
Re: routing: subnet behind gateway in that subnet



Hello,

On Tue, Mar 11, 2003 at 08:55:07PM +0100, Stefan Radomski wrote:
[..]
> We were given a subnet  with a 255.255.255.224 subnet mask, thus 5Byte
> for the hostmask. In the prior setup all the hosts in that subnet were
> behind a switch, so the gateway at the "computer center" (the place
> where all the networking is done) would send all packets for that subnet
> down the line.
> 
> We liked the idea to have a router/firewall at our end of the cable too,
> to further separate the network to fit our needs and enforce security
> policies. At first only the router was reachable from the internet,
> because the gateway at the computer center expected all these computers
> at the same line, but only the router would respond.

That is what a subnet does - all machines on that subnet in one
broadcast domain.

> They weren't able for some reason to declare something like:
> 'route add -host pub.ip.of.router ethX'
> 'route add -net our.net.ip -netmask 255.255.255.224 gw pub.ip.of.router'
> 
> As far as I understood, they are using some old Solaris and it would be
> confused by the routing of a net which is behind a gateway in exactly
> that net.

It would simply be wrong routing - ugly and wrong, even if it would
work, which I don't know, because I wouldn't dare to try.

> We had a meeting and they offered to establish a "transport net" with
> private ip addresses, our topology now looks like this:
> 
> Internet
>    |
> router/firewall
> (computer center)
> 192.168.96.2
>    |
> 192.168.96.1
> our router/firewall - WLAN with priv. IPs
> one public ip
>    |
> rest of our /27 net

That would be a good solution if it wasn't for the WLAN.

> But that leads to a subtle problem, the external ip of the router itself
> is now a private one, so no locally generated packets are able to reach
> the internet and MASQ for the WLAN clients does not work (in the sense
> that they have internet access). Furthermore, our router is reachable
> _from_ the internet, because an internal NIC is configured to its
> external ip. The other hosts with public ips behind our router/firewall
> have no problems to reach/be reached (from) the internet.
> 
> I suspect that we could do something ugly like SNAT on our
> router/firewall for all locally generated packets to have the public ip
> address as source, but as I feel this is a common routing scenario and
> there has to be an elegant solution, I dislike the idea.

Elegant solution is splitting the /27 further apart. How many
machines do you have that need to be publicly reached?
You could split it in two /28s, and use one for the link to the
provider and the other one for your local machines. 
Or split it in four /29s, use one for the link to the provider and
the rest for your machines. 
Fact is that you should have public addresses for this structure.
Another option would be to move the WLAN to another router with an
official IP address behind your router/firewall.

> Could anyone tell us, what options we have to get this setup working.
> Not being able to access the internet for some strange routing problem
> the computer center raises is kind of unsatisfying.
> Which would be the obvious solution anyone with more experience in
> routing issues than we have would come up with?

By the way: This is not a strange routing problem at the computer
center, it's a strange idea you had - sorry to say that. 
And either your computer center has no one understanding routing to
consult you or you didn't tell them the whole story, because what
you have now looks to me like you didn't tell your provider about
that WLAN stuff... 

Oh by the way, of course you can put a filtering bridge there
instead, but filtering on layer two for layer three information is a
bit awkward - proper routing should be preferred.

Ciao, Arne.
-- 
 ,``o. OpenBSD        -        Debian GNU/Linux        -        Solaris  >o)
>( ,c@ GPG 1024D/913C2F81 2000-10-11  Arne P. Boettger <apb@createx.de>  /\\
 ',,,' Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V
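The following is an added worked example, not code from either poster: it carves a link ("transport") subnet out of the /27 the way Arne suggests, assigns the two ends of the link, and generates the static routes each side would install. It also checks the property that made the original request unacceptable: a route whose next hop lies inside the destination prefix. The addresses are hypothetical (the documentation range 203.0.113.0/27 stands in for the poster's real /27), and the interface names are placeholders.

```python
"""
Splitting a customer /27 into a public link net plus host subnets, so the
customer's router gets a public next-hop address that is NOT inside the
prefixes it forwards for.  Added illustration; 203.0.113.0/27 is an assumed
stand-in for the real /27, and <link-if>/<inside-if> are placeholder
interface names.
"""
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


def split_network(net: str, new_prefix: int) -> Tuple[IPv4Network, List[IPv4Network]]:
    """Split `net` into equal /new_prefix subnets.  The first one becomes the
    link net between the computer center and our router; the rest are
    handed to our local hosts.  /28 gives one link net + one host net,
    /29 gives one link net + three host nets."""
    network = ipaddress.ip_network(net, strict=True)
    if new_prefix <= network.prefixlen:
        raise ValueError("new prefix must be longer than the parent prefix")
    subnets = list(network.subnets(new_prefix=new_prefix))
    return subnets[0], subnets[1:]


def link_addresses(link: IPv4Network) -> Tuple[IPv4Address, IPv4Address]:
    """Provider side takes the first usable host of the link net, our
    router the second (an arbitrary but common convention)."""
    hosts = list(link.hosts())
    if len(hosts) < 2:
        raise ValueError("link net too small for two routers")
    return hosts[0], hosts[1]


def gateway_inside_destination(gateway: str, destination: str) -> bool:
    """True when the next hop is inside the prefix being routed - the
    'route net X via a gateway that is itself in net X' configuration the
    computer center declined to install."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(destination, strict=False)


def provider_routes(link: IPv4Network, host_nets: List[IPv4Network],
                    our_router: IPv4Address) -> List[str]:
    """Routes the computer center keeps: the link net is directly connected,
    each host net is reached via our router's link address.  The old
    'whole /27 is directly connected' entry must be removed there."""
    routes = [f"{link} dev <link-if>"]
    for net in host_nets:
        if gateway_inside_destination(str(our_router), str(net)):
            raise ValueError(f"next hop {our_router} lies inside {net}")
        routes.append(f"{net} via {our_router}")
    return routes


def our_routes(host_nets: List[IPv4Network], provider: IPv4Address) -> List[str]:
    """Routes on our router/firewall: host nets are directly connected on
    the inside, everything else goes to the provider over the link net."""
    routes = [f"{net} dev <inside-if>" for net in host_nets]
    routes.append(f"default via {provider}")
    return routes


def plan(net: str = "203.0.113.0/27", new_prefix: int = 29) -> dict:
    """Full plan for one split, as a dict of printable route lists."""
    link, host_nets = split_network(net, new_prefix)
    provider_ip, our_ip = link_addresses(link)
    return {
        "link": str(link),
        "provider_ip": str(provider_ip),
        "our_ip": str(our_ip),
        "host_nets": [str(n) for n in host_nets],
        "provider_routes": provider_routes(link, host_nets, our_ip),
        "our_routes": our_routes(host_nets, provider_ip),
    }


if __name__ == "__main__":
    for prefix in (28, 29):
        p = plan(new_prefix=prefix)
        print(f"--- split into /{prefix}: link {p['link']}, "
              f"provider {p['provider_ip']}, us {p['our_ip']}")
        print("computer center:", *p["provider_routes"], sep="\n  ")
        print("our router:     ", *p["our_routes"], sep="\n  ")
    # The rejected design: next hop inside the net it routes.
    print("gateway inside destination:",
          gateway_inside_destination("203.0.113.2", "203.0.113.0/27"))
```

With a /29 link net our router's public address is 203.0.113.2 in this example, local hosts live in the remaining three /29s, and locally generated packets and WLAN masquerading both use a public source address without any extra SNAT; the cost is that two of the 32 addresses per /29 are lost to network and broadcast, plus the link net itself, which is why the answer asks how many publicly reachable machines are actually needed.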
