Chris Paulson-Ellis
2003-Feb-14 13:26 UTC
How do I collapse this configuration into 1 router.
Hi,

I want to collapse the following configuration into 1 router...

LAN1:192.168.1.0/24 --- Router1 [SNAT onto 10.0.0.1] --- LAN3
LAN2:192.168.1.0/24 --- Router2 [SNAT onto 10.0.0.2] --- LAN3
LAN3:10.0.0.0/8 --- Router3 [SNAT onto public IP] --- Internet

Routers 1 & 2 SNAT traffic from LAN1 & LAN2 respectively on to LAN3 and Router3 then SNATs from LAN3 onto the public Internet connection.

My question is how I can collapse this into a single router (Router3), eliminating LAN3, without renumbering LAN 1 or 2 so they don't have duplicate addresses?

Regards,
Chris.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: lartc.org
Bartek Krajnik
2003-Feb-15 17:56 UTC
Re: How do I collapse this configuration into 1 router.
On 14-02-2003 at 01:26:00PM -0000, Chris Paulson-Ellis wrote:
CPE> Hi,
CPE>
CPE> I want to collapse the following configuration into 1 router...
CPE>
CPE> LAN1:192.168.1.0/24 --- Router1 [SNAT onto 10.0.0.1] --- LAN3
CPE> LAN2:192.168.1.0/24 --- Router2 [SNAT onto 10.0.0.2] --- LAN3
CPE> LAN3:10.0.0.0/8 --- Router3 [SNAT onto public IP] --- Internet
CPE>
CPE> Routers 1 & 2 SNAT traffic from LAN1 & LAN2 respectively on to LAN3 and
CPE> Router3 then SNATs from LAN3 onto the public Internet connection.
CPE>
CPE> My question is how I can collapse this into a single router (Router3),
CPE> eliminating LAN3, without renumbering LAN 1 or 2 so they don't have
CPE> duplicate addresses?
CPE>

If they don't have duplicate addresses connect them together and leave Router3 with SNAT.

If you need to have 2 LANs:

  LAN1
     \192.168.1.1(eth0)
      Router3 ---- Internet
     /192.168.1.2(eth1)
  LAN2

  ip a a 192.168.1.1 dev eth0
  ip a a 192.168.1.2 dev eth1
  ip r a 192.168.1.x dev eth0
  ip r a 192.168.1.x dev eth0
  ...
  ip r a 192.168.1.y dev eth1
  ip r a 192.168.1.y dev eth1
  ...

where:
  x - IPs from LAN1
  y - IPs from LAN2

Router3 leave with SNAT.

Rgds,
Bartek.

--
GPG-Key: bartek.bicom.pl/public_key.txt
pub 1024D/948DE45D 2002-12-12 Bartek Krajnik <bartek@bicom.pl>
Primary key fingerprint: 95E9 8E2D 1801 7864 2244 6EAA 03E5 764D 948D E45D
Martin A. Brown
2003-Feb-15 20:07 UTC
Re: How do I collapse this configuration into 1 router.
Chris,

 : I want to collapse the following configuration into 1 router...
 : My question is how I can collapse this into a single router (Router3),
 : eliminating LAN3, without renumbering LAN 1 or 2 so they don't have
 : duplicate addresses?

Perhaps you have already read Bartek's suggestion. He prefaces his suggestion as follows:

  If they don't have duplicate addresses connect them together and leave
  Router3 with SNAT.

If no hosts on your LAN1 and LAN2 use the same IP (same final octet), you are in a great position--Bartek's solution will serve beautifully. In short, he is suggesting host routes to each destination on the interface to which it is connected.

I'm responding to make a suggestion if there are duplicate addresses on LAN1 and LAN2. You'll need to use a two router solution, but you can configure the second router in a clever way to aid in your transition to a new and non-clashing IP space. The benefit is you can slowly readdress all of the machines in LAN2 (or whichever) to the new IP addressing scheme. This makes your router consolidation project a two phase endeavour. I'll choose an arbitrary numbering scheme for the new network.

Phase I:

- consolidate router3 and router1
  - ethA internet
  - ethB 10.0.0.0/8
  - ethC 192.168.1.0/24 (LAN1)
  - ethD 192.168.254.0/24 (router2)
- configure router2 to NAT 192.168.254.0/24 into LAN2 192.168.1.0/24
  - ethA 192.168.254.0/24
  - ethB (or ethA!) 192.168.1.0/24 (LAN2)

Phase II:

- renumber machines in LAN2 to use 192.168.254.0/24
- when renumbering is finished, turn off router2

So, here's a description of phase I:

The best part of this, is that your router2 machine doesn't need to have multiple interfaces--you can perform the translation on a single media segment. Here's an example, assuming that router3 has 192.168.254.1 (our gateway), and that your duplicate IP addresses (in LAN2) are 192.168.1.17, 192.168.1.18, 192.168.1.44, etc....

  router2# ip addr add 192.168.254.254/24 dev eth0
  router2# ip addr add 192.168.1.254/24 dev eth0
  router2# ip route add default via 192.168.254.1
  router2# for hostoctet in 17 18 44 $( seq 50 89 ) ; do
  > ip route add nat 192.168.254.$hostoctet via 192.168.1.$hostoctet
  > ip rule add nat 192.168.254.$hostoctet from 192.168.1.$hostoctet
  > done

Now, the hosts in LAN2 will be accessible from router3's perspective as 192.168.254.$hostoctet, but router2 will be performing NAT to the 192.168.1.0/24 IP configured on the individual machines.

Conditions of this example:

- all of the LAN2 hosts are connected to the same ethernet as router3's ethD interface and router2's interface
- LAN2 (192.168.1.0/24) must use router2's 192.168.1.X IP as a default gateway
- router3 must not be configured for proxy ARP nor to answer any ARP query for 192.168.1.0/24
- router3 must forward all packets for 192.168.1.0/24 to the "REAL" 192.168.1.0/24, LAN 1

Finally, you must be very careful about ARP issues. If you are using proxy ARP on router3, this will break in strange and wonderful ways, so you'd be better off making router2 a traditional two-interface router.

and a description of phase II:

This is the easy part. You visit the machines which need to be readdressed (at your convenience) and give them IPs in the 192.168.254.0/24 network. If you give these machines the same final octet as in the 192.168.1.0/24 network, you'll need to remove the NAT entry on router2. Otherwise, it should be an easy and convenient transition. No cable swapping, no muss, and no fuss.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
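A small model of what Martin's router2 entries do, added here as an example; it is not code from the thread and does not touch the kernel. It assumes the semantics of the old iproute2 stateless NAT as the post uses them: `ip rule add nat A from B` rewrites the source of packets from B to A, and `ip route add nat A via B` rewrites the destination of packets for A to B; it also checks the phase II caveat about NAT entries that must be removed once a host is renumbered.

```python
# Added example: a model of the stateless NAT that Martin's "ip rule add nat" /
# "ip route add nat" pairs perform on router2. Constructed for illustration;
# it is not code from the thread and runs entirely in user space.
OUTSIDE = "192.168.254."   # the addresses router3 sees LAN2 hosts as
INSIDE = "192.168.1."      # LAN2's real numbering, which clashes with LAN1


def build_nat_table(host_octets):
    """One entry per host octet, i.e. per
    'ip route add nat OUTSIDE.o via INSIDE.o' / 'ip rule add nat OUTSIDE.o from INSIDE.o'
    pair. Maps the outside (translated) address to the inside (real) address."""
    return {f"{OUTSIDE}{o}": f"{INSIDE}{o}" for o in host_octets}


def translate(nat, src, dst):
    """Apply router2's translation to one packet header (src, dst).
    Assumed semantics of the two iproute2 NAT entries:
      - 'ip rule add nat OUT from IN' rewrites source IN -> OUT (host to Internet)
      - 'ip route add nat OUT via IN' rewrites destination OUT -> IN (replies)
    Addresses without an entry pass through unchanged."""
    inside_to_outside = {inside: outside for outside, inside in nat.items()}
    return inside_to_outside.get(src, src), nat.get(dst, dst)


def stale_nat_entries(nat, renumbered_hosts):
    """Phase II check: a LAN2 host renumbered to an OUTSIDE address that still has
    a NAT entry would have its inbound traffic redirected to the old INSIDE
    address, so that entry must be removed on router2. Returns the outside
    addresses whose entries have to be deleted."""
    return {addr for addr in renumbered_hosts if addr in nat}


if __name__ == "__main__":
    # Martin's example set: hosts .17, .18, .44 and .50 through .89
    nat = build_nat_table([17, 18, 44] + list(range(50, 90)))
    internet = "203.0.113.5"  # constructed remote address (TEST-NET-3)
    print("outbound:", translate(nat, "192.168.1.17", internet))
    print("reply:   ", translate(nat, internet, "192.168.254.17"))
    print("stale:   ", stale_nat_entries(nat, {"192.168.254.17", "192.168.254.200"}))
```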
Chris Paulson-Ellis
2003-Feb-15 20:11 UTC
Re: How do I collapse this configuration into 1 router.
My problem is that I cannot practically renumber LAN1 & LAN2 to have different addresses. Is there any way to cope with this?

The only thing I could think of was SNATing each of LAN1 & LAN2 onto 2 addresses in another private address subnet by routing their traffic through the loopback interface, but I'm not sure how to route the returning traffic as it comes out of the loopback (presumably I'd have to do it by both source and destination address).

Chris.

----- Original Message -----
From: "Bartek Krajnik" <bartek@bicom.pl>
To: "Chris Paulson-Ellis" <chris@edesix.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Saturday, February 15, 2003 5:56 PM
Subject: Re: [LARTC] How do I collapse this configuration into 1 router.

On 14-02-2003 at 01:26:00PM -0000, Chris Paulson-Ellis wrote:
CPE> Hi,
CPE>
CPE> I want to collapse the following configuration into 1 router...
CPE>
CPE> LAN1:192.168.1.0/24 --- Router1 [SNAT onto 10.0.0.1] --- LAN3
CPE> LAN2:192.168.1.0/24 --- Router2 [SNAT onto 10.0.0.2] --- LAN3
CPE> LAN3:10.0.0.0/8 --- Router3 [SNAT onto public IP] --- Internet
CPE>
CPE> Routers 1 & 2 SNAT traffic from LAN1 & LAN2 respectively on to LAN3 and
CPE> Router3 then SNATs from LAN3 onto the public Internet connection.
CPE>
CPE> My question is how I can collapse this into a single router (Router3),
CPE> eliminating LAN3, without renumbering LAN 1 or 2 so they don't have
CPE> duplicate addresses?
CPE>

If they don't have duplicate addresses connect them together and leave Router3 with SNAT.

[snip]
Chris Paulson-Ellis
2003-Feb-15 20:34 UTC
Re: How do I collapse this configuration into 1 router.
Hi,

An excellent migration plan, but I'm trying to avoid renumbering. I'm consolidating the internet connections of customer LANs which have long had their own networks and don't want to change their numbering. Some of them have equipment that can only have their IP address altered by serial connection; very tedious.

Could I re-create the network with a single router by adding some sort of extra internal interfaces and routing based on ingress interface as well as destination address (and SNAT twice as at present)? Loopback interfaces don't seem to be suitable as they don't have two ends and there is only one of it.

Chris.

----- Original Message -----
From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: "Chris Paulson-Ellis" <chris@edesix.com>
Cc: <lartc@mailman.ds9a.nl>
Sent: Saturday, February 15, 2003 8:07 PM
Subject: Re: [LARTC] How do I collapse this configuration into 1 router.

> Chris,
>
> : I want to collapse the following configuration into 1 router...
> : My question is how I can collapse this into a single router (Router3),
> : eliminating LAN3, without renumbering LAN 1 or 2 so they don't have
> : duplicate addresses?
>
> Perhaps you have already read Bartek's suggestion. He prefaces his
> suggestion as follows:
>
> If they don't have duplicate addresses connect them together and leave
> Router3 with SNAT.
>
> If no hosts on your LAN1 and LAN2 use the same IP (same final octet), you
> are in a great position--Bartek's solution will serve beautifully. In
> short, he is suggesting host routes to each destination on the interface
> to which it is connected.
>
> I'm responding to make a suggestion if there are duplicate addresses on
> LAN1 and LAN2. You'll need to use a two router solution, but you can
> configure the second router in a clever way to aid in your transition to a
> new and non-clashing IP space. The benefit is you can slowly readdress
> all of the machines in LAN2 (or whichever) to the new IP addressing
> scheme. This makes your router consolidation project a two phase
> endeavour. I'll choose an arbitrary numbering scheme for the new network.
>
> Phase I:
>
> - consolidate router3 and router1
>   - ethA internet
>   - ethB 10.0.0.0/8
>   - ethC 192.168.1.0/24 (LAN1)
>   - ethD 192.168.254.0/24 (router2)
> - configure router2 to NAT 192.168.254.0/24 into LAN2 192.168.1.0/24
>   - ethA 192.168.254.0/24
>   - ethB (or ethA!) 192.168.1.0/24 (LAN2)
>
> Phase II:
>
> - renumber machines in LAN2 to use 192.168.254.0/24
> - when renumbering is finished, turn off router2
>
> So, here's a description of phase I:
>
> The best part of this, is that your router2 machine doesn't need to have
> multiple interfaces--you can perform the translation on a single media
> segment. Here's an example, assuming that router3 has 192.168.254.1 (our
> gateway), and that your duplicate IP addresses (in LAN2) are 192.168.1.17,
> 192.168.1.18, 192.168.1.44, etc....
>
> router2# ip addr add 192.168.254.254/24 dev eth0
> router2# ip addr add 192.168.1.254/24 dev eth0
> router2# ip route add default via 192.168.254.1
> router2# for hostoctet in 17 18 44 $( seq 50 89 ) ; do
> > ip route add nat 192.168.254.$hostoctet via 192.168.1.$hostoctet
> > ip rule add nat 192.168.254.$hostoctet from 192.168.1.$hostoctet
> > done
>
> Now, the hosts in LAN2 will be accessible from router3's perspective as
> 192.168.254.$hostoctet, but router2 will be performing NAT to the
> 192.168.1.0/24 IP configured on the individual machines.
>
> Conditions of this example:
>
> - all of the LAN2 hosts are connected to the same ethernet as router3's
>   ethD interface and router2's interface
> - LAN2 (192.168.1.0/24) must use router2's 192.168.1.X IP as a default
>   gateway
> - router3 must not be configured for proxy ARP nor to answer any ARP
>   query for 192.168.1.0/24
> - router3 must forward all packets for 192.168.1.0/24 to the "REAL"
>   192.168.1.0/24, LAN 1
>
> Finally, you must be very careful about ARP issues. If you are using
> proxy ARP on router3, this will break in strange and wonderful ways, so
> you'd be better off making router2 a traditional two-interface router.
>
> and a description of phase II:
>
> This is the easy part. You visit the machines which need to be
> readdressed (at your convenience) and give them IPs in the
> 192.168.254.0/24 network. If you give these machines the same final octet
> as in the 192.168.1.0/24 network, you'll need to remove the NAT entry on
> router2. Otherwise, it should be an easy and convenient transition. No
> cable swapping, no muss, and no fuss.
>
> -Martin
>
> --
> Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com