networking - using a gateway outside your subnet but on the same switch, with no router

2014-04-06
  • waldo22

    I have set up a network in a non-standard way, and would like to know if what I did is technically correct, or if I just got lucky.

    The setup works fine with my $20 5-port Linksys switch, but not with my $1200 Allied Telesis Fiber SFP/GigE switch :|

    We have dedicated Internet access through AT&T via Ethernet, and have been assigned an IP block like: 12.12.12.224/27*

    32-bit IP address minus 27-bit mask = 5 bits, so we have 5 bits' worth of IPs in our subnet, 2^5 = 32 addresses, making our subnet mask 255.255.255.224.

    This means that our 'network' is 12.12.12.224, and we have 30 IP addresses, from 12.12.12.225 through 12.12.12.254, with 12.12.12.255 being the 'broadcast' address for our network.

    We were told that the AT&T gateway is 12.90.119.213, and our gateway should be 12.90.119.214.

    Normally to provide access to the Internet you would have a router with the IP address 12.90.119.214 on the ISP side, and 12.12.12.225 on our side, then use 12.12.12.226 - .254 for local devices or other routers.

    The router is what allows communication between devices on the 12.12.12.x subnet and the 12.90.119.213 gateway, which is clearly a different subnet. (This is the extent of my networking knowledge; past this, I don't have a clear understanding.)

    However, since we're using multiple NAT routers on our side of the connection, each serving a different location with Internet access, I am bypassing the "main" router entirely.

    We plug the AT&T Ethernet connection directly into a switch, then the WAN interface of the router for each location plugs into the same switch. Each router uses the AT&T gateway of 12.90.119.213 and a subnet mask of 255.255.255.224 with an IP from our range of 12.12.12.226 - .254 for its WAN interface.

    My understanding is that this should still work fine even though the IP of our router is 12.12.12.227 and the IP of AT&T's gateway is 12.90.119.213, and they are on separate subnets, because they are on the same switch, and an ARP request would find that they can communicate with each other directly, without a router...

    ...and it does work, when the AT&T Ethernet and the Ethernet from each of our routers are all plugged into my cheapo Linksys 5-port desktop switch. But when I try to plug them in through my expensive Allied Telesis (layer-2) switch, it works "fine" for 4 hours, then our routers lose communication with the Internet and have to be reset. The routers don't freeze or hard-lock, you can still log in to them locally, you just can't reach them from the Internet, or reach the Internet from behind them - not even pings.

    Does anyone have an academic answer for why this may be?

    Is what I've done completely ridiculous? Or is there just some setting I'm missing? The expensive switch is just a layer-2 switch, so I'm not sure what "settings" there could be on it. Maybe it's too smart, and doesn't like my hack-y configuration.

    Should this type of set-up theoretically work?

    Interested in your thoughts!

    *some IPs have been changed to protect the innocent

  • Answers
  • mgorven

    That setup isn't correct (and I don't know how it's even working). You're supposed to have a router on your side which has a point-to-point link to a router at the ISP. The network should look something like this:

    (clients) 12.12.12.226-254/27 <-switch-> 12.12.12.225/27 (your router) 12.90.119.214/30 <-AT&T link-> 12.90.119.213/30 (ISP's router) <---> The Internet

    The clients should have an address of 12.12.12.226/27 with a gateway of 12.12.12.225 (which is attached to your router). Your router then takes care of forwarding those packets to the ISP's router, as well as forwarding the responses back to the clients.
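    The arithmetic in the question (network, broadcast, usable range and mask of the /27) and the on-link test that separates the asker's layout from the one in this answer can be checked with the standard library. This is an added example, not code from either poster; the addresses are the ones quoted in the thread, and the interface names and the 12.12.12.227 WAN address are taken from the question's description.

```python
import ipaddress

# Figures quoted in the question (the poster notes some were changed).
OUR_BLOCK = "12.12.12.224/27"
ISP_GATEWAY = "12.90.119.213"


def subnet_summary(cidr: str) -> dict:
    """Work out the numbers the question derives by hand from a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    hosts = list(net.hosts())                      # excludes network and broadcast
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "host_bits": net.max_prefixlen - net.prefixlen,
        "total_addresses": net.num_addresses,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "broadcast": str(net.broadcast_address),
    }


def on_link(address: str, interface_cidr: str) -> bool:
    """True when `address` falls inside the network of the interface given as
    addr/prefix, i.e. the host may ARP for it directly instead of needing a
    router. A default gateway must satisfy this on a normally configured host."""
    iface = ipaddress.ip_interface(interface_cidr)
    return ipaddress.ip_address(address) in iface.network


def gateway_report(interface_cidr: str, gateway: str) -> str:
    """One-line verdict for an (interface, gateway) pair."""
    verdict = "on-link" if on_link(gateway, interface_cidr) else "NOT on-link"
    return f"{interface_cidr} -> gateway {gateway}: {verdict}"


if __name__ == "__main__":
    for key, value in subnet_summary(OUR_BLOCK).items():
        print(f"{key:>16}: {value}")
    # The asker's router WAN port, as described in the question.
    print(gateway_report("12.12.12.227/27", ISP_GATEWAY))
    # The layout in this answer: the /30 point-to-point link carries the gateway.
    print(gateway_report("12.90.119.214/30", ISP_GATEWAY))
    # The clients' gateway in that layout is the router's LAN address.
    print(gateway_report("12.12.12.226/27", "12.12.12.225"))
```

    Only the second and third reports come back on-link; the first is the configuration the question describes, where the gateway shares no network part with the interface and a host has nothing to ARP for.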


  • Related Question

    ip - Do machines connected to the same switch belong to the same subnet?
  • fineTuneFork

    When we talk about a subnet - do we mean all the systems connected to the same switch?

    If I have an assigned IP address of 10.0.2.1, am I in the same subnet as that of 10.0.1.39?

    When we talk about Wireshark and others capturing packets from the same subnet, will I be able to capture all the data of 10.0.0.0/8 or only 10.0.2.0/24?

    Does the machine with IP 10.0.1.39, when GETting www.google.com, send a packet for 10.0.0.1 (the gateway) and any system on the whole 10.0.0.0/8 network will see the packet, probably because the switch 10.0.2.1 will forward the packet to its network 10.0.2.0/24?


  • Related Answers
  • Flexo

    But, when we talk about a subnet - do we mean all the systems connected to the same switch?

    A switch (or interconnected set of switches operating together at layer 2) defines a broadcast domain (give or take some VLAN configurations). You can run one, many or no IP subnets on the same broadcast domain. You can run a subnet that spans several broadcast domains if you add tunneling at a higher layer. The switch operates on a much lower level than IP networks though.

    If I have an assigned ip address of 10.0.2.1, am I in the same subnet as of 10.0.1.39?

    It depends entirely what your subnet mask is. If you're on a /24 (i.e. 255.255.255.0) then the answer is no. If you're on a /8 or /16 (i.e. 255.0.0.0 or 255.255.0.0) then the answer is yes.

    When we talk about wireshark and others capturing packets from the same subnet, will I be able to capture all the data of 10.0.0.0/8 or only 10.0.2.0/24?

    It depends on the interface and the networks it is connected to. If you're on 10.0.0.0/8 then you'll see packets for 10.0.0.0/8. If you're on 10.0.2.0/24 then you'll see packets for 10.0.2.0/24. You might also see extra packets flying around if there are other subnets on the same physical network, but this isn't guaranteed. A switch will try and selectively forward only packets that are either addressed to you specifically, or addressed to everybody on the network, but those addresses are at a lower level than the IP layer.

    Does the machine with ip 10.0.1.39, when GETting www.google.com, send a packet for 10.0.0.1 (the gateway) and any system on the whole 10.0.0.0/8 network will see the packet, probably because the switch 10.0.2.1 will forward the packet to its network 10.0.2.0/24?

    Under normal circumstances a request from a client on a switched network will only be seen by the switches in between it and the default gateway.

  • ultrasawblade

    Assuming we are talking about IP version 4, the IP address contains 32 bits. In the standard X.X.X.X notation, each octet X is 8 bits. (Note that there is nothing "special" about grouping them into 4 octets other than to make it easier for humans to write - machines have no issue dividing anywhere within the 32 bits.)

    A subnet mask splits that address into two parts, the network (left) and host (right) portion.

    Realize also that IP addresses are assigned to INTERFACES (NICs, etc.) and not individual MACHINES.

    Basically everything on the same subnet can talk to each other without going through a router. For anything on different subnets, a router needs to be in the middle forwarding traffic for it to move back and forth.

    If a machine wants to talk to another machine through a given interface, and the network part on that interface is the same as that of the other machine, it should just be able to shove what it wants to say out on the wire, tagged with its own address (source) and who it wants to talk to (destination), and the other machine will pick it up. In the old days of 10BaseT, etc. all were physically connected to the same physical wire and this would literally happen. Now hubs and switches have replaced that.

    If a machine wants to talk to another machine through a given interface, and the network part on that interface is NOT the same as that of the other machine, the traffic needs to go through a router. The machine will need to have a record of what the router's IP address (in this case the router is usually called the gateway) for that subnet is and will then send the traffic there. The router/gateway is then expected to forward the traffic to the destination or another router closer to it.

    On most home networking equipment, all machines connected to a switch will usually be configured to be on the same subnet, since the point of connecting all of them to the same switch is to allow all of them to talk to each other. Should one be misconfigured, it won't be able to participate in any communications. However, if the device was a hub and not a switch, the hub would forward all traffic to it (since hubs do not remember MAC addresses and just forward or flood everything out of all ports), and the connected system could "snoop" on all traffic if the NIC was put into promiscuous mode. If that system would send traffic back, if it was not on the same subnet, no other NIC would pick it up (unless it was in promiscuous mode as well).

    Advanced networking equipment can be "partitioned" into VLANs, so that machines connected to different VLANs don't see each other's traffic. For machines on different VLANs to communicate, forwarding/a router needs to be involved.
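    The decision this answer describes (same network part: send directly; different network part: hand the packet to the gateway) and the mask-dependent "same subnet?" question in the earlier answer are the same lookup a host's routing table performs. The following is an added example, not code from any of the posters: a minimal longest-prefix-match table built from a host's interface addresses plus a default route, returning what the host must ARP for. The interface names (eth0, lan, wan) and the 10.0.2.254 gateway are constructed for the illustration; the other addresses come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: Optional[str]                  # None for a gateway route; resolved later


def build_routes(interfaces: List[Tuple[str, str]],
                 default_gateway: Optional[str] = None) -> List[Route]:
    """Derive the table a host builds from its interface addresses:
    one connected route per interface plus an optional default route."""
    routes = [Route(ipaddress.ip_interface(cidr).network, None, name)
              for name, cidr in interfaces]
    if default_gateway is not None:
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"),
                            ipaddress.ip_address(default_gateway), None))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match over the table; None when nothing matches."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def next_hop(routes: List[Route], dest: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Decide what the host ARPs for and which port the frame leaves on.
    Returns (kind, arp_target, iface):
      "direct"      : dest shares the interface's network part, ARP for dest itself
      "gateway"     : dest is elsewhere, frame is addressed to the gateway's MAC
      "unreachable" : no route, or the gateway is not on any connected network
                      (so there is nothing the host can ARP for)"""
    route = lookup(routes, dest)
    if route is None:
        return ("unreachable", None, None)
    if route.via is None:
        return ("direct", dest, route.iface)
    # A gateway route is only usable if the gateway itself is directly connected.
    gw_route = lookup(routes, str(route.via))
    if gw_route is None or gw_route.via is not None:
        return ("unreachable", None, None)
    return ("gateway", str(route.via), gw_route.iface)


if __name__ == "__main__":
    # The /24 vs /16 case from the related question (gateway 10.0.2.254 is constructed).
    print(next_hop(build_routes([("eth0", "10.0.2.1/24")], "10.0.2.254"), "10.0.1.39"))
    print(next_hop(build_routes([("eth0", "10.0.2.1/16")], "10.0.2.254"), "10.0.1.39"))
    # The asker's router WAN port with the off-subnet ISP gateway.
    print(next_hop(build_routes([("wan", "12.12.12.227/27")], "12.90.119.213"), "8.8.8.8"))
    # The layout mgorven describes: a router with a /27 LAN and a /30 link to the ISP.
    router = build_routes([("lan", "12.12.12.225/27"), ("wan", "12.90.119.214/30")],
                          "12.90.119.213")
    print(next_hop(router, "8.8.8.8"), next_hop(router, "12.12.12.230"))
```

    With /24 the 10.0.1.39 destination goes to the gateway; with /16 it is ARPed for directly, which is the mask dependence the earlier answer points out. The asker's WAN configuration comes back unreachable because the default gateway has no connected route of its own, which is why a Linux host refuses such a route outright ("Nexthop has invalid gateway") unless it is explicitly marked onlink; whether it works on a given switch then depends on what the router and switch do with a gateway they cannot place on any subnet.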