Routing between subnets on different vlans connected by a router/firewall


I tried static routes but couldn't get it to work

You shouldn't need static routes, your system already has all the routes it should need. Linux automatically configures routes for every network that is locally attached. Assuming you have ip_forward enabled, and no firewall rules in place currently blocking traffic, everything should just work.

Do I have to setup a Tunnel to accomplish this?

No, you shouldn't need any tunnels.

I realize I could use NATing but in order to access individual private IP machines,

You shouldn't need any NAT rules. In fact if you already have an overly-broad SNAT/MASQ setup that might be your problem.

Assuming all the clients on 64.22.12.192/27 and 192.168.0.0/24 are using your Linux box as their default gateway, and you don't have any SNAT/MASQ rules set up to change the source address of traffic going from eth3 -> eth1, communication should just work.


Author: Stallionz

Updated on September 18, 2022

Comments

  • Stallionz
    Stallionz over 1 year

    I have two networks that I'd like to connect with a router/firewall to filter traffic between the two. One network is on a public subnet, let's say 64.22.12.192/27, and the other network is on a private subnet, 192.168.0.0/24. They are connected via a router which has three Ethernet ports: one connected to the internet, the other two connected to the public and private subnets, which are on their own VLANs. How do I make the private subnet visible to the public network? Here's the network diagram:

    • Router1 >eth0 --- Connected to Internet
    • Router1 >eth1 --- 64.22.12.193/27 Connected to VLAN 64 Subnet 64.22.12.193/27
    • Router1 >eth3 --- 192.168.0.1/24 Connected to VLAN 192 Subnet 192.168.0.0/24

    I tried static routing 192.168.0.0/24 to 64.22.12.193 on the router; I also tried routing it to 192.168.0.1. Neither worked.

    I want traffic between the two subnets to pass through the router because I want to be able to setup firewall rules on the router between the subnets.

    1. I tried static routes but couldn't get it to work, am I doing something wrong?

    2. I realize I could use NATing, but in order to access individual private IP machines I would have to set up a one-to-one NAT, which would eat up my precious limited public IPs.

    3. Do I have to setup a Tunnel to accomplish this? Wouldn't a tunnel bypass the firewall rules?

    IP route show:

    default via 66.22.32.137 dev eth0  proto zebra 
    192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.1
    64.22.12.192/27 dev eth1  proto kernel  scope link  src 64.22.12.193
    66.22.32.136/29 dev eth0  proto kernel  scope link  src 66.22.32.141
    127.0.0.0/8 dev lo  proto kernel  scope link  src 127.0.0.1 
    
    • joeqwerty
      joeqwerty over 11 years
      1. What make/model of router? 2. Can you post the routing table from the router? 3. You shouldn't have to manually do anything to get the traffic routed between the internal subnets, as the router has an interface directly connected to both internal subnets, just as you shouldn't have to manually do anything to get traffic routed between each of the internal subnets and the external subnet. 4. Do the hosts on each internal subnet have the router as their DG, using the appropriate IP address of the respective router interface?
    • Michael Hampton
      Michael Hampton over 11 years
      Based on your text, I would guess you're using a Linux box as your router/firewall. Please post the routing table (route -n) and your firewall rules (iptables -nvL).
    • Stallionz
      Stallionz over 11 years
      I'm using Vyatta for the router/firewall; I updated the question with the ip route show output.
    • Stallionz
      Stallionz over 11 years
      I should comment that I can ping the port on the other end just fine. From 64.22.12.195 I can ping 192.168.0.1 just fine.
    • Zoredache
      Zoredache over 11 years
      What do the hosts on 64.22.12.192/27, and 66.22.32.136/29 have as the default gateway? Are they pointed at the Linux box, or something else?
    • Stallionz
      Stallionz over 11 years
      The 66.22.32.136/29 subnet connects my router to the ISP. The vyatta router connects to the 66.22.32.137 ip as its gateway. The 64.22.12.192/27 subnet is my local subnet and uses 64.22.12.193 as the gateway address.
    • Shanmugalakshmi
      Shanmugalakshmi over 11 years
      What else do you have configured on the Vyatta so far? Also, can you post example net settings for a sample host on both sides (ip addr, netmask, gateway)?
    • Zoredache
      Zoredache over 11 years
      Plus try some traceroutes. What happens when you try to do a traceroute for 192.168.0.1 from a host on 64.22.12.192/27 that isn't the router?
    • Stallionz
      Stallionz over 11 years
      Solved: Turns out the machine I was trying to ping had problems, I can ping other machines just fine. Thanks for the input.
  • Stallionz
    Stallionz over 11 years
    Indeed, I didn't think I needed the static routes, but tried it when I couldn't get it to work. The problem turned out to be the machine I was trying to ping; I can ping other machines just fine. I removed the static routing.
  • Stallionz
    Stallionz over 11 years
    What do you mean by overly-broad? I need the 192.168.0.0/24 subnet to be able to access the internet; don't I need the masquerading for it? Or do you simply mean I should limit the ports on the NAT (I was going to do that with the firewall anyway)?
  • Zoredache
    Zoredache over 11 years
    I mean if you added a rule like iptables -s 192.168.0.0/24 -j MASQ, then your system would NAT traffic from the private subnet when it accesses 64.22.12.192/27. You would probably want to add an additional condition that limits the MASQ/SNAT so that it only applies when it is leaving the eth0 interface. Something like iptables -s 192.168.0.0/24 -o eth0 -j MASQ perhaps.
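The two points made in the accepted answer and in the last comment (the kernel's connected routes already cover both VLANs once ip_forward is on, and a MASQUERADE rule without an out-interface match also rewrites inter-subnet traffic) can be checked with a small simulation. The block below is an added example, not code from the question, the answer, or Vyatta: it reproduces the routing table posted in the question, does longest-prefix matching the way the kernel does, and models the two NAT rules from the comment (in full iptables form they would be `iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE` and the same rule with `-o eth0`; the comment abbreviates the target). Host addresses such as 192.168.0.50 and 8.8.8.8 are constructed test values.

```python
import ipaddress

# Constructed copy of the routing table from the question's "ip route show" output.
# (prefix, egress device); the default route is written as 0.0.0.0/0.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default via 66.22.32.137 dev eth0
    ("192.168.0.0/24", "eth3"),   # proto kernel (added automatically for eth3's address)
    ("64.22.12.192/27", "eth1"),  # proto kernel (added automatically for eth1's address)
    ("66.22.32.136/29", "eth0"),  # proto kernel (ISP link)
    ("127.0.0.0/8", "lo"),
]

# Hypothetical POSTROUTING nat rules as (source prefix or None, out-interface or None).
# BROAD_MASQ models "-s 192.168.0.0/24 -j MASQUERADE" with no -o match;
# SCOPED_MASQ models the same rule restricted with "-o eth0".
BROAD_MASQ = [("192.168.0.0/24", None)]
SCOPED_MASQ = [("192.168.0.0/24", "eth0")]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match over the routing table: the most specific route wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def is_masqueraded(src, dst, rules, routes=ROUTES):
    """True if a forwarded packet src->dst matches one of the modelled MASQUERADE rules."""
    src_ip = ipaddress.ip_address(src)
    out_if = egress_interface(dst, routes)
    for src_prefix, out_match in rules:
        if src_prefix and src_ip not in ipaddress.ip_network(src_prefix):
            continue          # rule's -s does not match
        if out_match and out_match != out_if:
            continue          # rule's -o does not match the chosen egress interface
        return True
    return False


def forward(src, dst, ip_forward=True, masq_rules=()):
    """Summarise what the router does with a transit packet from src to dst."""
    if not ip_forward:
        return "not forwarded (ip_forward=0)"
    out_if = egress_interface(dst)
    if out_if is None:
        return "no route"
    if is_masqueraded(src, dst, masq_rules):
        return f"forwarded via {out_if} with source rewritten"
    return f"forwarded via {out_if} unchanged"


if __name__ == "__main__":
    # Public-side host reaching a private host: no static route needed, eth3 is chosen.
    print(forward("64.22.12.195", "192.168.0.50"))
    # Private host reaching a public-side host under the broad vs. scoped NAT rule.
    print(forward("192.168.0.50", "64.22.12.195", masq_rules=BROAD_MASQ))
    print(forward("192.168.0.50", "64.22.12.195", masq_rules=SCOPED_MASQ))
    # Private host reaching the internet still gets masqueraded with the scoped rule.
    print(forward("192.168.0.50", "8.8.8.8", masq_rules=SCOPED_MASQ))
```

The first call shows why the answer says no static routes are needed: the kernel-installed connected route for 192.168.0.0/24 already selects eth3. The second and third calls show the difference the `-o eth0` match makes, which is what "overly-broad" refers to: without it, replies from the public VLAN are addressed to the router's own eth1 address instead of the private host, and any per-host firewall rules on the router see the rewritten source. This model ignores the FORWARD chain entirely; on a real Vyatta box the same check is `sysctl net.ipv4.ip_forward` plus `iptables -t nat -S POSTROUTING` and `iptables -S FORWARD`.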