Two VLANs, One Subnet

Hans Fugal hans at fugal.net
Fri Mar 9 08:43:10 MST 2007


It came to me in the night. It can be solved with routing.

Part of Cisco's routing table:
[TARGET]         [MASK]           [GATEWAY]       [M][P] [TYPE]    [IF]   [AGE]
216.31.27.109    255.255.255.255  0.0.0.0          1     SHAR      VIP0     0  
216.31.27.104    255.255.255.248  216.31.27.109    1     SAR       VIP0     0  

Openwrt's routing:
216.31.27.105 dev vlan1  scope link 
216.31.27.104/29 dev br0  scope link 
172.17.0.0/24 dev br0  proto kernel  scope link  src 172.17.0.2 
default via 216.31.27.105 dev vlan1 

For the lan clients, you can either turn on proxy arp on openwrt for
vlan1, or you can add a static route for cisco via openwrt.

This works perfectly, even when the ARP cache gets a LAN host's MAC
address in it (which it still does). I can ping from outside, to
outside, and a traceroute from either direction shows us going through
openwrt. In addition, cisco doesn't get any entries other than openwrt
in its ARP cache, until the bizarre ICMP-induced entries occur.

There is one minor glitch that isn't going to bother me. I can't ping
the cisco from some hosts in the LAN. I'm not sure why, but the ping
replies are headed for the value in the ARP cache from cisco, regardless
of the routing settings. But as I don't need to connect directly to
cisco (I can get to it through minicom or openwrt as needed) and
everything else works, I'm not concerned.

On Fri,  9 Mar 2007 at 00:13 -0700, Hans Fugal wrote:
> On Thu,  8 Mar 2007 at 23:32 -0700, Michael Torrie wrote:
> > On Thu, 2007-03-08 at 22:06 -0700, Hans Fugal wrote:
> > > Absolutely not. NAT is out of the question. NAT always causes more
> > > problems than it solves, even in enterprise. In enterprise, you have
> > > full-time sysadmins to go around chasing NAT issues and keeping a
> > > semblance of normalcy. I know, I used to be one. I will set my network
> > > up and just let it run. I will not be a slave to NAT.
> > 
> > I disagree.  Static one-to-one NAT (think of it as a layer 3 bridge) is
> > clean and effective.  You do just set it up once and let it run.  No
> > one's a slave to anything.  Once you introduce dynamic NATing, then,
> > yes, you will likely have problems.  I have never had to chase down NAT
> > problems.  It just works.  What problems have you observed?
> 
> VOIP and bittorrent come to mind. Broken but widespread protocols, like
> SIP, that embed IP information inside the protocol.
> 
> > > > You can do this by either creating 4 virtual interfaces on the openwrt
> > > > box, or using some kind of proxyarp solution.
> > > 
> > > Proxy ARP is the magic I needed. 
> > > http://www.sjdjweis.com/linux/proxyarp/
> > 
> > I see from my 5 second skim that the setup described here seems to be
> > similar to yours.
> > 
> > I'm not quite sure I understand your final setup, though.  Would you
> > care to elaborate for us?
> 
> Sure. openwrt has two interfaces of interest. vlan1 is the port that
> cisco is connected to, and has a public address (27.109). br0 is the
> ports that everything else is connected to, and has a private address
> (0.2). I did try it with br0 having the same address as vlan1, as
> outlined in that article, and it worked fine also (same problem in
> the end though).
> 
> Then I set up the routing as follows:
> 
> openwrt# ip route
> 216.31.27.105 dev vlan1  scope link 
> 216.31.27.104/29 dev br0  scope link 
> 172.17.0.0/24 dev br0  proto kernel  scope link  src 172.17.0.2 
> default via 216.31.27.105 dev vlan1 
> 
> I turn on proxy arp in /proc/sys/net/ipv4/conf/{vlan1,br0}/proxy_arp,
> and set /proc/sys/net/ipv4/conf/{all,default}/proxy_ignore to 0 (it's
> apparently 1 by default on openwrt).
> 
> Finally I remove vlan1 from br0.
> 
> When I type "show arp" on the cisco, it gives me what I expect -
> everyone has the same MAC address (the address of openwrt), until one of
> those ping replies flies out with the real MAC address still embedded
> and cisco updates the cache for that host.
> 
> -- 
> Hans Fugal ; http://hans.fugal.net
>  
> There's nothing remarkable about it. All one has to do is hit the 
> right keys at the right time and the instrument plays itself.
>     -- Johann Sebastian Bach


-- 
Hans Fugal ; http://hans.fugal.net
 
There's nothing remarkable about it. All one has to do is hit the 
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
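As an added illustration (my own code, not anything from the thread or from OpenWrt), the Python below reproduces the longest-prefix lookup the kernel performs over the OpenWrt routing table quoted above, and lists which addresses in the /29 OpenWrt must answer ARP for on vlan1 because it routes them out br0. The route text and the local address 216.31.27.109 come from the post; the function names and the sample destinations are mine.

```python
import ipaddress

# OpenWrt routing table quoted in the post, embedded here as constructed sample input.
IP_ROUTE_OUTPUT = """\
216.31.27.105 dev vlan1  scope link
216.31.27.104/29 dev br0  scope link
172.17.0.0/24 dev br0  proto kernel  scope link  src 172.17.0.2
default via 216.31.27.105 dev vlan1
"""

def parse_routes(text):
    """Turn 'ip route' output into (network, dev, via) tuples; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((network, dev, via))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: the most specific matching route wins.
    Returns the egress device and next hop (via=None means deliver directly on the link)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, dev, via in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, dev, via)
    return None if best is None else {"dev": best[1], "via": best[2]}

def proxy_arp_targets(routes, subnet, upstream_dev, local_addrs=()):
    """Addresses in `subnet` that the upstream router will ARP for on `upstream_dev`
    but which this box routes out a different interface: proxy_arp on `upstream_dev`
    has to answer for exactly these, or the upstream never learns a path to them."""
    targets = []
    for host in ipaddress.ip_network(subnet).hosts():
        if str(host) in local_addrs:          # skip the box's own address (.109 in the post)
            continue
        route = lookup(routes, str(host))
        if route and route["dev"] != upstream_dev:
            targets.append(str(host))
    return targets

if __name__ == "__main__":
    routes = parse_routes(IP_ROUTE_OUTPUT)
    for dst in ("216.31.27.105", "216.31.27.106", "8.8.8.8"):
        print(dst, "->", lookup(routes, dst))
    print("proxy ARP on vlan1 for:",
          proxy_arp_targets(routes, "216.31.27.104/29", "vlan1", ("216.31.27.109",)))
```

The /32 host route beats the /29, which is why the cisco at .105 is reached directly on vlan1 while every other .104/29 address goes out br0; those are the hosts proxy_arp on vlan1 speaks for.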