Fran (Guru)
Joined: 29 Feb 2004 Posts: 530 Location: Coruña (Spain)
Posted: Tue Apr 01, 2014 10:13 am    Post subject: Routing between two networks
At work we have a private network with several servers. Let's say 10.0.0.0/24. The servers in this private network access the outside world through a gateway (G1) with ip 10.0.0.1.
We also have a public network (let's say 2.2.2.0/24). The gateway for this network is 2.2.2.1 (G2). My computer (C2, with ip 2.2.2.20) is in this network.
What I want is to access the servers in 10.0.0.0/24 from my computer C2, but I'm having some problems. I'm trying to do it through another computer (R) with two network interfaces (2.2.2.40 and 10.0.0.40):
Code:
                  Internet
          G2                    G1
        2.2.2.1               10.0.0.1
           |                     |
           |                     |
    C2-----+----------R----------+------Servers
    2.2.2.20     2.2.2.40  10.0.0.40
What I've done:
- In R:
  1. Enable ip forwarding
  2. iptables:
     -A FORWARD -i eth1 -j ACCEPT                  # eth1 = private
     -A FORWARD -i eth0 -d 10.0.0.0/24 -j ACCEPT   # eth0 = public
     -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 2.2.2.40
- In C2: ip route add 10.0.0.0/24 via 2.2.2.40 dev eth0
This works fine... ONLY if the server I'm connecting to has its gateway configured as 10.0.0.40 (i.e., R). If the server's gateway is configured as 10.0.0.1, I can't connect to the server. Ping works, but ssh waits forever.
If I add iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.40 in R, I can connect to a server in 10.0.0.0/24 even if its gateway is configured as 10.0.0.1, BUT... now the server cannot connect to my computer C2.
What am I missing? Is there any way to achieve what I'm trying to do without openvpn?
papahuhn (l33t)
Joined: 06 Sep 2004 Posts: 626
Posted: Tue Apr 01, 2014 7:31 pm    Post subject: Re: Routing between two networks

Fran wrote:
    BUT... now the server cannot connect to my computer C2.

I'm trying to understand this last bit. "But now" in contrast to when? Is there a setup where the server can connect to C2?
Hu (Moderator)
Joined: 06 Mar 2007 Posts: 21607
Posted: Wed Apr 02, 2014 1:41 am

That is a strange network setup, but the SNAT rule seems like the simplest workaround. The inability to get responses without SNAT makes sense, because the server sends the traffic to its default gateway, and G1 has no way to route the traffic to you.
Ant P. (Watchman)
Joined: 18 Apr 2009 Posts: 6920
Posted: Wed Apr 02, 2014 4:58 am
The computers in 2.2.2.0/24 need to be told there's a route to 10.0.0.0/24 via that router, and vice versa. Adding a route on one machine will let you send traffic, but the other end will still have no idea where to send the reply.
There might be a way to do all this with DHCP but I'm not seeing anything in dhcpd's man pages for it. You might have to manually set static IPv4 routes on every machine (or at least on the 2 gateways as a workaround) to get it to work.
Fran (Guru)
Joined: 29 Feb 2004 Posts: 530 Location: Coruña (Spain)
Posted: Wed Apr 02, 2014 9:07 am    Post subject: Re: Routing between two networks

papahuhn wrote:
    Fran wrote:
        BUT... now the server cannot connect to my computer C2.
    I'm trying to understand this last bit. "But now" in contrast to when? Is there a setup where the server can connect to C2?
If I don't add the rule, I can ssh from a server to C2. If I add it, I can't. I suppose it's because the ssh connection goes server->G1->G2->C2, but the replies from C2 to the server go C2->R->server (because of the route I added in C2). With the iptables rule, R changes the "from" in the reply from 2.2.2.20 to 10.0.0.40, and the sshd in the server gets confused (?). Without the rule, the "from" is still 2.2.2.20 and the connection succeeds.
(edit) Wait, this doesn't make sense. G1 should have changed the "from" address too with NAT, because the server has a 10.x.x.x address and C2 wouldn't be able to respond to that. Weird. But I've tested, and server->C2 only works without the iptables rule in R.
Ant P. wrote:
    The computers in 2.2.2.0/24 need to be told there's a route to 10.0.0.0/24 via that router, and vice versa. Adding a route on one machine will let you send traffic, but the other end will still have no idea where to send the reply.
The problem is I don't control all the servers in 10.0.0.0/24. For the ones I do control, I've set their gateway to R and everything's peachy. For the rest I have this problem.
Hu wrote:
    That is a strange network setup, but the SNAT rule seems like the simplest workaround. The inability to get responses without SNAT makes sense, because the server sends the traffic to its default gateway, and G1 has no way to route the traffic to you.
Yeah, I suppose it's the best solution (besides vpn, which also works (I've tested it) but is slow and cumbersome). For me it's more important to be able to connect from C2 to computers in the private network than vice versa, so I'll add the rule.
Thanks to all.
(P.S.: That network setup is due to our department migrating from a network with public addresses to a private one. For a while we had enough public IPs. Now, not so much. I want to have my computer in the public network, but most of our servers have moved.)
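The configuration the thread arrives at, put together as an added example (this is not code from any of the posts). It assumes the interface names and addresses from the first post (eth0 = 2.2.2.40 on the public side, eth1 = 10.0.0.40 on the private side) and a constructed placeholder list, SNAT_TARGETS, of the private servers whose default gateway is G1 rather than R. The eth1 SNAT that Fran settled on is applied only to those servers: the hosts that already use R as their gateway are left alone, so their connections to C2 keep seeing C2's real address (the case Fran reported as working without the rule), while the FORWARD chain gets a default DROP policy and conntrack state matching instead of accepting everything from eth1.

```shell
#!/bin/sh
# Router R and client C2 setup for the two-network layout in the thread.
# Names and addresses below follow the first post; SNAT_TARGETS is a
# constructed placeholder for the servers whose gateway is G1 (10.0.0.1).
PUBLIC_IF=eth0
PRIVATE_IF=eth1
PUBLIC_IP=2.2.2.40
PRIVATE_IP=10.0.0.40
PUBLIC_NET=2.2.2.0/24
PRIVATE_NET=10.0.0.0/24
SNAT_TARGETS="10.0.0.50 10.0.0.51"   # placeholder addresses (constructed)

# Print each command unless DRY_RUN=0, in which case execute it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Rules for R.
router_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Transit traffic is denied unless one of the rules below allows it.
    run iptables -P FORWARD DROP
    # Packets belonging to connections R has already seen, both directions.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from the private side going anywhere (as in the post).
    run iptables -A FORWARD -i "$PRIVATE_IF" -s "$PRIVATE_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # New connections from the public side into the private network only.
    run iptables -A FORWARD -i "$PUBLIC_IF" -s "$PUBLIC_NET" -d "$PRIVATE_NET" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Private hosts leaving through R appear as R's public address.
    run iptables -t nat -A POSTROUTING -o "$PUBLIC_IF" -s "$PRIVATE_NET" \
        -j SNAT --to-source "$PUBLIC_IP"

    # The workaround from the thread, restricted to the servers that route
    # replies via G1: they see R as the source, so their replies come back
    # through R instead of disappearing at G1.
    for srv in $SNAT_TARGETS; do
        run iptables -t nat -A POSTROUTING -o "$PRIVATE_IF" -d "$srv" \
            -j SNAT --to-source "$PRIVATE_IP"
    done
}

# Route for C2 so that traffic to the private network goes via R.
c2_route() {
    run ip route add "$PRIVATE_NET" via "$PUBLIC_IP" dev eth0
}

case "${1:-}" in
    router) router_rules ;;
    c2)     c2_route ;;
esac
```

With no DRY_RUN set the script only prints the commands, so `sh router.sh router` shows the rule set for review; `DRY_RUN=0 sh router.sh router` applies it on R and `DRY_RUN=0 sh router.sh c2` adds the route on C2. Servers whose gateway is changed to R later can simply be dropped from SNAT_TARGETS.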