How to route 192.168.1.0/24 from 192.168.1.0/24


(Michael Kicks) #1

Ok, I know the title seems a bit stupid but… it makes a little sense.
My Green interface is 192.168.1.0/24 subnetted and I have a TUN OpenVPN on 192.168.254.8/28.
Sometimes a person needs to connect via OpenVPN (client on a computer) and has to access some addresses (not only 1) on Green. Obviously, the network for his LAN is 192.168.1.0/24.

AFAIK my options are 3:

  1. Change LAN addressing of the client from 192.168.1.0/24
  2. Change Green addressing from 192.168.1.0/24
  3. Do something smarter with routing and masquerading, without changing the addressing/subnet of either LAN.

And option 3 is why I opened this thread.

FWIW, if the IP address to access is only 1, maybe port forwarding could do the trick. I know that with multiple addresses and the same port, maybe port translating could do the trick.

But… why not read some interesting things? :wink:

Thanks for your time.


(Filippo Carletti) #2

See:
http://shorewall.org/netmap.html

Ask here if you find it hard, I’ll go looking for some examples.


(Michael Kicks) #3

Therefore, a little “link” for people…
This is the example…


Long story short, the solution should be SNAT+DNAT and DNAT+SNAT.
And these are the rules for Shorewall 4.4.22 or earlier:

The entries in /etc/shorewall/netmap in firewall1 would be as follows:

#TYPE NET1           INTERFACE        NET2
SNAT  192.168.1.0/24 vpn              10.10.11.0/24        #RULE 1A
DNAT  10.10.11.0/24  vpn              192.168.1.0/24       #RULE 1B

The entry in /etc/shorewall/netmap in firewall2 would be:

#TYPE NET1           INTERFACE        NET2
DNAT  10.10.10.0/24  vpn              192.168.1.0/24       #RULE 2A
SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B

And these are for Shorewall 4.4.23 or later; according to the link…

Beginning with Shorewall 4.4.23, you can bridge two duplicate networks with one router, provided that your kernel and iptables include Rawpost Table Support. That support is used to implement Stateless NAT which allows for performing DNAT in the rawpost table POSTROUTING and OUTPUT chains and for performing SNAT in the raw table PREROUTING chain. Using this support, only firewall1 requires /etc/shorewall/netmap. Two additional entries are added.

#TYPE NET1            INTERFACE        NET2
SNAT   192.168.1.0/24 vpn              10.10.11.0/24
DNAT   10.10.11.0/24  vpn              192.168.1.0/24
SNAT:P 192.168.1.0/24 vpn              10.10.10.0/24
DNAT:T 10.10.10.0/24  vpn              192.168.1.0/24

I’ll try to have some fun with these settings in my environment. I’m quite sure it will be a real mess during tests…


(Markus Neuberger) #4

This is a really nice Shorewall feature, which I didn’t know before. Thanks.

This would have been my solution. In this case changing the clients home LAN would be the easiest way.

Maybe this scenario fits better to yours:

http://shorewall.org/OPENVPN.html#Dupnet


(Michael Kicks) #5

This is my scenario, so that’s why I need to rethink the firewall implementation.

[quote=“mrmarkuz, post:4, topic:8020”]
This would have been my solution. In this case changing the clients home LAN would be the easiest way.
[/quote]

And this is viable, because the IP addresses on the Green network are few (an AP, two switches, the firewall, three MFPs), but it’s my last resort. Sometimes the home LAN of a roadwarrior is not changeable…
I would like to find a good solution, not an easy one.
Maybe next time I won’t be that lucky to have the time and opportunity to find a better way :wink:


(Markus Neuberger) #6

Sorry, I think you misunderstood me. Changing the networks was my solution until today, because now I know Shorewall netmap; sorry for my bad English, the past tense went somewhat wrong…

I am, like you, looking for a good solution which may also be easy.
Did you notice the advice in the link?

server 192.168.254.8 255.255.255.240
port 1195
push “route 172.20.1.0 255.255.255.0”

In /etc/shorewall/netmap, put these entries:

#TYPE   NET1            INTERFACE   NET2
SNAT    192.168.1.0/24  tun1        172.20.1.0/24
DNAT    172.20.1.0/24   tun1        192.168.1.0/24

The roadwarrior can now connect to port 1195 and access the LAN on the right as 172.20.1.0/24.
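To make the netmap mechanics concrete, here is an added example (not code from the Shorewall project or from anyone in this thread) that simulates what the SNAT/DNAT netmap entries do to a packet's addresses. It implements the 1:1 prefix translation that netmap performs (host bits kept, network prefix swapped) and traces a round trip both for the single-firewall roadwarrior entries quoted just above and for the two-firewall entries quoted earlier in the thread. The client address 192.168.254.9 and the host addresses .5, .7 and .23 are constructed sample values; the netmap texts are copied from the posts.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed input for this example: the netmap entries quoted in the posts above.
NETMAP_ROADWARRIOR = """
#TYPE  NET1            INTERFACE  NET2
SNAT   192.168.1.0/24  tun1       172.20.1.0/24
DNAT   172.20.1.0/24   tun1       192.168.1.0/24
"""
NETMAP_FIREWALL1 = """
SNAT   192.168.1.0/24  vpn        10.10.11.0/24
DNAT   10.10.11.0/24   vpn        192.168.1.0/24
"""
NETMAP_FIREWALL2 = """
DNAT   10.10.10.0/24   vpn        192.168.1.0/24
SNAT   192.168.1.0/24  vpn        10.10.10.0/24
"""


@dataclass(frozen=True)
class NetmapRule:
    kind: str                    # "SNAT" or "DNAT"
    net1: ipaddress.IPv4Network  # addresses the rule matches
    iface: str                   # interface the rule is bound to
    net2: ipaddress.IPv4Network  # addresses they are rewritten into


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def parse_netmap(text):
    """Parse the four-column netmap format; text after '#' is a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        kind, net1, iface, net2 = fields
        rule = NetmapRule(kind.upper(), ipaddress.ip_network(net1),
                          iface, ipaddress.ip_network(net2))
        if rule.net1.prefixlen != rule.net2.prefixlen:
            raise ValueError(f"netmap needs equal-sized networks: {line.strip()}")
        rules.append(rule)
    return rules


def netmap(addr, net1, net2):
    """1:1 prefix translation: keep the host bits, swap in net2's prefix."""
    host_bits = int(addr) & int(net1.hostmask)
    return ipaddress.IPv4Address(int(net2.network_address) | host_bits)


def ingress(pkt, iface, rules):
    """Packet arriving on iface: the first matching DNAT rule rewrites the destination."""
    for r in rules:
        if r.kind == "DNAT" and r.iface == iface and pkt.dst in r.net1:
            return replace(pkt, dst=netmap(pkt.dst, r.net1, r.net2))
    return pkt


def egress(pkt, iface, rules):
    """Packet leaving via iface: the first matching SNAT rule rewrites the source."""
    for r in rules:
        if r.kind == "SNAT" and r.iface == iface and pkt.src in r.net1:
            return replace(pkt, src=netmap(pkt.src, r.net1, r.net2))
    return pkt


def roadwarrior_roundtrip(client_ip, alias_ip, netmap_text=NETMAP_ROADWARRIOR):
    """VPN client sends to a 172.20.1.x alias through one firewall; return where it lands and how the reply is sourced."""
    rules = parse_netmap(netmap_text)
    req = ingress(Packet(ipaddress.ip_address(client_ip), ipaddress.ip_address(alias_ip)), "tun1", rules)
    reply = egress(Packet(req.dst, req.src), "tun1", rules)
    return {"request_reaches": str(req.dst), "reply_src": str(reply.src)}


def site_to_site_roundtrip(src_ip, alias_ip):
    """Site 1 host reaches a Site 2 host via its 10.10.10.x alias, through firewall1 then firewall2, and back."""
    fw1, fw2 = parse_netmap(NETMAP_FIREWALL1), parse_netmap(NETMAP_FIREWALL2)
    p = Packet(ipaddress.ip_address(src_ip), ipaddress.ip_address(alias_ip))
    p = egress(p, "vpn", fw1)    # leaving site 1: src becomes 10.10.11.x
    p = ingress(p, "vpn", fw2)   # entering site 2: dst becomes 192.168.1.x
    seen_at_site2 = p
    r = Packet(p.dst, p.src)     # the site 2 host replies to what it saw
    r = egress(r, "vpn", fw2)    # leaving site 2: src becomes 10.10.10.x
    r = ingress(r, "vpn", fw1)   # entering site 1: dst becomes 192.168.1.x
    return {"site2_sees_src": str(seen_at_site2.src), "site2_real_dst": str(seen_at_site2.dst),
            "reply_src": str(r.src), "reply_dst": str(r.dst)}


if __name__ == "__main__":
    print(roadwarrior_roundtrip("192.168.254.9", "172.20.1.23"))
    print(site_to_site_roundtrip("192.168.1.5", "10.10.10.7"))
```

The trace shows why the pushed route matters for the duplicate-LAN case: the roadwarrior only ever addresses 172.20.1.x, so its own local 192.168.1.0/24 never competes with the remote one, and the DNAT entry turns the alias back into the real Green address only once the packet is inside the tunnel. The two-firewall trace likewise shows that each side addresses the other by its alias (site 1 uses 10.10.10.x, site 2 uses 10.10.11.x) while each real host still sees its own 192.168.1.x address on the wire.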


(Michael Kicks) #7

The firewall distro that I am using in this environment does not allow two OpenVPN servers. Or better: maybe it is allowed, I’m still not sure about that, but it’s quite far from the web GUI level of access.

Maybe I also misunderstood you; it’s always possible when the language is often used, but is not the native one of who’s writing. :slight_smile:
Anyway, thanks for your time, maybe this solution could help someone with the same kind of issue :wink:


(André Wismer) #8

Hi
I’ve had to do this for a large company / enterprise about 20 years ago. They bought control of a company in Germany and wanted their networks hooked up.

Some luck. Despite using an unusual combination of 172.x.x.x as an enterprise network, so was this company, both thinking it’s unusual.

Long story cut short: I did it using a form of double Natting and a lookup table, mapping the entire Network of the subsidiary in Germany to another Network range. Today, it would be MUCH easier to do this.

BUT…

You don’t really want to!

  • Having two networks with same IP ranges is always a BIG headache when troubleshooting.
  • Is it my local server or remote server with the IP 192.168.1.23 causing problems?
  • Or is my DNS showing the real server or the remote server?
  • DNS is another BIG headache in double IP networks - no one really wants to go there!
  • Monitoring two identical Networks with tools like Zabbix / Nagios / whatever is more work than benefit.

It is much easier, and definitely best practice, if each node in the whole network (VPNs and all interconnected sites) has a consistent numbering / name scheme.

–> If possible, change the Network IP of one of the involved sites.

Also Best Advice for all of you in Networking:

NEVER set up a clients network using any of the following IP ranges:

192.168.0.x
192.168.1.x
192.168.10.x

A lot of Hardware like WLan Routers come preconfigured with IPs in that range. Now an employee buys himself a Wireless Router for Home use and thinks: Well, I have time in my break, I’ll just hook it up to the LAN…
Now: if your main router also has that same IP, and worse, both are doing DHCP Services, it’ll be within minutes that some host can do Internet and some can’t. Or none - due to IP conflict!

Just evade those IP ranges, especially if you’re free to set up the network!

My 2 cents!
Andy


(Michael Kicks) #9

You’re totally right @Andy_Wismer. And a business partner hates me because I’m quite “creative” with subnets and addressing. He would always like the same subnet for all customers, but that’s bad, or, as written in a nested-group-related topic, cube-bad.
I loved to misuse Class-B subnetting, but I have a little problem called “biggest ISP in Italy” which is using Class-B subnets in its infrastructure. But I am able to ping/route them (crap!).

Anyway…

Sometimes you can’t decide the subnetting. Sometimes ’cause your LART is too weak, sometimes ’cause the job of changing addressing is huge on one of the sides.
This is not the case: I have time to think of more than one solution and test it. And I have an escape path called “change subnet for the whole office”, which is really viable.

Maybe tomorrow I won’t have any other option than using the same subnet on both sides of a VPN connection, but not enough time to create, evaluate and test a good solution.
So, this testbench could be… a little Swiss knife in time of need.
A Swiss knife is a great tool, but not a good one. Because it can cut, screw, open, saw, slice. But it’s not a good screwdriver, a good knife, a good pair of scissors, a good can opener…

Thanks for your experience @Andy_Wismer, believe me I share most of your beliefs about subnetting. For a customer I sliced 192.168.11.0 into 5 different subnets for devices and connections… :wink:


(André Wismer) #10

@pike

Have a peek at the OPNsense Distro. They have also hardware boxes at a reasonable price.

I find it a bit better than the much mentioned pfSense. Both come from a MonoWall basis (same as FreeNAS!) using an unusual XML / PHP boot system instead of the usual etc. And on FreeBSD, not your average Linux.

The original developer (Manuel Kasper, also a Swiss like me) of MonoWall also endorses OPNsense.

It has all the bells and whistles you need of open source, combines IPsec AND OpenVPN and is even easy to fix when a problem arises. Had a case of a defective SD - they used a Transcend, which is good quality in my opinion. Changed with a 20.- SD from the local store. Up and running within the hour.

As any decent open source, you have the option to download a live cd or USB image to test it on ANY box lying around. Or use a VM, it works very well in both situations. The live CD (Or USB stick) can be installed on an empty Disk or SD. Use Etcher to burn the Image to a SD or USB.

You might be in for a pleasant surprise… :wink:

BTW: what’s your language / region? I’m English / German, based in Switzerland, and can also handle some French and Italian.

As to:

[quote=“pike, post:9, topic:8020”]
biggest ISP in italy
[/quote]

I think that’s with all / most ex-state owned monopolists. We’ve got that same problem with a few providers here in Switzerland. :wink:

Best regards
Andy


(Michael Kicks) #11

You’re writing it the wrong way, man. It was m0n0wall, as Manuel wrote in the FAQ. :smiley:

I’m Italian and I speak Italian, I hope my English is not that bad…

Anyway, I was thinking during the weekend about these rules for SNAT+DNAT…

And I was thinking: which subnet should a site look for to access the other one?

The rules say:
Site 1 => route to 10.10.10.0/24 for reaching Site 2
Site 2 => route to 10.10.11.0/24 for reaching Site 1

But my head still says that it’s not correct…