# Routing between two networks

## Fran

At work we have a private network with several servers. Let's say 10.0.0.0/24. The servers in this private network access the outside world through a gateway (G1) with ip 10.0.0.1.

We also have a public network (let's say 2.2.2.0/24). The gateway for this network is 2.2.2.1 (G2). My computer (C2, with ip 2.2.2.20) is in this network. 

What I want is to access the servers in 10.0.0.0/24 from my computer C2, but I'm having some problems.  I'm trying to do it through another computer (R) with two network interfaces (2.2.2.40 and 10.0.0.40):

```
                Internet

         G2                    G1
       2.2.2.1              10.0.0.1
          |                     |
          |                     |
   C2-----+----------R----------+------Servers
2.2.2.20            2.2.2.40 10.0.0.40
```

What I've done:

- In R:

  1. Enable ip forwarding

  2. iptables:

     ```
     -A FORWARD -i eth1 -j ACCEPT  #eth1=private
     -A FORWARD -i eth0 -d 10.0.0.0/24 -j ACCEPT  #eth0=public
     -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 2.2.2.40
     ```

- In C2: `ip route add 10.0.0.0/24 via 2.2.2.40 dev eth0`

This works fine... ONLY if the server I'm connecting to has its gateway configured as 10.0.0.40 (i.e., R). If the server's gateway is configured as 10.0.0.1, I can't connect to the server. Ping works, but ssh waits forever.

If I add `iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.40` in R, I can connect to a server in 10.0.0.0/24 even if its gateway is configured as 10.0.0.1, BUT... now the server cannot connect to my computer C2.

What am I missing? Is there any way to achieve what I'm trying to do without openvpn?

----------

## papahuhn

*Fran wrote:*

> BUT... now the server cannot connect to my computer C2.

I'm trying to understand this last bit. "But now" in contrast to when? Is there a setup where the server can connect to C2?

----------

## Hu

That is a strange network setup, but the SNAT rule seems like the simplest workaround.  The inability to get responses without SNAT makes sense, because the server sends the traffic to its default gateway, and G1 has no way to route the traffic to you.

----------

## Ant P.

The computers in 2.2.2.0/24 need to be told there's a route to 10.0.0.0/24 via that router, and vice versa. Adding a route on one machine will let you send traffic, but the other end will still have no idea where to send the reply.

There might be a way to do all this with DHCP but I'm not seeing anything in dhcpd's man pages for it. You might have to manually set static IPv4 routes on every machine (or at least on the 2 gateways as a workaround) to get it to work.

----------

## Fran

*papahuhn wrote:*

> *Fran wrote:*
> > BUT... now the server cannot connect to my computer C2.
>
> I'm trying to understand this last bit. "But now" in contrast to when? Is there a setup where the server can connect to C2?

If I don't add the rule, I can ssh from a server to C2. If I add it, I can't. I suppose it's because the ssh connection goes server->G1->G2->C2, but the replies from C2 to the server go C2->R->server (because of route I added in C2). With the iptables rule, R changes the "from" in the reply from 2.2.2.20 to 10.0.0.40, and the sshd in the server gets confused (?). Without the rule, the "from" is still 2.2.2.20 and the connection succeeds.

(edit) Wait, this doesn't make sense. G1 should have changed the "from" address too with NAT, because the server has a 10.x.x.x address and C2 wouldn't be able to respond to that. Weird. But I've tested, and server->C2 only works without the iptables rule in R.

*Ant P. wrote:*

> The computers in 2.2.2.0/24 need to be told there's a route to 10.0.0.0/24 via that router, and vice versa. Adding a route on one machine will let you send traffic, but the other end will still have no idea where to send the reply.

The problem is I don't control all the servers in 10.0.0.0/24. For the ones I do control, I've set their gateway to R and everything's peachy. For the rest I have this problem.

*hu wrote:*

> That is a strange network setup, but the SNAT rule seems like the simplest workaround. The inability to get responses without SNAT makes sense, because the server sends the traffic to its default gateway, and G1 has no way to route the traffic to you.

Yeah, I suppose it's the best solution (besides vpn, which also works (I've tested it) but is slow and cumbersome). For me it's more important to be able to connect from C2 to computers in the private network than vice versa, so I'll add the rule.

Thanks to all.

(P.S.: That network setup is due to our department migrating from a network with public addresses to a private one. For a while we had enough public IPs. Now, not so much. I want to have my computer in the public network, but most of our servers have moved.)
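A way to see the paths the thread is arguing about, as an added example that is not part of any post: a small Python tracer of the topology from the first post (C2, R, the server, G1, G2) with longest-prefix routing, R's POSTROUTING SNAT rules, and a minimal conntrack so that reply packets of a flow R already saw are un-translated instead of hitting the NAT rules again. The server address 10.0.0.50, the 3.3.3.x and 4.4.4.x addresses beyond G1 and G2, and the single "Internet" hop are constructed; G1 is modelled as a plain forwarder, because the thread does not settle whether it translates. The sessions in `main` reproduce the reasoning of the first and last posts: the symmetric path when the server's gateway is R, the reply that bypasses R when the gateway is G1, the eth1 SNAT rule pulling the reply back through R, and, in the other direction, that same rule rewriting C2's reply so the server sees it coming from 10.0.0.40 instead of 2.2.2.20.

```python
"""Toy packet tracer for the two-network layout in the thread: longest-prefix
routing, a POSTROUTING SNAT per outgoing interface and a minimal conntrack
(replies of a flow a host already saw are un-translated and skip the NAT
rules).  Constructed model: the server address 10.0.0.50, the 3.3.3.x/4.4.4.x
addresses beyond G1 and G2 and the single 'Internet' hop are assumptions."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str              # destination network, CIDR
    dev: str                 # outgoing interface
    via: str | None = None   # next-hop address; None = destination is on-link


@dataclass
class Host:
    name: str
    addrs: dict[str, str]                                   # interface -> address
    routes: list[Route]
    snat: dict[str, str] = field(default_factory=dict)      # out-dev -> source after SNAT
    conntrack: dict[tuple[str, str], str] = field(default_factory=dict)  # (reply src, reply dst) -> original dst

    def owns(self, ip: str) -> bool:
        return ip in self.addrs.values()

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match; LookupError when no route fits (packet dropped)."""
        d = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if d in ipaddress.ip_network(r.prefix)]
        if not hits:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)

    def handle(self, src: str, dst: str):
        """Push one packet through this host: conntrack, routing, SNAT.
        Returns (src, dst, next_hop); next_hop is None for local delivery."""
        if (src, dst) in self.conntrack:          # reply of a known flow: undo the SNAT, skip NAT rules
            dst = self.conntrack[(src, dst)]
            return (src, dst, None) if self.owns(dst) else (src, dst, self.lookup(dst).via or dst)
        if self.owns(dst):
            return src, dst, None
        route = self.lookup(dst)
        new_src = self.snat.get(route.dev, src)   # NAT rules are consulted for the first packet of a flow only
        self.conntrack[(dst, new_src)] = src      # the reply will arrive as (dst -> new_src)
        return new_src, dst, route.via or dst


def build(server_gw: str, snat_private: bool) -> dict[str, Host]:
    """The thread's topology.  server_gw is the server's default gateway (10.0.0.40 = R,
    10.0.0.1 = G1); snat_private adds the '-o eth1 -j SNAT --to-source 10.0.0.40' rule on R."""
    r_snat = {"eth0": "2.2.2.40"}                 # the rule from the first post
    if snat_private:
        r_snat["eth1"] = "10.0.0.40"
    hosts = [
        Host("C2", {"eth0": "2.2.2.20"}, [Route("2.2.2.0/24", "eth0"),
             Route("10.0.0.0/24", "eth0", "2.2.2.40"), Route("0.0.0.0/0", "eth0", "2.2.2.1")]),
        Host("R", {"eth0": "2.2.2.40", "eth1": "10.0.0.40"}, [Route("2.2.2.0/24", "eth0"),
             Route("10.0.0.0/24", "eth1"), Route("0.0.0.0/0", "eth0", "2.2.2.1")], r_snat),
        Host("Server", {"eth0": "10.0.0.50"},     # constructed server address
             [Route("10.0.0.0/24", "eth0"), Route("0.0.0.0/0", "eth0", server_gw)]),
        Host("G1", {"lan": "10.0.0.1", "wan": "3.3.3.1"},
             [Route("10.0.0.0/24", "lan"), Route("0.0.0.0/0", "wan", "3.3.3.254")]),
        Host("G2", {"lan": "2.2.2.1", "wan": "4.4.4.1"},
             [Route("2.2.2.0/24", "lan"), Route("0.0.0.0/0", "wan", "4.4.4.254")]),
        Host("Internet", {"a": "3.3.3.254", "b": "4.4.4.254"}, [Route("3.3.3.0/24", "a"),
             Route("4.4.4.0/24", "b"), Route("2.2.2.0/24", "b", "4.4.4.1")]),  # no route to 10.0.0.0/24
    ]
    return {h.name: h for h in hosts}


def trace(net: dict[str, Host], start: str, src: str, dst: str, max_hops: int = 8):
    """Hop-by-hop path of one packet; returns (hosts visited, src, dst as delivered)."""
    host, hops = net[start], [start]
    for _ in range(max_hops):
        src, dst, nxt = host.handle(src, dst)
        if nxt is None:
            return hops, src, dst
        host = next((h for h in net.values() if h.owns(nxt)), None)
        if host is None:
            raise LookupError(f"{hops[-1]}: next hop {nxt} is unreachable")
        hops.append(host.name)
    raise LookupError("too many hops")


def session(net: dict[str, Host], initiator: str, responder: str) -> dict:
    """One request/reply exchange.  'consistent': the reply reaches the initiator from the
    address it contacted; 'symmetric': the reply retraces the request's path through R."""
    i_ip = next(iter(net[initiator].addrs.values()))
    r_ip = next(iter(net[responder].addrs.values()))
    fwd, seen_src, _ = trace(net, initiator, i_ip, r_ip)
    back, reply_src, reply_dst = trace(net, responder, r_ip, seen_src)
    return {"forward": fwd, "back": back, "peer_seen_by_responder": seen_src,
            "symmetric": back == fwd[::-1],
            "consistent": back[-1] == initiator and (reply_src, reply_dst) == (r_ip, i_ip)}


if __name__ == "__main__":
    for label, gw, snat, a, b in [("server gw = R", "10.0.0.40", False, "C2", "Server"),
                                   ("server gw = G1, no eth1 SNAT", "10.0.0.1", False, "C2", "Server"),
                                   ("server gw = G1, eth1 SNAT", "10.0.0.1", True, "C2", "Server"),
                                   ("Server -> C2, eth1 SNAT", "10.0.0.1", True, "Server", "C2"),
                                   ("Server -> C2, no eth1 SNAT", "10.0.0.1", False, "Server", "C2")]:
        print(label, session(build(gw, snat), a, b))
```

The conntrack here is keyed on addresses only, with no ports and no DNAT, which is enough to show the mechanism but not a stand-in for the kernel's tables. Two things the trace makes visible that are worth keeping in mind before adopting the eth1 SNAT workaround: every connection from C2 then reaches the servers with source 10.0.0.40, so their logs and any address-based access control see R rather than C2, and a server-initiated connection to C2 gets its reply rewritten on the way back, which is the breakage Fran describes in the last post.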

----------

