Re: [LARTC] Bridging two subnets selectively using routing

From: Corey Hickey <bugfood-ml@fatooh.org>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Bridging two subnets selectively using routing
Date: Fri, 02 Nov 2007 20:24:29 +0000	[thread overview]
Message-ID: <472B877D.10501@fatooh.org> (raw)
In-Reply-To: <20071101005039.GA4906@triplehelix.org>

Joshua Kwan wrote:
> Hi LARTC,
> 
> I have two networks that I manage, A and B.  They both have their own
> primary gateways for hosts on the network, let's call them AR and BR.
> There is another box, A1, which lives on network A but also has a wire
> connecting it to a switch on network B. My goal is to let hosts on B
> access three particular hosts on A's subnet (192.168.4.0/24) and let
> hosts on A access one particular host on B's subnet (10.3.0.0/24).
> 
> Suppose the IP addresses of the machines I wish to address on either
> network are A2, A3, A4 and B1.
> 
> A1 has IP 10.3.0.13 on network B and 192.168.4.10 on network A. Is it
> possible to just tell the gateways for each network:
> 
> on BR: ip route add {A2, A3, A4} via 10.3.0.13
> on AR: ip route add B1 via 192.168.4.10
> 
> But when I do that, ping does something like:
> 
> PING A2 56(84) bytes of data.
> From BR: Redirect Host (new nexthop: 10.3.0.13)

That's to be expected, as far as I understand.

> and doesn't actually report success on the ping.

> What am I doing wrong? Is this a job for iptables? I feel like I can do
> this with just routing table magic.

Well, nobody has given you a better answer yet, so I'll take a shot.

1. Check /proc/sys/net/ipv4/ip_forward on box A1 to see if it's
configured to route at all.

2. The hosts on network A will receive packets from miscellaneous IP
addresses in B's subnet, and not have any idea what to do with them.
You'll need to either configure routes on the hosts in network A...
# ip route add 10.3.0.0/16 via 192.168.4.10 dev eth0
...or set up box A1 to SNAT packets
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -d 192.168.4.0/24 \
-j SNAT --to-source 192.168.4.10
You'll have to do something similar for the reverse direction, too.

I haven't tested what I wrote above; if it doesn't work, run tcpdump in
various places to see what icmp packets are going where.

Honestly, though, I think you're setting yourself up for a decent
headache trying to do it this way. In my opinion, the easy solution is
in the first word of your subject line: just make host A1 a bridge.
That's what I did when I originally set up that box, and it worked fine
the whole time I managed it (actually, I didn't manage it at all, since
the bridging never had any problems).

Put both physical networks on the same IP subnet and enforce any desired
firewalling/segmentation with a few simple iptables rules running on the
bridge. If you're still using the same machine that used to do that job,
you might be able to find the relevant configuration files lying around.
If not, I'm sure I can recall at least most of the details.

Either way, if you need assistance, let me know and I'll be happy to
stop by sometime and lend a hand.

-Corey
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc