This is very much doable with DHCP one liner: add the following to your dhcpd.conf ((!) inside the block of your 192.168.2.0/24 network) option classless-static-routes 192.168.3.0/24 192.168.2.1;
This will install static route into all machines in 192.168.2.0/24 network. When they will try to reach 192.168.3.0/24 machines they will send packets to 192.168.2.1 On Sunday, January 7, 2024 at 02:03:10 p.m. GMT+9, Nick Holland <n...@holland-consulting.net> wrote: On 1/6/24 15:09, Ibsen S Ripsbusker wrote: > Dear colleagues, > > > > I have various network appliances that I don't really trust, like > a printer. I have these plugged into an unmanaged switch and > connected to network interface igc2. > > I want to allow the igc1 network to make web requests to the igc2 > network, and I want the igc2 network to have very restricted access > outside of igc2. what does a printer need internet access for? nevermind. Don't answer that. It's the 21st century. Many people think their bloomin' thermostats should have Internet access...(I'm really close to replacing my non-internet connected digital programmable thermostat with a 100% mechanical. Because...they don't suck) > (My main computer is connected to network interface igc1. > And the egress interface is igc0.) > > MY QUESTION: What would be a normal way of achieving this? let's abstract this a bit... (in large part because a sequence of letters and numbers confuses me quickly.) So you have a trusted network, an untrusted network, and of course, the Internet, which we will just call "The Evil". While you can do it with a bridge, I don't want to think that hard. And it would be a lot of work. [snip bridge stuff] > I also tried setting different subnets. yeah. that's the way I'd go. trusted: > /etc/hostname.igc1:> inet 192.168.2.1/24 untrusted: > /etc/hostname.igc2: > inet 192.168.3.1/24 > > With this everything works as I want except that > the only way I figured out to allow hosts on 192.168.2.1/24 > to access 192.168.3.1/24 was with NAT, and that can't be right. yeah, the problem is, it sounds like your barrier machine is not your primary gateway/firewall. So when your trusted machine in 192.168.2/24 talks to an address in 192.168.3/24, it talks to your primary gateway, and your gateway says, "whoa, dude. wazzat?" I'd fix this by making your main firewall the barrier machine. This would require a three or more port firewall. Pass in from trusted to anywhere. block in quick on untrusted to trusted Pass from untrusted to anywhere (but trusted is already blocked) Failing that, with a separate barrier machine, you will need to add a static route for the 192.168.3/24 subnet to point to the "trusted" address of your barrier machine. That way, when your trusted network machines try to access the untrusted network, they know to route through your barrier machine. Every single trusted machine that wants to access something in that subnet will need that extra route added. Clumsy at best (probably doable with the DHCP server. I just glanced, looks kinda ugly). I guess if there is only one untrusted device, you could just use an inbound NAT tunnel for whatever ports need to access that device, then just use the barrier's IP address to access the device. But I don't normally think in quantities of one, and this doesn't scale well. But if there's only one device, or several devices, but they can all be hit on different ports, that's an option. Another way to do it is with two NATting firewalls: Evil <--[NAT-FW] <- untrusted network [NAT-FW] <- trusted network. (internet) (192.168.3/24) (192.168.2/24) traffic flows unimpeded in the direction of the arrows, and is blocked going backwards. Your trusted machines can hit untrused machines or the internet, untrusted machines can hit the Internet, but they can't dig through to your trusted network. Yeah, the down side is that the trusted network has to jump through two routers, so the untrusted network potentially has better access than the trusted network, and that's just not fair. But ... it's easy. I've done the opposite, what I call "portable DMZ"s, where untrusted machines need access to the Internet but shouldn't be allowed to touch the trusted machines, but unlike your situation, the untrusted machines don't need to be accessed by the trusted. Small machine, two NICs. One NIC is DHCP to the trusted network, NAT and DCHP server on the untrustedv side, maybe a logging DNS server. Block all from the untrusted to the trusted subnet, pass everything else (internet). These don't need those inbound static routes. Nick.