[CoLoCo] changing subnet mask

Kevin Fries kfries at cctus.com
Mon Sep 22 15:21:19 BST 2008


> Okay, I finally got around to try this and it's a no-go. I set the 192.168.1.1
> router's subnet to 255.255.252.0 and I can't ping router 2 on
> 192.168.2.1 from a computer connected directly (wired) to router 1. Is this
> what you mean by "should but doesn't"? The dd-wrt firmware is supposed to give you a
> semi-professional router. Do I need to change the subnet on my desktop too? That's not an
> option with DHCP, so would I have to use a static IP on the desktop?

Yep.  The software cannot make up for the limitations of the hardware.  In a truly professional router, there are no WAN ports, just ports.  The WAN is defined by the rules of the router, not the hardware ports.  A new example will make this clear.  If I have a standard Cisco router, I may have four ports available.  Let's assume for ease of explanation they are all serial ports, so I can name them S0, S1, S2, S3.  Which of these ports connects to the Internet?  It's a trick question because any of them can be, as well as more than one (two ISPs to provide redundancy in your upstream connections).  What defines the upstream is generally what is known as a route of last resort (or default route).  So, traffic can go from any interface to any interface, depending on the route rules of the router.  A Linux box with two or more interfaces will behave the exact same way.  So, if you want to play with this, build an old junky box and put two or three interfaces in it, then start playing with something like Shorewall.

On the other hand, these home-based routers only have ONE interface, and a hub.  The hardware dictates how some of the rules MUST work.  Therefore, no software can get around the hardware limitations of the system.  These home-based routers were not designed to do what you are asking them to do.  Even DD-WRT has the concept of inside interface and external interface.  It allows you to define DMZ, Inside, and Outside IP ranges only.  While DD-WRT will allow you to build some fairly nice filtering rules to filter traffic, I have never seen it have the advanced route rules you require to get around the hardware.  (BTW, I have seen DD-WRT build rules in a professional way on routers with the correct hardware, so it is not a DD-WRT problem.)

So, in summary: a truly professional setup will have a router where one of the interfaces is connected to a hub.  That router will need to have "route add" commands issued to tell the router how to handle all traffic.  If you wanted to have two network segments, plus the Internet, you simply need three interfaces and some rules that would build logic something like this:

  * any traffic from S1 with a destination IP address of 192.168.2.x is routed to interface S2

  * any traffic from S1 with any destination address is routed to S0

  * any traffic from S2 with a destination IP address of 192.168.1.x is routed to S1

  * any traffic from S2 with any destination address is routed to S0

  * any traffic from S0 that is not part of an existing session is rejected

A home router does not have this flexibility because there is only one interface and a hub combined into one simplified device.
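As an added illustration (not code from the post), the following Python simulates how a three-interface router implements the five rules above: a destination-based route table with longest-prefix matching, a default route toward the upstream port, and a stateful check on S0. Interface names S0/S1/S2 and the two subnets follow the post; the `sessions` set is a stand-in for real connection tracking, and the outside addresses are constructed test values.

```python
import ipaddress

# Constructed three-interface router from the post: S0 = upstream (ISP),
# S1 = the 192.168.1.x segment, S2 = the 192.168.2.x segment.
ROUTES = [
    ("192.168.1.0/24", "S1"),
    ("192.168.2.0/24", "S2"),
    ("0.0.0.0/0", "S0"),  # route of last resort (default route)
]
UPSTREAM = "S0"


class Router:
    """Destination-based route lookup plus a stateful filter on the upstream port."""

    def __init__(self, routes):
        # Longest prefix must win, so keep the most specific routes first.
        self.routes = sorted(
            ((ipaddress.ip_network(n), i) for n, i in routes),
            key=lambda r: r[0].prefixlen, reverse=True)
        # (src, dst) pairs opened from inside; stands in for connection tracking.
        self.sessions = set()

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if dst in net:
                return iface
        return None  # unreachable while a default route is present

    def forward(self, in_if, src, dst):
        """Return the egress interface for a packet, 'LOCAL', or 'REJECT'."""
        out_if = self.lookup(dst)
        if in_if == UPSTREAM:
            # Rule 5: inbound from S0 is allowed only as a reply to a session we opened.
            if (dst, src) not in self.sessions:
                return "REJECT"
            return out_if
        if out_if == in_if:
            return "LOCAL"  # both hosts share the same hub; the router stays out of it
        if out_if == UPSTREAM:
            self.sessions.add((src, dst))  # remember it so the reply is let back in
        return out_if


if __name__ == "__main__":
    r = Router(ROUTES)
    print(r.forward("S1", "192.168.1.10", "192.168.2.20"))  # S2
    print(r.forward("S1", "192.168.1.10", "203.0.113.5"))   # S0
    print(r.forward("S0", "203.0.113.5", "192.168.1.10"))   # S1 (reply to the session above)
    print(r.forward("S0", "198.51.100.7", "192.168.2.20"))  # REJECT (unsolicited)
```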

Any trick you do to get around this will be a kludge/hack that can be easily undone with a security patch.

Sorry to be the bearer of bad news.

Kevin


