* [LARTC] routing network through bastian host
From: David Koski @ 2002-01-28 21:07 UTC
To: lartc
Hello,
This seems to be a common problem but AFAIK, without a common solution. The
network map is as follows:

             T1 to ISP
                 |
                 | /30 net
                 |
        +----------------+
        |  cisco router  |
        +----------------+
                 | FastEthernet0/0
                 | a.b.c.1/24
                 |
      (possible switch/hub here in future)
                 |
                 | a.b.c.2/24
                 | eth0
        +----------------+
        |                |
        |           eth1 |---a.b.c.3/24-public-net-----> lan
        |   linux box    |
        |           eth2 |---192.168.1.0/24-private-net---> lan
        |                |
        +----------------+

Of course the above does not work as eth0 and eth1 are on the same subnet. So
far, I can see two possible solutions:
1. reassign the cisco to linux net to a private point to point /30 net. I have
tried with limited success.
2. reassign the cisco to linux net to a.b.c.1/29 (cisco) and a.b.c.2/29 (linux
box). This would give me a block of 8 between cisco and linux and would enable
me to add a switch/hub between to feed another host for backup mail relay and
dns server.
Questions:
1. Does a different subnet mask define a different subnet? Will the "two nics
same net" conflict be resolved by applying a longer mask to one subnet?
2. What is required to route through the linux box in "solution" 2 above? Is
this a case of "more specific, preferred route" applied?
3. Any relevant RFC's would be helpful.
4. Of course, ANY suggestions welcome.
TIA,
David Koski
david@KosmosIsland.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/

* RE: [LARTC] routing network through bastian host
From: Greg Scott @ 2002-01-29 0:46 UTC
To: lartc
Is your LAN off of eth1 a DMZ with some kind of publicly available
server that you want protected? You could put it in another private
address range, say 192.168.10.0/24 and then use SNAT and DNAT to
disguise it from the world.
Or you could split up a.b.c.0/24 into two sets of a.b.c.0/25 and
a.b.c.128/25 if you need real routable IP addresses on this DMZ
system.
You will want the same subnet mask on your a.b.c.<whatevers> unless
you plan to subnet it even more when you get farther inside. Remember,
the mask determines which bits are the network and which bits are the
host. So it needs to be consistent all the way through.
- Greg

* Re: [LARTC] routing network through bastian host
From: David Koski @ 2002-01-29 1:54 UTC
To: lartc
Hello Greg,
The LAN off eth1 will provide public services and is allocated to ISP clients.
Hiding is not an option and splitting the net in half will lose too many IPs.
I have been looking into proxy ARP and it looks like the ticket. However, I
don't know if it is necessary under the following conditions:
1. The default route for a.b.c.0/24 hosts on LAN A use default route a.b.c.3.
2. The default route for a.b.c.0/24 for the cisco is a.b.c.2/29 (I don't know
how to do this!)
3. The following assignments are used:

             T1 to ISP
                 |
                 | /30 net
                 |
        +----------------+
        |  cisco router  |
        +----------------+
                 | FastEthernet0/0
                 | a.b.c.1/29
                 |
      (possible switch/hub here in future)
                 |
                 | a.b.c.2/29
                 | eth0
        +----------------+
        |                |
        |           eth1 |---a.b.c.3/24-public-net-----> LAN A
        |   linux box    |
        |           eth2 |---192.168.1.0/24-private-net---> LAN B
        |                |
        +----------------+

It seems logical to me that all routing would work with the above configuration.
Proxy ARP looks easy enough though.
David Koski
david@KosmosIsland.com
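
The addressing proposed in the message above (a /29 on eth0 nested inside the /24 on eth1) can be checked with a small longest-prefix-match model. This is an added example, not part of the thread: 192.0.2.0/24 is a constructed stand-in for the elided a.b.c.0/24, and the function names and sample host placements are hypothetical.

```python
import ipaddress

# Constructed stand-in: 192.0.2.0/24 (RFC 5737 documentation range) replaces
# the thread's elided a.b.c.0/24. Interface names follow the diagram above.
CISCO_CONNECTED = ipaddress.ip_network("192.0.2.0/29")   # Fa0/0 a.b.c.1/29
LINUX_ROUTES = [                                          # (prefix, egress interface)
    (ipaddress.ip_network("192.0.2.0/29"), "eth0"),       # eth0 a.b.c.2/29
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),       # eth1 a.b.c.3/24
    (ipaddress.ip_network("192.168.1.0/24"), "eth2"),     # private LAN B
]

def longest_prefix_match(dst, routes):
    """Return the interface of the most specific route covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in routes if dst in net]
    return max(hits)[1] if hits else None

def cisco_action(dst):
    """What a router holding only the connected /29 does with dst."""
    if ipaddress.ip_address(dst) in CISCO_CONNECTED:
        return "arp-on-segment"          # treated as directly attached
    return "needs-route-via-linux"       # static route to the /24 via a.b.c.2

def check_host(dst, attached_to):
    """Compare where a host really sits with where both routers look for it."""
    egress = longest_prefix_match(dst, LINUX_ROUTES)
    upstream = cisco_action(dst)
    problems = []
    if egress != attached_to:
        problems.append(f"linux sends to {egress}, host is on {attached_to}")
    if upstream == "arp-on-segment" and attached_to != "eth0":
        problems.append("cisco ARPs for it on the eth0 segment: proxy ARP or renumber")
    return {"linux_egress": egress, "cisco": upstream, "problems": problems}

def overlapping_pairs(routes):
    """Pairs of connected prefixes where one contains the other."""
    return [(str(a), str(b)) for i, (a, _) in enumerate(routes)
            for b, _ in routes[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    # Constructed hosts: (address, interface the host is physically behind)
    for addr, dev in [("192.0.2.1", "eth0"), ("192.0.2.5", "eth1"),
                      ("192.0.2.100", "eth1"), ("192.168.1.20", "eth2")]:
        print(addr, check_host(addr, dev))
    print("overlaps:", overlapping_pairs(LINUX_ROUTES))
```

In this model the more specific /29 wins for the first eight addresses of the /24, so a LAN A host numbered inside that block is looked for on the wrong side by both routers, while hosts above it route cleanly once the Cisco has a route to the /24 via the Linux box.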

* RE: [LARTC] routing network through bastian host
From: Greg Scott @ 2002-01-29 3:56 UTC
To: lartc
Why put LAN A behind a firewall? If it's all public and visible, why not
just put it in front of the firewall? Well, probably cuz you want to
filter packets. duh! So, OK, what if you used private addresses in LAN A
and used DNAT to redirect ports and/or public IP addresses to the correct
host(s) inside LAN A. But if you have customers doing VPN stuff or IPSEC
stuff, this won't work. And there are probably a bunch of other apps
that NAT breaks.
I wonder if you could get a d.e.f.nn/29 from your ISP and use those
addresses for FastEthernet 0/0 on the Cisco and eth0 on the firewall? Now
that would be the ultimate.
Also, pointing your default gateway of your Cisco back inside your LAN seems
funny. Wouldn't you want to point that out, not in?
- Greg

* Re: [LARTC] routing network through bastian host (fwd)
From: Leen Besselink @ 2002-01-29 8:37 UTC
To: lartc
hehe, forgot to send it to the list too.
---------- Forwarded message ----------
Date: Tue, 29 Jan 2002 00:40:47 +0100 (CET)
From: Leen Besselink <leen@wirehub.nl>
To: David Koski <david@kosmosisland.com>
Subject: Re: [LARTC] routing network through bastian host
> Hello Leen,
>
> I think proxy ARP is the ticket. Thanks for the help!
>
np.
> David
Let me know how it works out, as I'm gonna build something similar.
Maybe you can send me your setup or something...
I've got a bit more complicated situation than you and I can use all the
help I can get. :)

* Re: [LARTC] routing network through bastian host (fwd)
From: Leen Besselink @ 2002-01-29 8:58 UTC
To: lartc
it was late last night, it's this one...
geez... well at least I feel I have the right answer... :)
---------- Forwarded message ----------
Date: Tue, 29 Jan 2002 00:23:51 +0100
From: Leen Besselink <leen@wirehub.nl>
To: David Koski <david@kosmosisland.com>
Subject: Re: [LARTC] routing network through bastian host
* David Koski (david@kosmosisland.com) wrote:
> Hello,
>
Hi,
[..]
Look for arp-proxy, this could be a way to solve your problem, one such resource is here:
http://www.sjdjweis.com/linux/proxyarp/
There is also a much smaller explanation in the HOWTO (pseudo bridges with Proxy-arp)
[..]
PS Please, if any network/routing/firewalling guru knows of a better, cleaner way, do tell me.
-------------------------------------
New things are always on the horizon.

* [LARTC] routing network through bastian host
From: Konstantin Tsolov @ 2002-01-29 11:20 UTC
To: lartc
David, Greg,
Is it not possible to have some private address space between the cisco
router and the linux box ?
sth like this:

              cisco
          192.168.1.1/24
                |
                |
       (possible hub/switch)
                |
                |
          192.168.1.2/24
              linux
               box

So, everything coming from the ISP for a.b.c.nn/24 will route to
192.168.1.1 ?
(I'm new to this, so don't laugh too much, pls ;)
-kosio