help with obvious - how to route between two subnets?

bailey86 (Guest), 03-08-2007, 11:50 AM
Hi,

To save me from making an obvious mistake could someone explain
something simple.

We have a range of IP addresses assigned by BT - 5 usable addresses.



The initial, ADSL connection is made with a D-Link router - its WAN
port picks up an address via DHCP - the LAN side is set up and the
subnet assigned by BT.

There are two Netgear ethernet routers which have their WAN ports
connected to the LAN ports of the D-Link. These Netgears have been
assigned an IP address from the 5 usable (external IP addresses)
assigned by BT. (Gateway is obviously the LAN port of the D-Link).

Each Netgear then has its own subnet on its LAN ports - one is
10.1.1.0/24 and the other is 10.1.2.0/24.

The question is - how do I route traffic between these subnets?

Do I set up static routes on the D-Link? Or do I set up static routes
on the Netgears?

Have tried both but not working yet - am currently upgrading firmware
but thought I'd ask for advice.

Thanks,

Kevin

 
Tauno Voipio (Guest), 03-08-2007, 02:47 PM
bailey86 wrote:
> Hi,
>
> To save me from making an obvious mistake could someone explain
> something simple.
>
> We have a range of IP addresses assigned by BT - 5 usable addresses.
>
>
>
> The initial, ADSL connection is made with a D-Link router - its WAN
> port picks up an address via DHCP - the LAN side is set up and the
> subnet assigned by BT.
>
> There are two Netgear ethernet routers which have their WAN ports
> connected to the LAN ports of the D-Link. These Netgears have been
> assigned an IP address from the 5 usable (external IP addresses)
> assigned by BT. (Gateway is obviously the LAN port of the D-Link).
>
> Each Netgear then has its own subnet on its LAN ports - one is
> 10.1.1.0/24 and the other is 10.1.2.0/24.
>
> The question is - how do I route traffic between these subnets?
>
> Do I set up static routes on the D-Link? Or do I set up static routes
> on the Netgears?
>
> Have tried both but not working yet - am currently upgrading firmware
> but thought I'd ask for advice.
>
> Thanks,
>
> Kevin


So the physical route from 10.1.1.0 subnet to 10.1.2.0 subnet goes
10.1.1.0 client - 10.1.1.0 Netgear - D-Link - 10.1.2.0 Netgear -
10.1.2.0 client?

Do the Netgears perform NAT?

If you're using RFC 1918 subnets, you have to NAT them before
getting out to the public Internet.

If the Netgears are NAT'ing, your problem is in getting the packets
inward from the D-Link router, especially if the source address is
NAT'ed to the associated Netgear WAN address.

IMHO, it would be simpler to set up a larger subnet to the D-Link
LAN side and split it suitably for the Netgears. In this set-up,
the Netgears would be just routing, and the D-Link has to take
care of NAT toward the public Net.

An example would be 10.1.0.0/22, which covers both your current
subnets well.

--

Tauno Voipio
tauno voipio (at) iki fi
 
Sir Jackery (Guest), 03-08-2007, 04:41 PM
On Thu, 8 Mar 2007, bailey86 wrote:

> Hi,
>
> To save me from making an obvious mistake could someone explain
> something simple.
>
> We have a range of IP addresses assigned by BT - 5 usable addresses.
>
>
>
> The initial, ADSL connection is made with a D-Link router - its WAN
> port picks up an address via DHCP - the LAN side is set up and the
> subnet assigned by BT.
>
> There are two Netgear ethernet routers which have their WAN ports
> connected to the LAN ports of the D-Link. These Netgears have been
> assigned an IP address from the 5 usable (external IP addresses)
> assigned by BT. (Gateway is obviously the LAN port of the D-Link).
>
> Each Netgear then has its own subnet on its LAN ports - one is
> 10.1.1.0/24 and the other is 10.1.2.0/24.
>
> The question is - how do I route traffic between these subnets?
>
> Do I set up static routes on the D-Link? Or do I set up static routes
> on the Netgears?
>
> Have tried both but not working yet - am currently upgrading firmware
> but thought I'd ask for advice.
>
> Thanks,
>
> Kevin



Sounds like you have too much junk (-:. What are you doing with three
routers? Do you really have more than 250 systems running on a DSL link?
Why not just use one of those routers? Are any machines using those static
IPs? If not, why not just let your ISP dynamically assign them?

It sounds to me like you have a DSL router which connects to the WAN on
one end and two routers on the other end. Each of those routers has a
static public IP address with WAN access on one end and routes traffic to
the WAN from a private LAN subnet on the other end.

You are posting to a Linux newsgroup so I will assume you are using Linux
on at least one machine on your LAN.

Could you provide more detailed information about your networks/systems
and what you are trying to accomplish? A detailed description of the
topology would be nice.
 
Clifford Kite (Guest), 03-08-2007, 07:25 PM
bailey86 <(E-Mail Removed)> wrote:
> Hi,
>
> To save me from making an obvious mistake could someone explain
> something simple.
>
> We have a range of IP addresses assigned by BT - 5 usable addresses.
>
> The initial, ADSL connection is made with a D-Link router - its WAN
> port picks up an address via DHCP - the LAN side is set up and the
> subnet assigned by BT.
>
> There are two Netgear ethernet routers which have their WAN ports
> connected to the LAN ports of the D-Link. These Netgears have been
> assigned an IP address from the 5 usable (external IP addresses)
> assigned by BT. (Gateway is obviously the LAN port of the D-Link).
>
> Each Netgear then has its own subnet on its LAN ports - one is
> 10.1.1.0/24 and the other is 10.1.2.0/24.
>
> The question is - how do I route traffic between these subnets?
>
> Do I set up static routes on the D-Link? Or do I set up static routes
> on the Netgears?

Given that I've not done this, I think a start might be something like

# Source-NAT only traffic that is NOT destined for the other Netgear's LAN;
# "! -d" is the negation form current iptables accepts (the older "-d !" is deprecated)
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE ! -d address/mask \
    -j SNAT --to-source $INET_IP

on each Netgear, where address/mask is the other Netgear's LAN CIDR
specification and the rest is, hopefully, obvious.

> Have tried both but not working yet - am currently upgrading firmware
> but thought I'd ask for advice.
>
> Thanks,
>
> Kevin

--
Clifford Kite
/* Microsoft is a great marketing organization.
* It _has_ to be */
 
bailey86 (Guest), 03-08-2007, 09:59 PM
On Mar 8, 5:41 pm, Sir Jackery <roeh...@cs.ucdavis.edu> wrote:
> On Thu, 8 Mar 2007, bailey86 wrote:
> > Hi,
> >
> > To save me from making an obvious mistake could someone explain
> > something simple.
> >
> > We have a range of IP addresses assigned by BT - 5 usable addresses.
> >
> > The initial, ADSL connection is made with a D-Link router - its WAN
> > port picks up an address via DHCP - the LAN side is set up and the
> > subnet assigned by BT.
> >
> > There are two Netgear ethernet routers which have their WAN ports
> > connected to the LAN ports of the D-Link. These Netgears have been
> > assigned an IP address from the 5 usable (external IP addresses)
> > assigned by BT. (Gateway is obviously the LAN port of the D-Link).
> >
> > Each Netgear then has its own subnet on its LAN ports - one is
> > 10.1.1.0/24 and the other is 10.1.2.0/24.
> >
> > The question is - how do I route traffic between these subnets?
> >
> > Do I set up static routes on the D-Link? Or do I set up static routes
> > on the Netgears?
> >
> > Have tried both but not working yet - am currently upgrading firmware
> > but thought I'd ask for advice.
> >
> > Thanks,
> >
> > Kevin
>
> Sounds like you have too much junk (-:. What are you doing with three
> routers? Do you really have more than 250 systems running on a DSL link?
> Why not just use one of those routers? Are any machines using those static
> IPs? If not, why not just let your ISP dynamically assign them?
>
> It sounds to me like you have a DSL router which connects to the WAN on
> one end and two routers on the other end. Each of those routers has a
> static public IP address with WAN access on one end and routes traffic to
> the WAN from a private LAN subnet on the other end.

Correct.

> You are posting to a Linux newsgroup so I will assume you are using Linux
> on at least one machine on your LAN.

Two Debian boxes running Samba and Postfix have run the domains,
shared files, roaming profile, hot-desking, backups and email
virtually perfectly for 2.5 years - client has been very pleased with
the uptime and reliability.


> Could you provide more detailed information about your networks/systems
> and what you are trying to accomplish. A detailed description of the
> topology would be nice.

ok - here goes!

The ISP has assigned x.x.x.232/29 subnet of internet IP's to this
connection.


                         (internet)
                              |
          ----------------------------------------------
          |            WAN port IP via DHCP             |
          |     D-link router - NON-NAT, no firewall    |
          |            LAN port on x.x.x.238            |
          ----------------------------------------------
                   |                         |
                   |                         |
    -------------------------     -------------------------
    |  WAN port x.x.x.233   |     |  WAN port x.x.x.234   |
    | Netgear 1 - NAT and   |     | Netgear 2 - NAT and   |
    |      firewall         |     |      firewall         |
    | LAN ports on          |     | LAN ports on          |
    |   10.1.1.0/24         |     |   10.1.2.0/24         |
    -------------------------     -------------------------
               |                             |
    [Email server and admin PC's]      [Student PC's]


(BTW The reason the first 10.x.x.x range is used is because this is
how it was originally set up),

This is for a large training college which has about 30 PC's in the
administration section and a training room which has about 12 PC's
which are used by students. Most courses are for mechanics and other
non-IT skills.

The admin PC's log on to a Debian server using Samba - this server
also runs their email using Postfix - and these PC's have been working
well. Samba means we control them using very restrictive
configuration policies.

Initially the training PC's were on the same network - but when I
checked them they were very problematic and one of them was infected
with the gaelicium.a virus which tried to delete most of the company's
files.

The training PC's were then put on to their own subnet to protect the
admin PC's and servers. Since then they have all been re-installed
and now download a tight configuration policy file (NTConfig.pol) from
their own Samba server.

However, we would prefer to keep the students PC's on their own subnet
to keep them away from the admin PC's/servers - students can be very
curious!

There is another requirement...

The company has 5 static internet IP addresses assigned and email for
the company is MX'd to one of these IP addresses.

The admin subnet has the company's email server on it with a LAN IP
address 10.1.1.20. It sits behind that subnet's Netgear router and
SMTP traffic is port-forwarded by this router to the server. My view
is that port forwarding a single port keeps the server more secure.


Now, we use the D-link 524-T because it can connect to ADSL using
PPPoA which is used in the UK. It picks up its own WAN address via
DHCP. Traffic for the 5 static IP addresses is obviously sent down
the wire by the ISP to the router. On the D-Link we can turn off NAT
and the firewall - its LAN side is then configured to use the x.x.x.
232/29 subnet assigned by the ISP.

The LAN port of this router is set to x.x.x.238 and the Netgears WAN
ports are set to x.x.x.233 and x.x.x.234.

This means that the Netgear routers have been assigned static IP
addresses on their WAN ports and means that I can create VPN tunnels
to them from my home office. This in turn means I can (via ssh or
VNC) connect to any computer on either subnet.



Now, I was hoping to create a route between the subnets - this could
be tightly restricted and should allow the Debian server on one subnet
to rsync data across to the Debian server on the second subnet.

As Tauno pointed out the difficulty is that the Netgears are NAT'ing
the traffic - I thought routing would still work but ??!?! ummmm....
errr.... not sure!

It may well be that the best answer is to put another Debian server on
to the mini subnet between the Netgears and the D-Link and give it one
of the 5 static IP addresses. This can then be used as a staging post
for the data. In fact, the Live data could be copied every night -
and the trainers could copy down this data to the training server when
required.

The other question then is - when is Etch going stable!!! cause I'd
rather not install Sarge only to have to install Etch afterwards!

So if there is a way to route the traffic between the subnets I would
be interested - but maybe it is just not possible?!?

On large installations how do companies keep blocks of computers on
separate subnets but still allow traffic to flow between them?

Thanks,

Kevin.
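Clifford's SNAT exemption and Kevin's wish for a tightly restricted path between the two subnets, carried through as an added example (not code from any poster): a dry-run script for a Linux router standing in for the 10.1.1.0/24 Netgear that prints the static route, the NAT exemption and a forwarding filter that only admits ssh (the rsync transport) between the two Debian servers. Interface names and the training server's 10.1.2.20 address are assumptions; x.x.x.233 and x.x.x.234 are the post's own placeholders for the public addresses.

```shell
#!/bin/sh
# Added example, not from any poster in the thread: rules a Linux box on the
# 10.1.1.0/24 side needs so traffic to the other private subnet is routed
# rather than NATed, and is limited to rsync-over-ssh between the two
# servers. The mirror image goes on the 10.1.2.0/24 side. Interface names
# and OTHER_SERVER are assumptions; x.x.x.233/234 are the post's placeholders.
INET_IFACE=eth0            # towards the D-Link's x.x.x.232/29 segment
LAN_IFACE=eth1             # towards 10.1.1.0/24
MY_WAN_IP=x.x.x.233
MY_LAN=10.1.1.0/24
MY_SERVER=10.1.1.20        # admin/email server named in the post
OTHER_WAN_IP=x.x.x.234
OTHER_LAN=10.1.2.0/24
OTHER_SERVER=10.1.2.20     # assumed address of the training Samba server

# Print the commands instead of running them, so the set can be reviewed
# before it is applied with:  gen_rules | sh
gen_rules() {
  # Reach the other private subnet via the other router's WAN address on the
  # shared /29; the D-Link never needs a route for 10.1.x.x.
  echo "ip route add $OTHER_LAN via $OTHER_WAN_IP dev $INET_IFACE"

  # Clifford's rule: source-NAT only what really leaves for the Internet.
  # Traffic to the other subnet keeps its 10.1.1.x source, so the far side
  # can filter on real addresses and reply via its own static route.
  echo "iptables -t nat -A POSTROUTING -o $INET_IFACE ! -d $OTHER_LAN -j SNAT --to-source $MY_WAN_IP"

  # Nothing is forwarded unless a rule below says so.
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

  # Between the subnets: only new ssh sessions between the two servers,
  # in either direction. Student PCs never get a rule, so they are dropped.
  echo "iptables -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $MY_SERVER -d $OTHER_SERVER -p tcp --dport 22 -m state --state NEW -j ACCEPT"
  echo "iptables -A FORWARD -i $INET_IFACE -o $LAN_IFACE -s $OTHER_SERVER -d $MY_SERVER -p tcp --dport 22 -m state --state NEW -j ACCEPT"

  # Ordinary Internet access for the LAN stays allowed, but not to OTHER_LAN.
  echo "iptables -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $MY_LAN ! -d $OTHER_LAN -j ACCEPT"
}

# Sanity check: the route, the NAT exemption and the catch-all exclusion
# should all name the other subnet, so exactly three lines mention it.
count_other_lan_refs() {
  gen_rules | grep -c -- "$OTHER_LAN"
}
```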

 
Allen McIntosh (Guest), 03-09-2007, 12:18 AM

> It may well be that the best answer is to put another Debian server on
> to the mini subnet between the Netgears and the D-Link and give it one
> of the 5 static IP addresses. This can then be used as a staging post
> for the data. In fact, the Live data could be copied every night -
> and the trainers could copy down this data to the training server when
> required.


That would do it.

I'd originally wondered why you didn't just connect the two Netgear
routers together. Unless they are really dumb you could label the ports
10.0.3.1 and 3.2 and set up the appropriate static routes. Once you
mentioned students I stopped wondering - but you might be able to make
this work if the routers are flexible enough for you to implement
appropriate security policies.

Another alternative would be to connect a Linux PC between the two
10.0.* subnets and have it do the routing. This would require an extra
routing table entry everywhere, so it's maybe not what you want. (With
a little thought you might be able to do something fancy with proxy
arp.) The advantage of this is that you would have fine-grained control
over the traffic between the two subnets. The disadvantage is that you
would have to be very careful about security.
 
Snowbat (Guest), 03-09-2007, 03:43 AM
On Thu, 08 Mar 2007 14:59:19 -0800, bailey86 wrote:

> Now, I was hoping to create a route between the subnets - this could be
> tightly restricted and should allow the Debian server on one subnet to
> rsync data across to the Debian server on the second subnet.


If the servers are located physically close together, you could drop a
second NIC in each and give them a direct link over a crossover cable on a
unique subnet. This would keep the rsync traffic off the LAN.


 
Thomas.Chang (Guest), 03-09-2007, 01:08 PM
On Mar 9, 6:59 am, "bailey86" <baile...@gmail.com> wrote:

> The ISP has assigned x.x.x.232/29 subnet of internet IP's to this
> connection.
>
>                          (internet)
>                               |
>           ----------------------------------------------
>           |            WAN port IP via DHCP             |
>           |     D-link router - NON-NAT, no firewall    |
>           |            LAN port on x.x.x.238            |
>           ----------------------------------------------
>                    |                         |
>                    |                         |
>     -------------------------     -------------------------
>     |  WAN port x.x.x.233   |     |  WAN port x.x.x.234   |
>     | Netgear 1 - NAT and   |     | Netgear 2 - NAT and   |
>     |      firewall         |     |      firewall         |
>     | LAN ports on          |     | LAN ports on          |
>     |   10.1.1.0/24         |     |   10.1.2.0/24         |
>     -------------------------     -------------------------
>                |                             |
>     [Email server and admin PC's]      [Student PC's]
>


If your Netgears support it, I'm sure you can solve the problem gracefully
with IP aliasing or VLANs.
To control the traffic between 10.1.1.0/24 and 10.1.2.0/24, you can
set up firewall rules.


 