give it one
of the 5 static IP addresses. This can then be used as a staging post
for the data. In fact, the Live data could be copied every night -
and the trainers could copy down this data to the training server when
required.

The other question then is - when is Etch going stable!!! 'cause I'd
rather not install Sarge only to have to install Etch afterwards!

So if there is a way to route the traffic between the subnets I would
be interested - but maybe it is just not possible?!?

On large installations how do companies keep blocks of computers on
separate subnets but still allow traffic to flow between them?

Thanks,

Kevin.
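Added example, not part of the thread and not anyone's posted code: a small Python model of the topology Kevin drew, tracing one packet hop by hop through the routing tables, the Netgears' NAT and their stateful firewalls. It shows why static routes on the Netgears alone do not join the two subnets (Netgear 1 rewrites the source to its WAN address, and Netgear 2 drops the unsolicited packet aimed at a 10.1.2.x host), and goes one step beyond the post by also tracing the alternative of port-forwarding TCP/22 on Netgear 2 to the student-side Debian box so the admin server can rsync over ssh to it. Assumptions: 203.0.113.232/29 (TEST-NET-3) stands in for the ISP's x.x.x.232/29; the device names and every host address except 10.1.1.20 are constructed; the NAT and firewall rules are generic consumer-router behaviour, not those of any specific Netgear model; only one direction of a connection is traced.

```python
"""Hop-by-hop model of the D-Link / two-Netgear topology (added example).

203.0.113.232/29 (TEST-NET-3) stands in for the ISP's x.x.x.232/29; the
device names and every host address except 10.1.1.20 are constructed.
Only one direction of a connection is traced, and the NAT/firewall rules
are generic consumer-router behaviour, not any specific Netgear model.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ip = ipaddress.ip_address
net = ipaddress.ip_network


@dataclass
class Device:
    name: str
    addrs: set                                    # addresses this device answers for
    routes: list                                  # (network, next_hop); next_hop None = on-link
    lan: Optional[ipaddress.IPv4Network] = None   # set only on the NAT routers
    wan_ip: Optional[str] = None                  # address used for SNAT and port forwards
    forwards: dict = field(default_factory=dict)  # dport -> inside address

    def lookup(self, dst):
        """Longest-prefix match over the routing table; None when no route."""
        matches = [r for r in self.routes if ip(dst) in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


def trace(devices, src, dst, dport):
    """Follow one packet from host `src`. Returns (verdict, source address
    as seen at the last hop, names of the devices visited)."""
    by_ip = {a: d for d in devices for a in d.addrs}
    cur, path = by_ip[src], []
    for _ in range(10):                           # loop guard
        path.append(cur.name)
        forwarded = False
        if dst in cur.addrs:
            if dst == cur.wan_ip and dport in cur.forwards:
                dst, forwarded = cur.forwards[dport], True   # DNAT: port forward
            elif dst == cur.wan_ip:
                return "dropped: no port-forward on WAN address", src, path
            else:
                return "delivered", src, path
        # Stateful firewall: WAN-originated traffic to a LAN host has no NAT
        # state and no port-forward, so a NAT router drops it.
        if cur.lan and ip(dst) in cur.lan and ip(src) not in cur.lan and not forwarded:
            return "dropped: firewall (unsolicited inbound to LAN host)", src, path
        route = cur.lookup(dst)
        if route is None:
            return "dropped: no route", src, path
        if cur.lan and ip(src) in cur.lan and ip(dst) not in cur.lan:
            src = cur.wan_ip                      # SNAT: LAN traffic leaving via WAN
        nxt = route[1] or dst
        if nxt not in by_ip:
            return "dropped: next hop unreachable", src, path
        cur = by_ip[nxt]
    return "dropped: hop limit", src, path


def build(static_routes=False, port_forward=False):
    """The topology from the post, with the two candidate fixes switchable."""
    isp = net("203.0.113.232/29")
    lan1, lan2 = net("10.1.1.0/24"), net("10.1.2.0/24")
    n1 = Device("netgear-1", {"10.1.1.1", "203.0.113.233"},
                [(lan1, None), (isp, None), (net("0.0.0.0/0"), "203.0.113.238")],
                lan=lan1, wan_ip="203.0.113.233")
    n2 = Device("netgear-2", {"10.1.2.1", "203.0.113.234"},
                [(lan2, None), (isp, None), (net("0.0.0.0/0"), "203.0.113.238")],
                lan=lan2, wan_ip="203.0.113.234")
    if static_routes:                             # "static routes on the Netgears"
        n1.routes.append((lan2, "203.0.113.234"))
        n2.routes.append((lan1, "203.0.113.233"))
    if port_forward:                              # TCP/22 -> student-side Debian box
        n2.forwards[22] = "10.1.2.10"
    return [
        Device("dlink", {"203.0.113.238"}, [(isp, None)]),   # upstream not modelled
        n1, n2,
        Device("admin-server", {"10.1.1.20"}, [(lan1, None), (net("0.0.0.0/0"), "10.1.1.1")]),
        Device("student-server", {"10.1.2.10"}, [(lan2, None), (net("0.0.0.0/0"), "10.1.2.1")]),
    ]


def scenario_static_routes():
    """admin-server -> 10.1.2.10:22 with static routes on both Netgears only."""
    return trace(build(static_routes=True), "10.1.1.20", "10.1.2.10", 22)


def scenario_port_forward():
    """admin-server -> Netgear 2's WAN address:22, port-forwarded inside."""
    return trace(build(port_forward=True), "10.1.1.20", "203.0.113.234", 22)


if __name__ == "__main__":
    for fn in (scenario_static_routes, scenario_port_forward):
        verdict, seen_src, path = fn()
        print(f"{fn.__name__}: {verdict}; receiver sees source {seen_src}; "
              f"path {' -> '.join(path)}")
```

Two things the trace makes visible that the routing-table view hides: a static route only changes the next hop, it does not stop the Netgear from NATing, so whatever arrives on the other side carries x.x.x.233 as its source; and in the port-forward case the student-side server therefore sees Netgear 1's WAN address, not 10.1.1.20, so any source restriction on that forward (in the Netgear's rule or in sshd) has to name x.x.x.233. The same applies to the staging-box idea: both Debian servers would reach it through their own Netgear's NAT and appear as .233 and .234. Pushing from the admin side to a forwarded port on the student side keeps the admin subnet with no inbound forward at all, which is the isolation the post is after.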
