
routing: subnet behind gateway in that subnet



Hi there,

I am not sure whether this is the right ml to ask, as it is a generic
routing issue and not directly related to debian (our router runs woody
if that counts); if anyone flames me away as offtopic, please supply me
with a more apt ml :)

We were given a subnet with a 255.255.255.224 subnet mask, thus 5Byte
for the hostmask. In the prior setup all the hosts in that subnet were
behind a switch, so the gateway at the "computer center" (the place
where all the networking is done) would send all packets for that subnet
down the line.

We liked the idea of having a router/firewall at our end of the cable too,
to further separate the network to fit our needs and enforce security
policies. At first only the router was reachable from the internet,
because the gateway at the computer center expected all these computers
on the same line, but only the router would respond.

They weren't able for some reason to declare something like:
'route add -host pub.ip.of.router ethX'
'route add -net our.net.ip -netmask 255.255.255.224 gw pub.ip.of.router'

As far as I understood, they are using some old Solaris and it would be
confused by the routing of a net which is behind a gateway in exactly
that net.

We had a meeting and they offered to establish a "transport net" with
private ip addresses; our topology now looks like this:

Internet
   |
router/firewall
(computer center)
192.168.96.2
   |
192.168.96.1
our router/firewall - WLAN with priv. IPs
one public ip
   |
rest of our /27 net

But that leads to a subtle problem: the external ip of the router itself
is now a private one, so no locally generated packets are able to reach
the internet and MASQ for the WLAN clients does not work (in the sense
that they have internet access). Furthermore, our router is reachable
_from_ the internet, because an internal NIC is configured to its
external ip. The other hosts with public ips behind our router/firewall
have no problem reaching / being reached from the internet.

I suspect that we could do something ugly like SNAT on our
router/firewall for all locally generated packets to have the public ip
address as source, but as I feel this is a common routing scenario and
there has to be an elegant solution, I dislike the idea.

Could anyone tell us what options we have to get this setup working?
Not being able to access the internet because of some strange routing problem
the computer center raises is kind of unsatisfying.
Which would be the obvious solution anyone with more experience in
routing issues than we have would come up with?

tia
Stefan
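The routing problem behind the two commands the computer center could not install, as an added example that is not part of the original post: a small longest-prefix-match resolver models how a gateway must itself be resolved to an interface before a route via it is usable. With only the net route, the gateway lies inside the very prefix that points at it, so resolution never reaches an interface; the host route on the line interface (the `route add -host` line) breaks that cycle, and the transport net sidesteps it by placing the gateway outside the routed /27. All addresses are constructed for the example (the public /27 uses an RFC 5737 documentation range, the transport net reuses the 192.168.96.1/.2 pair from the post with an assumed /30 size); `eth1` is an assumed interface name.

```python
import ipaddress

# Constructed addresses for the example: RFC 5737 documentation space for the
# public /27, the poster's 192.168.96.x pair for the transport net (size assumed).
OUR_NET = ipaddress.ip_network("203.0.113.32/27")        # 255.255.255.224, 32 addresses
ROUTER_PUB = ipaddress.ip_address("203.0.113.33")        # "pub.ip.of.router", inside OUR_NET
TRANSPORT_NET = ipaddress.ip_network("192.168.96.0/30")  # assumed size of the transport net
ROUTER_TRANSPORT = ipaddress.ip_address("192.168.96.1")  # our router's transport-net address
LINE_IF = "eth1"                                          # assumed name of the line interface

# A route is (prefix, nexthop, iface); nexthop None means directly attached via iface.
NET_ROUTE_ONLY = [
    # 'route add -net our.net.ip -netmask 255.255.255.224 gw pub.ip.of.router' alone
    (OUR_NET, ROUTER_PUB, None),
]
WITH_HOST_ROUTE = [
    # 'route add -host pub.ip.of.router ethX' pins the gateway to the line interface
    (ipaddress.ip_network("203.0.113.33/32"), None, LINE_IF),
    (OUR_NET, ROUTER_PUB, None),
]
TRANSPORT_SETUP = [
    (TRANSPORT_NET, None, LINE_IF),        # transport net is directly attached
    (OUR_NET, ROUTER_TRANSPORT, None),     # the /27 via a gateway that is NOT inside the /27
]


def lookup(table, dst):
    """Longest-prefix match for dst; returns the (prefix, nexthop, iface) tuple or None."""
    best = None
    for route in table:
        prefix = route[0]
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = route
    return best


def resolve(table, dst):
    """Resolve dst to (iface, first_hop) the way a forwarding engine must before it
    can send: follow gateway routes until one is directly attached. first_hop is a
    string, or None when the destination itself is directly attached. Raises
    RuntimeError when following the gateway lands on the same route again, i.e. the
    gateway is covered only by the route that points at it."""
    cur = ipaddress.ip_address(dst)
    first_hop = None
    seen = set()
    while True:
        route = lookup(table, cur)
        if route is None:
            raise RuntimeError(f"no route to {cur}")
        prefix, nexthop, iface = route
        if nexthop is None:
            return iface, first_hop
        if route in seen:
            raise RuntimeError(f"route to {prefix} via {nexthop} is unresolvable: "
                               f"the gateway is only reachable through that same route")
        seen.add(route)
        if first_hop is None:
            first_hop = str(nexthop)
        cur = nexthop


def is_resolvable(table, dst):
    """True when resolve() reaches an interface, False when it cycles or has no route."""
    try:
        resolve(table, dst)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    tables = [("net route only", NET_ROUTE_ONLY),
              ("with host route", WITH_HOST_ROUTE),
              ("transport net", TRANSPORT_SETUP)]
    for name, table in tables:
        for dst in ("203.0.113.33", "203.0.113.40"):   # the router and one host behind it
            try:
                print(f"{name:16} {dst:15} -> {resolve(table, dst)}")
            except RuntimeError as err:
                print(f"{name:16} {dst:15} -> {err}")
```

Running the block shows the net-route-only table failing for every address in the /27, while the host-route and transport-net tables both hand packets for the /27 to `eth1` with the right first hop; the check is the same one to run mentally before asking an upstream to install a route whose gateway lives inside the routed prefix.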


