Route between same subnet

 
 
/dev/scott0
      10-11-2004, 10:53 PM
Hello,
I have an odd problem here. I should know the answer, but it is not
coming to me.

Situation:
My school has a Wireless LAN with 4 AP's connected to a switch
connected to a Linux box on eth1, with eth0 connected to the master
switches to get Internet and files.
Sadly, the students log into the laptops via MS Active Directory and
to do this we need to have both sides of the Linux box on the same
network.

So:

[WLAN] <-> [eth1: 10.89.100.1/16][eth0: 10.89.200.27/16] <->
[INTERNET/10.89.1.1/16]

How should I set up my route(s)? I have iptables working for MAC
filtering and ip_forwarding, is there something else I should add?

It worked fine when the wireless was on the 192.168.20.0/24 subnet,
however, AD didn't work.

Sorry if this is a very basic question, but google didn't help and I am
at a loss here.

Thank you,
Scott Brown
 
Warrick FitzGerald
      10-12-2004, 02:57 AM
On Mon, 11 Oct 2004 15:53:34 -0700, /dev/scott0 wrote:

> Hello,
> I have an odd problem here. I should know the answer, but it is not
> coming to me.
>
> Situation:
> My school has a Wireless LAN with 4 AP's connected to a switch
> connected to a Linux box on eth1, with eth0 connected to the master
> switches to get Internet and files.
> Sadly, the students log into the laptops via MS Active Directory and
> to do this we need to have both sides of the Linux box on the same
> network.
>
> So:
>
> [WLAN] <-> [eth1: 10.89.100.1/16][eth0: 10.89.200.27/16] <->
> [INTERNET/10.89.1.1/16]
>
> How should I set up my route(s)? I have iptables working for MAC filtering
> and ip_forwarding, is there something else I should add?
>
> It worked fine when the wireless was on the 192.168.20.0/24 subnet,
> however, AD didn't work.
>
> Sorry if this is a very basic question, but google didn't help and I am at
> a loss here.
>
> Thank you,
> Scott Brown


Never tried it, but you could config your box as a bridge.

 
pcfixer
      10-12-2004, 10:21 PM
Maybe I'm missing something, but I wasn't aware that you couldn't access an
Active Directory domain from a remote subnet. And if you're for sure using
a 16-bit subnet mask on all the computers on the network, then you shouldn't
have a routing issue because it's technically all the same subnet. Make
sure the computers on the WLAN are set up to look at your Windows domain
controller for DNS services and that your Windows server has DNS properly
configured to point to itself for the domain. I know with the little bit I
messed with Active Directory, the DNS issue was weird. Let's say you create
a domain called yourdomain.com and set up the DNS for that. When you do the
"join a domain" option on a Windows 2000 or XP workstation, you have to type
in only "yourdomain" instead of "yourdomain.com" when it asks for the domain
name, or else it won't work. I don't know if that's a feature, a bug, or
improper configuration on my part, but that's the way it worked.

Not knowing your setup, it's hard to tell what a good course of action would
be, but since you, in fact, only have one subnet, and if you don't have
security concerns about the wireless part, I would just plug those secondary
switches right into the master switches and then plug the Linux box into a
switch port, instead of having the Linux box sit directly between the two
sets of switches. That's only if there's no real reason for the Linux box
to be dividing the two parts of the network.

"/dev/scott0" wrote:
> Hello,
> I have an odd problem here. I should know the answer, but it is not coming
> to me.
>
> Situation:
> My school has a Wireless LAN with 4 AP's connected to a switch connected
> to a Linux box on eth1, with eth0 connected to the master switches to get
> Internet and files.
> Sadly, the students log into the laptops via MS Active Directory and to
> do this we need to have both sides of the Linux box on the same network.
>
> So:
>
> [WLAN] <-> [eth1: 10.89.100.1/16][eth0: 10.89.200.27/16] <->
> [INTERNET/10.89.1.1/16]
>
> How should I set up my route(s)? I have iptables working for MAC filtering
> and ip_forwarding, is there something else I should add?
>
> It worked fine when the wireless was on the 192.168.20.0/24 subnet,
> however, AD didn't work.
>
> Sorry if this is a very basic question, but google didn't help and I am at
> a loss here.
>
> Thank you,
> Scott Brown



 
/dev/scott0
      10-13-2004, 01:16 PM
You are allowed to connect to the AD server if there is a "trust" setup
with another AD server on the different subnet.

The Linux box is required between the WLAN and the LAN. It is what
provides the MAC address filtering (using iptables).

It does look like I have to turn it into a bridge somehow....

--Scott

pcfixer wrote:
> Maybe I'm missing something, but I wasn't aware that you couldn't access an
> Active Directory domain from a remote subnet. And if you're for sure using
> a 16-bit subnet mask on all the computers on the network, then you shouldn't
> have a routing issue because it's technically all the same subnet. Make
> sure the computers on the WLAN are set up to look at your Windows domain
> controller for DNS services and that your Windows server has DNS properly
> configured to point to itself for the domain. I know with the little bit I
> messed with Active Directory, the DNS issue was weird. Let's say you create
> a domain called yourdomain.com and set up the DNS for that. When you do the
> "join a domain" option on a Windows 2000 or XP workstation, you have to type
> in only "yourdomain" instead of "yourdomain.com" when it asks for the domain
> name, or else it won't work. I don't know if that's a feature, a bug, or
> improper configuration on my part, but that's the way it worked.
>
> Not knowing your setup, it's hard to tell what a good course of action would
> be, but since you, in fact, only have one subnet, and if you don't have
> security concerns about the wireless part, I would just plug those secondary
> switches right into the master switches and then plug the Linux box into a
> switch port, instead of having the Linux box sit directly between the two
> sets of switches. That's only if there's no real reason for the Linux box
> to be dividing the two parts of the network.

 
pcfixer
      10-18-2004, 09:05 PM
I'm not sure what you mean by an AD server, but I think you missed my main
point. If you are using a 16-bit subnet mask for both sides of the network
(16-bit meaning 255.255.0.0), then unless there's some funky configuration
you haven't mentioned here, they aren't actually separate subnets, but
rather the same subnet. With a mask of 255.255.0.0, only the first two
octets have to be the same in order to be on the same subnet. Both of your
"sides" of the network are 10.89.x.x, meaning they should all be the same
subnet. Therefore, something in your firewall settings must be restricting
too much access between the two sides of the network. It doesn't sound like
a routing issue at all, but rather a firewall issue or something. I wonder
if some necessary ports for the Active Directory are being blocked or
something.


"/dev/scott0" wrote:
> You are allowed to connect to the AD server if there is a "trust" setup
> with another AD server on the different subnet.
>
> The Linux box is required between the WLAN and the LAN. It is what
> provides the MAC address filtering (using iptables).
>
> It does look like I have to turn it into a bridge somehow....
>
> --Scott
>
> pcfixer wrote:
>> Maybe I'm missing something, but I wasn't aware that you couldn't access
>> an Active Directory domain from a remote subnet. And if you're for sure
>> using a 16-bit subnet mask on all the computers on the network, then you
>> shouldn't have a routing issue because it's technically all the same
>> subnet. Make sure the computers on the WLAN are set up to look at your
>> Windows domain controller for DNS services and that your Windows server
>> has DNS properly configured to point to itself for the domain. I know
>> with the little bit I messed with Active Directory, the DNS issue was
>> weird. Let's say you create a domain called yourdomain.com and set up the
>> DNS for that. When you do the "join a domain" option on a Windows 2000
>> or XP workstation, you have to type in only "yourdomain" instead of
>> "yourdomain.com" when it asks for the domain name, or else it won't work.
>> I don't know if that's a feature, a bug, or improper configuration on my
>> part, but that's the way it worked.
>>
>> Not knowing your setup, it's hard to tell what a good course of action
>> would be, but since you, in fact, only have one subnet, and if you don't
>> have security concerns about the wireless part, I would just plug those
>> secondary switches right into the master switches and then plug the Linux
>> box into a switch port, instead of having the Linux box sit directly
>> between the two sets of switches. That's only if there's no real reason
>> for the Linux box to be dividing the two parts of the network.
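
The same-subnet point and the bridge suggestion from this thread, worked through as an added example (not code from any poster). It models how a WLAN client picks its next hop and whether that traffic gets past the Linux box when the box routes versus bridges. The client addresses and the 192.168.20.1 gateway are constructed, and router mode assumes the box does not answer ARP on behalf of other hosts.

```python
import ipaddress

def same_network(cidr_a, cidr_b):
    """True when two interface addresses fall in one IP network."""
    net_a = ipaddress.ip_interface(cidr_a).network
    net_b = ipaddress.ip_interface(cidr_b).network
    return net_a == net_b

def next_hop(host_cidr, dest, gateway):
    """What a host does with a packet for `dest`, from its own address and mask."""
    network = ipaddress.ip_interface(host_cidr).network
    if ipaddress.ip_address(dest) in network:
        return "on-link"        # host ARPs for dest itself, no gateway involved
    return "via " + gateway     # host addresses the frame to the gateway's MAC

def crosses_box(host_cidr, dest, box_ip, mode):
    """Does traffic from a WLAN host get past the Linux box to `dest`?

    mode "router": the box forwards only packets sent to it as the gateway
                   (assumption: no proxy ARP on the box).
    mode "bridge": the box forwards frames at layer 2, ARP broadcasts included,
                   subject to whatever filter rules it applies.
    """
    if mode == "bridge":
        return True
    if mode == "router":
        return next_hop(host_cidr, dest, box_ip) == "via " + box_ip
    raise ValueError("mode must be 'router' or 'bridge'")

if __name__ == "__main__":
    # eth1/eth0 addresses and 10.89.1.1 are from the thread's diagram;
    # the client addresses and 192.168.20.1 are constructed for illustration.
    print("eth1 and eth0 in one network:",
          same_network("10.89.100.1/16", "10.89.200.27/16"))
    cases = [
        ("10.89.100.50/16", "10.89.100.1", "router"),
        ("10.89.100.50/16", "10.89.100.1", "bridge"),
        ("192.168.20.50/24", "192.168.20.1", "router"),
    ]
    for host, box, mode in cases:
        print(host, mode, next_hop(host, "10.89.1.1", box),
              crosses_box(host, "10.89.1.1", box, mode))
```
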



 