August 7th, 2005 10:23 AM
bad network configuration
I have here a problem of a bad network configuration.
I have 3 different networks
My problem is, if someone from 192.168.0.x tries to communicate with 192.168.1.x or even 192.168.2.x, he can't, unless he adds a route in command line, such as route add <ip> <mask> <ip>
This is for all the networks that need to communicate with each other. How can I solve this?
I have a firewall, that is also my gateway.
August 7th, 2005 01:30 PM
OK, you've got me stumped.
I haven't the foggiest idea. So I will ask some questions.
Who set up these subnets? ( oh, sorry, networks )
You want all the hosts on the subnets to be able talk to all other hosts on all other subnets with no restrictions?
What is the netmask? Why was it chosen?
If a host can communicate directly with another just by adding it to its own routing table, I'm guessing there are no gateways set up for the subnets. Is this by design?
How are the hosts administered, how many are you talking about, and ( to bring this thread into an area where it might fit in a security forum ) do you actually allow users to manipulate the routing tables?
Maybe someone with more networking experience than me can answer your question, but I would start by answering these questions.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
August 7th, 2005 09:01 PM
It sounds to me like you've most likely got all three subnets plugged directly into a switch; this would explain the inability to communicate.
IKnowNot has asked some good questions and the answers to them would be beneficial to answer this.
If you could provide a diagram of your network layout (Visio would be awesome, but text will work) and as well the output of route print at the command line.
It will look similar to this.
Do it without the route added and then give us the exact command that you use to add the route.
D:\Program Files\Support Tools>route print
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 c0 00 08 ...... VMware Virtual Ethernet Adapter for VMnet8
0x3 ...00 50 56 c0 00 01 ...... VMware Virtual Ethernet Adapter for VMnet1
0x10005 ...00 0c 6e ca 72 4a ...... VIA Rhine II Fast Ethernet Adapter - Virtual Machine Network Services Driver
0x10006 ...00 e0 29 99 87 c5 ...... SMC EZ Card 10/100 PCI (SMC1211TX) - Virtual Machine Network Services Driver
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 20
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 20
192.168.60.0 255.255.255.0 192.168.60.1 192.168.60.1 20
192.168.60.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.60.255 255.255.255.255 192.168.60.1 192.168.60.1 20
192.168.254.0 255.255.255.0 192.168.254.1 192.168.254.1 20
192.168.254.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.254.255 255.255.255.255 192.168.254.1 192.168.254.1 20
22.214.171.124 240.0.0.0 192.168.1.100 192.168.1.100 20
126.96.36.199 240.0.0.0 192.168.60.1 192.168.60.1 20
188.8.131.52 240.0.0.0 192.168.254.1 192.168.254.1 20
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
255.255.255.255 255.255.255.255 192.168.60.1 192.168.60.1 1
255.255.255.255 255.255.255.255 192.168.60.1 10006 1
255.255.255.255 255.255.255.255 192.168.254.1 192.168.254.1 1
Default Gateway: 192.168.1.1
We'll find you an answer,
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
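To show what the route print output above actually decides, here is an added example (not from anyone in this thread) that parses a constructed table in the same layout and does the longest-prefix lookup a host performs: with only a default route, traffic for 192.168.1.x is handed to the firewall; once a more specific /24 route via the router exists, it goes to the router instead. The addresses 192.168.0.50, 192.168.0.1 and 192.168.0.2 are assumptions for the sample.

```python
import ipaddress

# Constructed sample in the layout of Windows "route print" (not the table posted above):
# host 192.168.0.50, default gateway = the firewall 192.168.0.1, plus one
# manually added route sending 192.168.1.0/24 to the router 192.168.0.2.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.0.1   192.168.0.50     20
        127.0.0.0        255.0.0.0      127.0.0.1      127.0.0.1      1
      192.168.0.0    255.255.255.0   192.168.0.50   192.168.0.50     20
      192.168.1.0    255.255.255.0    192.168.0.2   192.168.0.50      1
Default Gateway:     192.168.0.1
"""

def parse_route_print(text):
    """Return a list of route dicts from route-print style output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Route rows have exactly five fields and start with a dotted quad;
        # the header and the "Default Gateway:" trailer are skipped.
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway, "interface": iface, "metric": int(metric),
        })
    return routes

def lookup(routes, destination):
    """Longest-prefix match, lowest metric as tie-break, as the host's IP stack does."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))

def drop_route(routes, cidr):
    """The table as it looks before the user's script adds the static route."""
    net = ipaddress.ip_network(cidr)
    return [r for r in routes if r["network"] != net]

if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for dst in ("192.168.1.20", "192.168.2.20", "192.168.0.7"):
        print(dst, "->", lookup(table, dst)["gateway"])
    # Without the added route, 192.168.1.x traffic falls through to the firewall.
    print("192.168.1.20 (no static route) ->",
          lookup(drop_route(table, "192.168.1.0/24"), "192.168.1.20")["gateway"])
```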
August 7th, 2005 11:52 PM
If you want all the hosts on all three subnets to talk to each other without restrictions - I am guessing this is some sort of home network, maybe one or two clients on each subnet (don't ask me why, just the impression I get) - is there a specific need for these 3 subnets? If not, just have them all on the same network and have no subnets?
If you do need three subnets, what hardware do you have, routers, switches etc.? These are what need to be configured to allow subnets to talk.
August 8th, 2005 02:03 AM
These networks are connected to each other by routers, with the subnet mask 255.255.255.0.
I don't have any gateway configured. I have a Smoothwall firewall, but I don't know how to reconfigure the firewall so that it can manage all the requests from one private network to another.
To "patch" this situation, I have created a script for each computer that needs to have access to another private network; this script will add a route to the correct router, so the users don't have access to the route table on their computers.
I would like your opinion on how I should solve this. I guess that it is possible using the firewall to manage the requests; the firewall would have a route table for all the private networks.
I'm using Smoothwall, but I'm thinking of changing to IPCop, it's much simpler, with fewer bugs. Any opinion on this?
Thanks for all the replies.
August 8th, 2005 10:34 AM
What routers do you have?
If you have Cisco ones, a possible solution would be to send all traffic addressed to 192.168.1.x 255.255.255.0 to whatever the IP address is of the port on the router that the subnet concerned is "attached to". Do this for each individual network on all the routers.
Let me know if you have Cisco routers and I can give you the exact commands you need to do this.
Or, if you have a lot less than 254 clients in total on all three networks, put them all on the same IP range, i.e. 192.168.1.0-254.
August 8th, 2005 10:49 AM
They are all Cisco routers, and I have separated them into different networks because they are in different locations, and this way it's much easier to differentiate the networks.
If I execute that command, what happens when a client is trying to access the web?
I have a DHCP server on the firewall. My guess is the firewall manages all the requests: if anyone from 192.168.0.x sends a request to 192.168.1.x, then the firewall will route the request to the correct router that has access to the 192.168.1.x network.
But I don't know how to do this on this firewall. Since I'm going to change the firewall, I have not asked how to do it in the Smoothwall forums.
Thanks for the replies
August 8th, 2005 11:21 AM
I can't really help on the firewall side of it, but I would have thought that internal traffic would be allowed? Unless the firewall is either physically in between the routers or the routers have been configured to send everything to the firewall first?
However, depending what routing protocol you are using, RIP, OSPF etc., if you haven't told your router(s) to send all traffic addressed to 192.168.1.x 255.255.255.0 to the IP address of the router port that it is on, your networks won't talk to each other, as in essence they are three different networks in three different domains.
You need to tell all the routers where they should send the traffic addressed for all three networks so they know what to do. Don't forget to use the subnet mask though!
Hope this is helping?