Simple Routing Problem?

Thorgear

Regular Contributor
I'm having trouble setting up this configuration:
Code:
              10.0.1.1                10.0.1.230  10.0.2.1
        +---------+       +--------+       +--------+
   ISP--| Gateway |-------| Switch |-------| Router |------LAN & WLAN
        +---------+       +--------+       +--------+      10.0.2.0/24
                              |                 \
                              |                  \10.0.2.99
                          Port Mirror         +--------+
                                              | Client |
                                              +--------+
Gateway (N66 Merlin)
WAN:    ISP assigned
LAN:    10.0.1.1
DHCP:   10.0.1.2-80
NAT/FW: Enabled
Route:  10.0.2.0/24 -> 10.0.1.230 (LAN)

Router (AC68 Merlin)
WAN:    10.0.1.230/24 (GW: 10.0.1.1)
LAN:    10.0.2.1/24
DHCP:   Disabled                          
NAT/FW: Disabled
Route:  10.0.1.0/24 -> 10.0.1.1 (WAN)

Client
IP:     10.0.2.99/24
GW:     10.0.1.1

The gateway can ping the client (10.0.2.99). The router can ping through to the Internet. However, the client can't ping the WAN side of the router (10.0.1.230) or further.

Can someone point me in the right direction?
 
Do a trace to see where the packet goes. Normally, if you are only doing layer 3 routing and not double NAT, then the router would be able to reply from the WAN side, so make sure there is a route between both networks on the router.

Your routes are wrong actually. I assume gateway does NAT.
Gateway needs no static route.
Router needs 2 static routes. (these are usually added dynamically).
Dst: x.1.x pref src x.2.x gateway x.2.1
Dst: x.2.x pref src x.1.x gateway x.1.230

Source is optional, but it's to prevent other networks from communicating. Since the client gets a x.2.x IP, that means your router is giving it, not the gateway, so your router needs an additional route, since the client sees the router as the network gateway.
0.0.0.0/0 gateway x.1.1

For the gateway you may need to have (which you already do):
Dst x.2.x gateway x.1.230

Client settings are wrong, the gateway is not on the same subnet.
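As an added example (not code from the thread or from either poster), here is a small Python model of the first topology that applies longest-prefix matching plus the rule that a next hop must sit on a directly connected subnet. It shows why a client gateway of 10.0.1.1 fails from 10.0.2.99, why 10.0.2.1 works, and why the router needs a default route toward 10.0.1.1 to reach anything past the gateway. The ISP-side 203.0.113.x addresses are assumed TEST-NET values, not from the thread.

```python
import ipaddress as ipa
# Constructed model of the thread's first topology; 203.0.113.x ISP addresses are assumed.
def make_node(name, ifaces, routes):
    ifs = [ipa.ip_interface(i) for i in ifaces]
    table = [(i.network, None) for i in ifs]             # connected subnets
    table += [(ipa.ip_network(d), ipa.ip_address(g)) for d, g in routes]
    return {"name": name, "ifaces": ifs, "routes": table}

def next_hop(node, dst):
    """Longest-prefix match; the chosen hop must sit on a connected subnet."""
    cands = [r for r in node["routes"] if dst in r[0]]
    if not cands:
        raise LookupError(f"{node['name']}: no route to {dst}")
    best = max(cands, key=lambda r: r[0].prefixlen)[1]
    nh = dst if best is None else best
    if not any(nh in i.network for i in node["ifaces"]):
        raise LookupError(f"{node['name']}: next hop {nh} is off-subnet")
    return nh

def owner(nodes, addr):
    return next((n for n in nodes if any(i.ip == addr for i in n["ifaces"])), None)

def trace(nodes, src, dst, max_hops=8):
    """Forward hop by hop; returns the node names visited, or raises LookupError."""
    dst, node, path = ipa.ip_address(dst), owner(nodes, ipa.ip_address(src)), []
    for _ in range(max_hops):
        path.append(node["name"])
        if any(i.ip == dst for i in node["ifaces"]):
            return path
        node = owner(nodes, next_hop(node, dst))
        if node is None:
            raise LookupError(f"{dst}: next hop belongs to no node after {path}")
    raise LookupError("hop limit exceeded (routing loop?)")

def ping_ok(nodes, a, b):
    """A ping only succeeds when the reply can also be routed back."""
    try:
        trace(nodes, a, b)
        trace(nodes, b, a)
        return True
    except LookupError:
        return False

def topology(client_gw="10.0.2.1", router_default=True):
    rtr = [("0.0.0.0/0", "10.0.1.1")] if router_default else []
    return [make_node("ISP", ["203.0.113.1/24"], []),
            make_node("Gateway", ["203.0.113.2/24", "10.0.1.1/24"],
                      [("0.0.0.0/0", "203.0.113.1"), ("10.0.2.0/24", "10.0.1.230")]),
            make_node("Router", ["10.0.1.230/24", "10.0.2.1/24"], rtr),
            make_node("Client", ["10.0.2.99/24"], [("0.0.0.0/0", client_gw)])]
```

Calling `ping_ok(topology(client_gw="10.0.1.1"), "10.0.2.99", "10.0.1.230")` reproduces the original failure, and `topology(router_default=False)` shows the router dropping traffic bound past the gateway for lack of a default route.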
 
I just got it working by changing the client GW to 10.0.2.1. I'm confused about why that's the case. Shouldn't the client GW be 10.0.1.1?

We crossed posts. Let me try your method.
 
Both methods work. Thank you so much for your help!

What I'm trying to accomplish is to get true port-mirroring, instead of using 'iptables --tee' and losing MAC information. Would you say this is a way to do it or the correct way to do it?
 
I'm using WFilter, which seems to give me what I need. Wireshark's learning curve is too steep; I need to do more reading before I understand layer 2 or layer 3 monitoring. I know I need MAC, IP, and data. I'll keep reading. Thanks again.
 
Are you going with a routable 10.x.x.x subnet addressing scheme over the non routable 192.168 addressing scheme for a specific reason? As far as crossing subnets you have to make sure that there are routing table entries on both sides of the network.
 
Are you going with a routable 10.x.x.x subnet addressing scheme over the non routable 192.168 addressing scheme for a specific reason? As far as crossing subnets you have to make sure that there are routing table entries on both sides of the network.

10 dot is private (in networking CIDR parlance, it's actually 10.0.0.0/8), so it's the same as the 192.168.0.0/16 block

There's also the 172.16.0.0/12 block - and there's a couple of link-local blocks that are kinda handy as well...

On the WAN side - the 100.64.0.0/10 block is Carrier Grade NAT - so if you're assigned an address there - well, you know you've been NAT'ed in IPv4 land...
 
Are you going with a routable 10.x.x.x subnet addressing scheme over the non routable 192.168 addressing scheme for a specific reason? As far as crossing subnets you have to make sure that there are routing table entries on both sides of the network.

Not really. I've been using 10.x.x.x for years, so I do it by convention. Aside from the subnet, I assumed they served the same purpose for the private LAN. I'm not sure what you mean when you say that 192.x.x.x is non-routable. Can you explain?

RE table entries on both sides, will do. Thanks.
 
10 dot is private (in networking CIDR parlance, it's actually 10.0.0.0/8), so it's the same as the 192.168.0.0/16 block

There's also the 172.16.0.0/12 block - and there's a couple of link-local blocks that are kinda handy as well...

On the WAN side - the 100.64.0.0/10 block is Carrier Grade NAT - so if you're assigned an address there - well, you know you've been NAT'ed in IPv4 land...

Got it. Thanks. :)
 
Actually, it doesn't matter what IP you use; you can route any of it however you like. You can have your LAN use 0.0.0.0/0, but then you won't be able to connect to the internet.

Classes of IP like class C, B and so on are just there to reference, so that the internet doesn't use them and you can use them on LAN and still use the internet.
 
I'm stuck again. This is driving me crazy. I know I'm missing something obvious.

Code:
              10.0.3.1     10.0.3.3    10.0.3.2   10.0.1.1
        +---------+       +--------+       +--------+
   ISP--| Gateway |-------| Switch |-------| Router |------LAN & WLAN
        +---------+       +--------+       +--------+      10.0.1.0/24
                              |                 \
                              |                  \10.0.1.4
                          Port Mirror         +--------+
                                              | Client |
                                              +--------+
Gateway (N66 TomatoUSB)
Mode:      Gateway
WAN:       ISP assigned
LAN:       10.0.3.1   
DHCP:      Disabled
NAT/FW:    Enabled
WLAN:      Disabled
Route:     10.0.1.0/24 -> 10.0.3.2 (LAN)

Router (N66 Merlin)
WAN:       10.0.3.2/24 (GW: 10.0.3.1, DNS: 10.0.3.1)
LAN:       10.0.1.1/24
DHCP:      10.0.1.2-99 (GW: 10.0.1.1, DNS: 10.0.3.1)
NAT/FW:    Disabled
Route:     10.0.3.0/24 -> 10.0.3.1 (WAN)             * this shouldn't be necessary

The router can ping the LAN side of the gateway (10.0.3.1) but not beyond. Would you mind taking a look?
 
I spoke too soon. I changed the gateway LAN address to 10.0.3.1/22, and it worked. I don't think it should have, but I'm not complaining. I still can't get ip-to-hostname resolution on the gateway for 10.0.1.x, but I'll figure it out. :)
 
I spoke too soon. I changed the gateway LAN address to 10.0.3.1/22, and it worked. I don't think it should have, but I'm not complaining. I still can't get ip-to-hostname resolution on the gateway for 10.0.1.x, but I'll figure it out. :)

This might help...

[Image: CIDR_ipv4_blocks.png]
 
I'm having trouble setting up this configuration:

Do you mind if I ask about the use case scenario here?

I see the port mirror - and that's not typical in many home networks - in my experience, this is used many times for Remote User Monitor, IDS, or Cisco SPAN - in any event, port mirrors copy packets to another host for later analysis/archival purposes..

Then you have a router on the backend - breaking out into two subnets - if it's all the same network, might be better to break things out on a managed switch, maybe even the same one that is the mirror, to the untrusted/monitored client (10.0.1.4?), as well as the trusted LAN/WLAN clients, taking that router out and simplifying the network.

Have you considered sflow and prtg? Less intrusive, and one can still monitor host/client interaction if that is what is desired...
 
There was a child pornography incident on one of the owner's other properties, so he asked me to start blocking pretty much everything. My feeling is that people should be allowed to do as much as possible, until they do something wrong. He agreed to minimal blocking, with maximum monitoring. Yes, monitoring users is an ethical grey-area, but I feel it's better than the alternative.

I have a laundry list of requirements: monitor and log "everything"; handle more devices, media server, downloaders, and streamers; better QOS; get away from in-band port sniffing; prepare for adding another building on the same property.

Oh wow... this is so full of problems... the tap puts you at significant risk - in US/California, by having that tap, you are obligated to report -- without it, you're not at risk... check with your attorney to be sure...

Other jurisdictions - it's up to their rules/laws...
 
