Routing between subnets on different vlans connected by a router/firewall
I tried static routes but couldn't get it to work
You shouldn't need static routes, your system already has all the routes it should need. Linux automatically configures routes for every network that is locally attached. Assuming you have ip_forward enabled, and no firewall rules in place currently blocking traffic, everything should just work.
Do I have to setup a Tunnel to accomplish this?
No, you shouldn't need any tunnels.
I realize I could use NATing but in order to access individual private IP machines,
You shouldn't need any NAT rules. In fact if you already have an overly-broad SNAT/MASQ setup that might be your problem.
Assuming all the clients on 64.22.12.192/27 and 192.168.0.0/24 are using your Linux box as their default gateway, and you don't have any SNAT/MASQ rules set up to change the source address of traffic going from eth3 -> eth1, communication should just work.
Stallionz
Updated on September 18, 2022
Comments
-
Stallionz over 1 year: I have two networks that I'd like to connect with a router/firewall to filter traffic between the two. One network is on a public subnet, let's say 64.22.12.192/27, and the other network is on a private subnet, 192.168.0.0/24. They are connected via a router which has three Ethernet ports, one connected to the internet, the other two connected to the public and private subnets and are on their own VLANs. How do I make the private subnet visible to the public network? Here's the network diagram:
- Router1 >eth0 --- Connected to Internet
- Router1 >eth1 --- 64.22.12.193/27 Connected to VLAN 64 Subnet 64.22.12.193/27
- Router1 >eth3 --- 192.168.0.1/24 Connected to VLAN 192 Subnet 192.168.0.0/24
I tried static routing 192.168.0.0/24 to 64.22.12.193 on the router; I also tried routing it to 192.168.0.1. Neither worked. I want traffic between the two subnets to pass through the router because I want to be able to set up firewall rules on the router between the subnets.
I tried static routes but couldn't get it to work, am I doing something wrong?
I realize I could use NATing but in order to access individual private IP machines, I would have to set up a one-to-one NAT which would eat up my precious limited public IPs.
Do I have to set up a Tunnel to accomplish this? Wouldn't a tunnel bypass the firewall rules?
IP route show:
default via 66.22.32.137 dev eth0 proto zebra
192.168.0.0/24 dev eth3 proto kernel scope link src 192.168.0.1
64.22.12.192/27 dev eth1 proto kernel scope link src 64.22.12.193
66.22.32.136/29 dev eth0 proto kernel scope link src 66.22.32.141
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
-
joeqwerty over 11 years: 1. What make/model of router? 2. Can you post the routing table from the router? 3. You shouldn't have to manually do anything to get the traffic routed between the internal subnets as the router has an interface directly connected to both internal subnets, just as you shouldn't have to manually do anything to get traffic routed between each of the internal subnets and the external subnet. 4. Do the hosts on each internal subnet have the router as their DG, using the appropriate IP address of the respective router interface?
-
Michael Hampton over 11 years: Based on your text, I would guess you're using a Linux box as your router/firewall. Please post the routing table (route -n) and your firewall rules (iptables -nvL).
-
Stallionz over 11 years: I'm using Vyatta for router/firewall. I updated it with the ip route show output.
-
Stallionz over 11 years: I should comment that I can ping the port on the other end just fine. From 64.22.12.195 I can ping 192.168.0.1 just fine.
-
Zoredache over 11 years: What do the hosts on 64.22.12.192/27 and 66.22.32.136/29 have as the default gateway? Are they pointed at the Linux box, or something else?
-
Stallionz over 11 years: The 66.22.32.136/29 subnet connects my router to the ISP. The Vyatta router connects to the 66.22.32.137 IP as its gateway. The 64.22.12.192/27 subnet is my local subnet and uses 64.22.12.193 as the gateway address.
-
Shanmugalakshmi over 11 years: What else do you have configured on the Vyatta so far? Also, can you post example net settings for a sample host on both sides (ip addr, netmask, gateway)?
-
Zoredache over 11 years: Plus try some traceroutes. What happens when you try to do a traceroute for 192.168.0.1 from a host on 64.22.12.192/27 that isn't the router?
-
Stallionz over 11 years: Solved: Turns out the machine I was trying to ping had problems, I can ping other machines just fine. Thanks for the input.
-
Stallionz over 11 years: Indeed I didn't think I needed the static routes but tried it when I couldn't get it to work. The problem turned out to be the machine I was trying to ping; I can ping other machines just fine. I removed the static routing.
-
Stallionz over 11 years: What do you mean by overly-broad? I need the 192.168.0.0/24 subnet to be able to access the internet, don't I need the masquerading for it? Or do you simply mean I should limit the ports on the NAT (I was going to do that with the firewall anyway)?
-
Zoredache over 11 years: I mean if you added a rule like iptables -s 192.168.0.0/24 -j MASQ then your system would NAT traffic from the private subnet when it accesses the 64.22.12.192/27. You would probably want to add an additional condition that limits the MASQ/SNAT so that it only applies when it is leaving the eth0 interface. Something like iptables -s 192.168.0.0/24 -o eth0 -j MASQ perhaps.
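To make concrete what the answer and Zoredache's last comment say about an overly broad masquerade rule (the iptables target is MASQUERADE, applied in the nat table's POSTROUTING chain), here is an added example that is not part of the original thread or of Vyatta: it replays the routing table posted in the question, does the kernel's longest-prefix match to pick the egress interface, then checks whether the NAT rule would rewrite the source address. The host addresses 192.168.0.10 and 8.8.8.8 are constructed sample values; the rule dicts stand in for "-s 192.168.0.0/24" with and without "-o eth0".

```python
import ipaddress

# Routing table exactly as posted in the question's "IP route show" output.
ROUTE_TABLE = """\
default via 66.22.32.137 dev eth0 proto zebra
192.168.0.0/24 dev eth3 proto kernel scope link src 192.168.0.1
64.22.12.192/27 dev eth1 proto kernel scope link src 64.22.12.193
66.22.32.136/29 dev eth0 proto kernel scope link src 66.22.32.141
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
"""

def parse_routes(text):
    """Return (network, dev, router_src_or_None) tuples from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        prefix = "0.0.0.0/0" if f[0] == "default" else f[0]
        dev = f[f.index("dev") + 1]
        src = f[f.index("src") + 1] if "src" in f else None
        routes.append((ipaddress.ip_network(prefix), dev, src))
    return routes

def egress_dev(routes, dst):
    """Longest-prefix match: the interface the kernel forwards dst out of."""
    d = ipaddress.ip_address(dst)
    return max((net.prefixlen, dev) for net, dev, _ in routes if d in net)[1]

def router_addr(routes, dev):
    """The router's own address on dev (what a MASQUERADE rewrite would use)."""
    return next(src for _, d, src in routes if d == dev and src)

def masquerade_applies(src, out_dev, rule):
    """Does a POSTROUTING rule {'src': cidr, 'out': dev-or-absent} hit this packet?"""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"]):
        return False
    return rule.get("out") in (None, out_dev)

BROAD_RULE = {"src": "192.168.0.0/24"}                  # -s 192.168.0.0/24 -j MASQUERADE
SCOPED_RULE = {"src": "192.168.0.0/24", "out": "eth0"}  # -s 192.168.0.0/24 -o eth0 -j MASQUERADE

def forwarded_packet(src, dst, rule, routes=None):
    """Simulate the router: route the packet, then apply the NAT rule.
    Returns (egress interface, source address the peer will see)."""
    routes = routes or parse_routes(ROUTE_TABLE)
    dev = egress_dev(routes, dst)
    if masquerade_applies(src, dev, rule):
        return dev, router_addr(routes, dev)
    return dev, src
```

With the broad rule, a host on 64.22.12.192/27 sees every private machine as 64.22.12.193, so firewall rules on the router cannot distinguish private hosts and the public side cannot reach them individually; scoping the rule to -o eth0 keeps inter-VLAN traffic untranslated while internet-bound traffic still gets the public address.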