[LARTC] Mulitple VLANs containing the same ip subnet NATed on same

[LARTC] Mulitple VLANs containing the same ip subnet NATed on same

[Geoff Karl]

I know this is not a normal request, but I would like to connect two
vlans into the same box that have the same subnet on them, and then
NAT them out to the Internet.

We don't need to make any connections inbound to them, but only
provide outbound access.

Any suggestions on how to do this?

If I can't do it with routing then I could use something like
user-mode Linux, or other virtualization software.

Thanks,

Geoff
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Mulitple VLANs containing the same ip subnet NATed on

[Geoff Karl]

On 7/8/06, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> Geoff Karl wrote:
> > I know this is not a normal request, but I would like to connect two
> > vlans into the same box that have the same subnet on them, and then
> > NAT them out to the Internet.
> >
> > We don't need to make any connections inbound to them, but only
> > provide outbound access.
> >
> > Any suggestions on how to do this?
>
> Bridge the two VLAN interfaces together and assign your internal IP to the bridge interface.  Then you will do standard NATing between your external interface and your bridge interface.  By the way, inbound access will be just as easy as outbound.
>
> > If I can't do it with routing then I could use something like
> > user-mode Linux, or other virtualization software.
>
> I don't think you need any thing as complicated as UML.
>
> You could even do this with 1 network interface with everything being VLANs.
>
> I.e.
>
> eth0.0001       VLAN for workstations
> eth0.0002       VLAN for workstations
> eth0.0003       VLAN for internet access
>
> eth0.0001 and eth0.0002 are bridge together yielding bri0
>
> bri0            internal interface
> eth0.0003       external interface
>
> NAT between bri0 and eth0.0003.
>
> If you ever added a second internet service provider, put them on eth0.0004 and update your routing.
>
>
>
> Grant. . . .
>

Thanks for the reply Grant.

What would happen if workstations on the "workstations" vlan had the
same ip addresses?  Can i bridge two networks that have the same ip
addresses without getting errors.

Geoff
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Mulitple VLANs containing the same ip subnet NATed on

[Grant Taylor]

Geoff Karl wrote:
> I know this is not a normal request, but I would like to connect two
> vlans into the same box that have the same subnet on them, and then
> NAT them out to the Internet.
> 
> We don't need to make any connections inbound to them, but only
> provide outbound access.
> 
> Any suggestions on how to do this?

Bridge the two VLAN interfaces together and assign your internal IP to the bridge interface.  Then you will do standard NATing between your external interface and your bridge interface.  By the way, inbound access will be just as easy as outbound.

> If I can't do it with routing then I could use something like
> user-mode Linux, or other virtualization software.

I don't think you need any thing as complicated as UML.

You could even do this with 1 network interface with everything being VLANs.

I.e.

eth0.0001	VLAN for workstations
eth0.0002	VLAN for workstations
eth0.0003	VLAN for internet access

eth0.0001 and eth0.0002 are bridge together yielding bri0

bri0		internal interface
eth0.0003	external interface

NAT between bri0 and eth0.0003.

If you ever added a second internet service provider, put them on eth0.0004 and update your routing.



Grant. . . .

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Mulitple VLANs containing the same ip subnet NATed on

[Grant Taylor]

Geoff Karl wrote:
> Thanks for the reply Grant.

You are welcome.

> What would happen if workstations on the "workstations" vlan had the
> same ip addresses?  Can i bridge two networks that have the same ip
> addresses without getting errors.

Well, seeing as how bridging (EBTables) is a layer 2 bridge, there would be no problem with having the same subnet on both sides of the bridge.  Now if you are asking if there would be a problem with a workstation on VLAN 1 having the same IP as a workstation on VLAN 2, then you would end up with the same situation that you would as if both workstations were on the same VLAN.  However, that being said, if these two workstations never needed to talk there are some things that you can do.  You can set up some EBTables filtering rule to prevent the bridging of the two MAC addresses in question to the other side.  I would block those MAC addresses from being bridged primarily to prevent a (pseudo) multi master type of situation.  Consider if you will if workstation A2 ARPs for the (shared) IP of workstation A1 / B1.  Both workstation A1 and B1 will reply to the ARP saying IP is at MAC <bla>.  So workstation A2 will have two ARP replies to deal with, thus being an IP conflict.  Wh
ere as if you prevent workstation A1 and B1's MACs from being bridged, then both workstations will reply to the ARP, however the replies will not be bridged because they will be filtered out by source MAC.  If you are wondering about the ARP reply form workstation B1 just broadcasting out in to the ether with the requester never actually talking to workstation B2, there is no real problem with this.  Yes, it is wasted traffic, but there is no harm in it.

This bridging while filtering out the conflicting source MACs will allow all other equipment on the networks to communicate with out any problem.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc