 From:  "David Burgess" <apt dot get at gmail dot com>
 To:  "Marc A. Runkel" <mrunkel at skyriver dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] multiple subnets on single LAN interface?
 Date:  Wed, 7 Mar 2007 10:47:09 -0700
I appreciate the detailed responses I've had on this topic. I feel
like I'm getting close to a solution here.

On 3/7/07, Marc A. Runkel <mrunkel at skyriver dot net> wrote:
> Hey David,
>
> If I understand this right, all your clients and your servers/equipment are connected in the same
> broadcast domain, but are separated by logical IP addressing? I.e., the devices are plugged into the
> same switch, but have different IP ranges?

Correct.

> First, it must be a very interesting story about why this came about, but we'll leave that for a
> different day.

Since it's probably quite relevant to the present discussion, I'll
elaborate a bit on that. We are a wireless ISP. We have no publicly
accessible servers on the network, but each client has a radio or "SM"
which is essentially a wireless bridge. This SM has a configuration
GUI with a manual IP address, in our case on the 172.16/16 network. We
don't want the client to access it, but we need to be able to access
it.

We also have a number of access points and backhauls (a pair of radios
linking one AP tower to the next).

We have 200+ customers, each with a computer or router on the 10.0/16
network using monowall's 10.0.0.1 LAN as gateway.

Therefore we have 200+ SMs plus a handful of APs, BHs, and other
sundry control equipment all on 172.16/16. These are physically
intermingled with the 10.0/16 machines, of necessity.

Here's a simplified ASCII diagram of our network for fun and information:

    customer1 - SM           customer3 - SM
                  \                        \
                  AP - BH ---------- BH - AP - BH ------- BH - monowall - internet
                  /                        /
    customer2 - SM           customer4 - SM

> Second, one solution is to... change your DHCP server settings overnight...

Obviously our 172.16 equipment is password protected, nevertheless we
prefer to maintain it on a separate subnet if possible. Out of sight,
out of mind.

> If you really want to maintain your existing IP numbering scheme, you need to add a secondary IP
> to the monowall interface. NO way to do this through the GUI though. You'd have to do it with the
> /exec.php page.

I'm all for that. I'll keep searching the archives for a way to do
that, but any pointers would be appreciated.

> Or, if you have an extra interface in your monowall, plug it into the same switch and give it the
> server's IP range. Just turn on advanced NAT.

This looks like the immediate solution, just adding a third NIC,
plugging it into the LAN switch and naming it 172.16.0.1/16.

> Lacking an extra interface, you can also set up VLANs (if your
> switches support that feature) and route between the virtual
> interfaces.

This solution appeals to me, but doesn't that require having the
172.16 machine on a physically separate switch port from the 10.0
machine? That would be impossible in this case, as each 10.0 client
connects to monowall through the 172.16 equipment.

> The monowall (any router) needs to "know" about the equipment's IP network and it needs to know
> how to get there. Note that in any setup where the router gets involved, you are creating a
> bottleneck at the router, both in its CPU's ability to switch the packets and on the total
> bandwidth of the router interface.

As an ISP, we have virtually no intranet traffic. Any traffic passed
from the router's 10.0 interface to its 172.16 interface will be
occasional and minimal.

As the internet gateway, the monowall is a natural bottleneck and has
been designed with the resulting bandwidth and CPU loads in mind.

> Lastly, 300+ devices is a lot for any Ethernet subnet. You might want to plug Ethereal into your
> network and take a look at your broadcast traffic...

Perhaps you're right, although I suspect that our broadcast traffic is
relatively minimal. Could be an illuminating exercise though.

db

> m.
> -----Original Message-----
> From: David Burgess [mailto:apt dot get at gmail dot com]
> Sent: Tuesday, March 06, 2007 3:24 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] multiple subnets on single LAN interface?
>
> On 3/6/07, krt <kkrrtt at gmail dot com> wrote:
> > Short Answer: No
> >
> > Long Answer:
> > You have to route your packets if you do not participate in those
> > subnets with a local interface.
>
> By "route your packets" are you referring to routing table
> modifications on my client machine? Or routing table modifications to
> the m0n0wall? Because the latter is kind of where I was trying to go,
> and without success.
>
> > Why not run the DHCP server with a range of IP addresses from the
> > 172.16.0.0/16 that you've reserved as the "DHCP RANGE" and that you will
> > not and do not have current static assignments in?
>
> This is an option, but it means lots and lots of people not having
> internet access until they renew their DHCP lease, which in many cases
> would mean a week up to a month without internet. And no, most of
> these people aren't savvy enough to try that on their own, and no, I
> won't be fielding all the angry phone calls. So basically it's not a
> very practical option for us.
>
> So is there a really long answer that wasn't included in the first
> response? I'm not averse to reading up if there's a way to do this.
> I'm just not finding anything really relevant in my searches so far.
>
> For what it's worth, here's an interesting excerpt from m0n0wall's
> System:Advanced page:
>
> "Bypass firewall rules for traffic on the same interface
> This option only applies if you have defined one or more static
> routes. If it is enabled, traffic that enters and leaves through the
> same interface will not be checked by the firewall..."
>
> Am I wrong in inferring that if traffic enters an interface,
> potentially passes through the firewall, then leaves the same
> interface, then said traffic must have differing source and
> destination subnets, which is basically what I'm trying to implement.
> Am I misinterpreting the function of a static route here?
>
> db
>
>
> > David Burgess wrote:
> > > I'm not sure if I'm going down a blind alley here, but it seems to me
> > > there must be a way to access a subnet other than one's own without
> > > crossing the firewall. Here's my m0n0wall's basic setup:
> > >
> > > WAN: static public IP address
> > > LAN: 10.0.0.1/16, running dhcpd
> > >
> > > Our clients all get IPs from the LAN dhcpd.
> > > Meanwhile, our equipment all have static IP addresses on the subnet
> > > 172.16.0.0/16. Currently, to connect with a piece of equipment one
> > > must change one's IP address manually to the 172.16/16 subnet. Is
> > > there not a way using static routes to maintain one's 10/16 address
> > > and have the m0n0wall redirect 172.16/16 requests to the appropriate
> > > equipment on the LAN? I tried adding a static route thus:
> > >
> > > 172.16             172.16.0.1         UGS         0      126    [LAN]
> > >
> > > but no dice. I tried a similar entry, using 10.0.0.1 as the gateway,
> > > but nothing still. Is this possible? Can somebody point me to a
> > > resource if it's not a simple fix? Please don't tell me to change my
> > > equipment to the 10/16 subnet, as we're talking about ~300 items here.
> > > I'll consider that a last resort, along with manually changing my IP
> > > to the 172.16/16 every time I want to have a look.
> > >
> > > Thanks,
> > > db
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >
> > >
> >
>
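As an added illustration of the routing question in this thread (my own example, not code from the thread or from m0n0wall), here is a small Python model of a router's forwarding decision. It reproduces why the two static routes David tried cannot work (the gateway is either not on any connected subnet or is the router itself) and why the secondary address Marc suggests does, and it flags hairpin traffic, the case m0n0wall's "bypass firewall rules for traffic on the same interface" option concerns; all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """A host or router: interface name -> list of 'addr/prefix' strings,
    plus static routes as (prefix, gateway) pairs."""
    ifaces: dict
    statics: list = field(default_factory=list)

    def own_addrs(self):
        return {str(ipaddress.ip_interface(a).ip)
                for addrs in self.ifaces.values() for a in addrs}

    def connected(self, addr):
        """Interface whose subnet contains addr, or None if it is not on-link."""
        for name, addrs in self.ifaces.items():
            if any(addr in ipaddress.ip_interface(a).network for a in addrs):
                return name
        return None

    def forward(self, dst, ingress=None):
        """Return (verdict, detail, hairpin). detail is the egress interface,
        or the gateway address when the matching route is unusable; hairpin is
        True when the packet leaves through the interface it arrived on."""
        dst = ipaddress.ip_address(dst)
        iface = self.connected(dst)
        if iface:                                   # connected route wins
            return ("direct", iface, iface == ingress)
        for prefix, gw in self.statics:
            if dst in ipaddress.ip_network(prefix):
                if gw in self.own_addrs():          # route points back at this node
                    return ("gateway-is-self", gw, False)
                gw_if = self.connected(ipaddress.ip_address(gw))
                if gw_if is None:                   # no on-link path to the gateway
                    return ("gateway-not-on-link", gw, False)
                return ("via", gw_if, gw_if == ingress)
        return ("no-route", None, False)


# Constructed scenarios: David's two static-route attempts, Marc's alias, a customer.
attempt1 = Node({"LAN": ["10.0.0.1/16"]}, [("172.16.0.0/16", "172.16.0.1")])
attempt2 = Node({"LAN": ["10.0.0.1/16"]}, [("172.16.0.0/16", "10.0.0.1")])
aliased = Node({"LAN": ["10.0.0.1/16", "172.16.0.1/16"]})
client = Node({"eth0": ["10.0.5.5/16"]}, [("0.0.0.0/0", "10.0.0.1")])


def scenarios(dst="172.16.3.3"):
    """Forwarding decision of each node for a packet to an SM at dst."""
    return {"client": client.forward(dst),
            "attempt1": attempt1.forward(dst, ingress="LAN"),
            "attempt2": attempt2.forward(dst, ingress="LAN"),
            "aliased": aliased.forward(dst, ingress="LAN")}
```

Note that the alias only gives the router a route; a customer host that sets its own 172.16 address is still on-link with the radios, so the subnet split is convenience, not a security boundary.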