Re: Selective routing / how to separate 2 subnets



On Sat, 19 Apr 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <fucg8u$ak8$1@xxxxxxxxxxxxxxxxx>, Piotrek G. wrote:

I have problem to separate 2 subnets:
192.168.0.64/26
192.168.0.128/26

Normally they are working together and everything is ok (I mean hosts
from 192.168.0.64/26 cannot communicate with 192.168.0.128/26 hosts -
according to ip theory :) ), but now I want to provide them with
internet and I don't want them to see each other.

So, this is how it looks like:

1.host (192.168.0.66/26) eth0 \
\ router
== eth0 (192.168.0.65/26) | eth1 ==>
/ (192.168.0.129/26)|(80.0.0.2/30)
2.host (192.168.0.130/26) eth0/

They are physically connected - and you need to separate that. (Try
listening with a packet sniffer on 192.168.0.66, and you will see the
packets from 192.168.0.130.) Add a third network card to the router
so that 192.168.0.64/26 and 192.168.0.128/26 are on different NICs such
as eth0 and eth2.

Router configuration:

Look basically OK. The more important data - what is the output of
/sbin/route -a on all three systems?

ip a add 80.0.0.2/30 dev eth1 #(let's just assume that address)

Let's not. That address is real, and in use. See RFC3330 for other
addresses you can use for text examples - 192.0.2.12 would be nice.

Now I ping 192.168.0.130 from host 192.168.0.66 and it replies...
It looks like this:

/sbin/arp -a will show the "other" MAC address. This happens
because you have them on the same physical wire.

So without a router pings don't work - it's ok.

Because the 192.168.0.64/26 and 192.168.0.128/26 wires are not
connected together.

With router - hosts communicate :/

Because you connected both networks to the same single NIC.

How to prevent router from doing it - I suppose "Redirect Host(New
nexthop: 192.168.0.130)" is the key...

Separate them physically. The redirects occur when the router sees
that it's going to be sending the packet out of the same NIC it
received the original from - and it thinks "Why are these idiots
bothering me when they are on the same wire and can talk directly?".

What's weird - hosts communicate directly, which means after first ping
reply, I can shut down the router and communication still works
(192.168.0.66 directly to 192.168.0.130 - where is ip theory now? :) ).
Why?

You've wired the Ethernets together. Don't do that.

Old guy
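As an added illustration (not code from the thread), here is a small Python model of the redirect condition described in the reply: the router's interface tables are constructed from the diagram, with 192.0.2.12/30 standing in for the upstream address as the reply suggests, and a packet is assumed to arrive on the interface whose subnet contains its source address.

```python
from ipaddress import ip_address, ip_interface

# Interface tables constructed from the thread's diagram (assumed values).
# Original wiring: both /26 subnets hang off the router's single eth0.
SINGLE_NIC = {
    "eth0": ["192.168.0.65/26", "192.168.0.129/26"],
    "eth1": ["192.0.2.12/30"],  # documentation address in place of 80.0.0.2/30
}
# Fix proposed in the reply: a third NIC so each subnet has its own wire.
THREE_NIC = {
    "eth0": ["192.168.0.65/26"],
    "eth2": ["192.168.0.129/26"],
    "eth1": ["192.0.2.12/30"],
}


def same_subnet(a, b, prefixlen=26):
    """'IP theory': are two hosts in the same /26? (No router needed if so.)"""
    return ip_interface(f"{a}/{prefixlen}").network == ip_interface(f"{b}/{prefixlen}").network


def connected_interface(ifaces, addr):
    """Interface whose directly connected subnet contains addr (longest prefix),
    or None if the router has no connected route for it."""
    addr = ip_address(addr)
    best = None
    for name, assigned in ifaces.items():
        for cidr in assigned:
            net = ip_interface(cidr).network
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def would_redirect(ifaces, src, dst):
    """The router sends an ICMP Redirect when the packet would go back out of
    the interface it arrived on: src and dst are reachable via the same NIC."""
    ingress = connected_interface(ifaces, src)
    egress = connected_interface(ifaces, dst)
    return ingress is not None and ingress == egress


if __name__ == "__main__":
    host1, host2 = "192.168.0.66", "192.168.0.130"
    print("same /26:", same_subnet(host1, host2))                 # False
    print("single NIC redirects:", would_redirect(SINGLE_NIC, host1, host2))  # True
    print("three NICs redirect:", would_redirect(THREE_NIC, host1, host2))    # False
```

With the third NIC the two hosts can only reach each other through the router, so the shared-wire shortcut the poster observed after powering the router off no longer exists.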