From: sillysausage <sillysausage@privatedemail.net>
To: netfilter@vger.kernel.org
Subject: Re: Creating a LAN only null routed network (no access to internet)
Date: Sun, 16 Aug 2015 00:02:13 +0930 [thread overview]
Message-ID: <55CF4D6D.5040106@privatedemail.net> (raw)
In-Reply-To: <20150813023139.3d91a82d@playground>
> It does turn out I will need to buy myself a managed switch at
> some point and use VLANs instead of virtual interfaces if I want
> to assign IP addresses in this range. Virtual interfaces such
> as eth0:3 (192.168.3.1) currently have the same broadcast as eth0
> (192.168.1.1) which would mean this will never work:
> What happens if you don't use virtual IFs? That is, use multiple
> primary addresses:
> ip addr add 192.168.1.1/24 dev eth0
> ip addr add 192.168.2.1/24 dev eth0
> ip addr add 192.168.3.1/24 dev eth0
> The system determines the correct broadcast address to use based
> on the source address. With correct primary CIDR addresses, you
> don't need to specify the broadcast address at all.
> Or does this make your routing impossible to achieve?
No, it's possible. I misconfigured the DHCP server; it turns out you can
correctly configure it over virtual interfaces, but they all need to
be part of the same group.
I.e.:
authoritative;
ddns-update-style interim;

shared-network home {
    # Subnet for regular nodes that require direct Internet access
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.10 192.168.1.240;
        default-lease-time 259200;
        max-lease-time 518400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 192.168.1.1;
        option ntp-servers 192.168.1.1;
        option domain-name-servers 192.168.1.1;
        allow unknown-clients;
        host Gaming_Computer {
            hardware ethernet XX:XX:XX:XX:XX:XX;
            fixed-address 192.168.1.20;
            option subnet-mask 255.255.255.0;
            option routers 192.168.1.1;
        }
    }

    # Subnet for regular nodes that require VPN access
    subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.10 192.168.2.240;
        default-lease-time 259200;
        max-lease-time 518400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 192.168.2.1;
        option ntp-servers 192.168.2.1;
        option domain-name-servers 192.168.1.1;
        ignore unknown-clients;
        host Linux_Workstation {
            hardware ethernet YY:YY:YY:YY:YY:YY;
            fixed-address 192.168.2.20;
            option subnet-mask 255.255.255.0;
            option routers 192.168.2.1;
        }
    }

    # Subnet for regular nodes that require no Internet access
    subnet 192.168.3.0 netmask 255.255.255.0 {
        range 192.168.3.10 192.168.3.240;
        default-lease-time 259200;
        max-lease-time 518400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 192.168.3.1;
        option ntp-servers 192.168.3.1;
        option domain-name-servers 192.168.1.1;
        ignore unknown-clients;
        host printer {
            hardware ethernet ZZ:ZZ:ZZ:ZZ:ZZ:ZZ;
            fixed-address 192.168.3.9;
            option subnet-mask 255.255.255.0;
            option routers 192.168.3.1;
        }
    }
}
The rest of it was documented here:
http://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#Creating_a_LAN_only_Subnet
I used iptables to filter the subnet.
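One way to do the iptables filtering mentioned above, as an added example rather than the poster's own rules. It assumes eth0 is the shared LAN interface, ppp0 the upstream link and 192.168.3.0/24 the LAN-only subnet from the dhcpd.conf, and it keeps the policy in its own chain so it can be audited with a single listing of that chain.

```shell
#!/bin/sh
# Added example (not from the thread): router-side enforcement of the
# "no Internet access" subnet. Assumed names: eth0 is the shared LAN
# interface, ppp0 the upstream link, 192.168.3.0/24 the LAN-only subnet
# from the dhcpd.conf above. Run with "apply" to load, "show" to print.
LAN_ONLY=${LAN_ONLY:-192.168.3.0/24}   # subnet that must stay LAN-only
LAN_ALL=${LAN_ALL:-192.168.0.0/16}     # covers all three LAN subnets
WAN_IF=${WAN_IF:-ppp0}                 # assumed upstream interface
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

lan_only_rules() {
  # A dedicated chain keeps the policy in one place and easy to audit.
  run iptables -N LAN_ONLY 2>/dev/null || true
  run iptables -F LAN_ONLY
  # Traffic that stays inside the LAN (any of the 192.168.x.0/24
  # subnets) is handed back to FORWARD, so the printer stays reachable.
  run iptables -A LAN_ONLY -d "$LAN_ALL" -j RETURN
  # Everything else is logged (rate-limited) and dropped.
  run iptables -A LAN_ONLY -m limit --limit 5/min -j LOG --log-prefix "LAN-ONLY-DROP: "
  run iptables -A LAN_ONLY -j DROP
  # Insert at position 1 so it is evaluated before any general ACCEPT
  # rule that already lets LAN traffic out through $WAN_IF.
  run iptables -I FORWARD 1 -s "$LAN_ONLY" -j LAN_ONLY
  # Belt and braces: never masquerade this subnet upstream either
  # (ACCEPT in the nat table means "apply no NAT to this packet").
  run iptables -t nat -I POSTROUTING 1 -s "$LAN_ONLY" -o "$WAN_IF" -j ACCEPT
}

case "${1:-}" in
  apply) lan_only_rules ;;
  show)  DRY_RUN=1; lan_only_rules ;;
esac
```

Run it with "show" to preview the rules or with "apply" as root to load them; the chain is not persistent, so save the ruleset (iptables-save) or rerun the script at boot.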
Thread overview: 4+ messages
2015-08-12 13:12 Creating a LAN only null routed network (no access to internet) sillysausage
2015-08-13 5:40 ` sillysausage
2015-08-13 6:31 ` Neal P. Murphy
2015-08-15 14:32 ` sillysausage [this message]