routing problem

mir
Apr 14, 2012
Copenhagen, Denmark
Hi all,

I am having a bit of a problem with some routing topology on a Layer 3 switch.

VLAN1 192.168.2.254/24, default gateway 192.168.2.1
VLAN10 172.16.1.254/24

Rules on the switch allow routing from VLAN1 to VLAN10.

On VLAN10 resides another gateway, 172.16.1.1, connected to an upstream firewall, and hosts on this VLAN have 172.16.1.1 as their default gateway.
What I would like is that packets with source 192.168.2.0/24 should reach hosts on VLAN10 via 172.16.1.254, while hosts on VLAN10 should use 172.16.1.1 as their default gateway. (If I configure 172.16.1.254 as the default gateway for all hosts on VLAN10 it of course works, but hosts on VLAN10 must use the upstream firewall as their default gateway.)

Does anybody have an idea how I can configure this?
I guess this will require iptables.
 
Hi,
if I understand you right, it's enough to define "ip route add 192.168.2.0/24 via 172.16.1.254" on 172.16.1.1?

Udo
 
The upstream firewall already has an interface on 192.168.2.0, so using your command gave the following result:
RTNETLINK answers: File exists
 
I have tried the solution described in your link. Although the commands are accepted and the rules are applied, the route does not seem to be applied, so the expected routing does not occur.
 
ip ru add from 192.168.2.254 lookup 4
ip ro add 0.0.0.0/0 via 192.168.2.254 table 4
ip ru add from 172.16.1.254 lookup 5
ip ro add 0.0.0.0/0 via 172.16.1.254 table 5

ip rule show
0: from all lookup local
32764: from 172.16.1.254 lookup 5
32765: from 192.168.2.254 lookup 4
32766: from all lookup main
32767: from all lookup default

To complete both route tables:
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 4 $ROUTE; done
ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table 5 $ROUTE; done



ip route show table 4
192.168.2.0/24 dev lan-1 proto kernel scope link src 192.168.2.1
PUBLIC NET/23 dev wan-1 proto kernel scope link src PUBLIC IP
172.16.0.0/16 dev dmz-1 proto kernel scope link src 172.16.1.1
default via 192.168.2.254 dev lan-1

ip route show table 5
192.168.2.0/24 dev lan-1 proto kernel scope link src 192.168.2.1
PUBLIC NET/23 dev wan-1 proto kernel scope link src PUBLIC IP
172.16.0.0/16 dev dmz-1 proto kernel scope link src 172.16.1.1
default via 172.16.1.254 dev dmz-1
 
Yikes, ok, that's not what you want. I'm not 100% clear from your initial post, but let me tell you what I think you want based on what I read:

ip ru add from 192.168.2.0/24 lookup 4
ip ro add 172.16.1.0/24 via 172.16.1.254 table 4

What that does is it takes packets from 192.168.2.0/24 destined for 172.16.1.0/24 and routes them to 172.16.1.254.

Note that if 172.16.1.254 is bound to proxmox (I can't figure out from your post), this isn't what you want to do, and you need to step back and better explain your configuration (post /etc/network/interfaces to start).
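As an added illustration (not code from the thread or from Proxmox), the Python script below models the kernel's policy-routing lookup: rules are tried in priority order, the selected table is searched with a longest-prefix match, and if that table has no matching route the lookup falls through to the next rule. It replays, on the firewall (172.16.1.1 / 192.168.2.1), the two configurations discussed above: the `from 192.168.2.254` / `from 172.16.1.254` rules with tables 4 and 5 copied from main plus a default route, and the `from 192.168.2.0/24 lookup 4` rule with a single `172.16.1.0/24 via 172.16.1.254` route. The host addresses, the WAN prefix standing in for the redacted PUBLIC NET, and the Internet destination are constructed placeholders.

```python
"""Policy-routing lookup simulator (added example, not from the thread).

Models Linux behaviour: rules by priority, longest-prefix match in the
selected table, fall-through to the next rule when the table has no route.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: str                    # destination prefix, e.g. "172.16.1.0/24"
    dev: str                    # egress interface
    via: Optional[str] = None   # next hop; None means directly connected


@dataclass(frozen=True)
class Rule:
    prio: int
    src: str                    # "from" selector; "0.0.0.0/0" is "from all"
    table: str


# Firewall's connected routes as posted; the WAN prefix and its gateway are
# constructed placeholders for the redacted PUBLIC NET / PUBLIC IP.
MAIN = [
    Route("192.168.2.0/24", "lan-1"),
    Route("172.16.0.0/16", "dmz-1"),
    Route("198.51.100.0/24", "wan-1"),
    Route("0.0.0.0/0", "wan-1", via="198.51.100.1"),
]


def lookup_table(table, dst):
    """Longest-prefix match inside one routing table; None if no route."""
    d = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.dst)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def route_packet(rules, tables, src, dst):
    """Return (table_name, route) the kernel would pick for src -> dst."""
    s = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.prio):
        if s not in ipaddress.ip_network(rule.src):
            continue                      # selector does not match
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.table, hit
        # table has no route for dst: continue with the next rule
    return None, None                     # no route at all


def mir_attempt():
    """Rules keyed on the switch's own addresses; tables 4/5 copied from main."""
    rules = [
        Rule(32764, "172.16.1.254/32", "5"),
        Rule(32765, "192.168.2.254/32", "4"),
        Rule(32766, "0.0.0.0/0", "main"),
    ]
    connected = [r for r in MAIN if r.dst != "0.0.0.0/0"]
    tables = {
        "4": connected + [Route("0.0.0.0/0", "lan-1", via="192.168.2.254")],
        "5": connected + [Route("0.0.0.0/0", "dmz-1", via="172.16.1.254")],
        "main": MAIN,
    }
    # A host on VLAN1 (constructed address) talking to a host on VLAN10:
    # neither /32 selector matches, so the packet is routed from main.
    return route_packet(rules, tables, "192.168.2.10", "172.16.1.20")


def suggested_fix():
    """from 192.168.2.0/24 lookup 4; 172.16.1.0/24 via 172.16.1.254 table 4."""
    rules = [Rule(32765, "192.168.2.0/24", "4"), Rule(32766, "0.0.0.0/0", "main")]
    tables = {"4": [Route("172.16.1.0/24", "dmz-1", via="172.16.1.254")],
              "main": MAIN}
    fwd = route_packet(rules, tables, "192.168.2.10", "172.16.1.20")  # via switch
    rev = route_packet(rules, tables, "172.16.1.20", "192.168.2.10")  # main, direct
    out = route_packet(rules, tables, "192.168.2.10", "192.0.2.1")    # falls through
    return fwd, rev, out


if __name__ == "__main__":
    print("attempt :", mir_attempt())
    for label, res in zip(("forward", "reverse", "internet"), suggested_fix()):
        print(f"fix {label:8}:", res)
```

Two things the replay makes visible: with the first configuration a host's packet never hits table 4 because `from 192.168.2.254` only selects traffic sourced by the switch itself, and with the second the return traffic from VLAN10 matches no rule and goes back directly from main, so the two directions take different paths. Whenever stateful filtering sits on only one of those paths, check that the asymmetry is intended before relying on it.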

 
This looks more like what I want. And no, 172.16.1.254 is not bound to proxmox; it is the VLAN interface for a VLAN on a Layer 3 switch. To keep packets routed internally by the switch, every host needs to have the switch as its default gateway.
 
