sub-net routing question

marthter marthter-FFYn/CNdgSA at public.gmane.org
Wed Aug 17 21:29:10 UTC 2011


Hey Hugh,

Thanks for the reply...

On 11-08-17 04:27 PM, D. Hugh Redelmeier wrote:
> | From: marthter<marthter-FFYn/CNdgSA at public.gmane.org>
>
> Thanks for your careful explanation.  I have a bit of ADD today so I
> didn't read it all.  Sorry if I missed something important.
>
> | Although I've set up many routers at small businesses and residentially for
> | friends, when I've had more than one router at one site, I've always just
> | turned on NAT instead of doing (what I gather is) the more advanced "proper"
> | way to do it, with sub-netting.
>
> Proper for what?
"Proper" so that hosts on both LANs can reach each other, not just reach 
the internet.  (i.e. one LAN closer-to-the-outside-internet, and the 
second LAN, whose router is a client of the first LAN, plus has more 
hosts within its LAN).

That was just describing my "old" way of doing things, that I'm trying 
to move beyond.

> NAPTing is forced on many of us due to not having a sufficient pool of
> globally routable IP addresses.
>
> NAPTing has many downsides.  The internet was designed to be a network
> of peers.  Things behind NAPT struggle to be anything besides clients.
> The struggle includes nasty things like STUN.
>
> |  I.e. what I normally do is, if the first
> | router (with external IP on its WAN) is giving LAN addresses 192.168.99.x,
> | I'll hook the second router's WAN port to that .99.x LAN, and set the second
> | router to, say, use LAN addresses 192.168.88.x.  The second router uses NAT
> | when its clients send traffic to the first LAN (or internet), and the first
> | router also uses NAT when its clients send traffic to the internet.  This
> | works fine when basically all I need is just a bunch of machines to have
> | internet access (and if there are any in-house servers, file shares, printers,
> | etc, they are only on the first LAN).  There is no manually added routing rule
> | on the first router to allow hosts on the first LAN to reach hosts on the
> | second LAN.
>
> This is the paragraph that I didn't spend the time to understand.
> Sorry.
Yeah that paragraph wasn't crucial, as I said, it was just to explain 
what I'm used to, to give context of what level of understanding I'm at.

> | I think I have a good handle on what a netmask of different lengths means and
> | now I'm trying to put the theory to practice.  Actually this is eventually for
> | a VPN set-up but I'm trying with a LAN first to make sure I understand that.
>
> If that's really what you have in mind, it might be worth spelling it
> out.  Or maybe not.
Yeah I'm thinking not.

Mr. Stickney, my grade 9-10 math teacher used to say, "If you can't 
solve a problem, solve a simpler problem."  I don't think I'm clear 
enough on my "simple" example network to add the VPN stuff yet.

> | Picture three routers and two computers...
> |
> | "middle router" has (for now) nothing connected to WAN, just LAN
> | "left router" has its WAN jack connected to a LAN jack of middle router
> | "right router" has its WAN jack connected to a LAN jack of middle router
> | "left computer" is connected to LAN jack of left router
> | "right computer" is connected to LAN jack of right router
>
> I don't see any connection to the internet.  That means that you don't
> need globally addressable IP addresses.  That means address assignment
> is up to you.  That makes the problem a lot easier.
>
> I'm pretty sure that this isn't really what you want.  So you need to
> throw in a few more details.  Like where the internet connections are.
This is literally on a workbench with 3 routers and 2 computers and no 
internet, so, yes this is what I want.

> If the only connection is through the WAN side of the middle router
At the moment, that is correct, NO internet, (but, yes, later could be 
on WAN of middle router).

> then there is a simple solution that works out of the box with
> consumer routers: allow each router to do NAPT.  Slightly ugly (double
> NAPTing) but it should work as well as any NAPTing works.
yes that works for "left computer" and "right computer" to surf the net, 
but not to ping each other or access other network services on the other.

> | I'm trying to stick to whatever "normal" routing rules are added in a vanilla
> | consumer router when you set up its LAN and WAN ports.  I.e. how do I do this
> | with only setting addresses, netmasks, and gateways, no custom added routes?
>
> Routing gets trickier when there are multiple paths to the internet
> and your router is tasked with choosing the path (think BGP etc.).
>
> At home I have two broadband connections and two routers.  I
> statically configure each host (via DHCP) to use a specific gateway and thus I
> don't get all the advantages of redundant connections.  But I don't
> think Rogers would let me run BGP.
>
> | My understanding thus far (taking the 192.168.x.x private address space for
> | example) is that the whole network could be 192.168.x.x/16, and the left
> | sub-net could be 192.168.1.x/24, and the right sub-net could be
> | 192.168.2.x/24.
> |
> | left computer: 192.168.1.10/24 (say, via DHCP from left router)
> |
> | left router LAN: 192.168.1.1/24
> | left router WAN: 192.168.1.2/16
> |
> | middle router LAN: 192.168.0.1/16
> | middle router WAN: (un-used in this experiment, could naturally be external IP
> | later, with normal vanilla NAT)
> |
> | right router LAN: 192.168.2.1/24
> | right router WAN: 192.168.2.2/16
> |
> | right computer: 192.168.2.10/24 (say, via DHCP from right router)
> |
> |
> | I guess the main thing I'm doubtful about is the left router (and same issue
> | for right, but just take left for now)...  Does it make sense or it is valid
> | for it to have LAN .1.1/24, and WAN .1.2/16?  i.e. do these final digits .1
> | and .2 need to be different?
>
> You only use NAT if you have to.  What problem does this solve?
>
> If all your networking is on a modest LAN, and you don't need NATing
> on that, generally speaking a switch will do the job.  As you scale,
> more may be needed.  For example, for internal security.
Yes I realize the three routers in my example network could be replaced 
with three switches, and thus left computer could access right computer 
and vice versa.  But I'm trying to experiment with and understand the 
three-routers example so that later when some links are VPN links, I can 
apply it there.

My thinking (in the LAN and WAN addresses/netmasks I proposed above) is 
that the middle router could be set so its LAN is set up as the big 
subnet (i.e. with a /16 netmask), and the left and right router have 
their WAN ports as clients of the middle router, and have their LAN 
ports to clients on smaller subnets (i.e. with /24 netmask).

And I'm thinking (and perhaps this is the wrong part), that it is 
easier/better/cleaner/properer that the two smaller subnets be actual 
SUBNETS OF the big subnet of the middle router.


> | or could it validly have LAN .1.1/24 and WAN .1.1/16  and these are different
> | enough because one is actually [network 192.168.1, host .1], and the other is
> | actually [network 192.168, host .1.1] ?
> |
> | Now after phrasing the question, I'm thinking this is not possible without
> | manually added routes(two?), at the very least on the middle router.
>
> Ordinary switches broadcast stuff on all their ports until they learn
> which port has each MAC address.  This works fine on a LAN (to a
> point) but wastes bandwidth over links with costs and it has security
> implications.
>
> You haven't explained enough to know why switches wouldn't do for left
> and right.
>
> |  Even
> | though its full network (192.168.x.x/16) is "in-house" and "under" its LAN, it
> | only knows for sure the addresses of the left and right router, not the left
> | and right computer under those.  So then if I'm right about that, what would
> | the rule on the middle router be? and could the left and right router still
> | just be set up with vanilla address/netmask/gateway and no further NAT or
> | routing settings?
> |
> | On the third hand, I'm also thinking now that the left and right routers' WAN
> | addresses should be in a different block of the big sub-net, not in blocks
> | also covered by their sub-net LANs.  Like 192.168.0.10, and .0.11.
>
> Why?  I'm not saying you are wrong, I just don't know the motivation.
I'm just saying I don't know if it is valid for the left router's LAN 
address to be 192.168.1.1 with /24 netmask, and its WAN address to be 
192.168.1.2 with a /16 netmask.

(and similarly for right router)

> | Thanks in advance for any insights you can share (including starting from
> | scratch with totally different blocks of numbers; in fact that might be
> | clearer than suggesting many changes to the above).
>
> Globally routable IP addresses make many things better.  There is a
> shortage of them unless you go to IPv6.
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
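The question in the post is whether the proposed addresses (middle router LAN 192.168.0.1/16, left router LAN 192.168.1.1/24 and WAN 192.168.1.2/16, right router the mirror image) can work with only addresses, netmasks and gateways set. The script below is an added example, not code from the post or from either poster. It builds the routing table a vanilla router derives from its interface addresses, does longest-prefix-match lookups and follows a packet hop by hop across the bench network as wired in the post. Device names, interface names, the helper functions and the "FIXED" addressing plan are this example's own choices; it needs only the Python standard library.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Wiring of the bench network from the post: three routers, two PCs.
# Each link lists the (device, interface) pairs that share one wire.
# Device and interface names are labels chosen for this example.
LINKS = {
    "middle-lan": {("middle", "lan"), ("left", "wan"), ("right", "wan")},
    "left-lan":   {("left", "lan"), ("leftpc", "eth0")},
    "right-lan":  {("right", "lan"), ("rightpc", "eth0")},
}


def device(interfaces, static_routes=()):
    """A device is its interface addresses plus the routing table a vanilla
    box derives from them: one connected (on-link) route per interface, then
    any static routes given as (prefix, next hop, interface)."""
    table = [(ip_interface(c).network, None, i) for i, c in interfaces.items()]
    table += [(ip_network(p), ip_address(v), i) for p, v, i in static_routes]
    return {"if": {i: ip_interface(c) for i, c in interfaces.items()},
            "rt": table}


def lookup(dev, dst):
    """Longest-prefix match. Returns (out interface, address to ARP for)
    or None when no route matches. A connected route has no next hop, so
    the router ARPs for the destination itself on that wire."""
    best = None
    for net, via, ifname in dev["rt"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, ifname)
    if best is None:
        return None
    net, via, ifname = best
    return ifname, via if via is not None else dst


def trace(net, src, dst, max_hops=8):
    """Follow a packet device by device. Returns ("delivered", path) or
    ("unreachable", path); path lists (device, out interface, ARP target)."""
    dst = ip_address(dst)
    path, cur = [], src
    for _ in range(max_hops):
        hop = lookup(net[cur], dst)
        if hop is None:
            return "unreachable", path            # no route at all
        ifname, target = hop
        path.append((cur, ifname, str(target)))
        link = next(l for l, m in LINKS.items() if (cur, ifname) in m)
        # Which device on this wire owns the address being ARPed for?
        nxt = next((d for d, i in LINKS[link]
                    if net[d]["if"][i].ip == target), None)
        if nxt is None:
            return "unreachable", path            # ARP gets no reply
        if target == dst:
            return "delivered", path
        cur = nxt
    return "unreachable", path


# The addressing exactly as proposed in the post: middle LAN is a /16 and
# each outer router's WAN address sits inside its own /24 LAN range.
PROPOSED = {
    "leftpc":  device({"eth0": "192.168.1.10/24"},
                      [("0.0.0.0/0", "192.168.1.1", "eth0")]),
    "left":    device({"lan": "192.168.1.1/24", "wan": "192.168.1.2/16"}),
    "middle":  device({"lan": "192.168.0.1/16"}),
    "right":   device({"lan": "192.168.2.1/24", "wan": "192.168.2.2/16"}),
    "rightpc": device({"eth0": "192.168.2.10/24"},
                      [("0.0.0.0/0", "192.168.2.1", "eth0")]),
}

# One plan that does work: three distinct /24s, a default route on each
# outer router, and two static routes on the middle router. This is the
# example's own suggestion, not a configuration from the post.
FIXED = {
    "leftpc":  device({"eth0": "192.168.1.10/24"},
                      [("0.0.0.0/0", "192.168.1.1", "eth0")]),
    "left":    device({"lan": "192.168.1.1/24", "wan": "192.168.0.10/24"},
                      [("0.0.0.0/0", "192.168.0.1", "wan")]),
    "middle":  device({"lan": "192.168.0.1/24"},
                      [("192.168.1.0/24", "192.168.0.10", "lan"),
                       ("192.168.2.0/24", "192.168.0.11", "lan")]),
    "right":   device({"lan": "192.168.2.1/24", "wan": "192.168.0.11/24"},
                      [("0.0.0.0/0", "192.168.0.1", "wan")]),
    "rightpc": device({"eth0": "192.168.2.10/24"},
                      [("0.0.0.0/0", "192.168.2.1", "eth0")]),
}

if __name__ == "__main__":
    for name, topo in (("proposed", PROPOSED), ("fixed", FIXED)):
        print(name, *trace(topo, "leftpc", "192.168.2.10"))
        print(name, *trace(topo, "middle", "192.168.1.10"))
```

With the proposed addresses the left router's /16 connected route makes it ARP on the middle router's wire for 192.168.2.10, a host that is behind the right router, so nobody answers; the middle router does the same for 192.168.1.10. That is the concrete reason the plan cannot work "with only setting addresses, netmasks, and gateways": the middle router must be told that 192.168.1.0/24 lives behind one of its neighbours and 192.168.2.0/24 behind the other, which is what the two static routes in FIXED do. On a Linux box the same lookup can be checked live with `ip route get 192.168.2.10`. One caveat not in the post: for the two PCs to reach each other in both directions, NAT on the left and right routers has to be switched off as well, otherwise traffic arriving at an outer router's WAN for a host on its LAN is only accepted when that host opened the connection.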