[OpenIndiana-discuss] multiple IP addresses, same NIC
Edward Ned Harvey (openindiana)
openindiana at nedharvey.com
Wed Mar 6 12:25:21 UTC 2013
> From: Robbie Crash [mailto:sardonic.smiles at gmail.com]
>
> If you're not accessing clients on the remote 192.168.1.0 subnet, why are
> you adding the second network?
>
> Why are you not handling this on the router instead of the client? Static
> routes on a client are bad mojo. It's the router's job to route, let it do
> that. All you should need to do is tell the router to route all traffic for
> 192.168.10.0/24 to use whatever the VPN interface is.
The problem is at the remote side. If they have a huge internal corporate network that happens to include 192.168.10.x/24 and 192.168.1.x/24 ... When I VPN to them and my LAN is 192.168.1.x/24, I have a subnet that overlaps with their pre-existing subnet. They can't route traffic to me without breaking one of their internal subnets.
The most elegant solution (aside from renumbering my network) would be NAT. It would be nice to eliminate 192.168.2.x/24 from my house, and configure the firewall so when I send a packet to the VPN network, let my source IP be NAT'd to 192.168.2.x/24. However, I have not yet had any luck configuring pfsense to NAT the traffic first and then route it, NAT'd across the VPN.
At present, I have two problems I'm trying to solve in parallel. If I can either make OI behave as expected, then I can use the multiple-subnets-on-a-single-LAN solution and move forward. Or if I can get the firewall to NAT as expected, then I can scrap the multiple-subnets idea and move forward.
> The issue here sounds like since the OI box already knows that it has a
> route to 192.168.10.10 over its default route, it doesn't need to use the
> secondary IP.
That's not quite correct. Sure, if I didn't add the static route 192.168.10.x via 192.168.2.1, then OI would try to reach 192.168.10.x via the default gateway. But that's irrelevant - By adding the 192.168.2.1 route, the system does in fact know it's supposed to reach 192.168.10.x via 192.168.2.1. The evidence is when a packet leaves the NIC destined for 192.168.10.x, its destination MAC corresponds to 192.168.2.1. But unfortunately, the source IP is wrong.
> If you can't configure the router, PCI NICs are $9 these days, and that'll
> work for sure.
I might do that. The main obstacle is knowing I would have to wait for it to arrive, and it will require downtime on the VM host, to solve something that should be solvable in software.
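A quick way to see exactly what the thread is debating, without a packet capture: ask the kernel which source address it would pick for a destination. Connecting an unconnected UDP socket performs the route lookup and source-address selection but transmits nothing, and getsockname() then reveals the chosen source. The bind_addr path shows the application-level workaround (binding to the secondary address before connecting). This is an added example, not code from the original post or from OpenIndiana; the destination 192.168.10.10, the expected 192.168.2. prefix and the port are assumptions taken from the thread's addressing.

```python
import socket


def source_for(dest, bind_addr=None, port=9):
    """Return the IPv4 source address the kernel would use to reach dest.

    connect() on a UDP socket sends no packet; it only runs the route
    lookup and source-address selection, which getsockname() exposes.
    If bind_addr is given the socket is bound to it first, which forces
    that source regardless of what the route would otherwise choose.
    Returns None when the host has no route to dest at all.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_addr is not None:
            s.bind((bind_addr, 0))
        s.connect((dest, port))
        return s.getsockname()[0]
    except OSError:
        # ENETUNREACH / EHOSTUNREACH: no usable route, nothing to report.
        return None
    finally:
        s.close()


def check_vpn_source(dest="192.168.10.10", expected_prefix="192.168.2."):
    """Report whether traffic toward the remote VPN subnet (assumed
    192.168.10.0/24) would leave with a source in the secondary subnet
    (assumed 192.168.2.0/24). Returns (source, ok)."""
    src = source_for(dest)
    return src, bool(src) and src.startswith(expected_prefix)


if __name__ == "__main__":
    src, ok = check_vpn_source()
    if src is None:
        print("no route to 192.168.10.10")
    else:
        print(f"kernel-selected source for 192.168.10.10: {src} "
              f"({'secondary subnet' if ok else 'wrong subnet'})")
    # Forcing the source from the application side, for comparison
    # (192.168.2.x is a placeholder for the box's secondary address):
    # print(source_for("192.168.10.10", bind_addr="192.168.2.5"))
```

Run it on the OI box after adding the second address and the static route via 192.168.2.1. If it still reports the 192.168.1.x address, the route is being honoured (the post's MAC-address observation) but source selection is not; the bind_addr path shows what a per-connection override looks like, which is what a firewall-side outbound NAT would do for every flow at once.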