Need assistance subnetting a Class C with open source layer 3 router - Vyatta

Posted on 2013-01-23
Last Modified: 2016-03-11
Hello,

We have a Class C of IPv4 public internet addresses and need to subnet them (much like a datacenter does) for various customer servers. The goal is to offer address space and keep everyone segmented for security/reliability reasons (i.e. we don't want a customer to impersonate another IP and bring down another server outside of their subnet). Pretty common thing to do... or so I thought.

I have been on the search for a Layer 3 software appliance (this is all done on ESX) and have found Vyatta. The good news is that it accepts many of the same commands as a Cisco Router so any Cisco admins are welcome to jump in here.

I am not new to networking, but this is my first time with something as involved as Vyatta (I have been an Untangle user for years). I have been googling for the past 4 days and there is surprisingly little info on how to subnet a class C.  So I need help, mostly with the logic of the routing, but specific commands are very welcome as well.

For the purposes of this question I have provided a network diagram of what I want to accomplish, but with only two subnets. If you could help me achieve this I can take it from there.

[Network diagram: Subnetting Concept]
With great thanks!

Richard
Question by: Richard Amiss

Expert Comment by: Darr247 (ID: 38812600)
In the one on the right, you started too low.
The gateway (L3 switch port) can't be 1.1.1.128, because that's the network ID.
So change the switch port's IP to 1.1.1.129 /25, the IP of the computer in the drawing to 1.1.1.130 /25, and its gateway to 1.1.1.129.

If you're asking how to route the traffic in the Vyatta, the routing table needs to look something like

Destination      Netmask           Gateway
1.1.1.0         255.255.255.128    1.1.1.1
1.1.1.128       255.255.255.128    1.1.1.129



Expert Comment by: Fred Marshall (ID: 38812617)
Well, the diagram has IP addresses confused a bit.
As I see it the subnets are:
1.1.1.0/25 with broadcast at 1.1.1.127
and
1.1.1.128/25 with broadcast at 1.1.1.255

I know nothing about the Vyatta but wouldn't it need a couple of IP addresses?
Normally one on the upstream side or WAN and one on the downstream side or LAN.
(It would not have to have addresses on all the subnets.).

Anyway, since you are in private address space why not use NAT?  
Or, what you've shown AT LEAST suggests VLANs.

A VLAN is an electronic version of "separate copper".  That's really what the "LAN" in "VLAN" refers to.

If you NAT then you might have a separate, inexpensive, router for each subnet / LAN.  They can be any size you want really (in powers of 2).  You do understand subnetting, right?  So you could have:

64 in 1.1.1.0/26
64 in 1.1.1.64/26
128 in 1.1.1.128/25
(less the network and broadcast addresses in the number of addresses above).
and I wouldn't use "Class" anything any more.... just subnet mask bit count or 32 minus that number as above (CIDR).

Maybe Vyatta can do that on a PC with a bunch of NICs.  I don't know.  But, your questions seem basic enough that perhaps having an architecture first would clear the way.  I'm most unclear on the architecture you're proposing except there's a Vyatta box in the middle.

Will you NAT?
Why combine private ranges if you do?
That's the sort of thing I mean by architecture.
etc.
etc.

Author Comment by: Richard Amiss (ID: 38812805)
Hi,

Yeah, I realized after I posted that I messed up the diagram (I rushed it just as an example).  I do understand subnets and how to break them up.

I am ultimately looking to do VLSM like so:
Address		Mask	Assignable Range	Broadcast
1.1.1.0		/25	1.1.1.1 - 1.1.1.126	1.1.1.127
1.1.1.128	/27	1.1.1.129 - 1.1.1.158	1.1.1.159
1.1.1.160	/27	1.1.1.161 - 1.1.1.190	1.1.1.191
1.1.1.192	/28	1.1.1.193 - 1.1.1.206	1.1.1.207
1.1.1.208	/29	1.1.1.209 - 1.1.1.214	1.1.1.215
1.1.1.216	/29	1.1.1.217 - 1.1.1.222	1.1.1.223
1.1.1.224	/29	1.1.1.225 - 1.1.1.230	1.1.1.231
1.1.1.232	/29	1.1.1.233 - 1.1.1.238	1.1.1.239
1.1.1.240	/29	1.1.1.241 - 1.1.1.246	1.1.1.247
1.1.1.248	/29	1.1.1.249 - 1.1.1.254	1.1.1.255



Vyatta functions with commands similar to any Cisco router device, except that it is software. I am running it as a VM, so yes, I can have as many NICs as necessary to make this work.

I am ok doing NAT, as long as I am not NAT'ing to a new private subnet. I literally need to divide the original subnet.

Some questions that might help you help me:
1) How should I address the WAN NIC?  As a single IP or address the entire Class C?
2) In my head it then makes sense to address each LAN NIC as a broadcast for each subnet and then route between the WAN and each LAN.

I have tried 1 and 2 above and nothing gets through.

I know how to route public to private space, but public to public has me stumped because I don't understand the logic of the route.

Richard
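As an added example (not part of the original thread), the VLSM plan above checked with Python's ipaddress module: describe() reproduces the assignable range and broadcast for each row, and check_plan() confirms the ten subnets tile 1.1.1.0/24 with no overlap or gap. An address with host bits set, such as 1.1.1.130/27, is rejected rather than silently rounded to its network ID.

```python
from ipaddress import IPv4Network

# The VLSM plan from the comment above, as (network, prefix) pairs.
VLSM_PLAN = [
    ("1.1.1.0", 25), ("1.1.1.128", 27), ("1.1.1.160", 27), ("1.1.1.192", 28),
    ("1.1.1.208", 29), ("1.1.1.216", 29), ("1.1.1.224", 29), ("1.1.1.232", 29),
    ("1.1.1.240", 29), ("1.1.1.248", 29),
]


def describe(address, prefix):
    """Return (network, first usable, last usable, broadcast) for one subnet.

    IPv4Network is strict by default, so an address with host bits set
    (e.g. 1.1.1.130/27) raises ValueError instead of being silently rounded.
    """
    net = IPv4Network(f"{address}/{prefix}")
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]),
            str(hosts[-1]), str(net.broadcast_address))


def check_plan(parent, plan):
    """Verify that the subnets tile `parent` exactly.

    Returns a list of problems (empty when the plan is sound): subnets outside
    the parent block, overlapping subnets, gaps, and a plan that stops short.
    """
    parent = IPv4Network(parent)
    nets = sorted((IPv4Network(f"{a}/{p}") for a, p in plan),
                  key=lambda n: int(n.network_address))
    problems = []
    expected = int(parent.network_address)  # next address the plan must cover
    for net in nets:
        if not net.subnet_of(parent):
            problems.append(f"{net} is outside {parent}")
        start = int(net.network_address)
        if start < expected:
            problems.append(f"{net} overlaps the previous subnet")
        elif start > expected:
            problems.append(f"gap before {net}")
        expected = int(net.broadcast_address) + 1
    if expected != int(parent.broadcast_address) + 1:
        problems.append(f"plan stops short of {parent.broadcast_address}")
    return problems


if __name__ == "__main__":
    for address, prefix in VLSM_PLAN:
        row = (address, prefix) + describe(address, prefix)[1:]
        print("%-10s /%-3d %s - %s  broadcast %s" % row)
    print("problems:", check_plan("1.1.1.0/24", VLSM_PLAN) or "none")
```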

Expert Comment by: Darr247 (ID: 38812897)
No matter what size you break them up into, the concept remains the same.
Use one of the addresses as Gateway, and tell your router to send everything with a destination in [network ID] [/netmask] through that gateway.

That's why when you get a /29 set from an ISP, you only get 5 IPs... they 'keep' one to use as the Gateway on their L3 switch that connects your subnet to the internet, so they have a way to route your subnet's traffic to you.

Expert Comment by: Fred Marshall (ID: 38815270)
I'm curious why you need to keep the private addresses that way, but... OK, I can go with it even if it is a bit odd. You might think about that because it's odd and I'm/we're likely winging it a bit:

First things first: The "primary router" connecting to the service has to have:
- a gateway address (which you have not mentioned or shown)
- an IP address for the "WAN" NIC.
I am going to assume that the gateway is 1.1.1.1
I am going to assume that the "WAN" NIC is 1.1.1.2
Now, I wonder if this would work:
Set the "WAN" NIC to 1.1.1.2/30.
(The hope is that broadcast packets from 1.1.1.2 to 1.1.1.3 won't be missed or important... but I don't know for sure).
Note that all of the rest of the /24 subnet is "wasted" in a sense.  But, in this case it doesn't matter.
Now you NAT into the subnets you want on the downstream side and use whatever private ranges you want.  They could all be the same!  They could all be size 512!  That's why I ask why you want to use the address ranges as specified.

Perhaps there's another way but it would be conjecture unless we knew what the objectives are here...

For example, you could assign IP addresses in each subnet as desired.
You could interface each subnet with a router (no NAT).  Assuming the routers have some routing/firewall capability perhaps you could block the other subnets.

Expert Comment by: Fred Marshall (ID: 38815277)
By "objectives" I mean things like:

We want to be able to reach xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyyy.
We want to block access from zzz.zzz.zzz.zzz at www.www.www.www
etc.

Accepted Solution by: Richard Amiss, earned 0 total points (ID: 38823657)
Hello,

I have found a solution and want to update this question for anyone else needing to do subnetting.

In both Linux and Vyatta the solution is as simple as configuring a NIC with an IP in the original Subnet (set as WAN) and a NIC with an IP on the inside of the new subnet (set as LAN). The magic works when you simply enable Proxy-ARP on the WAN interface.

There is a great (albeit old) article on how Proxy-ARP in linux works here. It explains how each packet routes back and forth:
http://www.faqs.org/docs/Linux-mini/Proxy-ARP-Subnet.html#HOW

The setup commands in Vyatta are surprisingly simple:

eth0 (WAN)
set interfaces ethernet eth0 address (WAN IP)/24
set interfaces ethernet eth0 ip enable-proxy-arp

eth1 (LAN SUBNET)
set interfaces ethernet eth1 address (LAN IP)/XX

set system gateway-address (WAN gateway)
set system name-server 8.8.8.8

commit
save

That's it! Then just set up the client as expected:

Example client device behind eth1
-------------------------
IP: Within the /XX subnet range as set on eth1
Subnet: 255.255.255.xxx (adjust to your subnet size)
Gateway: the ip set for eth1
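Added example, not the author's configuration or Vyatta's code: the forwarding and proxy-ARP decisions the setup above produces, modelled in Python on a constructed topology (eth0 on 1.1.1.0/24, eth1 on 1.1.1.128/27, upstream gateway 1.1.1.1; all placeholder addresses). It shows why the deliberately overlapping WAN and LAN networks work (longest prefix wins) and which ARP requests the WAN interface answers for.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed topology mirroring the accepted solution. The WAN NIC keeps an
# address in the original /24 and the LAN NIC carries one carved-out /27, so
# the two connected networks overlap on purpose. Addresses are placeholders.
INTERFACES = {
    "eth0": IPv4Network("1.1.1.0/24"),    # set interfaces ethernet eth0 address (WAN IP)/24
    "eth1": IPv4Network("1.1.1.128/27"),  # set interfaces ethernet eth1 address (LAN IP)/27
}
PROXY_ARP = {"eth0"}                      # set interfaces ethernet eth0 ip enable-proxy-arp
DEFAULT_GATEWAY = ("eth0", "1.1.1.1")     # set system gateway-address (WAN gateway)


def route(dst):
    """Longest-prefix match over the connected networks, else the default route.

    Returns (interface, next_hop); next_hop is None when the destination is
    delivered directly on that interface. 1.1.1.130 matches both 1.1.1.0/24
    and 1.1.1.128/27, and the longer /27 wins, which is what makes the
    overlapping WAN/LAN addressing work at all.
    """
    dst = IPv4Address(dst)
    best = None
    for ifname, net in INTERFACES.items():
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net)
    return (best[0], None) if best else DEFAULT_GATEWAY


def answers_arp(in_iface, target):
    """Proxy-ARP decision as the linked Linux HOWTO describes it.

    The router replies with its own MAC for `target` only when proxy-ARP is
    enabled on the interface the request arrived on and the packet would be
    forwarded out a *different* interface. Hosts on the same segment as the
    requester are never proxied, so the router does not answer for WAN peers.
    """
    if in_iface not in PROXY_ARP:
        return False
    out_iface, _ = route(str(target))
    return out_iface != in_iface


if __name__ == "__main__":
    # Upstream router on eth0 asks "who has 1.1.1.130?" (a host behind eth1).
    print("proxy reply for 1.1.1.130 on eth0:", answers_arp("eth0", "1.1.1.130"))
    # Same request for a host that lives on the WAN segment itself.
    print("proxy reply for 1.1.1.50 on eth0:", answers_arp("eth0", "1.1.1.50"))
    print("forwarding 1.1.1.130 via", route("1.1.1.130"))
    print("forwarding 8.8.8.8 via", route("8.8.8.8"))
```

Note that this forwarding logic alone also routes between two customer subnets on different LAN NICs; the segmentation the question asks for still needs a firewall policy between those interfaces, as Fred Marshall suggests above.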