routing (Solved)

Posted on 2013-01-21
Last Modified: 2013-01-31

Hi,

I would like to add a permanent route (with a different gateway) for a specific range of ip addresses (1 subnet).

Does anyone have advice as to how to go about it?

Example:

default gateway is 10.0.7.254 (255.255.248.0) for all traffic except 10.0.24.x...10.0.31.254 (255.255.248.0) where the gateway would be 10.0.7.253.

Any advice would be appreciated.

Thanks,

Mark
Question by: mbudman

14 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38802893
Do you have a DHCP server on your network? Then you could just distribute it that way.
LVL 8

Expert Comment

by:d0ughb0y
ID: 38802894
You'll need elevated privs, but you'd enter:

route -p add 10.0.24.0 mask 255.255.248.0 10.0.7.253 metric 1
LVL 1

Author Comment

by:mbudman
ID: 38802906
How would one implement this with a DHCP server?
LVL 35

Accepted Solution

by: Ernie Beek (earned 500 total points)
ID: 38802930
In the (MS) DHCP server you have option 249 Classless Static Routes. Use that to add the route to the scope.
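
As an added example (not part of the thread, and not the author's or Microsoft's code), the following Python builds, decodes and sanity-checks the payload of the Classless Static Route option that the accepted answer refers to. The wire format is RFC 3442 option 121; Microsoft's option 249 is understood here to carry the same encoding. The addresses are the ones from the question; the helper names and the local-subnet assumption (10.0.0.0/21 holding both gateways) are assumptions for illustration.

```python
# Added example, not from the thread: encode/decode the DHCP Classless Static
# Route option (RFC 3442 option 121; Microsoft option 249 is assumed to use
# the same payload) for the route asked about, plus the on-link sanity check
# a static route needs. Addresses are the question's; names are illustrative.
import ipaddress

LAN = "10.0.0.0/21"          # 255.255.248.0, the subnet both gateways live in (assumed)
DEFAULT_GW = "10.0.7.254"
OTHER_NET = "10.0.24.0/21"   # 255.255.248.0
OTHER_GW = "10.0.7.253"


def check_route(dest, gateway, lan):
    """Return a list of reasons the static route cannot work (empty = OK).

    A next hop must be on-link, i.e. inside the host's own subnet, and the
    destination must not already be on-link, or no route is needed at all.
    """
    dest, gateway, lan = (ipaddress.ip_network(dest), ipaddress.ip_address(gateway),
                          ipaddress.ip_network(lan))
    problems = []
    if gateway not in lan:
        problems.append(f"gateway {gateway} is not inside the local subnet {lan}")
    if lan.overlaps(dest):
        problems.append(f"{dest} overlaps the local subnet {lan}; it is already on-link")
    return problems


def encode_classless_routes(routes):
    """Encode [(destination, router), ...] as the option 121/249 payload.

    Per RFC 3442 each entry is: prefix length (1 octet), only the significant
    octets of the destination (ceil(prefixlen / 8) of them), then the 4-octet
    router address. A 0.0.0.0/0 entry therefore costs just 5 octets.
    """
    out = bytearray()
    for dest, router in routes:
        dest = ipaddress.ip_network(dest)
        significant = (dest.prefixlen + 7) // 8
        out.append(dest.prefixlen)
        out += dest.network_address.packed[:significant]
        out += ipaddress.ip_address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; rejects malformed payloads."""
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"prefix length {prefixlen} out of range")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        dest_packed = bytes(data[i:i + significant]).ljust(4, b"\x00")
        i += significant
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        # strict=True raises ValueError if the sender set host bits in the destination
        dest = ipaddress.ip_network((dest_packed, prefixlen))
        routes.append((str(dest), str(router)))
    return routes


def windows_route_command(dest, gateway):
    """The equivalent per-host command from d0ughb0y's comment."""
    dest = ipaddress.ip_network(dest)
    return f"route -p add {dest.network_address} mask {dest.netmask} {gateway} metric 1"


# RFC 3442: a client that receives option 121 ignores option 3 (Router), so the
# default route has to be listed in the same option or hosts lose it.
ROUTE_OPTION = encode_classless_routes([("0.0.0.0/0", DEFAULT_GW), (OTHER_NET, OTHER_GW)])

if __name__ == "__main__":
    assert check_route(OTHER_NET, OTHER_GW, LAN) == []
    print("option 121/249 payload:", ROUTE_OPTION.hex())
    print("decoded:", decode_classless_routes(ROUTE_OPTION))
    print(windows_route_command(OTHER_NET, OTHER_GW))
```

Two things worth keeping in mind when going this way. First, the option is delivered over plain DHCP, which nothing on the LAN authenticates: any host that can answer DHCP offers first can push an entry like this and steer traffic for a chosen prefix through a next hop it controls, so the decoder above is also the tool to run over a captured DHCPOFFER when a client's route table looks wrong. Second, because a client honouring option 121 drops option 3, the default route must travel inside the same option, as the example does.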
LVL 35

Expert Comment

by:Ernie Beek
ID: 38802947
LVL 25

Expert Comment

by:Fred Marshall
ID: 38803388
Well, in case you don't have Windows Server xxxx

default gateway is 10.0.7.254 (255.255.248.0) for all traffic except 10.0.24.x...10.0.31.254 (255.255.248.0) where the gateway would be 10.0.7.253.

hmmmm.... there must be a typo because the target addresses are outside the subnet of the gateway.

And, after thinking about it, I think you're saying you want "source-based" routing.  That is, you want routing based on where the traffic is coming FROM and not TO.

But, if I ignore that minor detail :-) and overcome it by assuming:
The current subnet is really 10.0.0.0 / 19 or 255.255.224.0 with 10.0.7.254 the gateway address within that subnet.

Now we have a subnet that includes BOTH 10.0.7.254 AND 10.0.31.254 which appears to be what you need (without using a router between subnets).

Add a SOURCE route in the gateway:
IF SOURCE: 10.0.24.0/21 or 255.255.248.0 route to 10.0.7.253
(note that this isn't really a "subnet" but an address range as it's a set of addresses within a larger proper subnet).

Now, packets initiated at 10.0.8.0 to 10.0.31.254 will be directed to 10.0.7.253 from the current gateway.  It adds a hop doing it that way but it's flexible in that you can cut it up into whatever chunks you want.  That's what gateways are for - to help make routing simple to manage.

Many gateway-type devices won't do this.  Juniper Networks will and there must be others.
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 38807686
If policy based routing, PBR, is supported by your router that will do what you want.
You set up a policy to tell the router what to do with packets meeting your conditions and tell it to bypass the route table and use the next hop you configure in the policy.
LVL 8

Expert Comment

by:d0ughb0y
ID: 38810190
@fmarshal - Um... I beg to differ with you on that one. 10.0.24.0/21 (255.255.248.0) gives you an address range of 10.0.24.1-10.0.31.254. His main network is 10.0.0.0/21, which would give you addresses in the range of 10.0.0.1-10.0.7.254. If the target addresses were within the 0-7 range, they'd be local LAN addresses, and wouldn't need a router at all.

PBR is way overblown for what you need. It's a single route! The best solution is what erniebeek suggested: Deliver the other route via DHCP, which would give each client that static route as part of their DHCP configuration.

There is another way, but it's a little unorthodox, and your router may not like it: You might be able to put the static route on your default router, and leave the clients alone. Your clients would send to the default route, which would then forward those packets out the same interface through which they came in (that's the part the router may not like) and to the 7.253 router, which has the proper route.
LVL 25

Expert Comment

by:Fred Marshall
ID: 38819263
doughboy:
@fmarshal - Um... I beg to differ with you on that one. 10.0.24.0/21 (255.255.248.0) gives you an address range of 10.0.24.1-10.0.31.254. His main network is 10.0.0.0/21, which would give you addresses in the range of 10.0.0.1-10.0.7.254. If the target addresses were within the 0-7 range, they'd be local LAN addresses, and wouldn't need a router at all.
I don't understand where the "differing" would be.  I agree with everything you say above.  I don't think I suggested anything else.  

I found it "interesting" that the gateway addresses in the example were outside the address range of the subnet of interest..... that's all.  It seems a rather important point.

Then, in response again to the example:
default gateway is 10.0.7.254 (255.255.248.0) for all traffic except 10.0.24.x...10.0.31.254 (255.255.248.0) where the gateway would be 10.0.7.253.
I agree that the wording is a little vague and I can understand how one might come to a different conclusion than I do but this seems to me to be saying:

"All traffic coming from 10.0.24.0/21 must be directed to 10.0.7.253 as the gateway".

Perhaps the notion of "gateway" needs to be better defined ... as in mbudman's context.
- does it mean "the internet gateway"?
- does it mean "the next hop"?
One can well understand how "the next hop" might be dealt with using DHCP but "the next hop" can't be outside the local subnet.  So how does that work?  I'm simply ignorant on that subject.
If it means "the internet gateway" then there are all kinds of routing things that can be done.
I believe that the stated requirement may be interpreted to *require* source-based routing.  But, as above, it's fuzzy isn't it?

I think it's time for mbudman to help us out here with a bit more participation and clarification.....
LVL 8

Expert Comment

by:d0ughb0y
ID: 38819469
Sorry for the confusion. I see, now, how you read it. That's not the way I did. My understanding of the question was: I want all non-local, outbound traffic to be sent to 10.0.7.254, EXCEPT for anything destined for 10.0.24.0/21, which should be directed to 10.0.7.253 instead.

If that's not what Mark wanted, then I completely misunderstood. Perhaps he can clarify.

Given that my understanding was as I described, I thought you were suggesting that, in order for him to send traffic to the 24.0/21 network, he would have to have that network being part of his local network, which just didn't make any sense at all. That's where I differed.

Also, given my understanding, I don't think it makes any difference whether "gateway" is being used to mean "Internet router" or any other router. The default gateway (aka the default router) is just where you send things you don't otherwise know where to send. From the LAN perspective, it doesn't matter whether the default route of that router is an ISP or another internal router. All the LAN needs to know is where to send the packets, including Internet-bound packets.

So thanks for clearing that up!

Oh, as for DHCP including the "next hop" information, DHCP can include a whole list of options - it's not just the IP address. It can include the DNS servers to use, routes, time servers, and a whole slew of other options. So for Mark's purposes, the easiest way to do this would be to set the DHCP server to include the route TO 10.0.24.0/21 as pointing to 10.0.7.253, reboot the machines (so they re-request their DHCP information), and that would be that.
LVL 25

Expert Comment

by:Fred Marshall
ID: 38820619
d0ughb0y:
Yes, if you're talking about Windows Server DHCP.  There are lots of routers/DHCP servers that won't do all those things.......

The reason I took the trouble to differentiate between "internet gateway" and "next hop" is because people might get confused in dealing with this question.  As you know, it's entirely possible to use a router as a gateway that re-routes traffic to the actual internet interface router.  In that case, yes, the latter would look like the internet gateway to a host but a trace route would reveal the difference.
LVL 8

Expert Comment

by:d0ughb0y
ID: 38828468
fmarshall:

It's true, a lot of DHCP server devices won't include those advanced features. But they are in the spec. ;)

If Mark isn't using a Windows (or decent *nix) DHCP server, then you're right - it may not work. It'd be helpful if Mark would come back and address some of these questions, given that neither of us actually know what his environment looks like. In any case, if he's not then he could try my other suggestions. :)
LVL 1

Author Comment

by:mbudman
ID: 38840819
Hi,

I would like to thank everyone for their answers. We are running an internal network.

My goal was:

I want all non-local, outbound traffic to be sent to 10.0.7.254, EXCEPT for anything destined for 10.0.24.0/21, which should be directed to 10.0.7.253 instead.

That being said, erniebeek understood my request correctly.

I was using Windows DHCP server and Windows DNS, but the updates were not being recorded in a timely fashion for non-window (Linux) boxes.

We decided to scrap this configuration and made a completely distinct network outside of the production network. Communication between the 2 networks is accomplished via PPTP VPN.

I would like to thank everyone for their comments and participation in responding to my initial query.

Best,

Mark
LVL 1

Author Closing Comment

by:mbudman
ID: 38840820
Thank you for your time and advice.

Cheers,

Mark