Two VLANs, One Subnet

Hans Fugal hans at fugal.net
Fri Mar 9 00:13:34 MST 2007


On Thu,  8 Mar 2007 at 23:32 -0700, Michael Torrie wrote:
> On Thu, 2007-03-08 at 22:06 -0700, Hans Fugal wrote:
> > Absolutely not. NAT is out of the question. NAT always causes more
> > problems than it solves, even in enterprise. In enterprise, you have
> > full-time sysadmins to go around chasing NAT issues and keeping a
> > semblance of normalcy. I know, I used to be one. I will set my network
> > up and just let it run. I will not be a slave to NAT.
> 
> I disagree.  Static one-to-one NAT (think of it as a layer 3 bridge) is
> clean and effective.  You do just set it up once and let it run.  No
> one's a slave to anything.  Once you introduce dynamic NATing, then,
> yes, you will likely have problems.  I have never had to chase down NAT
> problems.  It just works.  What problems have you observed?

VoIP and BitTorrent come to mind. Broken but widespread protocols, like
SIP, that embed IP information inside the protocol.

> > > You can do this by either creating 4 virtual interfaces on the openwrt
> > > box, or using some kind of proxyarp solution.
> > 
> > Proxy ARP is the magic I needed. 
> > http://www.sjdjweis.com/linux/proxyarp/
> 
> I see from my 5 second skim that the setup described here seems to be
> similar to yours.
> 
> I'm not quite sure I understand your final setup, though.  Would you
> care to elaborate for us?

Sure. openwrt has two interfaces of interest. vlan1 is the port that
cisco is connected to, and has a public address (27.109). br0 is the
ports that everything else is connected to, and has a private address
(0.2). I did try it with br0 having the same address as vlan1, as
outlined in that article, and it worked fine also (same problem in
the end though).

Then I set up the routing as follows:

openwrt# ip route
216.31.27.105 dev vlan1  scope link 
216.31.27.104/29 dev br0  scope link 
172.17.0.0/24 dev br0  proto kernel  scope link  src 172.17.0.2 
default via 216.31.27.105 dev vlan1 

I turn on proxy arp in /proc/sys/net/ipv4/conf/{vlan1,br0}/proxy_arp,
and set /proc/sys/net/ipv4/conf/{all,default}/proxy_ignore to 0 (it's
apparently 1 by default on openwrt).

Finally I remove vlan1 from br0.

When I type "show arp" on the cisco, it gives me what I expect -
everyone has the same MAC address (the address of openwrt), until one of
those ping replies flies out with the real MAC address still embedded
and cisco updates the cache for that host.

-- 
Hans Fugal ; http://hans.fugal.net
 
There's nothing remarkable about it. All one has to do is hit the 
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
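The setup described in the message above (routes, proxy_arp on both interfaces, vlan1 pulled out of br0), as an added example that is not from Hans's post or from openwrt itself. It assumes brctl is the bridge tool on the box and that IPv4 forwarding must be on (the post does not mention it); the proxy_ignore knob from the post is left for the reader to add with set_proc, since its availability depends on the kernel build. With DRY_RUN=1 the script only prints the commands, so the plan can be reviewed before touching a live router.

```shell
#!/bin/sh
# Added example: script the proxy-ARP split of a public /29 across two
# interfaces. Addresses are the ones quoted in the post; override via env.
WAN_IF=${WAN_IF:-vlan1}                    # port facing the upstream router
LAN_IF=${LAN_IF:-br0}                      # bridge holding the inside ports
GATEWAY=${GATEWAY:-216.31.27.105}          # upstream router (the "cisco")
PUBLIC_NET=${PUBLIC_NET:-216.31.27.104/29} # public block shared across both sides

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Write a value to a /proc/sys path, or print the write when DRY_RUN=1.
set_proc() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo $2 > $1"
    else
        echo "$2" > "$1"
    fi
}

proxy_arp_setup() {
    # Upstream router is reachable only through the WAN port (host route).
    run ip route replace "$GATEWAY" dev "$WAN_IF" scope link
    # The public /29 lives on the LAN bridge, so inside hosts keep public IPs.
    run ip route replace "$PUBLIC_NET" dev "$LAN_IF" scope link
    # Everything else goes out via the upstream router.
    run ip route replace default via "$GATEWAY" dev "$WAN_IF"
    # Answer ARP on each side on behalf of hosts living on the other side.
    set_proc "/proc/sys/net/ipv4/conf/$WAN_IF/proxy_arp" 1
    set_proc "/proc/sys/net/ipv4/conf/$LAN_IF/proxy_arp" 1
    # Assumption (not in the post): forwarding must be on or proxied
    # traffic is dropped at the router.
    set_proc /proc/sys/net/ipv4/ip_forward 1
    # Take the WAN port out of the bridge so WAN<->LAN traffic is routed
    # through the box rather than switched around it.
    run brctl delif "$LAN_IF" "$WAN_IF"
}

case "${1:-}" in
    plan)  DRY_RUN=1 proxy_arp_setup ;;   # print the commands only
    apply) proxy_arp_setup ;;             # run them (needs root)
esac
```

Usage: `sh proxyarp.sh plan` to review, `sh proxyarp.sh apply` to configure; the settings are not persistent, so hook the script into the router's boot sequence.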