Re: [LARTC] Bridging two subnets selectively using routing

[Grant Taylor <gtaylor@riverviewtech.net>]

On 11/02/07 15:24, Corey Hickey wrote:
> 1. Check /proc/sys/net/ipv4/ip_forward on box A1 to see if it's 
> configured to route at all.
> 
> 2. The hosts on network A will receive packets from miscellaneous IP 
> addresses in B's subnet, and not have any idea what to do with them. 
> You'll need to either configure routes on the hosts in network A... 
> 
> # ip route add 10.3.0.0/16 via 192.168.4.10 dev eth0
> 
> ...or set up box A1 to SNAT packets
> 
> # iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -d 192.168.4.0/24 -j 
> SNAT --to-source 192.168.4.10
> 
> You'll have to do something similar for the reverse direction, too.

You could do either of the above.

However there should be a route from any box on either network to 
specific boxes on the other network.  Remember that the OP configured 
routes on AR and BR to reach host(s) on Net B and Net A (respectively) 
via A1.  Thus when a host on Net B receives a packet from a host on Net 
A, it will reply via its default gateway, BR.  BR will then redirect or 
route the packet back to A1 which will then send the packet directly on 
to the original host on Net A.  This is all of course presuming that A1 
is forwarding packets like it needs to be and that there are no 
firewalls in place blocking any thing, especially reverse path filters.

> I haven't tested what I wrote above; if it doesn't work, run tcpdump 
> in various places to see what icmp packets are going where.

TCPDump / Etherial is your *FRIEND*!!!

> Honestly, though, I think you're setting yourself up for a decent 
> headache trying to do it this way. In my opinion, the easy solution 
> is in the first word of your subject line: just make host A1 a 
> bridge.  That's what I did when I originally set up that box, and it 
> worked fine the whole time I managed it (actually, I didn't manage it 
> at all, since the bridging never had any problems).

Bridging and / or proxy ARP by them selves will not solve this problem. 
  Net A and Net B have different IP address ranges, thus even with a 
bridge in place the hosts will never communicate.  In fact a bridge with 
out any thing else will just worsen the situation by passing broadcasts 
where they are not needed.

> Put both physical networks on the same IP subnet and enforce any 
> desired firewalling/segmentation with a few simple iptables rules 
> running on the bridge. If you're still using the same machine that 
> used to do that job, you might be able to find the relevant 
> configuration files lying around.  If not, I'm sure I can recall at 
> least most of the details.

Ugh.  I'm going to presume that the networks have different IP address 
ranges and are not presently joined for a reason.  Thus combining the IP 
address ranges and bridging them together will actually be a regression 
in network config / technology / evolution.

Now if you want to bridge the networks together wile still using the 
separate IP address ranges AND multi-home select boxen so that they are 
on both Net A and Net B then bridging and / or proxy ARP will work just 
fine.

> Either way, if you need assistance, let me know and I'll be happy to 
> stop by sometime and lend a hand.

You can drop a line in here too.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc