Two networks on one VLAN?

StarTrek4U

So my understanding is this should be possible, but maybe I'm wrong...

I have two separate public IP ranges from my ISP. The second one was just added. What I'm trying to do is get both address ranges forwarded to the single external interface on my firewall, which will then be set up to do the NAT, etc. for both ranges. Here's my setup (IP addresses are for illustration only):

First Public Range: 10.10.31.48 /28
Second Public Range: 10.10.31.160 /27

The devices are setup like this:

Internet --> ISP Router --> External Switch --> Firewalls --> Internal Network

The external switch is there to do some vlans for other external devices we have.

The initial public IP range is set up on VLAN 11 and everything works great. My ISP is sending both subnets to our switch. I added a secondary IP address to VLAN 11 to accept traffic from the second range. My firewall limits me to one IP on an external interface but will do additional NAT, so I set up a static route to forward the second public IP range to the external interface on my firewall (which has an address on the first IP range).

My problem is I can't get the switch to pass traffic from the second public IP range to the firewall. I can get as far as pinging the secondary IP address of the switch from an external source but when I try to ping a different address on that subnet that the firewall is supposed to NAT for, it doesn't go any farther.

Any ideas? Or does this make no sense at all...
 
I had a router (a hotbrick) that supported what it called "IP-Anywhere" - which let you put any range behind it - it would forward or NAT as appropriate.

Something in the routing is off perhaps - I don't have time to inspect right now, but you did right to put in the static route. I'm willing to bet the router is sending reply packets over to the first network for some reason.

Wireshark will tell you.
 
Can you summarize the new ranges at the router? Then you would only be sending one range into your switch for VLAN11.

Just a thought.
 
So your two address ranges are coming from your ISP, addresses in range B are statically routed to the firewall, but where to from there? Draw out little boxes for every device and trace things through by asking at every step:

What does this do when it receives this packet? Where is it coming from?
Where does it send it?
Does it know how to send it?

Does your ISP send things 802.1q tagged on VLAN 11 and you're preserving that? If not, I'd just throw both ranges into their own VLAN and then have static routing between them on the switch, but that's mostly because I haven't dealt with two subnets on a VLAN much and it just seems easier to split them up.
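The hop-by-hop walk suggested in this reply, done as an added example (editor's code, not anything posted in the thread). It models the thread's topology with the two illustrative ranges; the ISP router, switch and firewall addresses and their routing tables are assumptions, as is the route-selection rule used (longest prefix first, then lowest administrative distance, so a directly connected route beats a static route for the same prefix, which is how most switches behave). Run it with and without the secondary address on VLAN 11 and compare where each trace stops:

```python
"""Hop-by-hop trace of one packet through ISP router -> switch -> firewall.

Added example, not from the thread. The two public ranges are the thread's
illustrative ones; every device address and routing table below is assumed.
Route selection follows the usual rule: longest prefix wins, then the lowest
administrative distance (0 = directly connected, 1 = static)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network
RANGE_A = ipaddress.ip_network("10.10.31.48/28")   # first public range (thread)
RANGE_B = ipaddress.ip_network("10.10.31.160/27")  # second public range (thread)

ISP_IF = "10.10.31.49"   # assumed: ISP router interface on range A
SW_PRI = "10.10.31.51"   # assumed: switch VLAN 11 primary address (range A)
SW_SEC = "10.10.31.161"  # assumed: switch VLAN 11 secondary address (range B)
FW_EXT = "10.10.31.52"   # assumed: firewall external address (range A)


@dataclass
class Route:
    prefix: IPNet
    next_hop: Optional[str]  # None = directly connected segment
    distance: int            # administrative distance


@dataclass
class Device:
    name: str
    addresses: set                         # addresses the device itself owns
    routes: List[Route]
    nat_for: Optional[List[IPNet]] = None  # prefixes it accepts and NATs (firewall)

    def answers(self, dst) -> bool:
        return str(dst) in self.addresses or any(dst in p for p in (self.nat_for or []))

    def best_route(self, dst) -> Optional[Route]:
        cands = [r for r in self.routes if dst in r.prefix]
        if not cands:
            return None
        # longest prefix first, then lowest administrative distance
        return min(cands, key=lambda r: (-r.prefix.prefixlen, r.distance))


def build(switch_has_secondary: bool) -> List[Device]:
    """Topology from the thread: ISP sends both ranges to the switch; the switch
    has a static route for range B pointing at the firewall's range-A address."""
    isp = Device("ISP router", {ISP_IF},
                 [Route(RANGE_A, None, 0), Route(RANGE_B, SW_PRI, 1)])
    sw_addrs = {SW_PRI}
    sw_routes = [Route(RANGE_A, None, 0), Route(RANGE_B, FW_EXT, 1)]
    if switch_has_secondary:
        # a secondary address on VLAN 11 installs range B as a connected route
        sw_addrs.add(SW_SEC)
        sw_routes.append(Route(RANGE_B, None, 0))
    sw = Device("switch", sw_addrs, sw_routes)
    fw = Device("firewall", {FW_EXT}, [Route(RANGE_A, None, 0)], nat_for=[RANGE_B])
    return [isp, sw, fw]


def trace(devices: List[Device], dst: str, start: str = "ISP router"):
    """At each hop ask: does it answer for dst? which route matches? can the next
    hop be reached on the wire? Returns (device, event) steps; the last is the verdict."""
    dst_ip = ipaddress.ip_address(dst)
    by_addr = {a: d for d in devices for a in d.addresses}
    cur = next(d for d in devices if d.name == start)
    steps = []
    for _ in range(8):
        if cur.answers(dst_ip):
            steps.append((cur.name, "delivered"))
            return steps
        r = cur.best_route(dst_ip)
        if r is None:
            steps.append((cur.name, "no route"))
            return steps
        steps.append((cur.name, f"{r.prefix} via {r.next_hop or 'connected'}"))
        nh = r.next_hop or str(dst_ip)  # connected: ARP for the destination itself
        if nh not in by_addr:
            steps.append((cur.name, f"ARP for {nh} unanswered"))
            return steps
        cur = by_addr[nh]
    steps.append((cur.name, "hop limit"))
    return steps


def verdict(switch_has_secondary: bool, dst: str):
    """Final (device, event) of the trace for a packet entering at the ISP router."""
    return trace(build(switch_has_secondary), dst)[-1]


if __name__ == "__main__":
    for sec, dst in [(True, SW_SEC), (True, "10.10.31.170"), (False, "10.10.31.170")]:
        print(f"secondary on VLAN 11={sec} dst={dst}")
        for dev, ev in trace(build(sec), dst):
            print(f"  {dev}: {ev}")
```

With the secondary address present the model delivers pings to the switch's own range-B address but, for any other range-B host, the switch prefers its connected route over the static one and ARPs on VLAN 11 for a host that is not there; with the secondary address removed the static route carries the packet to the firewall. Whether a given switch really prefers connected over static that way is the thing to confirm on the actual box, which is exactly the per-hop question this reply asks.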
 
If your public ranges are close enough you could try fudging the range by supernetting, keeping in mind that you will not be able to access any hosts in the overlapping range.

For example if your external ranges are 10.10.31.48/28 (10.10.31.48-64) and 10.10.31.160/27 (10.10.31.160-168) you could make your external interface 10.10.31.48/25 (10.10.31.48-176). Just know that you effectively black-holed external hosts from 10.10.31.65-159, and .169-176 on your own network.

The best option if you can't replace hardware is to ask your ISP to assign you a single contiguous block of addresses to replace your 2 blocks.
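The supernet arithmetic from this reply, worked as an added example (editor's code, not from the thread), using Python's standard `ipaddress` module on the thread's two illustrative ranges. It computes, rather than estimates by hand, the smallest single prefix that covers both blocks, whether the pair can be summarized exactly (the router-side summary suggested earlier in the thread), and precisely which outside addresses a supernet on the external interface would black-hole:

```python
"""Supernet arithmetic for two public ranges on one external interface.

Added example, not from the thread. Inputs are the thread's illustrative
ranges; the functions work for any list of IPv4 prefixes."""
import ipaddress
from typing import List, Optional

IPNet = ipaddress.IPv4Network
THREAD_RANGES = ["10.10.31.48/28", "10.10.31.160/27"]  # from the thread


def smallest_supernet(prefixes: List[str]) -> IPNet:
    """Smallest single CIDR prefix containing every address of every input block."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # start from the smallest input block size anchored at the lowest address,
    # then widen one bit at a time until the highest address falls inside
    cand = ipaddress.ip_network(f"{first}/{max(n.prefixlen for n in nets)}", strict=False)
    while last not in cand:
        cand = cand.supernet()
    return cand


def exact_summary(prefixes: List[str]) -> Optional[IPNet]:
    """The one prefix the blocks collapse into with no extra addresses, else None
    (i.e. the ISP/router could not summarize them without taking in strangers)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    collapsed = list(ipaddress.collapse_addresses(nets))
    return collapsed[0] if len(collapsed) == 1 else None


def swallowed(prefixes: List[str]) -> List[IPNet]:
    """Blocks inside the smallest supernet that belong to neither input range.
    Hosts there would be unreachable from behind a supernetted interface."""
    owned = [ipaddress.ip_network(p) for p in prefixes]
    leftover = [smallest_supernet(prefixes)]
    for net in owned:
        nxt = []
        for block in leftover:
            if net.subnet_of(block):
                nxt.extend(block.address_exclude(net))  # carve the owned block out
            elif not block.subnet_of(net):
                nxt.append(block)                        # untouched by this block
        leftover = nxt
    return list(ipaddress.collapse_addresses(leftover))


def swallowed_count(prefixes: List[str]) -> int:
    """Number of outside addresses a supernet on the interface would black-hole."""
    return sum(n.num_addresses for n in swallowed(prefixes))


def as_ranges(nets: List[IPNet]) -> List[str]:
    """first-last notation, the way the thread writes ranges."""
    return [f"{n.network_address}-{n.broadcast_address}" for n in nets]


if __name__ == "__main__":
    print("smallest covering prefix:", smallest_supernet(THREAD_RANGES))
    print("exact summary possible:", exact_summary(THREAD_RANGES))
    print("black-holed ranges:", as_ranges(swallowed(THREAD_RANGES)))
    print("black-holed address count:", swallowed_count(THREAD_RANGES))
    # a pair that does summarize cleanly, for contrast (constructed input)
    print("adjacent /27s summarize to:", exact_summary(["10.10.31.64/27", "10.10.31.96/27"]))
```

For the thread's two blocks the smallest covering prefix is the whole /24, which swallows 208 addresses that are not yours, so the "fudge it with a supernet" option costs far more reachability here than it first looks; `exact_summary` returning `None` is also the quick test for whether asking the ISP to summarize at their router is even possible with the blocks as assigned.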
 