Using default Gateway for same subnet!!!

Dark

Senior member
Oct 24, 1999
Hi, I was wondering if it's possible to use the default gateway to communicate with IPs in the same subnet? IPs in the same subnet shouldn't be able to communicate directly. (Forget proxy ARP, it's no use for me.) My first idea was to add a static route to the routing table (using win2k) but it doesn't seem to work. Any ideas?

spidey07

No Lifer
Aug 4, 2000
I can't see any reason why you would want to. The purpose of a local network is for machines to NOT have to use their router.

You could set the mask on the PCs to 255.255.255.255, making them a one-node network; then they would use the default gateway. Problem is the router (gateway) will send an ICMP redirect to the host telling it to go directly to the other host and not bother the router.

You could also turn off ICMP redirects on the router.

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
If you are attempting to communicate to a completely different physical network, but it has the same IP address block that your network is using, the only way to get the two to talk through a router would be "Network Address Translation" (NAT).

With either or both networks NAT'd (to different network numbers) the router would be able to route from one network to the other.

Example: (Network 192.168.1.0) ---> (transit network/ one or more routers) ------> (another 192.168.1.0 network) won't work

(Network 192.168.1.0 >>>NAT to some valid IP address)----> (transit network / one or more routers) -----> (another 192.168.1.0 network) will work

Toss in some additional details if we're missing something here......

Good Luck

Scott

Dark

Why? Security reasons. The default gateway is a firewall that does stateful filtering. The hosts, even if in the same subnet, are isolated using private VLANs, so the only way for them to communicate would be through the firewall.
Does this information change the equation? I dunno if the firewall can use ICMP redirects... does it depend on the OS?

Dark

Spidey: using 255.255.255.255 would not work for me because hosts in the same community (private VLAN) should be able to communicate without going through the gateway.

spidey07

One way to get around this is to use a single /30 subnet for each host on routed, private VLAN hosts.

Dark

So the route trick would not work? I haven't had time to test that...

Spidey: I don't get that. Can you elaborate? Do I have a limitation on the number of hosts per PVLAN? I would appreciate an example with, say, 192.168.0.0 and two PVLANs.

Santa

Golden Member
Oct 11, 1999
I think what Spidey is getting at is that by making them their own separate /30 block you are forcing them through the router to get to a different host, because it is beyond its own wire, so it must go through a router to get to the next subnet.

/30 would mean there are 4 IPs (2 usable, 1 broadcast and 1 network) in the subnet and everything else is some other subnet.

Gets quite hairy with VLANs with this type of Subnetting but in theory it works.
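To put numbers on the /30-per-host idea Spidey and Santa describe, here is an added example (Python, not code posted in the thread) that carves the 192.168.0.0/24 block Dark asked about into per-host or per-community blocks and reports what that costs. Everything beyond the /24 itself is an assumption made for illustration: the gateway takes the first usable address of each block, the hosts fill the rest, and one gateway address is needed per block (a firewall interface, sub-interface or L3 switch SVI).

```python
"""Per-host / per-community subnetting for the /30 scheme discussed above.

Added example, not code from the thread. 192.168.0.0/24 is the block Dark
asked about; the gateway taking the first usable address of each block and
the hosts filling the rest are assumptions made for illustration.
"""
import ipaddress


def prefix_for(hosts):
    """Smallest prefix length whose block holds `hosts` hosts plus one gateway
    address, plus the network and broadcast addresses every block burns."""
    needed = hosts + 1 + 2
    size, prefixlen = 4, 30          # start at /30: 4 addresses, 2 usable
    while size < needed:
        size, prefixlen = size * 2, prefixlen - 1
    return prefixlen


def carve(base, hosts_per_block):
    """Split `base` into equal blocks sized for hosts_per_block hosts each.
    Every block gets its own gateway address, which is where the scheme
    stops scaling: one block, one gateway interface/address."""
    plen = prefix_for(hosts_per_block)
    blocks = []
    for net in ipaddress.ip_network(base).subnets(new_prefix=plen):
        usable = list(net.hosts())
        blocks.append({
            "network": net,
            "gateway": usable[0],                     # assumed: first usable
            "hosts": usable[1:1 + hosts_per_block],
        })
    return blocks


def host_configs(blocks):
    """(ip, prefixlen, gateway) for every host: what you would type on each box."""
    return [(str(h), b["network"].prefixlen, str(b["gateway"]))
            for b in blocks for h in b["hosts"]]


def crosses_gateway(blocks, src, dst):
    """True if src's connected route does not cover dst, i.e. the next hop
    is the block gateway rather than the destination itself."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    net = next((b["network"] for b in blocks if src in b["network"]), None)
    if net is None:
        raise ValueError(f"{src} is not in any carved block")
    return dst not in net


def plan(base="192.168.0.0/24", hosts_per_block=1):
    """Summary of what the carve costs in gateway addresses and lost space."""
    blocks = carve(base, hosts_per_block)
    total = ipaddress.ip_network(base).num_addresses
    return {
        "prefixlen": blocks[0]["network"].prefixlen,
        "blocks": len(blocks),
        "gateway_addresses": len(blocks),
        "host_capacity": len(blocks) * hosts_per_block,
        "overhead": total - len(blocks) * hosts_per_block,
    }


if __name__ == "__main__":
    for n in (1, 5):
        print(n, "host(s) per block:", plan(hosts_per_block=n))
    b1 = carve("192.168.0.0/24", 1)
    for cfg in host_configs(b1)[:3]:
        print(cfg)
    # Two hosts in different /30s: the packet must go to the gateway.
    print(crosses_gateway(b1, "192.168.0.2", "192.168.0.6"))
```

With one host per block the /24 yields 64 /30s, so 64 gateway addresses and 192 addresses spent on network, broadcast and gateway overhead; with 5 hosts per community the smallest block is a /29, giving 32 communities and 32 gateway addresses, and two hosts in the same /29 never touch the gateway.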

Dark

Santa: That would assume that I have only one host per PVLAN, which is not the case. I may have up to 5-6 hosts per PVLAN that should not use the gateway to "inter" communicate. Besides, that would assume multiple IPs for the gateway...

ScottMac

What kind of equipment are you going to try to do this with? Commercial stuff (i.e., Cisco, Nortel, 3COM...) or SOHO stuff.

Bad question I guess: IF you want to do this, you'll "fer sher" need commercial-grade equipment. The question is: Whose?

You might be able to swing it with BVI interfaces and ACLs on Cisco routers, which can do most of the firewalling for you as well. You'd probably do better with an L3 switch (and ACLs).

A couple grand minimum and yer all set to go.

JM.02

Scott

sml

Member
Dec 26, 2001
Sorry to interject so late in the game, but the reasoning for this 'security' seems illogical to me. If this is a flat logical network we're talking about, and you're trying to have EVERY system relay through a gateway to talk to another system on the same network, you're talking about a major performance issue. If your security concerns lie in traffic traveling between two systems, security best practice dictates that you should solve this at the host level rather than forcing the network to deal with it; no matter how you slice it, your network security comes down to 'who can I trust?' If you can't trust systems on your local network, it's time to harden your host security, set up some static ARP entries on your switch, span the VLANs you have in question and keep close tabs on them with a sniffer to watch what's going on; your router/firewall will thank you for it, especially if it's a device that's prone to start dropping packets with intensive ACLs a la CBAC or even extended ACLs *cough26XXcough* :)

Dark

sml: actually it's not "every system" that would need to go through the gateway/firewall. Inter-community communication would go through the gateway/firewall; otherwise hosts in the same community can communicate at layer 2 as usual. Inter-community traffic is not heavy at all, so the performance impact is very minimal. All the host hardening, static ARP, host IDS is already there...


Dark

ScottMac: I proposed a 2950 with Enhanced Image that can do ASIC ACLs but it was refused because the security team wants stateful firewalling between internal hosts instead of the basic packet filtering that the ACLs would offer. In order to use the Private VLAN feature we would have to go with some Catalyst 4000s... The firewall would be a FW-1.

spidey07

Stateful filtering on every host???!!!

They'd better pony up for all the firewall interfaces then. That is not a realistic security requirement, they've been reading too many trade rags.

Dark

Spidey: I should have written stateful firewalling for each communication between hosts. You mean that with this scenario, there is no other alternative than using VLAN and multiple interfaces in the firewall?

spidey07

I'm thinking dark,

I'll think out loud for a sec. To get stateful inspection you need to go through a firewall. To go through a firewall you'll need to be on separate networks.

Yeah, sounds like you need a firewall interface for every host.

Dark

NOOOO!!!! :) That's basically what I wanted to avoid because it is not scalable. For each new VLAN we would need a new interface. A 16-NIC Sun server costs up to 50K US... and we will need to change it for that 17th VLAN.
Hmmm it seems I am screwed if I don't convince them to lower their security expectations.

Dark

I wanted to correct something I posted in the first thread. Maybe proxy ARP is not such a bad idea. The FW-1 would answer the ARP broadcast, then would process the IP packet and reroute it to the correct host.
I am thinking out loud: disable ARP on the hosts, add a static ARP entry for every host on the network (just a few anyway); all entries would be the MAC address of the gateway... so we would avoid the use of proxy ARP... just another option.

spidey07

Sounds VERY messy. Any chance you can use some kind of host-based firewall with appropriate logging on each host? Combine this with a /30 on each host going through a layer 3 switch before the firewall interfaces and that is pretty damn solid. Almost too complicated as well.

You could also try giving the hosts a /32 mask and disable ICMP redirects under Check Point's security policy. Run some traces to see if it works as you wish. Combine this with private VLANs as well, meaning the only MAC a host can talk to would be the firewall, and yet the firewall MAC can transmit to all hosts.
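All the schemes tossed around in this thread (the /32 mask, ICMP redirects on or off, Dark's static ARP entries that all point at the firewall's MAC, private VLAN isolation, proxy ARP) come down to one question: which MAC address does the host put on the frame? The Python below is an added example, not code from the thread: a small model of a host doing a longest-prefix-match route lookup and then ARP, run once through each scheme for two consecutive packets. The addresses and MACs are constructed (192.168.1.0/24, gateway 192.168.1.1, a peer at .20), and the model assumes the gateway can always be resolved at layer 2 and that it sends one ICMP redirect whenever it forwards a packet back out the interface it arrived on.

```python
"""Next-hop simulation for the same-subnet-through-the-gateway schemes
discussed in this thread (/32 mask, ICMP redirects, static ARP entries for
the gateway MAC, private VLAN isolation, proxy ARP). Added example, not code
from the thread; addresses, MACs and the host model are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IP = ipaddress.ip_address
GW_IP = IP("192.168.1.1")                    # assumed firewall / default gateway
GW_MAC = "00:00:0c:aa:bb:01"                 # assumed gateway MAC
PEER_IP = IP("192.168.1.20")                 # assumed peer on the same /24
PEER_MAC = "00:50:56:00:00:20"
LAN = ipaddress.ip_network("192.168.1.0/24")  # the gateway's connected subnet


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]     # None = on-link, deliver directly


@dataclass
class Host:
    ip: ipaddress.IPv4Address
    prefixlen: int
    accept_redirects: bool = True
    static_arp: dict = field(default_factory=dict)   # ip -> mac, as with arp -s
    routes: list = field(default_factory=list)

    def __post_init__(self):
        # Connected route from the configured mask, then the default route.
        # Assumption: the gateway itself can always be resolved at layer 2.
        net = ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)
        self.routes.append(Route(net, None))
        self.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), GW_IP))

    def next_hop(self, dst):
        """Longest-prefix match: the address the host has to resolve with ARP."""
        best = max((r for r in self.routes if dst in r.prefix),
                   key=lambda r: r.prefix.prefixlen)
        return dst if best.via is None else best.via

    def resolve(self, hop, isolated, proxy_arp):
        """ARP step. A static entry answers first. Otherwise the broadcast
        reaches the peer unless private VLAN isolation hides it, in which
        case only the gateway can answer, and only if it does proxy ARP."""
        if hop in self.static_arp:
            return self.static_arp[hop]
        if hop == GW_IP:
            return GW_MAC
        if hop == PEER_IP and not isolated:
            return PEER_MAC
        if proxy_arp and hop in LAN:
            return GW_MAC
        return None   # ARP times out: unreachable at layer 2


def send_twice(host, dst, isolated=False, proxy_arp=False):
    """Destination MACs of two consecutive packets from host to dst.

    After a packet goes to the gateway for a destination on the gateway's
    own subnet, the gateway forwards it and sends an ICMP redirect; a host
    that accepts redirects installs a host route pointing at dst itself,
    so its next packet goes direct (or nowhere, if dst is PVLAN-isolated).
    """
    macs = []
    for _ in range(2):
        hop = host.next_hop(dst)
        macs.append(host.resolve(hop, isolated, proxy_arp))
        if hop == GW_IP and dst in LAN and host.accept_redirects:
            host.routes.append(Route(ipaddress.ip_network(f"{dst}/32"), dst))
    return macs


def scenarios():
    """Each scheme from the thread -> [MAC of packet 1, MAC of packet 2]."""
    h = IP("192.168.1.10")
    return {
        "plain /24": send_twice(Host(h, 24), PEER_IP),
        "/32 mask, redirects on": send_twice(Host(h, 32), PEER_IP),
        "/32 mask, redirects on, PVLAN isolated":
            send_twice(Host(h, 32), PEER_IP, isolated=True),
        "/32 mask, redirects off":
            send_twice(Host(h, 32, accept_redirects=False), PEER_IP),
        "/24 + static ARP to gateway MAC":
            send_twice(Host(h, 24, static_arp={PEER_IP: GW_MAC}), PEER_IP),
        "/24, PVLAN isolated, no proxy ARP":
            send_twice(Host(h, 24), PEER_IP, isolated=True),
        "/24, PVLAN isolated, proxy ARP":
            send_twice(Host(h, 24), PEER_IP, isolated=True, proxy_arp=True),
    }


if __name__ == "__main__":
    for name, macs in scenarios().items():
        print(f"{name:42s} -> {macs}")
```

Reading the output: a plain /24 host never touches the gateway; a /32 host with redirects accepted uses the gateway exactly once and then goes direct, and if the peer is PVLAN-isolated that second packet goes nowhere, which is why the redirect has to be switched off on the Check Point side; with redirects off, or with Dark's static ARP entries, every frame carries the gateway's MAC with the peer's IP as destination, so the firewall receives it, inspects it, and has to forward it back out the same interface.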