Welcome to Experts Exchange
Solved

Need assistance subnetting a Class C with open source layer 3 router - Vyatta

Posted on 2013-01-23
Last Modified: 2016-03-11
Hello,

We have a Class C of IPv4 public internet addresses and need to subnet them (much like a datacenter does) for various customer servers. The goal is to offer address space and keep everyone segmented for security/reliability reasons (i.e. we don't want a customer to impersonate another IP and bring down another server outside of their subnet). Pretty common thing to do... or so I thought.

I have been on the search for a Layer 3 software appliance (this is all done on ESX) and have found Vyatta. The good news is that it accepts many of the same commands as a Cisco Router so any Cisco admins are welcome to jump in here.

I am not new to networking, but this is my first time with something as involved as Vyatta (I have been an Untangle user for years). I have been googling for the past 4 days and there is surprisingly little info on how to subnet a class C.  So I need help, mostly with the logic of the routing, but specific commands are very welcome as well.

For the purposes of this question I have provided a network diagram of what I want to accomplish, but with only two subnets.  if you could help me achieve this I can take it from there.

[Attached diagram: Subnetting Concept]
With great thanks!

Richard
Question by:Richard Amiss
9 Comments
LVL 44

Expert Comment

by:Darr247
ID: 38812600
In the one on the right, you started too low.
The gateway (L3 switch port) can't be 1.1.1.128, because that's the network ID.
So change the switch port's IP to 1.1.1.129 /25, the IP of the computer in the drawing to 1.1.1.130 /25, and its gateway to 1.1.1.129.

If you're asking how to route the traffic in the Vyatta, the routing table needs to look something like

Destination      Netmask           Gateway
1.1.1.0         255.255.255.128    1.1.1.1
1.1.1.128       255.255.255.128    1.1.1.129


LVL 26

Expert Comment

by:Fred Marshall
ID: 38812617
Well, the diagram has IP addresses confused a bit.
As I see it the subnets are:
1.1.1.0/25 with broadcast at 1.1.1.127
and
1.1.1.128/25 with broadcast at 1.1.1.255

I know nothing about the Vyatta but wouldn't it need a couple of IP addresses?
Normally one on the upstream side or WAN and one on the downstream side or LAN.
(It would not have to have addresses on all the subnets.).

Anyway, since you are in private address space why not use NAT?  
Or, what you've shown AT LEAST suggests VLANs.

A VLAN is an electronic version of "separate copper".  That's really what the "LAN" in "VLAN" refers to.

If you NAT then you might have a separate, inexpensive, router for each subnet / LAN.  They can be any size you want really (in powers of 2).  You do understand subnetting, right?  So you could have:

64 in 1.1.1.0/26
64 in 1.1.1.64/26
128 in 1.1.1.128/25
(less the network and broadcast addresses in the number of addresses above).
and I wouldn't use "Class" anything any more.... just subnet mask bit count or 32 minus that number as above (CIDR).

Maybe Vyatta can do that on a PC with a bunch of NICs.  I don't know.  But, your questions seem basic enough that perhaps having an architecture first would clear the way.  I'm most unclear on the architecture you're proposing except there's a Vyatta box in the middle.

Will you NAT?
Why combine private ranges if you do?
That's the sort of thing I mean by architecture.
etc.
etc.
LVL 3

Author Comment

by:Richard Amiss
ID: 38812805
Hi,

Yeah, I realized after I posted that I messed up the diagram (I rushed it just as an example).  I do understand subnets and how to break them up.

I am ultimately looking to do VLSM like so:
Address      Mask   Assignable Range          Broadcast
1.1.1.0      /25    1.1.1.1 - 1.1.1.126       1.1.1.127
1.1.1.128    /27    1.1.1.129 - 1.1.1.158     1.1.1.159
1.1.1.160    /27    1.1.1.161 - 1.1.1.190     1.1.1.191
1.1.1.192    /28    1.1.1.193 - 1.1.1.206     1.1.1.207
1.1.1.208    /29    1.1.1.209 - 1.1.1.214     1.1.1.215
1.1.1.216    /29    1.1.1.217 - 1.1.1.222     1.1.1.223
1.1.1.224    /29    1.1.1.225 - 1.1.1.230     1.1.1.231
1.1.1.232    /29    1.1.1.233 - 1.1.1.238     1.1.1.239
1.1.1.240    /29    1.1.1.241 - 1.1.1.246     1.1.1.247
1.1.1.248    /29    1.1.1.249 - 1.1.1.254     1.1.1.255



Vyatta functions with commands similar to any cisco router device, except that it is software. I am running it as a VM, so yes, I can have as many NICs as necessary to make this work.

I am ok doing NAT, as long as I am not NAT'ing to a new private subnet. I literally need to divide the original subnet.

Some questions that might help you help me:
1) How should I address the WAN NIC?  As a single IP or address the entire Class C?
2) In my head it then makes sense to address each LAN NIC as a broadcast for each subnet and then route between the WAN and each LAN.

I have tried 1 and 2 above and nothing gets through.

I know how to route public to private space, but public to public has me stumped because I don't understand the logic of the route.

Richard
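
The VLSM table in the comment above can be produced mechanically, and doing so is the quickest way to check that a plan is aligned and leaves no gaps. The Python below is an added example, not code from the thread or from Vyatta: it carves a parent block into subnets largest-first (the layout the table uses), regardless of the order the sizes are requested in, returns each subnet's assignable range and broadcast, checks the result for overlaps, and refuses a plan that does not fit. The block address and prefix lengths used in the `__main__` section are the ones from the table; nothing else is assumed.

```python
"""Carve a block into a VLSM plan and tabulate it (added example, not from the thread)."""
import ipaddress


def carve_vlsm(block, prefix_lengths):
    """Carve `block` into one subnet per requested prefix length.

    Allocation goes largest subnet first, taking the lowest aligned free space each
    time; that is exactly the layout of the table in the comment above. Returns the
    subnets in address order and raises ValueError when the requests do not fit.
    """
    block = ipaddress.ip_network(block)
    free = [block]          # free fragments, kept sorted by address
    allocated = []
    for plen in sorted(prefix_lengths):   # smaller prefix length = bigger subnet
        for i, frag in enumerate(free):
            if frag.prefixlen <= plen:
                # lowest aligned /plen inside this fragment; the rest goes back on the free list
                sub = frag if frag.prefixlen == plen else next(frag.subnets(new_prefix=plen))
                allocated.append(sub)
                free[i:i + 1] = sorted(frag.address_exclude(sub))
                break
        else:
            raise ValueError(f"no room left for a /{plen} in {block}")
    return sorted(allocated)


def plan_rows(subnets):
    """(network, prefix, first host, last host, broadcast) per subnet, as strings."""
    rows = []
    for net in subnets:
        if net.prefixlen > 30:
            raise ValueError(f"{net}: /31 and /32 have no host range in this scheme")
        rows.append((str(net.network_address), net.prefixlen,
                     str(net.network_address + 1), str(net.broadcast_address - 1),
                     str(net.broadcast_address)))
    return rows


def assert_disjoint(subnets):
    """Every pair of subnets must be non-overlapping; returns True or raises."""
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


if __name__ == "__main__":
    # Sizes from the table above, deliberately given out of order.
    plan = carve_vlsm("1.1.1.0/24", [29] * 6 + [28, 27, 27, 25])
    assert_disjoint(plan)
    print(f"{'Address':<12}{'Mask':<6}{'Assignable Range':<26}Broadcast")
    for addr, plen, first, last, bcast in plan_rows(plan):
        print(f"{addr:<12}/{plen:<5}{first + ' - ' + last:<26}{bcast}")
```

Running it prints the same ten rows as the table. Feeding it a plan that does not fit (for example two /25s and a /26 from one /24) raises instead of silently overlapping, which is the failure mode worth catching before any of it is typed into a router.
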
LVL 44

Expert Comment

by:Darr247
ID: 38812897
No matter what size you break them up into, the concept remains the same.
Use one of the addresses as Gateway, and tell your router to send everything with a destination in [network ID] [/netmask] through that gateway.

That's why when you get a /29 set from an ISP, you only get 5 IPs... they 'keep' one to use as the Gateway on their L3 switch that connects your subnet to the internet, so they have a way to route your subnet's traffic to you.
LVL 26

Expert Comment

by:Fred Marshall
ID: 38815270
I'm curious why you need to keep the private addresses that way but... OK, I can go with it even if it is a bit odd.  You might think about that because it's odd and I'm/we're likely winging it a bit:

First things first:  The "primary router" connecting to the service has to have:
- a gateway address (which you have not mentioned or shown)
- an IP address for the "WAN" NIC.
I am going to assume that the gateway is 1.1.1.1
I am going to assume that the "WAN" NIC is 1.1.1.2
Now, I wonder if this would work:
Set the "WAN" NIC to 1.1.1.2/30.
(The hope is that broadcast packets from 1.1.1.2 to 1.1.1.3 won't be missed or important .. but I don't know for sure).
Note that all of the rest of the /24 subnet is "wasted" in a sense.  But, in this case it doesn't matter.
Now you NAT into the subnets you want on the downstream side and use whatever private ranges you want.  They could all be the same!  They could all be size 512!  That's why I ask why you want to use the address ranges as specified.

Perhaps there's another way but it would be conjecture unless we knew what the objectives are here........

For example, you could assign IP addresses in each subnet as desired.
You could interface each subnet with a router (no NAT).  Assuming the routers have some routing/firewall capability perhaps you could block the other subnets.
LVL 26

Expert Comment

by:Fred Marshall
ID: 38815277
By "objectives" I mean things like:

We want to be able to reach xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyyy.
We want to block access from zzz.zzz.zzz.zzz at www.www.www.www
etc.
LVL 3

Accepted Solution

by: Richard Amiss (earned 0 total points)
ID: 38823657
Hello,

I have found a solution and want to update this question for anyone else needing to do subnetting.

In both Linux and Vyatta the solution is as simple as configuring a NIC with an IP in the original Subnet (set as WAN) and a NIC with an IP on the inside of the new subnet (set as LAN). The magic works when you simply enable Proxy-ARP on the WAN interface.

There is a great (albeit old) article on how Proxy-ARP in linux works here. It explains how each packet routes back and forth:
http://www.faqs.org/docs/Linux-mini/Proxy-ARP-Subnet.html#HOW

The setup commands in Vyatta are surprisingly simple:

eth0 (WAN)
set interfaces ethernet eth0 address (WAN IP)/24
set interfaces ethernet eth0 ip enable-proxy-arp

eth1 (LAN SUBNET)
set interfaces ethernet eth1 address (LAN IP)/XX

set system gateway-address (WAN gateway)
set system name-server 8.8.8.8
commit
save

That's it! Then just set up the client as expected:

Example client device behind eth1
-------------------------
IP: Within the /XX subnet range as set on eth1
Subnet: 255.255.255.xxx (adjust to your subnet size)
Gateway: the ip set for eth1
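
As an added example (not part of the accepted solution, the thread, or Vyatta's own code), the Python below takes the addressing plan from the solution and does three things a practitioner would want before committing it: it runs the sanity checks the thread hit by hand (the router's LAN address must not be the network ID, every LAN subnet must sit strictly inside the WAN prefix, the WAN address and upstream gateway must not fall inside a carved subnet, and the subnets must not overlap); it emits the Vyatta commands alongside the equivalent plain-Linux ip/sysctl commands; and it models the proxy-ARP decision the linked article describes, where the router answers an ARP request only on an interface with proxy ARP enabled and only when its route to the target leaves by a different interface. The WAN address 1.1.1.2, gateway 1.1.1.1 and the LAN addresses are assumptions standing in for the "(WAN IP)" and "(LAN IP)" placeholders in the solution.

```python
"""Proxy-ARP subnet split: plan checks, config generation and ARP-reply logic.

Added example, not code from the thread or from Vyatta/VyOS. All addresses are
assumptions standing in for the placeholders in the accepted solution.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ProxyArpRouter:
    wan_if: str        # interface facing the upstream router, e.g. "eth0"
    wan_cidr: str      # router address inside the parent block, e.g. "1.1.1.2/24"
    gateway: str       # upstream router address, e.g. "1.1.1.1"
    lans: dict         # {"eth1": "1.1.1.129/27"}: router address on each carved subnet

    def validate(self):
        """Catch the addressing mistakes that silently break a proxy-ARP split."""
        wan = ipaddress.ip_interface(self.wan_cidr)
        gw = ipaddress.ip_address(self.gateway)
        if gw not in wan.network:
            raise ValueError(f"gateway {gw} is not inside {wan.network}")
        seen = []
        for ifname, cidr in self.lans.items():
            lan = ipaddress.ip_interface(cidr)
            net = lan.network
            # Proxy ARP on the WAN side only helps for addresses the upstream router
            # already believes are on the WAN segment, i.e. inside the WAN prefix.
            if not (net.subnet_of(wan.network) and net.prefixlen > wan.network.prefixlen):
                raise ValueError(f"{ifname}: {net} is not a proper subnet of {wan.network}")
            # The network ID and broadcast are not assignable (the mistake in the diagram).
            if lan.ip in (net.network_address, net.broadcast_address):
                raise ValueError(f"{ifname}: {lan.ip} is the network or broadcast address")
            # The WAN address and gateway must stay reachable via the WAN interface.
            if wan.ip in net or gw in net:
                raise ValueError(f"{ifname}: {net} swallows the WAN address or gateway")
            if any(net.overlaps(other) for other in seen):
                raise ValueError(f"{ifname}: {net} overlaps another LAN subnet")
            seen.append(net)
        return wan, gw

    def vyatta_commands(self):
        """Vyatta configuration-mode commands, in the order they would be typed."""
        wan, gw = self.validate()
        cmds = [f"set interfaces ethernet {self.wan_if} address {wan.with_prefixlen}",
                f"set interfaces ethernet {self.wan_if} ip enable-proxy-arp"]
        for ifname, cidr in self.lans.items():
            lan = ipaddress.ip_interface(cidr)
            cmds.append(f"set interfaces ethernet {ifname} address {lan.with_prefixlen}")
        cmds += [f"set system gateway-address {gw}", "commit", "save"]
        return cmds

    def linux_commands(self):
        """The same split on a plain Linux router (what the Vyatta knobs program underneath)."""
        wan, gw = self.validate()
        cmds = ["sysctl -w net.ipv4.ip_forward=1",
                f"ip addr add {wan.with_prefixlen} dev {self.wan_if}",
                f"sysctl -w net.ipv4.conf.{self.wan_if}.proxy_arp=1"]
        for ifname, cidr in self.lans.items():
            cmds.append(f"ip addr add {ipaddress.ip_interface(cidr).with_prefixlen} dev {ifname}")
        cmds.append(f"ip route add default via {gw} dev {self.wan_if}")
        return cmds

    def egress_interface(self, dst):
        """Longest-prefix match over the connected routes, else the default route."""
        dst = ipaddress.ip_address(dst)
        routes = [(ipaddress.ip_interface(self.wan_cidr).network, self.wan_if)]
        routes += [(ipaddress.ip_interface(c).network, i) for i, c in self.lans.items()]
        hits = [(net.prefixlen, ifname) for net, ifname in routes if dst in net]
        return max(hits)[1] if hits else self.wan_if

    def proxy_arp_replies(self, ingress_if, target):
        """Linux proxy_arp rule: reply only on an interface with proxy_arp enabled, and
        only when the route to the target leaves by a different interface. As in the
        accepted solution, only the WAN interface has it enabled."""
        if ingress_if != self.wan_if:
            return False
        return self.egress_interface(target) != ingress_if


if __name__ == "__main__":
    router = ProxyArpRouter("eth0", "1.1.1.2/24", "1.1.1.1",
                            {"eth1": "1.1.1.129/27", "eth2": "1.1.1.161/27"})
    print("\n".join(router.vyatta_commands()))
    print("\n".join(router.linux_commands()))
    # The upstream router ARPs for 1.1.1.130 on the WAN segment; the /27 behind eth1
    # is more specific than the connected /24 on eth0, so the Vyatta answers.
    print(router.proxy_arp_replies("eth0", "1.1.1.130"))   # True
    print(router.proxy_arp_replies("eth0", "1.1.1.50"))    # False: 1.1.1.50 is on eth0 itself
```

Proxy ARP only solves reachability. A server on eth1 can still put a source address from eth2's subnet on the wire, so the segmentation goal stated in the question also needs a per-interface source-address filter (or reverse-path checking) on the Vyatta, which the thread does not cover.
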
