Selective routing / how to separate 2 subnets

Hi,

I have problem to separate 2 subnets:
192.168.0.64/26
192.168.0.128/26

Normally they are working togheter and everything is ok (I mean hosts
from 192.168.0.64/26 cannot communicate with 192.168.0.128/26 hosts -
according to ip theory ), but now i want to provide them with
internet and i don't want them to see each other.

So, this is how it looks like:

1.host (192.168.0.66/26) eth0 \
\ router
== eth0 (192.168.0.65/26) | eth1 ==>
/ (192.168.0.129/26)|(80.0.0.2/30)
2.host (192.168.0.130/26) eth0/


Router configuration:
ip r flush all
ip a flush dev eth0
ip r flush dev eth1

ip a add 80.0.0.2/30 dev eth1 #(let's just assume that address)
ip a add 192.168.0.65/26 dev eth0
ip a add 192.168.0.129/26 dev eth0

ip r add default via 80.0.0.1

iptables -A FORWARD -s 192.168.0.64/26 -d 192.168.0.128/26 -j DROP
iptables -A FORWARD -s 192.168.0.128/26 -d 192.168.0.64/26 -j DROP
iptables -A INPUT -s 192.168.0.64/26 -d 192.168.0.128/26 -j DROP
iptables -A INPUT -s 192.168.0.128/26 -d 192.168.0.64/26 -j DROP

echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

Now I ping 192.168.0.130 from host 192.168.0.66 and it replies...
It looks like this:
[...]
PING 192.168.0.130 (192.168.0.130) 56(84) bytes of data.
From 192.168.0.65: icmp_seq=1 Redirect Host(New nexthop: 192.168.0.130)
From 192.168.0.65: icmp_seq=2 Redirect Host(New nexthop: 192.168.0.130)
64 bytes from 192.168.0.130: icmp_seq=4 ttl=64 time=0.957 ms
[...]

So without a router pings don't work - it's ok.
With router - hosts communicate :/
How to prevent router from doing it - i suppose "Redirect Host(New
nexthop: 192.168.0.130)" is the key...

What's wierd - host communicate directly, which means after first ping
reply, I can shut down the router and communication still works
(192.168.0.66 directly to 192.168.0.130 - where is ip theory now? ). Why?

Thank you for help!

--
Piotrek

On Sat, 19 Apr 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <fucg8u$ak8$(E-Mail Removed)>, Piotrek G. wrote:

>I have problem to separate 2 subnets:
>192.168.0.64/26
>192.168.0.128/26
>
>Normally they are working togheter and everything is ok (I mean hosts
>from 192.168.0.64/26 cannot communicate with 192.168.0.128/26 hosts -
>according to ip theory ), but now i want to provide them with
>internet and i don't want them to see each other.
>
>So, this is how it looks like:
>
>1.host (192.168.0.66/26) eth0 \
> \ router
> == eth0 (192.168.0.65/26) | eth1 ==>
> / (192.168.0.129/26)|(80.0.0.2/30)
>2.host (192.168.0.130/26) eth0/

They are physically connected - and you need to separate that. (Try
listening with a packet sniffer on 192.168.0.66, and you will see the
packets from 192.168.0.130.) Add a third network card to the router
so that 192.168.0.64/26 and 192.168.0.128/26 are on different NICs such
as eth0 and eth2.

>Router configuration:

Look basically OK. The more important data - what is the output of
/sbin/route -a on all three systems?

>ip a add 80.0.0.2/30 dev eth1 #(let's just assume that address)

Let's not. That address is real, and in use. See RFC3330 for other
addresses you can use for text examples - 192.0.2.12 would be nice.

>Now I ping 192.168.0.130 from host 192.168.0.66 and it replies...
>It looks like this:

/sbin/arp -a will show the "other" MAC address. This happens
because you have them on the same physical wire.

>So without a router pings don't work - it's ok.

Because the 192.168.0.64/26 and 192.168.0.128/26 wires are not
connected together.

>With router - hosts communicate :/

Because you connected both networks to the same single NIC.

>How to prevent router from doing it - i suppose "Redirect Host(New
>nexthop: 192.168.0.130)" is the key...

Separate them physically. The redirects occur when the router sees
that it's going to be sending the packet out of the same NIC it
received the original from - and it thinks "Why are these idiots
bothering me when they are on the same wire and can talk directly?".

>What's wierd - host communicate directly, which means after first ping
>reply, I can shut down the router and communication still works
>(192.168.0.66 directly to 192.168.0.130 - where is ip theory now? ).
> Why?

You've wired the Ethernets together. Don't do that.

Old guy

Moe Trin wrote:
[...]

First of all I want to thank you for your reply.

>>Router configuration:
>
>
> Look basically OK. The more important data - what is the output of
> /sbin/route -a on all three systems?
Actually there is something wrong - a lack of:
iptables -A OUTPUT -p icmp --icmp-type redirect -j DROP
It solved my problem with redirections.

What's strange, using
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
doesn't help - redirects are sent all the time... Why?
Some kernel misconfiguration? It's PLD linux with distribution kernel
2.6.11-6.


>>ip a add 80.0.0.2/30 dev eth1 #(let's just assume that address)
>
>
> Let's not. That address is real, and in use. See RFC3330 for other
> addresses you can use for text examples - 192.0.2.12 would be nice.
>
You're right, but this is completely separated network, without
communication with the real world. So I set it up to...let's say
"simulate" real situation. I didn't mention that, sorry.

[...]

> Separate them physically. The redirects occur when the router sees
> that it's going to be sending the packet out of the same NIC it
> received the original from - and it thinks "Why are these idiots
> bothering me when they are on the same wire and can talk directly?".
It's reasonable
But I don't understand how it (IP addressing) works in spite of two
different netmasks. They should communicate through gateway.
Let's see:
192.168.0.66: 11000000.10101000.00000000.01000010
255.255.255.192: 11111111.11111111.11111111.11000000
AND -----------------------------------
11000000.10101000.00000000.01000000 -+
|
192.168.0.130 11000000.10101000.00000000.10000010 |
255.255.255.192 11111111.11111111.11111111.11000000 |
AND ----------------------------------- |
11000000.10101000.00000000.10000000 -+
|
|
It says - oops,
host you're trying
to connect is in the
different net - use
your default gateway
which is in the same
subnet.
[...]
>
> You've wired the Ethernets together. Don't do that.
>

Maybe it's a lame question but... Why I can't wire two subnets together?
Isn't subneting invented to separate two or more networks connected
together? It works perfectly without a router and, I think, it's desired
solution in some circumstances, isn't it?


--
Piotrek

On Apr 19, 10:07 pm, "Piotrek G." <remove.every.
2nd.letter.starting.from.firstone_ngouslpaa...@o2. pl> wrote:
> Moe Trin wrote:
>
> [...]
>
> First of all I want to thank you for your reply.
>
> >>Router configuration:
>
> > Look basically OK. The more important data - what is the output of
> > /sbin/route -a on all three systems?
>
> Actually there is something wrong - a lack of:
> iptables -A OUTPUT -p icmp --icmp-type redirect -j DROP
> It solved my problem with redirections.
>
> What's strange, using
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
> doesn't help - redirects are sent all the time... Why?
> Some kernel misconfiguration? It's PLD linux with distribution kernel
> 2.6.11-6.
>
> >>ip a add 80.0.0.2/30 dev eth1 #(let's just assume that address)
>
> > Let's not. That address is real, and in use. See RFC3330 for other
> > addresses you can use for text examples - 192.0.2.12 would be nice.
>
> You're right, but this is completely separated network, without
> communication with the real world. So I set it up to...let's say
> "simulate" real situation. I didn't mention that, sorry.
>
> [...]
>
> > Separate them physically. The redirects occur when the router sees
> > that it's going to be sending the packet out of the same NIC it
> > received the original from - and it thinks "Why are these idiots
> > bothering me when they are on the same wire and can talk directly?".
>
> It's reasonable
> But I don't understand how it (IP addressing) works in spite of two
> different netmasks. They should communicate through gateway.
> Let's see:
> 192.168.0.66: 11000000.10101000.00000000.01000010
> 255.255.255.192: 11111111.11111111.11111111.11000000
> AND -----------------------------------
> 11000000.10101000.00000000.01000000 -+
> |
> 192.168.0.130 11000000.10101000.00000000.10000010 |
> 255.255.255.192 11111111.11111111.11111111.11000000 |
> AND ----------------------------------- |
> 11000000.10101000.00000000.10000000 -+
> |
> |
> It says - oops,
> host you're trying
> to connect is in the
> different net - use
> your default gateway
> which is in the same
> subnet.
> [...]
>
>
>
> > You've wired the Ethernets together. Don't do that.
>
> Maybe it's a lame question but... Why I can't wire two subnets together?
> Isn't subneting invented to separate two or more networks connected
> together? It works perfectly without a router and, I think, it's desired
> solution in some circumstances, isn't it?
>
> --
> Piotrek

hello ,
i think this is because of icmp-redirects,
so you should disable icmp redirect in your router :
add this lines to your /etc/sysctl.conf :

net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

and then run : # sysctl -p

On Sat, 19 Apr 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <fudfsh$r5q$(E-Mail Removed)>, Piotrek G. wrote:

>Moe Trin wrote:

>Actually there is something wrong - a lack of:
>iptables -A OUTPUT -p icmp --icmp-type redirect -j DROP
>It solved my problem with redirections.
>
>What's strange, using
>echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>doesn't help - redirects are sent all the time... Why?

Can't say, as I've never had the problem, and never looked into
the algorithms.

>Some kernel misconfiguration? It's PLD linux with distribution kernel
>2.6.11-6.

Not using PLD, but that is an older kernel.

-rw-r--r-- 1 admin admin 46583827 Mar 26 2005 linux-2.6.11.6.tar.gz

The most current kernels are 2.6.25 (Apr 17 2008) and 2.6.24.5 (Apr 19
2008). There have been a LOT of changes since 2.6.11.

>> Separate them physically. The redirects occur when the router sees
>> that it's going to be sending the packet out of the same NIC it
>> received the original from - and it thinks "Why are these idiots
>> bothering me when they are on the same wire and can talk directly?".

>It's reasonable

Not to the kernel - It doesn't want to work any harder than you do ;-)

>But I don't understand how it (IP addressing) works in spite of two
>different netmasks. They should communicate through gateway.

Assuming they can't hear each other, yes.

> It says - oops, host you're trying to connect is in the
> different net - use your default gateway which is in the
> same subnet.

The redirect overrides this behavior.

>Maybe it's a lame question but... Why I can't wire two subnets
>together? Isn't subneting invented to separate two or more networks
>connected together?

No. Lessee... the old (RFC) documents are

0917 Internet subnets. J.C. Mogul. Oct-01-1984.
0925 Multi-LAN address resolution. J. Postel. Oct-01-1984.
0932 Subnetwork addressing scheme. D.D. Clark. Jan-01-1985
0936 Another Internet subnet addressing scheme. M.J. Karels. Feb-01-1985
0940 Toward an Internet standard scheme for subnetting. Gateway
Algorithms and Data Structures Task Force. Apr-01-1985.

and these were beaten together in many meetings and mails, and the
result was RFC0950

0950 Internet Standard Subnetting Procedure. J.C. Mogul, J. Postel.
Aug-01-1985. (Format: TXT=37985 bytes) (Updates RFC0792) (Also
STD0005) (Status: STANDARD)

and you want to read section 1 of that document. BRIEFLY, the reasons
for subnetting was hardware (bandwidth - only so many hosts could
"fit" on one wire and be able to talk), (physical - the length of the
wire was limited even with repeaters, and some facilities are more
than several kilometers in "length") and security or privacy (recall
that Ethernet was originally coax, and all hosts on the wire could
"hear" all others). These problems still exist even when using
switches (broadcasts are heard on all ports). Where I work, we
originally set up our subnets with a /22 (255.255.252.0) mask. As we
got more hosts on the wire (and we did start with 10Base5 Thicknet),
we found that traffic was an issue, and added Etherswitches to the
coax to break up the traffic segment so that no more than 100 hosts
were on the same coax. With twisted pair (10BaseT, 100BaseT,
1000BaseT) or fiber, your next limit becomes the bandwidth of the
switch you use.

Old guy

On Apr 19, 12:07 pm, "Piotrek G."
> Maybe it's a lame question but... Why I can't wire two subnets together?
> Isn't subneting invented to separate two or more networks connected
> together? It works perfectly without a router and, I think, it's desired
> solution in some circumstances, isn't it?

The short answer -- no. Subnetting was *not* designed to separate two
or more networks connected together. It was to make it possible to
separate two or more networks and have them communicate with each
other.

If you choose to put more than one subnet on the same virtual network,
you will not be able to prevent machines from talking to each other.
It takes active steps at every possible pathway two machines could use
to talk to each other to keep them from talking to each other, and you
can't do that on a physical wire without using VLANs or a similar
scheme.

You may get it to work for a bit, and then suddenly the machines find
some other way to talk to each other.

DS