sub-net routing question

marthter marthter-FFYn/CNdgSA at public.gmane.org
Wed Aug 17 19:40:18 UTC 2011 

Hey folks,

Although I've set up many routers at small businesses and residentially 
for friends, when I've had more than one router at one site, I've always 
just turned on NAT instead of doing (what I gather is) the more advanced 
"proper" way to do it, with sub-netting.  I.e. what I normally do is, if 
the first router (with external IP on its WAN) is giving LAN addresses 
192.168.99.x, I'll hook the second router's WAN port to that .99.x LAN, 
and set the second router to, say, use LAN addresses 192.168.88.x.  The 
second router uses NAT when its clients send traffic to the first LAN 
(or internet), and the first router also uses NAT when its clients send 
traffic to the internet.  This works fine when basically all I need is 
just a bunch of machines to have internet access (and if there are any 
in-house servers, file shares, printers, etc, they are only on the first 
LAN).  There is no manually added routing rule on the first router to 
allow hosts on the first LAN to reach hosts on the second LAN.

I think I have a good handle on what a netmask of different lengths 
means and now I'm trying to put the theory to practice.  Actually this 
is eventually for a VPN set-up but I'm trying with a LAN first to make 
sure I understand that.

Picture three routers and two computers...

"middle router" has (for now) nothing connected to WAN, just LAN
"left router" has its WAN jack connected to a LAN jack of middle router
"right router" has its WAN jack connected to a LAN jack of middle router
"left computer" is connected to LAN jack of left router
"right computer" is connected to LAN jack of right router

I'm trying to stick to whatever "normal" routing rules are added in a 
vanilla consumer router when you set up its LAN and WAN ports.  I.e. how 
do I do this with only setting addresses, netmasks, and gateways, no 
custom added routes?

My understanding thus far (taking the 192.168.x.x private address space 
for example) is that the whole network could be 192.168.x.x/16, and the 
left sub-net could be 192.168.1.x/24, and the right sub-net could be 
192.168.2.x/24.

left computer: 192.168.1.10/24 (say, via DHCP from left router)

left router LAN: 192.168.1.1/24
left router WAN: 192.168.1.2/16

middle router LAN: 192.168.0.1/16
middle router WAN: (un-used in this experiment, could naturally be 
external IP later, with normal vanilla NAT)

right router LAN: 192.168.2.1/24
right router WAN: 192.168.2.2/16

right computer: 192.168.2.10/24 (say, via DHCP from right router)


I guess the main thing I'm doubtful about is the left router (and same 
issue for right, but just take left for now)...  Does it make sense or 
it is valid for it to have LAN .1.1/24, and WAN .1.2/16?  i.e. do these 
final digits .1 and .2 need to be different?

or could it validly have LAN .1.1/24 and WAN .1.1/16  and these are 
different enough because one is actually [network 192.168.1, host .1], 
and the other is actually [network 192.168, host .1.1] ?

Now after phrasing the question, I'm thinking this is not possible 
without manually added routes(two?), at the very least on the middle 
router.  Even though its full network (192.168.x.x/16) is "in-house" and 
"under" its LAN, it only knows for sure the addresses of the left and 
right router, not the left and right computer under those.  So then if 
I'm right about that, what would the rule on the middle router be? and 
could the left and right router still just be set up with vanilla 
address/netmask/gateway and no further NAT or routing settings?

On the third hand, I'm also thinking now that the left and right 
routers' WAN addresses should be in a different block of the big 
sub-net, not in blocks also covered by their sub-net LANs.  Like 
192.168.0.10, and .0.11.

Thanks in advance for any insights you can share (including starting 
from scratch with totally different blocks of numbers; in fact that 
might be clearer than suggesting many changes to the above).

Martin


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gtalug.org/pipermail/legacy/attachments/20110817/29b8588a/attachment.html>

More information about the Legacy mailing list