[7.450][QUESTION][OPEN] Static routes not working?

chow11 · #1 (**permalink**) 06-15-2009, 06:05 PM

I know very little about routing, but it seems to me that what I am trying to do should be legal.

I have 2 interfaces, one WAN (external), one LAN (internal). On the LAN side, one of the machines is running a Cisco router in emulation (dynamips) which sits between the LAN and a lab network.

Ex: LAN 192.168.1.0/24, LAB 10.8.5.0/26, Router LAN IP 192.168.1.29

On a windows machine on the LAN I can access the LAB subnet by creating a static route: route add 10.8.5.0 mask 255.255.255.192 192.168.1.29, but I would much rather have ASG (which is my default GW for the LAN) to the routing to the LAB router.

I configure a static route in ASG:
Route Type: Gateway Route
Network: 10.8.5.0/26
Gateway: 192.168.1.29 (bound to internal)

Now when I try tracert from LAN to LAB, hop 1 is the ASG (192.168.1.1) but hop 2 and beyond go out the WAN rather than going to 192.168.1.29.

BAlfson · #2 (**permalink**) 06-15-2009, 07:34 PM

It's clear to me how to do this with the LAB connected to a different interface on the Astaro, but not the way you have it connected. I'm not one of the routing wizards though.

Maybe you could SNAT 'Internal (Network) -> Any -> LAB' traffic from 'Internal (Address)'. I'd be curious to know if that works...

Cheers - Bob

trollvottel · #3 (**permalink**) 06-15-2009, 08:40 PM

Hello, I'll try to help you.

I assume your setup looks like this:

WAN (Red) -- [ASG] -- LAN INT-- [Cisco] -- LAN LAB

Your Routing setup (LAN LAB via Cisco) on ASG looks nearly correct but you should remove the "bound to internal" from the Gateway Network Definition. Also please check the packetfilter settings on the ASG (ICMP traffic is limited per default - which is needed for traceroute).

Be aware that response-traffic for LAN INT coming from LAN LAB will be directly delivered to the Clients in LAN INT by the Cisco.

Your setup will also trigger ICMP redirect messages because there is a better route for LAN LAB (directly through the cisco).

This is not a secure setup if you really want to securely limit communication between LAN INT and LAN LAB.

chow11 · #4 (**permalink**) 06-15-2009, 09:11 PM

VERY much appreciated! I will give this a try.

chow11 · #5 (**permalink**) 06-16-2009, 07:09 PM

I removed the bound to internal part of the Lab Network definition, and checked all of the ICMP/PING/tracert options, but I am still unable to get the ASG to route from the LAN to the LAB.

from 192.168.1.112 I can ping, telnet, whatever to 10.8.5.30 only if I put in a local route:

route add 10.8.5.0 mask 255.255.255.192 192.168.1.29

Without the local route, the GW on the 192.168.1.112 host is 192.168.1.1 (the ASG) so it seems clear to me that the ASG is not then sending the traffic on the 192.168.1.29. Nothing shows in the packed filter log. Tracert shows 192.168.1.112->192.168.1.1->WAN ISP ips.

BAlfson · #6 (**permalink**) 06-16-2009, 10:34 PM

Like I said, the SNAT might work (you still need the correction recommended by Mario). The real answer is to have the lab on a different Astaro interface instead of in the LAN.

Cheers - Bob

chow11 · #7 (**permalink**) 06-17-2009, 01:39 AM

Ahh, but then all the lab IPs would eat into the 10 user license.

Still, looking at the tracert vs the static route, it seems the route is never triggering when it should be.

chow11 · #8 (**permalink**) 06-17-2009, 01:45 AM

I put in the SNAT you suggested. It stops the tracert at the ASG, but then they go nowhere. I do have a packet fileter rule that says Lab Network (Any) -> Any

Astaro Beta Bot · #9 (**permalink**) 06-24-2009, 07:03 PM

Code:

Astaro Beta Report
--------------------------------
Version: 7.450
Type: QUESTION
State: OPEN
Reporter: chow11
Contributor: 
MantisID: 
--------------------------------