# Changing the order of route rules

## halfgaar

My ISP blocks all traffic between customers on the same subnet. This means I cannot connect to my neighbour, whereas connecting to other customers of the same ISP who are located farther away, and thus are part of another subnet, works fine.

They say I should add a route manually to circumvent this, like so:

```
route add -host <ip-of-friend> gw <ISP's-default-gateway-ip>
```

On a side note first: this technically doesn't change anything in how the traffic is routed. After all, it is sent to the same router. An answer to why this should work may be that when you run "route" on a computer directly connected to the internet (as the friend I'm trying to connect to has), it shows a route which prevents everything located on the same subnet from being sent to the default gateway. This is probably how they implemented their 'security'.

Anyway, I can't set up a route directly to the router of my ISP, because I have a home router in between, so there is no route to the ISP's router. Changing <ISP's-default-gateway-ip> to my home router's IP doesn't work, probably because the route which stops traffic to the local subnet exists in my home router's routing table as well.

So, what I need to do is set up a route to my ISP's router, bypassing my home router. I can set up a route to it like so

```
route add -host <ip-of-ISP-router> gw <my-router>
```

But then when I try to add the route to my friend:

```
route add -host <ip-of-friend> gw <ip-of-ISP-router>
```

it says the network is unreachable. It seems that it has no knowledge of how to get to the ISP's router because it adds the rule to the top.

So, is there a way to change the order of routing rules, so that the second rule I try to add knows about the first? "route" itself provides no such functionality.

----------

## NeddySeagoon

halfgaar,

Can you post your routing table and the IP (or subnet) to which you would like to connect

Do you have a single IP address or a subnet of your own ?

----------

## halfgaar

Firstly, I'd like to state I think I made an error in interpreting how the ISP implements this block. It seems that they simply do not allow communication within a subnet, but when you route it through a router, even though it routes back to the same subnet, it accepts it. That's why that route rule was needed, so that traffic is sent to the ISP's router, whether you're trying to communicate with a host in the same subnet or not.

My problem may also be more extensive than I thought. I think I'm going to need to be able to modify the routing table of my e-tech router for this, which of course is impossible. Whether this is really necessary, well, let's find out.

Anyway, my situation (embedding the image fails for some reason, hence the extra link):

http://members.home.nl/halfgaar/posts/200511/net.png

I didn't want to reveal the IP of my friend, so I wrote 1.1.1.1 for it.

At the top of his routing table, there is the route to connect to me. Ping for some reason already works, even though I haven't made any modifications here. They're really pings to me, since it doesn't work anymore when I pull out the cable.

What needs to be done is find a way to send packets meant for 1.1.1.1 (which falls in the same subnet as my router's WAN interface) to the ISP's router, 217.121.236.1, instead of sending them to the host directly. If that poses difficulties because the ISP router is in the same subnet, sending to the alternative one, 213.51.151.45, should also be an option.

The difficulty I see here (which I mentioned above) is that even if I can somehow manage to add a routing rule which lets me send packets to the router, packets always have to pass through my own router. When they do, the router sees the destination address and tries to send it directly to the intended host. My friend obviously doesn't have this limitation, since he has the luxury of a Linux router, in which he can modify routes.

Any ideas...?

----------

## NeddySeagoon

halfgaar,

First, your friend's rule to send to your IP is redundant, because it says exactly the same thing as his default route.

Further, ping needs traffic in both directions or you don't see any responses. You don't have any special route to your friend.

I'm fairly sure it's not a routing problem (or ping would fail), it's a firewall problem, with either you, your friend or your ISP, or even a combination of the three.

What traffic are you trying to send and on what port ?

Since you have NAT you will almost certainly need some port forwarding in both routers route tables.

----------

## halfgaar

First, let me begin by saying that it all worked perfectly, with all the port forwarding etc., until my friend got his new modem. Now we are both part of the DOCSIS cable platform of our ISP, and because we live close to each other, that puts us in the same subnet. And traffic within a subnet is not allowed, the ISP told me so themselves. Adding a route to send the data to the ISP's router instead of just sending it out in the subnet is their idea.

*Quote:*

> First, your friend's rule to send to your IP is redundant, because it says exactly the same thing as his default route.


No, it's not. My IP (217.121.237.58) is part of subnet 217.121.236.0/255.255.254.0. Mind the 254, it's a 23-bit subnet mask. Because we are both part of the same subnet, any traffic that I try to send is just sent out on the subnet, not first to any router or anything, because normally it doesn't need to be routed. But because the ISP doesn't allow traffic from one host to the other within a subnet, you have to force it to go to the router first. That's what the first rule does.

*Quote:*

> Further, ping needs traffic in both directions or you don't see any responses. You don't have any special route to your friend.


I know. Without the first rule in his route table, ping doesn't work. I don't understand why it does work with the route, since (as you pointed out) I don't have anything specified to send data to him. It probably has to do with how the ISP implemented the block, I think they made a small mistake there.

*Quote:*

> I'm fairly sure it's not a routing problem (or ping would fail), it's a firewall problem, with either you, your friend or your ISP, or even a combination of the three.


I'm pretty sure that it's not, since it all worked before, and since the ISP stated themselves the problem is inner-subnet-communication.

*Quote:*

> What traffic are you trying to send and on what port ?
> 
> Since you have NAT you will almost certainly need some port forwarding in both routers route tables.


That's not really important. I know what I'm doing, and, as I said, it all worked until my friend got his new modem.

So, with that said, how can I force data to go to the ISP's router without my own router thinking "hey, packet for local subnet, let's just unicast it on my subnet"?

----------

## NeddySeagoon

halfgaar,

I hear what you say but you will need to get to tier 1 support before you get to speak to anyone at your ISP who knows anything about routing, so I remain skeptical. However, there is a fairly simple test. If subnet traffic is supposed to be denied, your WAN netmask may as well be 255.255.255.255. That will force all WAN traffic to go via the ISP's router.

It's probably enough to change both of your public netmasks so that you appear to be on different subnets.

The default route will then route traffic properly.

----------

## halfgaar

*Quote:*

> I hear what you say but you will need to get to tier 1 support before you get to speak to anyone at your ISP who knows anything about routing, so I remain skeptical.


Tier 1? Do you simply mean someone at support who knows more than how to reboot a computer, or actually a tier1 internet provider? The latter doesn't make much sense to me, because the part of the internet I'm dealing with here, is under my ISP's control. The tier1 networks are unrelated. In fact, as soon as a tier1 network is involved, no problem exists at all, because then I wouldn't be affected by the block my ISP causes.

*Quote:*

> However, there is a fairly simple test. If subnet traffic is supposed to be denied, your WAN netmask may as well be 255.255.255.255. That will force all WAN traffic to go via the ISP's router.
> 
> It's probably enough to change both of your public netmasks so that you appear to be on different subnets.
> 
> The default route will then route traffic properly.


I'll try, but this of course means overriding the home router's DHCP-obtained setup. For testing it's OK, but I can't permanently keep it on manual, because my ISP won't like that.

I'll report back when I have test-results.

----------

## halfgaar

OK, done with testing. I first tried to ping and ssh again; nothing worked. Setting everything manually, and setting the public netmask of my router to 32 bits, causes the connection to work. Ping and ssh worked perfectly. Setting the router back to DHCP caused the connection to cease working.

So, back to square one. How to circumvent my router's routing table...? I can't override the netmask setting; it's either all manual or all automatic.

----------
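The "network is unreachable" error in the first post and the 32-bit netmask test just above both come down to two rules of the Linux routing table: on lookup the kernel picks the most specific matching prefix regardless of the order in which routes were added, and when a route is added its gateway must already be covered by a directly connected route (one with no gateway of its own); the kernel does not resolve one gateway through another. The following Python model is an added example from the editor, not code from anyone in this thread, and reproduces both rules on the addresses the thread gives. The friend's address 217.121.236.200 (standing in for the 1.1.1.1 placeholder), the home LAN 192.168.1.0/24 and the home router 192.168.1.1 are constructed assumptions.

```python
import ipaddress


class RouteError(Exception):
    """Raised where the kernel would report 'Network is unreachable'."""


class RoutingTable:
    """Toy model of the Linux routing table (added example, not kernel code):
    longest-prefix match on lookup, and a gateway is accepted only if it lies
    in a directly connected (gateway-less) route that already exists."""

    def __init__(self):
        self.routes = []  # entries of (network, gateway-or-None, device)

    def on_link(self, addr):
        """True if a directly connected route (no gateway) covers addr."""
        return any(gw is None and addr in net for net, gw, _dev in self.routes)

    def add(self, prefix, dev, via=None):
        net = ipaddress.ip_network(prefix, strict=False)
        gw = None
        if via is not None:
            gw = ipaddress.ip_address(via)
            if not self.on_link(gw):
                # The kernel does not chain one gateway through another.
                raise RouteError(f"{prefix} via {via}: Network is unreachable")
        self.routes.append((net, gw, dev))

    def lookup(self, dst):
        """Return (next_hop, device): the most specific prefix wins, whatever
        the insertion order; a gateway-less route delivers to dst directly."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            raise RouteError(f"{dst}: Network is unreachable")
        net, gw, dev = max(matches, key=lambda r: r[0].prefixlen)
        return (str(gw) if gw is not None else str(addr)), dev


# Values from the thread: the ISP's /23, its gateway, halfgaar's WAN address.
ISP_SUBNET = "217.121.236.0/23"
ISP_GW = "217.121.236.1"
MY_WAN_IP = "217.121.237.58"
# Constructed placeholders (not from the thread): the friend's address inside
# the same /23, and a typical home LAN behind the home router.
FRIEND = "217.121.236.200"
HOME_LAN = "192.168.1.0/24"
HOME_GW = "192.168.1.1"


def next_hop_plain_dhcp():
    """DHCP setup on the WAN side: the friend is on-link, so the packet is
    unicast straight onto the subnet, the path the ISP blocks."""
    t = RoutingTable()
    t.add(ISP_SUBNET, "eth0")
    t.add("0.0.0.0/0", "eth0", via=ISP_GW)
    return t.lookup(FRIEND)


def next_hop_with_host_route():
    """The ISP's suggested fix: a /32 host route for the friend via the ISP
    gateway. It is accepted because the gateway is on-link through the /23,
    and it wins over the /23 by prefix length, not by position."""
    t = RoutingTable()
    t.add(ISP_SUBNET, "eth0")
    t.add("0.0.0.0/0", "eth0", via=ISP_GW)
    t.add(FRIEND + "/32", "eth0", via=ISP_GW)  # added last, still preferred
    return t.lookup(FRIEND)


def host_route_behind_home_router_fails():
    """halfgaar's sequence from behind the home router: a route to the ISP
    gateway via the home router is accepted, but a route via the ISP gateway
    is then rejected, since that gateway is only reachable through another
    gateway. Returns True when the model reproduces the error."""
    t = RoutingTable()
    t.add(HOME_LAN, "eth0")
    t.add("0.0.0.0/0", "eth0", via=HOME_GW)
    t.add(ISP_GW + "/32", "eth0", via=HOME_GW)
    try:
        t.add(FRIEND + "/32", "eth0", via=ISP_GW)
    except RouteError:
        return True
    return False


def next_hop_with_32_netmask():
    """NeddySeagoon's test: a /32 WAN netmask leaves nothing on-link except
    the interface address itself, so the gateway needs its own directly
    connected host route; after that every WAN destination goes via the ISP
    router, the friend included."""
    t = RoutingTable()
    t.add(MY_WAN_IP + "/32", "wan")
    t.add(ISP_GW + "/32", "wan")           # on-link host route for the gateway
    t.add("0.0.0.0/0", "wan", via=ISP_GW)
    return t.lookup(FRIEND)
```

The model only covers the table on one host, which is also the limit halfgaar runs into: with the fix in place on the PC, the packet still arrives at the home router, whose own /23 route sends it straight onto the subnet. Fixing that needs a host route, or the 32-bit netmask, on the home router itself.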

## NeddySeagoon

halfgaar,

Tier 1 is someone in your ISP's support who understands what's going on and is allowed to think, not someone reading a script or a fault tree.

I agree it's as you say, traffic on the same subnet is blocked, which is just silly. There is no point in having a local subnet at all.

As you say, you will upset your ISP with a static setup if they expect you to be using DHCP, well, if you use an IP address that's already allocated anyway.

Dirty hack of the day.

Your ISP must operate nameservers at static IPs. What happens if you try to use one of them as a gateway, as long as it's not on your subnet? Will they give you another gateway you can use?

----------

## halfgaar

Using a nameserver as gateway? You're assuming that they have router and nameserver in one host? According to the IPs they're separate machines. But I do have another router I discovered with traceroute. It's the alternative one in the image I posted. The point is, how to get traffic to it? My own e-tech router will route packets to its own subnet when it sees the destination as being on its own subnet, no matter what the routing table on my PC looks like.

I think I must try to convince my ISP to give each customer on their network a 32-bit netmask. It will allow them to block services like SMB and SMTP between hosts on the same subnet as well as the entire internet, without completely blocking traffic within a subnet. That's why I think they implemented this block in the first place. Their routers block things like SMTP, but to avoid hosts on the same subnet being able to communicate with each other, which is beyond the control of the routers, they simply block all traffic...

----------

## NeddySeagoon

halfgaar,

I hope you have a sympathetic ISP.

----------

## halfgaar

There's only one Dutch ISP which is considered sympathetic, and it isn't mine...

Time to read the end user license agreement and see if anything covers it. If not, I can demand it.

----------

