Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
From: Robbie Crash [mailto:sardonic.smi...@gmail.com]

> If you're not accessing clients on the remote 192.168.1.0 subnet, why are you adding the second network? Why are you not handling this on the router instead of the client? Static routes on a client are bad mojo. It's the router's job to route, let it do that. All you should need to do is tell the router to route all traffic for 192.168.10.0/24 to use whatever the VPN interface is.

The problem is at the remote side. If they have a huge internal corporate network that happens to include 192.168.10.x/24 and 192.168.1.x/24 ... When I VPN to them and my LAN is 192.168.1.x/24, I have a subnet that overlaps with their pre-existing subnet. They can't route traffic to me without breaking one of their internal subnets.

The most elegant solution (aside from renumbering my network) would be NAT. It would be nice to eliminate 192.168.2.x/24 from my house, and configure the firewall so when I send a packet to the VPN network, let my source IP be NAT'd to 192.168.2.x/24. However, I have not yet had any luck configuring pfsense to NAT the traffic first and then route it, NAT'd across the VPN.

At present, I have two problems I'm trying to solve in parallel. If I can either make OI behave as expected, then I can use the multiple-subnets-on-a-single-LAN solution and move forward. Or if I can get the firewall to NAT as expected, then I can scrap the multiple-subnets idea and move forward.

> The issue here sounds like since the OI box already knows that it has a route to 192.168.10.10 over its default route, it doesn't need to use the secondary IP.

That's not quite correct. Sure, if I didn't add the static route 192.168.10.x via 192.168.2.1, then OI would try to reach 192.168.10.x via the default gateway. But that's irrelevant - by adding the 192.168.2.1 route, the system does in fact know it's supposed to reach 192.168.10.x via 192.168.2.1. The evidence is when a packet leaves the NIC destined for 192.168.10.x, its destination MAC corresponds to 192.168.2.1. But unfortunately, the source IP is wrong.

> If you can't configure the router, PCI NICs are $9 these days, and that'll work for sure.

I might do that. The main obstacle is knowing I would have to wait for it to arrive, and it will require downtime on the VM host, to solve something that should be solvable in software.

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
Got several questions at once:

1) Why not use VNICs to avoid the MAC-related problem altogether?

2) Can you run the VPN client on the client computer so that it has an IP address of the corporate net and cares not about the home IP routing? It can have routes to other corporate nets via the router (and maybe NAT) provided by the VPN server, and to the corporate net it would seem like one of their own addresses.

3) On OI you can use IPFilter to cause packets going out of one interface with a matched source/dest address, to be re-issued on another. I don't think it would work with aliases, but may help if the problem continues with VNICs. Roughly so:

    # enforce that packets coming out of an interface go to the correct subnet
    # rhetorical question: does this skip the firewall rules below in the file?
    block out quick on e1000g0 to e1000g81000:81.x.x.1 from 81.x.x.0/24 to any
    block out quick on e1000g81000 to e1000g0:192.168.y.2 from ! 81.x.x.0/24 to any

Technically this duplicates matching packets on another interface, destines them to a given host (router or IDS usually) and in this case blocks the original (in case of IDS inspection - allows).

HTH,
//Jim
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
On Wed, Mar 6, 2013 at 7:25 AM, Edward Ned Harvey (openindiana) openindi...@nedharvey.com wrote:

> The problem is at the remote side. If they have a huge internal corporate network that happens to include 192.168.10.x/24 and 192.168.1.x/24 ... When I VPN to them and my LAN is 192.168.1.x/24, I have a subnet that overlaps with their pre-existing subnet. They can't route traffic to me without breaking one of their internal subnets.

I get that, but in your original email you stated you don't need to access their 192.168.1.0 subnet; unless all their traffic routes over that subnet internally you shouldn't have an issue. Their side will see the request coming from your VPN point, and will send traffic there and your VPN server will send it to the proper client.

What IP address are you receiving from the VPN server? Is it a 192.168.1.0 address? If it is, you're going to have more problems than it's worth and you should reIP your home network.

> The most elegant solution (aside from renumbering my network) would be NAT. It would be nice to eliminate 192.168.2.x/24 from my house, and configure the firewall so when I send a packet to the VPN network, let my source IP be NAT'd to 192.168.2.x/24. However, I have not yet had any luck configuring pfsense to NAT the traffic first and then route it, NAT'd across the VPN.
>
> At present, I have two problems I'm trying to solve in parallel. If I can either make OI behave as expected, then I can use the multiple-subnets-on-a-single-LAN solution and move forward. Or if I can get the firewall to NAT as expected, then I can scrap the multiple-subnets idea and move forward.
>
>> The issue here sounds like since the OI box already knows that it has a route to 192.168.10.10 over its default route, it doesn't need to use the secondary IP.
>
> That's not quite correct. Sure, if I didn't add the static route 192.168.10.x via 192.168.2.1, then OI would try to reach 192.168.10.x via the default gateway. But that's irrelevant - by adding the 192.168.2.1 route, the system does in fact know it's supposed to reach 192.168.10.x via 192.168.2.1. The evidence is when a packet leaves the NIC destined for 192.168.10.x, its destination MAC corresponds to 192.168.2.1. But unfortunately, the source IP is wrong.

Except what you're saying is that it's being sent via the default IP address (192.168.1.X) to 192.168.2.1, which is fine, your router knows where that is, so it can get there. But that means that OI is using your primary IP address, not the secondary one.

>> If you can't configure the router, PCI NICs are $9 these days, and that'll work for sure.
>
> I might do that. The main obstacle is knowing I would have to wait for it to arrive, and it will require downtime on the VM host, to solve something that should be solvable in software.

This is something that should be handled at the router, not at the client in software. I get that this can be handled in software, but it shouldn't be. It's not a client's job to route traffic to appropriate destinations. Static routing and multiple subnets on the clients are not the proper way to handle situations like this if any other option is available. Since it sounds like you're dialing the VPN from your router, the proper fix to this is to reIP your internal network to something other than one of the private nets you're trying to reach, and then add a route on the router to handle traffic to .1. and .10. and be done with it.

-- 
Seconds to the drop, but it seems like hours.
http://www.openmedia.ca
https://robbiecrash.me
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
From: Robbie Crash [mailto:sardonic.smi...@gmail.com]

>> The problem is at the remote side. If they have a huge internal corporate network that happens to include 192.168.10.x/24 and 192.168.1.x/24 ... When I VPN to them and my LAN is 192.168.1.x/24, I have a subnet that overlaps with their pre-existing subnet. They can't route traffic to me without breaking one of their internal subnets.
>
> I get that, but in your original email you stated you don't need to access their 192.168.1.0 subnet; unless all their traffic routes over that subnet internally you shouldn't have an issue. Their side will see the request coming from your VPN point, and will send traffic there and your VPN server will send it to the proper client.

No, there's something you seem to be missing. I'm making up the details in this email, but the concept stands:

They have 192.168.1.x/24 in Buffalo. 192.168.10.x/24 in Syracuse. 10.10.10.x/24 in Toronto. 172.16.14.x/24 in Vancouver... and a hundred other sites. They have all their routers configured to support this. If somebody at any site sends traffic to 192.168.1.x/24, their routers know the traffic is routed to Buffalo. So if I get inside the network, using 192.168.1.x/24 in Boston, all those other sites can't talk to me, or can't talk to Buffalo. I have to either use a subnet that doesn't conflict, or I have to NAT and virtually use a subnet that doesn't conflict.

If I actually use the new subnet, 192.168.2.x/24 which isn't used anywhere else in the company, then all traffic is routable to and from my network, which is good. But if I virtually NAT my 192.168.1.x/24 network, making my traffic appear as 192.168.2.x/24 as far as the company's concerned ... Then I have no way to access their 192.168.1.x/24 because my systems will think the destination is local and hence not use the router. I am saying that I'm ok using this NAT solution to avoid the need to renumber my systems. I'm only blocking the traffic from my local 192.168.1.x to the company's 192.168.1.x (and vice-versa) but I don't care about connecting to anything in the company's 192.168.1.x range.

Make sense now? ;-)

> What IP address are you receiving from the VPN server?

Their VPN server doesn't assign an IP address. This is not a mobile client VPN we're talking about, it's a site-to-site VPN. Firewall to firewall. Corporate home office. And I'm the IT guy. So I can do whatever I want and support whatever I want. The question is what do I want. Well, I have about a dozen or two systems in my house, including a mobile vpn server, site-to-site vpn's with other companies, two windows active directory domains, a few dns zones, and a virtualization infrastructure. While I *can* renumber, it'll cost me about a day's work. So the NAT solution is attractive.
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
From: Robbie Crash [mailto:sardonic.smi...@gmail.com]

> This is something that should be handled at the router, not at the client in software.

It turns out, I reached a conclusion with the NAT possibility. In pfsense, you can NAT traffic before it goes across an openvpn, but you can't NAT traffic before it goes across an ipsec vpn. (Just a limitation of their software, until at least the next release, when they *might* add that feature.) At present, in pfsense, I would need one firewall to establish the VPN connection, and another firewall to NAT from that subnet to my internal subnet.

Thanks to Jim's idea of VNIC, I have a solution in client-side software. So this thread really doesn't need to continue... But it was an interesting and fun exercise to talk about.
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
How about summarizing on the wiki?

--- On Wed, 3/6/13, Edward Ned Harvey (openindiana) openindi...@nedharvey.com wrote:

> From: Edward Ned Harvey (openindiana) openindi...@nedharvey.com
> Subject: Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
> To: Discussion list for OpenIndiana openindiana-discuss@openindiana.org
> Date: Wednesday, March 6, 2013, 1:56 PM
>
> From: Robbie Crash [mailto:sardonic.smi...@gmail.com]
>
>> This is something that should be handled at the router, not at the client in software.
>
> It turns out, I reached a conclusion with the NAT possibility. In pfsense, you can NAT traffic before it goes across an openvpn, but you can't NAT traffic before it goes across an ipsec vpn. (Just a limitation of their software, until at least the next release, when they *might* add that feature.) At present, in pfsense, I would need one firewall to establish the VPN connection, and another firewall to NAT from that subnet to my internal subnet.
>
> Thanks to Jim's idea of VNIC, I have a solution in client-side software. So this thread really doesn't need to continue... But it was an interesting and fun exercise to talk about.
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
From: Reginald Beardsley [mailto:pulask...@yahoo.com]
Sent: Wednesday, March 06, 2013 3:34 PM

> How about summarizing on the wiki?

I'm in favor, but in this case, I don't think there's anything to summarize ... Here is the summary:

    sudo dladm create-vnic -l e1000g0 vnic0
    sudo ipadm create-addr -T static -a 192.168.2.100/24 vnic0/v4static
    sudo route -p add 192.168.10.0/24 192.168.2.1

And voila. New IP address and new MAC address on the same wire with my pre-existing LAN subnet, with a static route.

Actually ... I believe all these commands are already on the wiki. I think I actually *got* these answers from the wiki, once I knew what to look for.
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
It's the 'how to do foo' part that matters. Almost all the information is out there (all if you include the source). It's the finding part that is more difficult.

What I'm suggesting is summarizing in the title and intro paragraph how you were viewing the problem when you started, followed by a short statement of the solution. I'm lobbying for building comprehensive documentation one word at a time. Far too often finding the answer is entirely dependent upon phrasing the query exactly right.

The old Usenet tradition was responses by email and summary to the newsgroup. The modern version is summarize to the wiki.

Have Fun!
Reg

--- On Wed, 3/6/13, Edward Ned Harvey (openindiana) openindi...@nedharvey.com wrote:

> From: Edward Ned Harvey (openindiana) openindi...@nedharvey.com
> Subject: Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
> To: Discussion list for OpenIndiana openindiana-discuss@openindiana.org
> Date: Wednesday, March 6, 2013, 5:47 PM
>
> From: Reginald Beardsley [mailto:pulask...@yahoo.com]
> Sent: Wednesday, March 06, 2013 3:34 PM
>
>> How about summarizing on the wiki?
>
> I'm in favor, but in this case, I don't think there's anything to summarize ... Here is the summary:
>
>     sudo dladm create-vnic -l e1000g0 vnic0
>     sudo ipadm create-addr -T static -a 192.168.2.100/24 vnic0/v4static
>     sudo route -p add 192.168.10.0/24 192.168.2.1
>
> And voila. New IP address and new MAC address on the same wire with my pre-existing LAN subnet, with a static route.
>
> Actually ... I believe all these commands are already on the wiki. I think I actually *got* these answers from the wiki, once I knew what to look for.
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
From: Doug Hughes [mailto:d...@will.to]

> 2) explicitly set the route for 192.168.10.x : route add 192.168.10.0/mask 192.168.2.1

That's what I'm saying I have already done. I set the default route to 192.168.1.1, and I set a static route, 192.168.10.x/24 via 192.168.2.1. The route is in effect, as evidenced:

For simplicity, let's say 192.168.1.1 has MAC 11:11:11:11:11:11 and let's say 192.168.2.1 has MAC 22:22:22:22:22:22.

When I ping something on the internet, I see a packet go out my NIC, source IP 192.168.1.100, destination MAC 11:11:11:11:11:11 and destination IP 8.8.8.8. It all works, I get a ping response.

When I ping 192.168.2.1 directly, I see a packet go out my NIC, source IP 192.168.2.100, destination MAC 22:22:22:22:22:22 and destination IP 192.168.2.1. It all works, I get a ping response.

When I ping something on the other end of the VPN, I see a packet go out of my NIC, source IP 192.168.1.100, destination MAC 22:22:22:22:22:22 and destination IP 192.168.10.10 (or whatever.) The firewall drops the packet, because duh, the source IP isn't in the same subnet as the firewall.

I am also exploring the NAT option, assuming I'm not going to be able to resolve the above problem.
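The three packet observations above (and the VNIC commands in Ned's wiki summary earlier in the thread) can be reproduced with a small routing model. The following is an added example, not code from the list or from OpenIndiana: it does longest-prefix route lookup, resolves the next hop against a constructed ARP cache, and picks the source address the way the thread observed it being picked (on-link destination: the address sharing the destination's subnet; gateway route: the link's primary address). The `router_accepts` check stands in for the firewall's refusal of a source address outside its LAN subnet. Interface names, addresses and MACs are the thread's illustration values; the "primary address first" rule is a model of the observed behaviour, not Solaris' actual source-selection code.

```python
# Added example: model of source-address selection with an IP alias versus a VNIC.
# All addresses, MACs, link names and the selection rule are constructed from the
# thread's illustration; nothing here is OpenIndiana's own code.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Addr:
    ip: IPv4Address
    net: IPv4Network


@dataclass
class Route:
    dest: IPv4Network
    gateway: Optional[IPv4Address]  # None: destination is directly on the link
    link: str


# Constructed ARP cache, as in the thread.
ARP = {
    IPv4Address("192.168.1.1"): "11:11:11:11:11:11",
    IPv4Address("192.168.2.1"): "22:22:22:22:22:22",
}


class Host:
    """links: link name -> addresses in configured order (primary first)."""

    def __init__(self, links: Dict[str, List[Addr]], routes: List[Route]):
        self.links = links
        self.routes = routes

    def lookup(self, dst: IPv4Address) -> Route:
        # Longest-prefix match; the /0 default only wins when nothing else matches.
        best = None
        for r in self.routes:
            if dst in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
                best = r
        if best is None:
            raise ValueError(f"no route to {dst}")
        return best

    def select_source(self, route: Route, dst: IPv4Address) -> IPv4Address:
        addrs = self.links[route.link]
        if route.gateway is None:
            # On-link destination: the address that shares its subnet is used,
            # which is why pinging 192.168.2.1 directly left from 192.168.2.100.
            for a in addrs:
                if dst in a.net:
                    return a.ip
        # Gateway route: the link's primary address is used regardless of which
        # gateway the route points at (the observed behaviour; a model only).
        return addrs[0].ip

    def send(self, dst: str) -> dict:
        d = ip_address(dst)
        r = self.lookup(d)
        next_hop = r.gateway if r.gateway is not None else d
        return {"link": r.link, "src": str(self.select_source(r, d)),
                "dst": str(d), "dst_mac": ARP.get(next_hop, "unknown")}


def router_accepts(packet: dict, router_lan_net: str) -> bool:
    """Firewall-side check from the thread: a packet arriving on the router's
    LAN interface must carry a source address from that interface's subnet."""
    return ip_address(packet["src"]) in ip_network(router_lan_net)


def alias_host() -> Host:
    """Second address added as an alias on the same NIC (the failing setup)."""
    return Host(
        {"e1000g0": [Addr(ip_address("192.168.1.100"), ip_network("192.168.1.0/24")),
                     Addr(ip_address("192.168.2.100"), ip_network("192.168.2.0/24"))]},
        [Route(ip_network("192.168.1.0/24"), None, "e1000g0"),
         Route(ip_network("192.168.2.0/24"), None, "e1000g0"),
         Route(ip_network("192.168.10.0/24"), ip_address("192.168.2.1"), "e1000g0"),
         Route(ip_network("0.0.0.0/0"), ip_address("192.168.1.1"), "e1000g0")],
    )


def vnic_host() -> Host:
    """Second address on its own VNIC (dladm create-vnic): one subnet per link."""
    return Host(
        {"e1000g0": [Addr(ip_address("192.168.1.100"), ip_network("192.168.1.0/24"))],
         "vnic0": [Addr(ip_address("192.168.2.100"), ip_network("192.168.2.0/24"))]},
        [Route(ip_network("192.168.1.0/24"), None, "e1000g0"),
         Route(ip_network("192.168.2.0/24"), None, "vnic0"),
         Route(ip_network("192.168.10.0/24"), ip_address("192.168.2.1"), "vnic0"),
         Route(ip_network("0.0.0.0/0"), ip_address("192.168.1.1"), "e1000g0")],
    )


if __name__ == "__main__":
    for name, host in (("alias", alias_host()), ("vnic", vnic_host())):
        p = host.send("192.168.10.10")
        verdict = "accepted" if router_accepts(p, "192.168.2.0/24") else "DROPPED"
        print(f"{name}: {p} -> {verdict} by 192.168.2.1")
```

Running it shows the alias host emitting the VPN-bound packet from 192.168.1.100 to MAC 22:22:22:22:22:22, which the 192.168.2.1 side rejects, while the VNIC host emits it from 192.168.2.100 on vnic0 and is accepted. The same check is also what a router's anti-spoofing rule enforces, so a source address off-subnet for its ingress interface is worth alerting on rather than silently dropping.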
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
On 3/5/2013 10:18 PM, Edward Ned Harvey (openindiana) wrote:

> From: Doug Hughes [mailto:d...@will.to]
>
>> 2) explicitly set the route for 192.168.10.x : route add 192.168.10.0/mask 192.168.2.1
>
> That's what I'm saying I have already done. I set the default route to 192.168.1.1, and I set a static route, 192.168.10.x/24 via 192.168.2.1. The route is in effect, as evidenced:
>
> For simplicity, let's say 192.168.1.1 has MAC 11:11:11:11:11:11 and let's say 192.168.2.1 has MAC 22:22:22:22:22:22.
>
> When I ping something on the internet, I see a packet go out my NIC, source IP 192.168.1.100, destination MAC 11:11:11:11:11:11 and destination IP 8.8.8.8. It all works, I get a ping response.
>
> When I ping 192.168.2.1 directly, I see a packet go out my NIC, source IP 192.168.2.100, destination MAC 22:22:22:22:22:22 and destination IP 192.168.2.1. It all works, I get a ping response.
>
> When I ping something on the other end of the VPN, I see a packet go out of my NIC, source IP 192.168.1.100, destination MAC 22:22:22:22:22:22 and destination IP 192.168.10.10 (or whatever.) The firewall drops the packet, because duh, the source IP isn't in the same subnet as the firewall.
>
> I am also exploring the NAT option, assuming I'm not going to be able to resolve the above problem.

Is it the same if you use something other than ping? Does it work correctly if you use ping -i to specify the source interface?

Another option may be tagged vlans. Supporting a separate tagged interface would be very clear for the host. It would appear as a totally separate layer 2, so there'd be no chance for MAC reuse. That's only if your router can support that too, however...
Re: [OpenIndiana-discuss] multiple IP addresses, same NIC
If you're not accessing clients on the remote 192.168.1.0 subnet, why are you adding the second network? Why are you not handling this on the router instead of the client? Static routes on a client are bad mojo. It's the router's job to route, let it do that. All you should need to do is tell the router to route all traffic for 192.168.10.0/24 to use whatever the VPN interface is.

I'm assuming you're using something like Tomato or DD-WRT on your router, which both should accept a Linux style route add along with an iptables chain. I have this setup on mine, networks changed for you:

    route add -net 192.168.10.0 netmask 255.255.255.0 ppp1
    iptables --insert OUTPUT --source 0.0.0.0/0.0.0.0 --destination 192.168.10.0/255.255.255.0 --jump ACCEPT --out-interface ppp1
    iptables --insert INPUT --source 192.168.10.0/255.255.255.0 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
    iptables --insert FORWARD --source 0.0.0.0/0.0.0.0 --destination 192.168.10.0/255.255.255.0 --jump ACCEPT --out-interface ppp1
    iptables --insert FORWARD --source 192.168.10.0/255.255.255.0 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp1
    iptables --insert FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

would do it.

The issue here sounds like since the OI box already knows that it has a route to 192.168.10.10 over its default route, it doesn't need to use the secondary IP.

If you can't configure the router, PCI NICs are $9 these days, and that'll work for sure.

On Tue, Mar 5, 2013 at 10:24 PM, Doug Hughes d...@will.to wrote:

> On 3/5/2013 10:18 PM, Edward Ned Harvey (openindiana) wrote:
>
>> From: Doug Hughes [mailto:d...@will.to]
>>
>>> 2) explicitly set the route for 192.168.10.x : route add 192.168.10.0/mask 192.168.2.1
>>
>> That's what I'm saying I have already done. I set the default route to 192.168.1.1, and I set a static route, 192.168.10.x/24 via 192.168.2.1. The route is in effect, as evidenced:
>>
>> For simplicity, let's say 192.168.1.1 has MAC 11:11:11:11:11:11 and let's say 192.168.2.1 has MAC 22:22:22:22:22:22.
>>
>> When I ping something on the internet, I see a packet go out my NIC, source IP 192.168.1.100, destination MAC 11:11:11:11:11:11 and destination IP 8.8.8.8. It all works, I get a ping response.
>>
>> When I ping 192.168.2.1 directly, I see a packet go out my NIC, source IP 192.168.2.100, destination MAC 22:22:22:22:22:22 and destination IP 192.168.2.1. It all works, I get a ping response.
>>
>> When I ping something on the other end of the VPN, I see a packet go out of my NIC, source IP 192.168.1.100, destination MAC 22:22:22:22:22:22 and destination IP 192.168.10.10 (or whatever.) The firewall drops the packet, because duh, the source IP isn't in the same subnet as the firewall.
>>
>> I am also exploring the NAT option, assuming I'm not going to be able to resolve the above problem.
>
> Is it the same if you use something other than ping? Does it work correctly if you use ping -i to specify the source interface?
>
> Another option may be tagged vlans. Supporting a separate tagged interface would be very clear for the host. It would appear as a totally separate layer 2, so there'd be no chance for MAC reuse. That's only if your router can support that too, however...

-- 
Seconds to the drop, but it seems like hours.
http://www.openmedia.ca
https://robbiecrash.me