Need assistance subnetting a Class C with open source layer 3 router - Vyatta

Posted on 2013-01-23
Medium Priority
Last Modified: 2016-03-11

We have a Class C of IPv4 public internet addresses and need to subnet them (much like a datacenter does) for various customer servers. The goal is to offer address space and keep everyone segmented for security/reliability reasons (i.e. we don't want a customer to impersonate another IP and bring down another server outside of their subnet). Pretty common thing to do... or so I thought.

I have been on the search for a Layer 3 software appliance (this is all done on ESX) and have found Vyatta. The good news is that it accepts many of the same commands as a Cisco Router so any Cisco admins are welcome to jump in here.

I am not new to networking, but this is my first time with something as involved as Vyatta (I have been an Untangle user for years). I have been googling for the past 4 days and there is surprisingly little info on how to subnet a class C.  So I need help, mostly with the logic of the routing, but specific commands are very welcome as well.

For the purposes of this question I have provided a network diagram of what I want to accomplish, but with only two subnets. If you could help me achieve this I can take it from there.

Subnetting Concept
With great thanks!

Question by:Richard Amiss
LVL 44

Expert Comment

ID: 38812600
In the one on the right, you started too low.
The gateway (L3 switch port) can't be, because that's the network ID.
So change the switch port's IP to /25, the IP of the computer in the drawing to /25, and its gateway to

If you're asking how to route the traffic in the Vyatta, the routing table needs to look something like

Destination      Netmask           Gateway


LVL 26

Expert Comment

by:Fred Marshall
ID: 38812617
Well, the diagram has IP addresses confused a bit.
As I see it the subnets are: with broadcast at
and with broadcast at

I know nothing about the Vyatta but wouldn't it need a couple of IP addresses?
Normally one on the upstream side or WAN and one on the downstream side or LAN.
(It would not have to have addresses on all the subnets.).

Anyway, since you are in private address space why not use NAT?  
Or, what you've shown AT LEAST suggests VLANs.

A VLAN is an electronic version of "separate copper".  That's really what the "LAN" in "VLAN" refers to.

If you NAT then you might have a separate, inexpensive, router for each subnet / LAN.  They can be any size you want really (in powers of 2).  You do understand subnetting, right?  So you could have:

64 in
64 in
128 in
(less the network and broadcast addresses in the number of addresses above).
and I wouldn't use "Class" anything any more.... just subnet mask bit count or 32 minus that number as above (CIDR).

Maybe Vyatta can do that on a PC with a bunch of NICs.  I don't know.  But, your questions seem basic enough that perhaps having an architecture first would clear the way.  I'm most unclear on the architecture you're proposing except there's a Vyatta box in the middle.

Will you NAT?
Why combine private ranges if you do?
That's the sort of thing I mean by architecture.

Author Comment

by:Richard Amiss
ID: 38812805

Yeah, I realized after I posted that I messed up the diagram (I rushed it just as an example).  I do understand subnets and how to break them up.

I am ultimately looking to do VLSM like so:
Address    Mask    Assignable Range    Broadcast
           /25
           /27
           /27
           /28
           /29
           /29
           /29
           /29
           /29
           /29

Vyatta functions with commands similar to any cisco router device, except that it is software. I am running it as a VM, so yes, I can have as many NICs as necessary to make this work.

I am ok doing NAT, as long as I am not NAT'ing to a new private subnet. I literally need to divide the original subnet.

Some questions that might help you help me:
1) How should I address the WAN NIC?  As a single IP or address the entire Class C?
2) In my head it then makes sense to address each LAN NIC as a broadcast for each subnet and then route between the WAN and each LAN.

I have tried 1 and 2 above and nothing gets through.

I know how to route public to private space, but public to public has me stumped because I don't understand the logic of the route.
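The VLSM plan in the comment above (a /24 cut into /25, /27, /27, /28 and six /29 blocks) is the kind of table a planner gets wrong by hand, usually by misaligning a block. The script below is an added example, not code from the thread or from Vyatta; it uses a constructed documentation /24 (192.0.2.0/24, RFC 5737) in place of the poster's real range and computes the address, mask, assignable range and broadcast for each block, refusing a plan that is misaligned, overflows the parent, or leaves addresses unallocated.

```python
import ipaddress

# Constructed parent block (RFC 5737 documentation range); the thread's real
# /24 was not preserved, so substitute your own.
PARENT = ipaddress.ip_network("192.0.2.0/24")
# Prefix lengths exactly as listed in the post: 128 + 32 + 32 + 16 + 6*8 = 256.
PLAN = [25, 27, 27, 28, 29, 29, 29, 29, 29, 29]


def vlsm_plan(parent, prefixes):
    """Carve `parent` into consecutive subnets with the given prefix lengths.

    Allocation is strictly in list order: each block is placed at the next free
    address and must be naturally aligned there (a /25 cannot start at .32).
    Returns one dict per subnet with the four columns of the poster's table plus
    the usable host count; raises ValueError when the plan is misaligned,
    overflows the parent, or leaves addresses unused.
    """
    rows = []
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    for plen in prefixes:
        size = 1 << (32 - plen)
        if cursor % size:
            raise ValueError(
                f"/{plen} cannot start at {ipaddress.ip_address(cursor)}: not aligned")
        if cursor + size > end:
            raise ValueError(f"/{plen} overflows {parent}")
        net = ipaddress.ip_network((cursor, plen))
        hosts = list(net.hosts())   # for /25../29 this excludes network and broadcast
        rows.append({
            "network": str(net.network_address),
            "prefix": plen,
            "mask": str(net.netmask),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
            "usable": len(hosts),
        })
        cursor += size
    if cursor != end:
        raise ValueError(f"{end - cursor} addresses of {parent} left unallocated")
    return rows


def subnet_for(rows, address):
    """Return the plan row whose subnet contains `address`, or None."""
    addr = ipaddress.ip_address(address)
    for row in rows:
        if addr in ipaddress.ip_network(f"{row['network']}/{row['prefix']}"):
            return row
    return None


def print_plan(rows):
    """Print the plan in the same column order as the poster's table."""
    print(f"{'Address':<18}{'Mask':<18}{'Assignable Range':<32}{'Broadcast':<16}Usable")
    for r in rows:
        print(f"{r['network'] + '/' + str(r['prefix']):<18}{r['mask']:<18}"
              f"{r['first_host'] + ' - ' + r['last_host']:<32}{r['broadcast']:<16}{r['usable']}")


if __name__ == "__main__":
    print_plan(vlsm_plan(PARENT, PLAN))
```

Listing the blocks largest-first, as the post does, is what keeps every block aligned; the same ten prefixes in a different order can fail the alignment check even though they still add up to 256 addresses.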


LVL 44

Expert Comment

ID: 38812897
No matter what size you break them up into, the concept remains the same.
Use one of the addresses as Gateway, and tell your router to send everything with a destination in [network ID] [/netmask] through that gateway.

That's why when you get a /29 set from an ISP, you only get 5 IPs... they 'keep' one to use as the Gateway on their L3 switch that connects your subnet to the internet, so they have a way to route your subnet's traffic to you.
LVL 26

Expert Comment

by:Fred Marshall
ID: 38815270
I'm curious why you need to keep the private addresses that way but... OK, I can go with it even if it is a bit odd. You might think about that because it's odd and I'm/we're likely winging it a bit:

First things first:  The "primary router" connecting to the service has to have:
- a gateway address (which you have not mentioned or shown)
- an IP address for the "WAN" NIC.
I am going to assume that the gateway is
I am going to assume that the "WAN" NIC is
Now, I wonder if this would work:
Set the "WAN" NIC to
(The hope is that broadcast packets from to won't be missed or important .. but I don't know for sure).
Note that all of the rest of the /24 subnet is "wasted" in a sense.  But, in this case it doesn't matter.
Now you NAT into the subnets you want on the downstream side and use whatever private ranges you want.  They could all be the same!  They could all be size 512!  That's why I ask why you want to use the address ranges as specified.

Perhaps there's another way but it would be conjecture unless we knew what the objectives are here........

For example, you could assign IP addresses in each subnet as desired.
You could interface each subnet with a router (no NAT).  Assuming the routers have some routing/firewall capability perhaps you could block the other subnets.
LVL 26

Expert Comment

by:Fred Marshall
ID: 38815277
By "objectives" I mean things like:

We want to be able to reach xxx.xxx.xxx.xxx from yyy.yyy.yyy.yyyy.
We want to block access from zzz.zzz.zzz.zzz at www.www.www.www

Accepted Solution

Richard Amiss earned 0 total points
ID: 38823657

I have found a solution and want to update this question for anyone else needing to do subnetting.

In both Linux and Vyatta the solution is as simple as configuring a NIC with an IP in the original Subnet (set as WAN) and a NIC with an IP on the inside of the new subnet (set as LAN). The magic works when you simply enable Proxy-ARP on the WAN interface.

There is a great (albeit old) article on how Proxy-ARP in linux works here. It explains how each packet routes back and forth:

The setup commands in Vyatta are surprisingly simple:

eth0 (WAN)
set interfaces ethernet eth0 address (WAN IP)/24
set interfaces ethernet eth0 ip enable-proxy-arp

eth1 (LAN)
set interfaces ethernet eth1 address (LAN IP)/XX

set system gateway-address (WAN gateway)
set system name-server
commit
save

That's it! Then just set up the client as expected:

Example client device behind eth1
IP: Within the /XX subnet range as set on eth1
Subnet: 255.255.255.xxx (adjust to your subnet size)
Gateway: the ip set for eth1
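To make the "magic" of proxy ARP concrete, here is an added example (not code from the thread, from Vyatta or from Linux) that models the accepted solution's box in Python: eth0 keeps an address in the original /24 with proxy ARP on, eth1 holds an address inside a carved-out /27, and a longest-prefix routing table decides both whether the router answers an ARP request heard on the WAN side and where a packet is forwarded. The addresses are constructed RFC 5737 documentation addresses, not the poster's. The reverse-path check in `forward` is an assumption added for the segmentation goal in the question (a customer should not be able to source another subnet's addresses); the thread itself does not describe it.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology on RFC 5737 documentation addresses; the thread's real
# addresses were not preserved. eth0 keeps an address in the original /24 and
# eth1 sits inside the carved-out /27, the layout the accepted solution describes.
WAN_GATEWAY = ipaddress.ip_address("192.0.2.1")      # upstream router on the /24
ETH0 = ipaddress.ip_interface("192.0.2.2/24")        # Vyatta WAN NIC
ETH1 = ipaddress.ip_interface("192.0.2.129/27")      # Vyatta LAN NIC = customer gateway
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Router:
    ifaces: dict                                   # name -> ip_interface
    gateway: ipaddress.IPv4Address                 # "set system gateway-address"
    proxy_arp: set = field(default_factory=set)    # names with "ip enable-proxy-arp"

    def routes(self):
        """Connected route per interface plus the default route via the WAN gateway."""
        table = [(ifc.network, name, None) for name, ifc in self.ifaces.items()]
        wan = next(name for name, ifc in self.ifaces.items() if self.gateway in ifc.network)
        table.append((DEFAULT, wan, self.gateway))
        return table

    def lookup(self, dst):
        """Longest-prefix match -> (out_iface, next_hop) or None. The /27 on eth1
        wins over the /24 on eth0 for customer addresses; that is what makes the
        overlapping WAN/LAN subnets work."""
        best = None
        for net, name, via in self.routes():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name, via)
        return (best[1], best[2]) if best else None

    def answers_arp(self, iface_in, target):
        """Reply to an ARP request for `target` heard on `iface_in`? Mirrors the
        Linux proxy_arp rule: answer for any target routed out a *different* port,
        never for a host that lives on the same segment the request came from."""
        if target == self.ifaces[iface_in].ip:
            return True
        if iface_in not in self.proxy_arp:
            return False
        hop = self.lookup(target)
        return hop is not None and hop[0] != iface_in

    def forward(self, iface_in, src, dst):
        """Forwarding decision for a packet received on `iface_in`. The reverse-path
        check is added hardening (assumption, not from the thread): a source the
        router would reach via a different interface is spoofed and is dropped."""
        rp = self.lookup(src)
        if rp is None or rp[0] != iface_in:
            return {"action": "drop", "reason": f"source {src} not reachable via {iface_in}"}
        hop = self.lookup(dst)
        if hop is None:
            return {"action": "drop", "reason": f"no route to {dst}"}
        out, via = hop
        return {"action": "forward", "out": out, "next_hop": via if via else dst}


def build_router(proxy_arp_on_wan=True):
    """The accepted solution's box: proxy ARP on eth0 (WAN), plain routing on eth1."""
    return Router(ifaces={"eth0": ETH0, "eth1": ETH1}, gateway=WAN_GATEWAY,
                  proxy_arp={"eth0"} if proxy_arp_on_wan else set())


if __name__ == "__main__":
    customer = ipaddress.ip_address("192.0.2.130")
    for flag in (False, True):
        r = build_router(flag)
        print(f"proxy ARP on eth0={flag}: upstream ARP for {customer} answered:",
              r.answers_arp("eth0", customer))
    r = build_router()
    print(r.forward("eth0", WAN_GATEWAY, customer))                          # WAN -> customer
    print(r.forward("eth1", customer, ipaddress.ip_address("198.51.100.9")))  # customer -> internet
    print(r.forward("eth1", ipaddress.ip_address("192.0.2.50"), customer))    # spoofed source, dropped
```

Running it shows why "nothing gets through" without proxy ARP: the upstream router still believes the whole /24 is on its own segment and ARPs for the customer address, and only a proxy-ARP reply from eth0 gets those frames to the Vyatta box, which then routes them out eth1 by longest prefix. The reverse path works without any ARP trick because the customer's gateway is eth1's own address.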
