Solved

Need assistance subnetting a Class C with open source layer 3 router - Vyatta

Posted on 2013-01-23
Last Modified: 2016-03-11
Hello,

We have a Class C of IPv4 public internet addresses and need to subnet them (much like a datacenter does) for various customer servers. The goal is to offer address space and keep everyone segmented for security/reliability reasons (i.e. we don't want a customer to impersonate another IP and bring down another server outside of their subnet). Pretty common thing to do... or so I thought.

I have been on the search for a Layer 3 software appliance (this is all done on ESX) and have found Vyatta. The good news is that it accepts many of the same commands as a Cisco Router so any Cisco admins are welcome to jump in here.

I am not new to networking, but this is my first time with something as involved as Vyatta (I have been an Untangle user for years). I have been googling for the past 4 days and there is surprisingly little info on how to subnet a class C.  So I need help, mostly with the logic of the routing, but specific commands are very welcome as well.

For the purposes of this question I have provided a network diagram of what I want to accomplish, but with only two subnets. If you could help me achieve this I can take it from there.

Subnetting Concept
With great thanks!

Richard
Question by:ramiss
 
Expert Comment by:Darr247 (ID: 38812600)
In the one on the right, you started too low.
The gateway (L3 switch port) can't be 1.1.1.128, because that's the network ID.
So change the switch port's IP to 1.1.1.129 /25, the IP of the computer in the drawing to 1.1.1.130 /25, and its gateway to 1.1.1.129.

If you're asking how to route the traffic in the Vyatta, the routing table needs to look something like

Destination      Netmask           Gateway
1.1.1.0         255.255.255.128    1.1.1.1
1.1.1.128       255.255.255.128    1.1.1.129

 
Expert Comment by:Fred Marshall (ID: 38812617)
Well, the diagram has IP addresses confused a bit.
As I see it the subnets are:
1.1.1.0/25 with broadcast at 1.1.1.127
and
1.1.1.128/25 with broadcast at 1.1.1.255

I know nothing about the Vyatta but wouldn't it need a couple of IP addresses?
Normally one on the upstream side or WAN and one on the downstream side or LAN.
(It would not have to have addresses on all the subnets.).

Anyway, since you are in private address space why not use NAT?  
Or, what you've shown AT LEAST suggests VLANs.

A VLAN is an electronic version of "separate copper".  That's really what the "LAN" in "VLAN" refers to.

If you NAT then you might have a separate, inexpensive, router for each subnet / LAN.  They can be any size you want really (in powers of 2).  You do understand subnetting, right?  So you could have:

64 in 1.1.1.0/26
64 in 1.1.1.64/26
128 in 1.1.1.128/25
(less the network and broadcast addresses in the number of addresses above).
and I wouldn't use "Class" anything any more.... just subnet mask bit count or 32 minus that number as above (CIDR).

Maybe Vyatta can do that on a PC with a bunch of NICs.  I don't know.  But, your questions seem basic enough that perhaps having an architecture first would clear the way.  I'm most unclear on the architecture you're proposing except there's a Vyatta box in the middle.

Will you NAT?
Why combine private ranges if you do?
That's the sort of thing I mean by architecture.
etc.
etc.
 
Author Comment by:ramiss (ID: 38812805)
Hi,

Yeah, I realized after I posted that I messed up the diagram (I rushed it just as an example).  I do understand subnets and how to break them up.

I am ultimately looking to do VLSM like so:
Address      Mask   Assignable Range         Broadcast
1.1.1.0      /25    1.1.1.1 - 1.1.1.126      1.1.1.127
1.1.1.128    /27    1.1.1.129 - 1.1.1.158    1.1.1.159
1.1.1.160    /27    1.1.1.161 - 1.1.1.190    1.1.1.191
1.1.1.192    /28    1.1.1.193 - 1.1.1.206    1.1.1.207
1.1.1.208    /29    1.1.1.209 - 1.1.1.214    1.1.1.215
1.1.1.216    /29    1.1.1.217 - 1.1.1.222    1.1.1.223
1.1.1.224    /29    1.1.1.225 - 1.1.1.230    1.1.1.231
1.1.1.232    /29    1.1.1.233 - 1.1.1.238    1.1.1.239
1.1.1.240    /29    1.1.1.241 - 1.1.1.246    1.1.1.247
1.1.1.248    /29    1.1.1.249 - 1.1.1.254    1.1.1.255


Vyatta functions with commands similar to any cisco router device, except that it is software. I am running it as a VM, so yes, I can have as many NICs as necessary to make this work.

I am ok doing NAT, as long as I am not NAT'ing to a new private subnet. I literally need to divide the original subnet.

Some questions that might help you help me:
1) How should I address the WAN NIC?  As a single IP or address the entire Class C?
2) In my head it then makes sense to address each LAN NIC as a broadcast for each subnet and then route between the WAN and each LAN.

I have tried 1 and 2 above and nothing gets through.

I know how to route public to private space, but public to public has me stumped because I don't understand the logic of the route.

Richard
 
Expert Comment by:Darr247 (ID: 38812897)
No matter what size you break them up into, the concept remains the same.
Use one of the addresses as Gateway, and tell your router to send everything with a destination in [network ID] [/netmask] through that gateway.

That's why when you get a /29 set from an ISP, you only get 5 IPs... they 'keep' one to use as the Gateway on their L3 switch that connects your subnet to the internet, so they have a way to route your subnet's traffic to you.
 
Expert Comment by:Fred Marshall (ID: 38815270)
I'm curious why you need to keep the private addresses that way but ,.. OK, I can go with it even if it is a bit odd.  You might think about that because it's odd and I'm/we're likely winging it a bit:

First things first:  The "primary router" connecting to the service has to have:
- a gateway address (which you have not mentioned or shown)
- an IP address for the "WAN" NIC.
I am going to assume that the gateway is 1.1.1.1
I am going to assume that the "WAN" NIC is 1.1.1.2
Now, I wonder if this would work:
Set the "WAN" NIC to 1.1.1.2/30.
(The hope is that broadcast packets from 1.1.1.2 to 1.1.1.3 won't be missed or important .. but I don't know for sure).
Note that all of the rest of the /24 subnet is "wasted" in a sense.  But, in this case it doesn't matter.
Now you NAT into the subnets you want on the downstream side and use whatever private ranges you want.  They could all be the same!  They could all be size 512!  That's why I ask why you want to use the address ranges as specified.

Perhaps there's another way but it would be conjecture unless we knew what the objectives are here........

For example, you could assign IP addresses in each subnet as desired.
You could interface each subnet with a router (no NAT).  Assuming the routers have some routing/firewall capability perhaps you could block the other subnets.
 
Expert Comment by:Fred Marshall (ID: 38815277)
By "objectives" I mean things like:

We want to be able to reach xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyyy.
We want to block access from zzz.zzz.zzz.zzz at www.www.www.www
etc.
 
Accepted Solution by:ramiss (ID: 38823657)
Hello,

I have found a solution and want to update this question for anyone else needing to do subnetting.

In both Linux and Vyatta the solution is as simple as configuring a NIC with an IP in the original Subnet (set as WAN) and a NIC with an IP on the inside of the new subnet (set as LAN). The magic works when you simply enable Proxy-ARP on the WAN interface.

There is a great (albeit old) article on how Proxy-ARP in Linux works here. It explains how each packet routes back and forth:
http://www.faqs.org/docs/Linux-mini/Proxy-ARP-Subnet.html#HOW

The setup commands in Vyatta are surprisingly simple:

eth0 (WAN)
set interfaces ethernet eth0 address (WAN IP)/24
set interfaces ethernet eth0 ip enable-proxy-arp

eth1 (LAN SUBNET)
set interfaces ethernet eth1 address (LAN IP)/XX

set system gateway-address (WAN gateway)
set system name-server 8.8.8.8

commit
save

That's it! Then just set up the client as expected:

Example client device behind eth1
-------------------------
IP: Within the /XX subnet range as set on eth1
Subnet: 255.255.255.xxx (adjust to your subnet size)
Gateway: the ip set for eth1
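Added example (not code from this thread, from Vyatta, or from the linked HOWTO): it carves 1.1.1.0/24 into the VLSM plan the author listed, checks the plan tiles the /24 exactly, applies Darr247's rule that a gateway must be an assignable host (not the network ID or broadcast), and then models the routing and proxy-ARP decisions the accepted solution relies on. The 1.1.1.x numbers are the thread's placeholders; the router's own addresses (1.1.1.2/24 on eth0 with proxy ARP, 1.1.1.129/27 on eth1), the upstream gateway 1.1.1.1, and every function and class name are assumptions made for this example.

```python
"""Added example: VLSM carving of 1.1.1.0/24 plus a model of the Vyatta box's
routing and proxy-ARP behaviour.  Addresses on eth0/eth1 and the upstream
gateway are assumed for the example, not taken from the thread."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

PARENT = IPv4Network("1.1.1.0/24")
# Prefix lengths in the order the author listed them: largest block first.
PLAN = [25, 27, 27, 28, 29, 29, 29, 29, 29, 29]


def carve(parent, prefixes):
    """Allocate consecutive subnets of the given sizes from parent.
    Raises ValueError if a block is misaligned, overflows, or leaves a gap."""
    subnets, cursor = [], int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    for plen in prefixes:
        net = IPv4Network((cursor, plen))  # strict: a misaligned block raises
        if int(net.broadcast_address) >= end:
            raise ValueError(f"{net} does not fit inside {parent}")
        subnets.append(net)
        cursor = int(net.broadcast_address) + 1
    if cursor != end:
        raise ValueError(f"plan leaves {end - cursor} addresses of {parent} unused")
    return subnets


def plan_fits(parent, prefixes):
    """True when the prefix lengths tile parent exactly, in the given order."""
    try:
        carve(parent, prefixes)
        return True
    except ValueError:
        return False


def describe(net):
    """Columns of the author's table: network, prefix, first/last host, broadcast."""
    hosts = list(net.hosts())  # excludes the network ID and broadcast address
    return (str(net.network_address), net.prefixlen,
            str(hosts[0]), str(hosts[-1]), str(net.broadcast_address))


def valid_gateway(net, gw):
    """A gateway must be an assignable host: inside net and neither its network
    ID nor its broadcast address (why 1.1.1.128 cannot be the /25's gateway)."""
    gw = IPv4Address(gw)
    return gw in net and gw not in (net.network_address, net.broadcast_address)


class Router:
    """Connected routes, a default route, longest-prefix lookup, proxy-ARP rule."""

    def __init__(self):
        self.interfaces = {}    # name -> IPv4Interface (address + connected net)
        self.routes = []        # (IPv4Network, out_interface, next_hop or None)
        self.proxy_arp = set()  # interfaces configured with 'ip enable-proxy-arp'

    def add_interface(self, name, cidr, proxy_arp=False):
        iface = IPv4Interface(cidr)
        if not valid_gateway(iface.network, iface.ip):
            raise ValueError(f"{iface.ip} is not an assignable host in {iface.network}")
        self.interfaces[name] = iface
        self.routes.append((iface.network, name, None))  # connected route
        if proxy_arp:
            self.proxy_arp.add(name)

    def add_route(self, cidr, next_hop):
        out = self.lookup(next_hop)  # next hop must be on a connected subnet
        if out is None:
            raise ValueError(f"next hop {next_hop} is not on a connected subnet")
        self.routes.append((IPv4Network(cidr), out[0], str(IPv4Address(next_hop))))

    def lookup(self, dst):
        """Longest-prefix match; returns (out_interface, next_hop) or None."""
        dst, best = IPv4Address(dst), None
        for net, name, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name, nh)
        return None if best is None else (best[1], best[2])

    def answers_arp(self, in_interface, target):
        """Would the router reply to 'who-has target' heard on in_interface?
        Linux (with ip_forward on) replies for its own addresses, or, when proxy
        ARP is enabled on the receiving interface, when the route to target
        leaves through a different interface than the request arrived on."""
        target = IPv4Address(target)
        if any(i.ip == target for i in self.interfaces.values()):
            return True
        if in_interface not in self.proxy_arp:
            return False
        route = self.lookup(target)
        return route is not None and route[0] != in_interface


def build_router():
    """The accepted solution's layout with the addresses assumed above."""
    r = Router()
    r.add_interface("eth0", "1.1.1.2/24", proxy_arp=True)  # WAN, enable-proxy-arp
    r.add_interface("eth1", "1.1.1.129/27")                # first customer LAN
    r.add_route("0.0.0.0/0", "1.1.1.1")                    # system gateway-address
    return r
```

Two things the model makes visible that the commands alone do not. First, the box only proxies for addresses whose route leaves via another interface: it answers the provider's ARP for 1.1.1.130 (behind eth1) but stays silent for 1.1.1.5, which still lives directly on the upstream /24. Second, proxy ARP is per interface: a customer host behind eth1 that was given a /24 mask would ARP for 1.1.1.1 on eth1 and get no reply, because only eth0 has it enabled, which is why the client's mask must match the /XX on eth1. Proxy ARP by itself does nothing for the original goal of stopping one customer from impersonating another's IP; what the per-customer interface gives you is a place to drop packets arriving on eth1 whose source is outside 1.1.1.128/27, and that filter still has to be configured.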
