# routing - firewall different subnet

## nove

Hi,

I've got a problem. My router/firewall is on a different subnet than the clients!

Subnets:

1. 132.147.150.xxx
2. 132.147.151.xxx
3. 132.147.160.xxx

Subnet mask 255.255.0.0

(Don't blame me for the address ranges of that network; that was the crime of my forerunner.)

The router:

192.168.0.254, subnet mask 255.255.255.0

The firewall:

eth0 = 132.147.151.254, subnet mask 255.255.0.0

eth1 = 132.147.151.3, subnet mask 255.255.0.0

My firewall script is as simple as it could be:

```
#!/bin/bash

IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='eth0'
INTIF1='eth1'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains (the nat table has to be flushed separately,
# otherwise every run of the script appends another MASQUERADE rule)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
# (no $INTIF2 is defined in this script, so there is no rule for it)

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
```

My /etc/conf.d/net:

```
config_eth0=( "132.147.151.254 netmask 255.255.0.0" )
routes_eth0=( "default gw 192.168.0.254" )
config_eth1=( "132.147.151.3 netmask 255.255.0.0" )
```

Is there an easy way to route from one subnet to the other?

----------

## tuxmin

You cannot have a router that has no IP on your subnet.

Besides, what kind of router would that be with only one IP address!?

Could you please give more details on your setup -- I don't get it...

Alex!!!

----------

## nove

It's a simple hardware router with one IP address.

----------

## tuxmin

So I assume you simply don't know what a router does, do you?

A router transmits packets between subnets. So by definition it must have at least two interfaces with two IP addresses, one in each subnet. In your special case I see you have two subnets:

1. 132.147.0.0/16 (your LAN, I assume). The gateway address is not in this net, so no routing is possible!

2. 192.168.0.0/24 (the LAN subnet of your router). Let's assume further it has some public IP on the outbound interface.

Again, I have no idea how your FW and router are connected. But judging from what you posted it's a total mess.

Please elaborate.

Alex!!!

----------

## misc

And why have you got eth0 and eth1 in the same subnet? Doesn't make sense...

You say you have three subnets with a /16 -- they're all on the same subnet as each other. If it was a /24 then that sounds more like it.

----------

## lesourbe

That seems unclear ...

So let's state that a subnet mask like 128.0.0.0 on every piece of hardware should do the job.

Well, I DO NOT recommend it ...

---

The net address of your LAN is 132.147.X.X --- the 3 LANs are on the SAME network, unless you change their subnet mask to /24 (255.255.255.0).

There MUST be a piece of hardware on the same network as your LAN(s) for routing's sake.

nove, you should try to draw us a map of your network ... with the NICs and their addresses.

----------

## nove

No, there isn't any other piece of hardware in this network. The router is normally on the address of the firewall. And normally (but please don't tell anyone) there isn't a firewall. My plan is to migrate all of the clients to the 192.168.xxx.xxx network (a private one, not the one of SCO). But for some reasons I can't do that at once, so I have to decide where to begin. Therefore I want to start with the firewall and the router. The router I want to change from 132.147.151.3 to 192.168.0.254; the firewall has two interfaces, eth0 with the IP 192.168.0.253 and eth1 with the IP 132.147.151.3.

The rest of the network is like the description above.

The problem is that the internal routing in the firewall from eth1 to eth0 and vice versa does not work.

If I put one client (192.168.0.1, gateway 192.168.0.254), the firewall (eth0=192.168.0.2, eth1=192.168.0.254) and the router (as default gateway in the firewall, on 192.168.0.15) in one subnet, it works fine, because they are all in the same network.

But I want the firewall to translate from one net to the other.

----------

## lesourbe

Well, I am puzzled ... sorry ...

Would you mind drawing a map of your network?

----------

## nove

http://www.novellogic.de/network.png

----------

## lesourbe

Cheers!

Well, the question was:

*nove wrote:*

> is there an easy way to route from one subnet to the other?

You won't have to route between your LAN subnets because they are all in the same network.

But I suspect what you really want to know is:

If you want to migrate your LAN from 132.147.X.X to 192.168.X.X, not at the same time...

I bet you'll have to add a NIC to your firewall... there's no way for you to end without a router with 3 NICs (well, unless it becomes complicated :Smile: )

----------

## tuxmin

You have to NAT all outbound traffic from 132.147.0.0/16 to eth0 on your Firewall. Apparently your Router only NATs addresses from 192.168.0.0/16.

What happens is that your packets from 132.147.0.0/16 pass your router but the replies get routed to the real net which is owned by SCO according to whois! Hence any connection fails...

OK, I guess SCO doesn't have much sympathy in the Linux community but you better switch to public addresses as soon as possible, as no real IP within this range is reachable from your LAN.

Alex!!!

----------
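To make the reply-routing argument above concrete, here is a small model of the thread's topology (added here as an illustration; it is not code from any poster). It follows one outbound packet from a client in 132.147.0.0/16 through the firewall's eth0 and the router, then asks where the Internet sends the reply. The client address, the router's public address 203.0.113.1 and the Internet routing table are constructed placeholders; the only real parts are the 132.147.0.0/16 block belonging to a third party and the firewall's eth0 address 192.168.0.253 from the thread.

```python
# Constructed model of the thread's topology; not a packet capture.
# Client 132.147.150.10 sits behind the firewall's eth1 (132.147.151.3/16);
# the firewall's eth0 (192.168.0.253) faces the router (192.168.0.254/24),
# which NATs its own LAN to a public address (203.0.113.1, a placeholder).
# 132.147.0.0/16 is a public block registered to a third party.
import ipaddress

CLIENT_NET = ipaddress.ip_network("132.147.0.0/16")
FIREWALL_ETH0 = ipaddress.ip_address("192.168.0.253")
ROUTER_LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER_PUBLIC = ipaddress.ip_address("203.0.113.1")  # placeholder public IP

# What the wider Internet knows about each prefix (constructed).
INTERNET_ROUTES = [
    (ipaddress.ip_network("132.147.0.0/16"), "third-party owner of the block"),
    (ipaddress.ip_network("203.0.113.0/24"), "our router"),
    (ipaddress.ip_network("0.0.0.0/0"), "elsewhere"),
]

def longest_prefix_match(routes, dst):
    """Return the egress for dst: the most specific matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, egress) for net, egress in routes if dst in net]
    return max(matches)[1]

def firewall_postrouting(src, masquerade_clients):
    """Firewall's POSTROUTING on eth0. With masquerade_clients=True this is the
    effect of: iptables -t nat -A POSTROUTING -s 132.147.0.0/16 -o eth0 -j MASQUERADE"""
    src = ipaddress.ip_address(src)
    if masquerade_clients and src in CLIENT_NET:
        return FIREWALL_ETH0
    return src

def router_postrouting(src):
    """The router NATs only its own LAN subnet; anything else passes untranslated."""
    return ROUTER_PUBLIC if src in ROUTER_LAN else src

def reply_destination(client_src, masquerade_clients):
    """Follow an outbound packet to the Internet and report where a reply
    addressed to its (possibly translated) source would be routed."""
    on_wire = router_postrouting(firewall_postrouting(client_src, masquerade_clients))
    return longest_prefix_match(INTERNET_ROUTES, on_wire)

if __name__ == "__main__":
    for nat in (False, True):
        print(f"firewall masquerades clients={nat}: replies go to "
              f"{reply_destination('132.147.150.10', nat)}")
```

Without the firewall masquerading the 132.147.0.0/16 clients, the reply is routed to the real owner of that block and never comes back; with it, the reply lands on the router's public address and can be de-NATed hop by hop.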

