Tuesday, October 12, 2021

Least messy way to have two public networks and private networks on one router

Consider a router with the following network interfaces:

  1. 192.168.200.1/24. This is the internal LAN.
  2. 203.0.113.1/32. This is a DSL upstream and the default route. It performs NAT and connects to the internet.
  3. 198.51.100.255/32. Point-to-point link to another connection (it is actually a tunnel endpoint).
  4. 198.51.100.193/27. This is a network with public IP addresses, holding servers and equipment:
  • No NAT should be performed.
  • This network should be "multi-homed":
  • It should be reachable from the internal LAN (192.168.200.0/24) and from both links above.
  • Preference should be given to "Connection 1", but if an outage happens, traffic should be routed via "Connection 2".

The issue with plain IP routing is that the forwarding decision is made on the destination address only, so paths end up asymmetric: a reply does not automatically leave through the link the request arrived on.

So when the router receives a packet from an arbitrary source for 198.51.100.255/32 (or for a host in 198.51.100.193/27) over the tunnel, the reply is sent out through 203.0.113.1/32, because that link carries the default route. It does not take the same route the request came in on. Of course this fails: the DSL link performs NAT, so the reply leaves with 203.0.113.1 as its source address, which the remote peer does not recognise as the host it was talking to.

Even if no NAT were performed, the DSL provider would filter the reply upstream, because its source address does not belong to that provider's address space (ingress filtering as described in BCP 38).

Now I could implement source-based routing (policy routing keyed on the source address, not the IP source-route option): all packets with a source address in 198.51.100.255/32, 198.51.100.193/27 or 198.51.100.240/29 are never sent via the default route, but via either Connection 1 or Connection 2 (with different route metrics).

  • This feels very messy.
  • I am actually in control of the whole 198.51.100.0/24. However, not all subnets are at the same location. Should I apply source-based routing to the entire network or just to the parts that are "hosted" at the location where the router is?
  • How should I deal with the LAN? Is it an issue if potentially the whole 198.51.100.0/24 is accessed from 192.168.200.0/24 without NAT?
  • In either case, source-based routing gets even more complicated in this scenario: say 192.168.200.121 sends a packet to 198.51.100.10. The other systems then also need specific routes for the RFC 1918 addresses.
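
What the source-based routing sketched above looks like on Linux with iproute2, as an added example (this is not the post's own configuration). It assumes "Connection 1" is the tunnel on interface tun0 and "Connection 2" a second point-to-point tunnel on tun1 (interface names are assumed; the post does not give them), and uses routing table 100 (also assumed). By default the script only prints the commands it would run; with APPLY=1 it executes them, which needs CAP_NET_ADMIN.

```shell
#!/bin/sh
# Policy-based routing for public source addresses on a router whose default
# route is a NATed DSL link. Added example, not the blog post's configuration.
# Assumed: Linux + iproute2, tun0 = Connection 1, tun1 = Connection 2, table 100.
# Dry-run unless APPLY=1 is set in the environment.
set -eu

PBR_TABLE=100                   # assumed: dedicated table for public-source traffic
CONN1_DEV=${CONN1_DEV:-tun0}    # assumed: preferred upstream, point-to-point
CONN2_DEV=${CONN2_DEV:-tun1}    # assumed: backup upstream, point-to-point
# Source prefixes that exist behind this router (network form of the addresses
# in the post). Remote parts of 198.51.100.0/24 never appear as the source of
# traffic this router forwards outbound, so they need no rule here.
PUB_SRC="198.51.100.192/27 198.51.100.240/29 198.51.100.255/32"

run() {
    # Dry-run by default: print the command instead of executing it.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

pbr_rules() {
    # pref 100: consult the main table first but reject its default route
    # (suppress_prefixlength 0), so connected networks (LAN, the /27, the
    # tunnel /32) and explicit static routes still win. Without this rule the
    # policy table below would also swallow LAN-to-/27 traffic.
    run ip rule add pref 100 lookup main suppress_prefixlength 0
    # pref 200+: anything sourced from the public prefixes uses the policy
    # table instead of main's default route over the NATed DSL link.
    pref=200
    for src in $PUB_SRC; do
        run ip rule add pref "$pref" from "$src" lookup "$PBR_TABLE"
        pref=$((pref + 1))
    done
}

pbr_routes() {
    # Default routes ordered by metric; point-to-point interfaces need no
    # next-hop address. The metric-20 route is used only while the metric-10
    # route is absent. The final 'prohibit' route fails closed: if both
    # tunnels are gone, packets are rejected instead of falling back to main's
    # default route and leaking out through the NATed DSL link.
    run ip route add default dev "$CONN1_DEV" table "$PBR_TABLE" metric 10
    run ip route add default dev "$CONN2_DEV" table "$PBR_TABLE" metric 20
    run ip route add prohibit default table "$PBR_TABLE" metric 100
}

pbr_failover() {
    # Tunnels keep carrier even when the far end is dead, so the kernel will
    # not remove the metric-10 route by itself; a reachability probe (e.g. a
    # periodic ping of the peer, not included here) has to withdraw it and
    # restore it once the peer answers again.
    case "$1" in
        down) run ip route del default dev "$CONN1_DEV" table "$PBR_TABLE" metric 10 ;;
        up)   run ip route replace default dev "$CONN1_DEV" table "$PBR_TABLE" metric 10 ;;
        *)    echo "usage: pbr_failover up|down" >&2; return 1 ;;
    esac
}

pbr_check() {
    # Ask the kernel which path a packet from $1 to $2 would take. For a
    # forwarded packet (source not local to the router) append 'iif <dev>'.
    run ip route get "$2" from "$1"
}

pbr_rules
pbr_routes
pbr_check 198.51.100.193 192.0.2.1        # public source: should show table 100, dev tun0
pbr_check 192.168.200.1 198.51.100.200    # LAN to the /27: stays in main, connected route
```

The rule with `suppress_prefixlength 0` is the piece that keeps this from getting messy: the policy table only ever has to hold upstream default routes, while every connected or static route keeps living in the main table, so traffic between the LAN and the local /27 is unaffected. Source rules are only needed for prefixes actually present at this site, because those are the only public source addresses this router will ever forward outbound; the remote parts of the /24 are a destination-routing question, not a source-routing one. For LAN hosts talking to the remote parts of the /24 over the tunnel, the return traffic still has to find its way back, so the other sites need routes for 192.168.200.0/24 (as noted above) or the LAN traffic has to be NATed to a local public address before it enters the tunnel.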

