sub-net routing question

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Wed Aug 17 20:27:24 UTC 2011


| From: marthter <marthter-FFYn/CNdgSA at public.gmane.org>

Thanks for your careful explanation.  I have a bit of ADD today so I
didn't read it all.  Sorry if I missed something important.

| Although I've set up many routers at small businesses and residentially for
| friends, when I've had more than one router at one site, I've always just
| turned on NAT instead of doing (what I gather is) the more advanced "proper"
| way to do it, with sub-netting.

Proper for what?

NAPTing is forced on many of us due to not having a sufficient pool of
globally routable IP addresses.

NAPTing has many downsides.  The internet was designed to be a network
of peers.  Things behind NAPT struggle to be anything besides clients.
The struggle includes nasty things like STUN.

|  I.e. what I normally do is, if the first
| router (with external IP on its WAN) is giving LAN addresses 192.168.99.x,
| I'll hook the second router's WAN port to that .99.x LAN, and set the second
| router to, say, use LAN addresses 192.168.88.x.  The second router uses NAT
| when its clients send traffic to the first LAN (or internet), and the first
| router also uses NAT when its clients send traffic to the internet.  This
| works fine when basically all I need is just a bunch of machines to have
| internet access (and if there are any in-house servers, file shares, printers,
| etc, they are only on the first LAN).  There is no manually added routing rule
| on the first router to allow hosts on the first LAN to reach hosts on the
| second LAN.

This is the paragraph that I didn't spend the time to understand.
Sorry.

| I think I have a good handle on what a netmask of different lengths means and
| now I'm trying to put the theory to practice.  Actually this is eventually for
| a VPN set-up but I'm trying with a LAN first to make sure I understand that.

If that's really what you have in mind, it might be worth spelling it
out.  Or maybe not.

| Picture three routers and two computers...
| 
| "middle router" has (for now) nothing connected to WAN, just LAN
| "left router" has its WAN jack connected to a LAN jack of middle router
| "right router" has its WAN jack connected to a LAN jack of middle router
| "left computer" is connected to LAN jack of left router
| "right computer" is connected to LAN jack of right router

I don't see any connection to the internet.  That means that you don't
need globally addressable IP addresses.  That means address assignment
is up to you.  That makes the problem a lot easier.

I'm pretty sure that this isn't really what you want.  So you need to
throw in a few more details.  Like where the internet connections are.

If the only connection is through the WAN side of the middle router
then there is a simple solution that works out of the box with
consumer routers: allow each router to do NAPT.  Slightly ugly (double
NAPTing) but it should work as well as any NAPTing works.

| I'm trying to stick to whatever "normal" routing rules are added in a vanilla
| consumer router when you set up its LAN and WAN ports.  I.e. how do I do this
| with only setting addresses, netmasks, and gateways, no custom added routes?

Routing gets trickier when there are multiple paths to the internet
and your router is tasked with choosing the path (think BGP etc.).

At home I have two broadband connections and two routers.  I
statically configure each host (via DHCP) to use a specific gateway and thus I
don't get all the advantages of redundant connections.  But I don't
think Rogers would let me run BGP.

| My understanding thus far (taking the 192.168.x.x private address space for
| example) is that the whole network could be 192.168.x.x/16, and the left
| sub-net could be 192.168.1.x/24, and the right sub-net could be
| 192.168.2.x/24.
| 
| left computer: 192.168.1.10/24 (say, via DHCP from left router)
| 
| left router LAN: 192.168.1.1/24
| left router WAN: 192.168.1.2/16
| 
| middle router LAN: 192.168.0.1/16
| middle router WAN: (un-used in this experiment, could naturally be external IP
| later, with normal vanilla NAT)
| 
| right router LAN: 192.168.2.1/24
| right router WAN: 192.168.2.2/16
| 
| right computer: 192.168.2.10/24 (say, via DHCP from right router)
| 
| 
| I guess the main thing I'm doubtful about is the left router (and same issue
| for right, but just take left for now)...  Does it make sense or is it valid
| for it to have LAN .1.1/24, and WAN .1.2/16?  i.e. do these final digits .1
| and .2 need to be different?

You only use NAT if you have to.  What problem does this solve?

If all your networking is on a modest LAN, and you don't need NATing
on that, generally speaking a switch will do the job.  As you scale,
more may be needed.  For example, for internal security.

| or could it validly have LAN .1.1/24 and WAN .1.1/16  and these are different
| enough because one is actually [network 192.168.1, host .1], and the other is
| actually [network 192.168, host .1.1] ?
| 
| Now after phrasing the question, I'm thinking this is not possible without
| manually added routes(two?), at the very least on the middle router.

Ordinary switches broadcast stuff on all their ports until they learn
which port has each MAC address.  This works fine on a LAN (to a
point) but wastes bandwidth over links with costs and it has security
implications.

You haven't explained enough to know why switches wouldn't do for left
and right.

|  Even
| though its full network (192.168.x.x/16) is "in-house" and "under" its LAN, it
| only knows for sure the addresses of the left and right router, not the left
| and right computer under those.  So then if I'm right about that, what would
| the rule on the middle router be? and could the left and right router still
| just be set up with vanilla address/netmask/gateway and no further NAT or
| routing settings?
| 
| On the third hand, I'm also thinking now that the left and right routers' WAN
| addresses should be in a different block of the big sub-net, not in blocks
| also covered by their sub-net LANs.  Like 192.168.0.10, and .0.11.

Why?  I'm not saying you are wrong, I just don't know the motivation.

| Thanks in advance for any insights you can share (including starting from
| scratch with totally different blocks of numbers; in fact that might be
| clearer than suggesting many changes to the above).

Globally routable IP addresses make many things better.  There is a
shortage of them unless you go to IPv6.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
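As an added example (not part of the thread), the addressing plan quoted above modelled as the routing tables a vanilla consumer router builds from address/netmask/gateway alone, with longest-prefix lookup to see where a packet from the left computer to the right computer actually goes. The alternative WAN block (192.168.0.10/24, 192.168.0.11/24) and the two static routes on the middle router are my assumption, following the "different block" idea in the quoted post; NAPT is not modelled.

```python
from ipaddress import ip_address, ip_interface, ip_network

def vanilla_routes(lan, wan=None, gateway=None, static=()):
    """Routing table a consumer router builds from its address/netmask/gateway
    settings: one connected route per port, a default route via the WAN gateway,
    plus any manually added (prefix, next_hop) routes. next_hop None = on-link."""
    routes = [(ip_interface(lan).network, None)]
    if wan:
        routes.append((ip_interface(wan).network, None))
    if gateway:
        routes.append((ip_network("0.0.0.0/0"), ip_address(gateway)))
    routes += [(ip_network(p), ip_address(nh)) for p, nh in static]
    return routes

def next_hop(routes, dst):
    """Longest-prefix match: the gateway to forward to, 'on-link' when the
    router would ARP for dst itself, or None when nothing matches."""
    dst = ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    _, gw = max(hits, key=lambda r: r[0].prefixlen)
    return "on-link" if gw is None else str(gw)

def overlaps(a, b):
    """True when two address/netmask assignments describe overlapping networks."""
    return ip_interface(a).network.overlaps(ip_interface(b).network)

def trace(left, middle, dst):
    """Next hops a packet from the left computer gets toward dst."""
    hops = [next_hop(left, dst)]
    if hops[0] != "on-link" and hops[0] is not None:
        hops.append(next_hop(middle, dst))   # middle only sees forwarded packets
    return hops

# Plan exactly as quoted: the left router's WAN /16 contains its own LAN /24,
# so 192.168.2.x looks on-link to the left router and it never forwards.
PLAN_LEFT = vanilla_routes("192.168.1.1/24", "192.168.1.2/16", "192.168.0.1")
PLAN_MIDDLE = vanilla_routes("192.168.0.1/16")

# Constructed alternative (an assumption, not from the thread): left/right WAN
# ports in a separate 192.168.0.0/24 block plus two static routes on the middle.
FIXED_LEFT = vanilla_routes("192.168.1.1/24", "192.168.0.10/24", "192.168.0.1")
FIXED_MIDDLE = vanilla_routes("192.168.0.1/16", static=[
    ("192.168.1.0/24", "192.168.0.10"), ("192.168.2.0/24", "192.168.0.11")])

if __name__ == "__main__":
    print(overlaps("192.168.1.1/24", "192.168.1.2/16"))    # True
    print(trace(PLAN_LEFT, PLAN_MIDDLE, "192.168.2.10"))    # ['on-link']
    print(trace(FIXED_LEFT, FIXED_MIDDLE, "192.168.2.10"))  # ['192.168.0.1', '192.168.0.11']
```

With the quoted plan the middle router's only route is its connected /16, so even a packet that reached it would be ARPed for on the LAN where no host answers for 192.168.2.10; the static /24 routes are what give it a next hop.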