New Member
Posts: 7
Registered: ‎02-06-2018
Solutions: 1
Accepted Solution

Routing between subnets

Hi,

I have a test VMware server that has been transplanted to my home from a hosted location and is likely to be moved to a different location at some point. The server has a whole Active Directory (AD) network on it (DC, DNS, DHCP, etc.), thus I do not want to change any of the IP addresses it currently has.

My end objective is to be able to RDP into any of the virtual servers running on it.

I have used some firewalls to segregate it from my home network, but I always hit the same issue, which is that I have to port forward (using a different port) to each server. But a) this is clunky and b) I run out of port forwarding slots.

I have purchased an EdgeRouter X, with a view to being able to access servers on the test subnet without having to set up port forwards.

But I cannot get it to work.

The set up is:

Internet - ISP Router - Main Home LAN
              192.168.0.1  - 192.168.0.0/24
                     |
              Managed Network Switch   - 192.168.0.5  My PC
                     |
              192.168.0.206 - eth0
                   ERX
              192.168.50.206 - eth2
                     |
              Unmanaged Switch
                      | |
                ESXi Server
        Network servers - 192.168.50.0/24

I have a route on my PC that directs traffic to the 192.168.50.x network to 192.168.0.206

All the servers have a def gateway of 192.168.50.206

But I cannot RDP to any of the VMs

One odd thing is that I CAN connect to the ESXi server using VMware's management software and I can connect to both sides of the router from my PC.

Any ideas appreciated


All Replies
Established Member
Posts: 1,593
Registered: ‎07-07-2014
Kudos: 373
Solutions: 105

Re: Routing between subnets

[ Edited ]

Can you post your config?

Have you checked to see if the VMs you are trying to RDP to have their own firewall preventing access from a different subnet? You seem to indicate you can reach other hosts on the same subnet?

Edit

I have a route on my PC that directs traffic to the 192.168.50.x network to 192.168.0.206

I don't think that route should be necessary, since your router knows how to route to that subnet.


New Member
Posts: 7
Registered: ‎02-06-2018
Solutions: 1

Re: Routing between subnets

[ Edited ]

The route is necessary as the ERX is not my internet router/DHCP server/default gateway on my home network.

This is a bit of an embarrassing, slap-myself moment as I remembered that I had been messing with one of the servers and had changed the IP setup. I must have fixed it last night and not realised, as I had broken the test server while trying to get it to work.

[addendum - There is still something wrong as my DC (and by extension all servers) can no longer see the internet!!]

Can I change my question to a) how do I get a printout of the config? Is it just a case of opening the tarball and extracting it? Or is there a simpler way? Also, b) I think my config is now

eth0 - main network
eth1 - This may be on the main network
eth2 - Test network
eth3 - This may be on the test network
eth4 - This may be on the test network

I am going to confirm that now.

Is it possible to configure it so that it is as follows

eth0 - main network
eth1 - main network
eth2 - main network
eth3 - main network
eth4 - test network

as ports on the main network are of more use to me.

Excuse the basic questions, this is my 1st ERX.

Thx

Cosma


New Member
Posts: 7
Registered: ‎02-06-2018
Solutions: 1

Re: Routing between subnets

Found the config. ;)

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.0.206/24
        description Internet
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.50.206/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
protocols {
    static {
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on LISTENONPORT
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address 192.168.0.1
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password $6$WKGSIQ./zYcL6NH$LemjFS.AStG5wosdnvosdnvosdn0AFlFijvbsEQEUz30s6X.FLgp.HBRXJV0DTaxy9F.Vm7AN9.v0YMJbRcoejb0
                plaintext-password ""
            }
            full-name Administrator
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password $6$c5H3byQYOU$USM8fM0V3WNbKK4asdasdsdrhbTvHTbt6OJo0hyOUS9ObgbCyi/9wijqCjKX03Nu28Nnl9OYxHpATafIqHhpsaz1rji8y/
                plaintext-password ""
            }
            full-name ""
            level admin
        }
    }
    name-server 192.168.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}

SuperUser
Posts: 8,565
Registered: ‎01-05-2012
Kudos: 2259
Solutions: 1141

Re: Routing between subnets

If you need only your PC (e.g. 192.168.0.100), and not the whole 192.168.0.0/24 network, try

configure
edit service nat
rename rule 5000 to rule 5020
exit
set service nat rule 5010 exclude
set service nat rule 5010 destination address 192.168.0.100
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
commit;save

Cheers,

jonatha
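Two things in this thread deserve a check that the eye does not give: the config Cosma posted has no `firewall name` rulesets at all (so the "segregation" between 192.168.0.0/24 and 192.168.50.0/24 is plain routing with nothing filtered), and jonatha's NAT answer depends on rule order (EdgeOS evaluates NAT rules in ascending number order and stops at the first match, which is why rule 5000 is renamed to 5020 before the `exclude` rule 5010 is added). The script below is an added example, not part of the thread or of Ubiquiti's tooling: a parser for the brace-delimited config format shown above and a small linter that reports those two points plus the GUI settings. The sample config is a constructed, trimmed copy of the posted one with an `exclude` rule deliberately numbered above the catch-all masquerade; the finding strings and the notion of a "catch-all" masquerade rule (one with no `source`/`destination` match) are this example's own.

```python
"""Lint an EdgeOS-style config dump for the settings a reviewer would check
before relying on the router to segregate two subnets.

Added example, not part of the forum thread or of Ubiquiti's tooling.  The
parser handles the brace-delimited text format shown in the thread; the
checks encode this example's own view of what 'segregated' should mean.
"""

# Constructed sample: a trimmed copy of the kind of config posted in the
# thread, plus an 'exclude' NAT rule numbered above the catch-all masquerade.
SAMPLE_CONFIG = """\
firewall {
    source-validation disable
}
service {
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5010 {
            destination {
                address 192.168.0.100
            }
            exclude
            outbound-interface eth0
            type masquerade
        }
    }
}
"""


def parse_edgeos(text):
    """Brace format -> nested dicts.  Leaves become strings, bare keywords
    such as 'exclude' become True, and repeated keys become lists."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            parts = line.split(None, 1)
            key = parts[0]
            value = parts[1].strip().strip('"') if len(parts) == 2 else True
            node = stack[-1]
            if key in node:  # e.g. several 'name-server' or 'listen-on' lines
                prev = node[key]
                node[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                node[key] = value
    return root


def nat_order_findings(cfg):
    """EdgeOS walks NAT rules in ascending number order and stops at the first
    match, so an 'exclude' rule only takes effect if it is numbered below any
    unrestricted masquerade rule for the same outbound interface."""
    nat = cfg.get("service", {}).get("nat", {})
    rules = sorted(((int(k.split()[1]), v) for k, v in nat.items()
                    if k.startswith("rule ") and isinstance(v, dict)), key=lambda r: r[0])
    catchall, findings = {}, []
    for num, body in rules:
        if body.get("type") != "masquerade":
            continue
        iface = body.get("outbound-interface")
        if "exclude" in body:
            if iface in catchall:
                findings.append(f"NAT rule {num} (exclude) is shadowed by "
                                f"masquerade rule {catchall[iface]} on {iface}")
        elif "destination" not in body and "source" not in body:
            catchall.setdefault(iface, num)  # first unrestricted masquerade wins
    return findings


def lint(cfg):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    fw = cfg.get("firewall", {})
    if not any(k.startswith(("name ", "ipv6-name ")) for k in fw):
        findings.append("no firewall rulesets: inter-subnet traffic is routed unfiltered")
    if fw.get("source-validation") == "disable":
        findings.append("source-validation disable: spoofed-source packets are forwarded")
    gui = cfg.get("service", {}).get("gui", {})
    if "http-port" in gui:
        findings.append(f"GUI served over plain HTTP on port {gui['http-port']}")
    if gui.get("older-ciphers") == "enable":
        findings.append("GUI accepts legacy TLS ciphers (older-ciphers enable)")
    return findings + nat_order_findings(cfg)
```

Run against the posted config (paste it into `SAMPLE_CONFIG` or read it from the extracted `config.boot`), the linter reports the missing rulesets, `source-validation disable` and the HTTP GUI; applying jonatha's `rename rule 5000 to rule 5020` makes the shadowing finding go away, which is the point of that step. The posted config also still carries the default `ubnt` account alongside `admin`, both at `level admin`; that is worth removing once the router is reachable from the home LAN.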

New Member
Posts: 7
Registered: ‎02-06-2018
Solutions: 1

Re: Routing between subnets

OK, some progress. I can now RDP into the servers from the main network.

Now for some reason I cannot get to the internet from the test network.

I can, however, browse to the router in the main network!!

This is maddening!

Beer o'clock

SuperUser
Posts: 8,565
Registered: ‎01-05-2012
Kudos: 2259
Solutions: 1141

Re: Routing between subnets

Can you post the output of

configure
show service nat

If, on the EdgeRouter, you issue

sudo tcpdump -ni eth0 host 8.8.8.8 and icmp

and then from a host on the test network you ping 8.8.8.8, what's the output of the tcpdump?

New Member
Posts: 7
Registered: ‎02-06-2018
Solutions: 1

Re: Routing between subnets

[ Edited ]

Hi,

admin@OfficeRouter# show service nat rule

 rule 5000 {
     description "masquerade for WAN"
     log disable
     outbound-interface eth0
     type masquerade
 }

This now makes no sense. The first time I did sudo tcpdump -ni eth0 host 8.8.8.8 and icmp

I got

0 packets captured
0 packets received by filter
0 packets dropped by kernel

Then I restarted the router and now I get

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:52:12.842468 IP 192.168.0.206 > 8.8.8.8: ICMP echo request, id 1, seq 21, length 40
10:52:12.875373 IP 8.8.8.8 > 192.168.0.206: ICMP echo reply, id 1, seq 21, length 40
10:52:13.854902 IP 192.168.0.206 > 8.8.8.8: ICMP echo request, id 1, seq 22, length 40
10:52:13.878047 IP 8.8.8.8 > 192.168.0.206: ICMP echo reply, id 1, seq 22, length 40
10:52:14.866139 IP 192.168.0.206 > 8.8.8.8: ICMP echo request, id 1, seq 23, length 40
10:52:14.888068 IP 8.8.8.8 > 192.168.0.206: ICMP echo reply, id 1, seq 23, length 40
10:52:15.878012 IP 192.168.0.206 > 8.8.8.8: ICMP echo request, id 1, seq 24, length 40
10:52:15.898147 IP 8.8.8.8 > 192.168.0.206: ICMP echo reply, id 1, seq 24, length 40

8 packets captured
8 packets received by filter
0 packets dropped by kernel

So it now works, but I am not sure why!!

Should I be able to connect to the other ports on the router so that

eth0 - To main network
eth1 - on main network
eth2 - eth4 - on test network

I will do some testing...

Thanks Cosma
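The capture above is the evidence that masquerade is doing its job: every echo request leaving eth0 carries the router's own eth0 address (192.168.0.206) as source, not the 192.168.50.x address of the VM that sent it, and every request gets a reply. The empty capture from the first run is a different failure (the test-side traffic never reached eth0). As an added example, not part of the thread, here is a parser for tcpdump's ICMP summary lines and a `diagnose` function that separates those outcomes; the verdict strings and the `wan_ip` argument are this example's own, the first capture is copied from the post above, and the second is constructed to show what an un-NATed source leaking out of eth0 looks like.

```python
"""Read a tcpdump capture taken on the EdgeRouter's eth0 while a host on the
test subnet pings 8.8.8.8, and say which of three situations it shows.

Added example, not part of the thread.  Because eth0 sees both directions
after translation, the (id, seq) pair in a reply matches the request.
"""
import re

ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Four lines copied from the capture in the thread (masquerade working).
CAPTURE_OK = """\
10:52:12.842468 IP 192.168.0.206 > 8.8.8.8: ICMP echo request, id 1, seq 21, length 40
10:52:12.875373 IP 8.8.8.8 > 192.168.0.206: ICMP echo reply, id 1, seq 21, length 40
10:52:13.854902 IP 192.168.0.206 > 8.8.8.8: ICMP echo request, id 1, seq 22, length 40
10:52:13.878047 IP 8.8.8.8 > 192.168.0.206: ICMP echo reply, id 1, seq 22, length 40
"""

# Constructed: what a missing or non-matching masquerade rule looks like.  The
# private test-subnet source leaves eth0 untranslated and nothing comes back.
CAPTURE_NO_NAT = """\
10:55:01.000000 IP 192.168.50.10 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 40
10:55:02.000000 IP 192.168.50.10 > 8.8.8.8: ICMP echo request, id 7, seq 2, length 40
"""


def parse_icmp(capture):
    """Return the parsed echo lines; tcpdump's banner and summary lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts


def diagnose(capture, wan_ip, target):
    """Classify an eth0-side capture of a ping to `target` from behind the router."""
    pkts = parse_icmp(capture)
    requests = [p for p in pkts if p["kind"] == "request" and p["dst"] == target]
    replies = {(p["id"], p["seq"]) for p in pkts if p["kind"] == "reply" and p["src"] == target}
    if not requests:
        # Nothing reached eth0: routing or default-gateway problem on the test side.
        return "no-echo-on-wan"
    leaked = sorted({p["src"] for p in requests if p["src"] != wan_ip})
    if leaked:
        # Requests left eth0 with an inside address: NAT was not applied to them.
        return "unmasqueraded-source:" + ",".join(leaked)
    unanswered = [str(p["seq"]) for p in requests if (p["id"], p["seq"]) not in replies]
    if unanswered:
        # Translated correctly but no reply: upstream drop or filter.
        return "no-reply-for-seq:" + ",".join(unanswered)
    return "ok"
```

Run it with the output of `sudo tcpdump -ni eth0 host 8.8.8.8 and icmp` pasted in; `diagnose(text, "192.168.0.206", "8.8.8.8")` returns `"ok"` for the capture in this post and `"no-echo-on-wan"` for the empty first run.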

SuperUser
Posts: 8,565
Registered: ‎01-05-2012
Kudos: 2259
Solutions: 1141

Re: Routing between subnets

Before pasting the outputs of configs or tcpdump, click on the spoiler tag, then the code button, and then paste. :)

Cheers,

jonatha

New Member
Posts: 7
Registered: ‎02-06-2018
Solutions: 1

Re: Routing between subnets

It should be visible now. :)
New Member
Posts: 7
Registered: ‎02-06-2018
Solutions: 1

Re: Routing between subnets

I am assuming that the above config is correct as it started to work after I rebooted the unit.

Thanks to the people that replied.