From: sillysausage <sillysausage@privatedemail.net>
To: netfilter@vger.kernel.org
Subject: Re: Creating a LAN only null routed network (no access to internet)
Date: Thu, 13 Aug 2015 15:10:36 +0930
Message-ID: <55CC2DD4.6090706@privatedemail.net>
In-Reply-To: <55CB462D.6040203@privatedemail.net>
On 12/08/15 22:42, sillysausage wrote:
> I'm a bit stuck as to what the default route should be for the LAN
> table.
>
> In the past I've used something like:
>
> /sbin/ip route add table <table> default via ${IPLOCAL}
>
> However this table shouldn't be routed to ppp0 or tun0's IP.
>
I solved this problem; it was as simple as creating an unreachable range
and then setting that as the default route:
# Add an unreachable subnet
ip route add unreachable 192.168.4.0/24
# Make the unreachable subnet the default gateway for members of LAN
/sbin/ip route add table LAN default via 192.168.4.0
> Likewise the from rule I've used in the past has usually been
> something like:
>
> /sbin/ip rule add from ${IPLOCAL} table <table>
>
This wasn't needed either; all I had to do was add an entry in each
table to see the 192.168.3.0/24 range, e.g.:
# Add route to ISP from LAN
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP
# Add route to VPN from LAN
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN
> gateway:~# ip route add 192.168.1.0/24 dev eth0 table LAN
> gateway:~# ip route add 192.168.2.0/24 dev eth0 table LAN
> gateway:~# ip route add 192.168.3.0/24 dev eth0 table LAN
And of course this.
I removed all the fwmark 0x3 rules because that was me overthinking the
problem.
It does turn out I will need to buy myself a managed switch at some
point and use VLANs instead of virtual interfaces if I want to assign IP
addresses in this range. Virtual interfaces such as eth0:3 (192.168.3.1)
currently have the same broadcast as eth0 (192.168.1.1), which would mean
this will never work:
e.g. the printer will be assigned something in the 192.168.1.0/24 range.
gateway:~# cat /etc/dhcp/dhcpd.conf
authoritative;
ddns-update-style interim;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.240;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
    option ntp-servers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}
subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.2 192.168.3.240;
    default-lease-time 259200;
    max-lease-time 518400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.3.255;
    option routers 192.168.3.1;
    deny unknown-clients;
    host printer {
        hardware ethernet XX:XX:XX:XX:XX:XX;
        fixed-address 192.168.3.25;
        option subnet-mask 255.255.255.0;
        option routers 192.168.3.1;
    }
}
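The LAN-only routing table described in the message above, written out as a complete script. This is an added example, not the poster's own script and not part of the thread: it puts the `unreachable` route type directly on the table's default route (so anything not matched by a local subnet route is rejected with ICMP "host unreachable" and the lookup does not fall through to the main table), and steers traffic from the isolated subnet into that table with a source-based `ip rule`. The interface name, the table id 100, the subnet list, the probe address 192.168.3.25 and the `DRYRUN` switch are assumptions chosen to match the thread's addressing.

```shell
#!/bin/sh
# Added example, not from the thread: build a LAN-only routing table with
# Linux policy routing. Interface, subnets, table id and probe address are
# assumptions matching the addressing used in the thread.
#
# DRYRUN=1 prints the commands instead of executing them (no root needed).

LAN_IF="eth0"
LAN_TABLE_ID="100"                  # numeric id; name it in /etc/iproute2/rt_tables if you like
LOCAL_SUBNETS="192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"
ISOLATED_SUBNET="192.168.3.0/24"    # clients here may reach the LAN only
PROBE_SRC="192.168.3.25"            # a client address used to verify isolation

# Print the command when DRYRUN is set, otherwise execute it.
run() {
    if [ -n "$DRYRUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Populate the LAN-only table and the rule that selects it.
lan_only_table() {
    # Local subnets stay reachable through the LAN interface.
    for net in $LOCAL_SUBNETS; do
        run ip route add "$net" dev "$LAN_IF" table "$LAN_TABLE_ID"
    done
    # Everything else is rejected here; unlike a 'throw' route, an
    # 'unreachable' route ends the lookup instead of falling through to
    # the next rule (and the main table's default via ppp0/tun0).
    # Use 'blackhole' instead of 'unreachable' to drop silently.
    run ip route add unreachable default table "$LAN_TABLE_ID"
    # Priority 100 sits ahead of the main table (priority 32766), so this
    # rule wins for every packet sourced from the isolated subnet.
    run ip rule add from "$ISOLATED_SUBNET" lookup "$LAN_TABLE_ID" priority 100
}

# Verify that a forwarded packet from the isolated subnet has no route out.
# 'ip route get' does the same lookup the forwarding path would.
check_isolated() {
    if [ -n "$DRYRUN" ]; then
        run ip route get 8.8.8.8 from "$PROBE_SRC" iif "$LAN_IF"
        return 0
    fi
    if ip route get 8.8.8.8 from "$PROBE_SRC" iif "$LAN_IF" 2>/dev/null; then
        echo "FAIL: $PROBE_SRC still has a route to the internet" >&2
        return 1
    fi
    echo "OK: $PROBE_SRC has no route to the internet"
}

# Usage:  sh lan_only.sh          -> print the commands (dry run)
#         sh lan_only.sh apply    -> apply them (run as root), then verify
case "${1:-}" in
    apply) lan_only_table && check_isolated ;;
    "")    DRYRUN=1; lan_only_table; check_isolated ;;
esac
```

Run it without arguments first to review the generated commands; `ip route show table 100` and `ip rule show` afterwards confirm what was applied. Because the rule matches on source address, a client that manually sets an address outside 192.168.3.0/24 escapes the table, which is the same reason the message mentions moving to VLANs rather than relying on addressing alone.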
Thread overview: 4+ messages
2015-08-12 13:12 Creating a LAN only null routed network (no access to internet) sillysausage
2015-08-13 5:40 ` sillysausage [this message]
2015-08-13 6:31 ` Neal P. Murphy
2015-08-15 14:32 ` sillysausage