We have two subnets
Router 1
192.168.2.1
255.255.254.0
Router 2
192.168.1.1
255.255.255.0
Modem >> switch
>> router1 wan port >> from lan port to switch >> Different computers
>> router2 wan port >> from lan port to switch >> Different computers
Please note two different static public ips(of same subnet) for both routers.
I would like to know how I can access a host from Router 1 to a host in Router 2 or vice-versa.
use a single router:
Modem >> router >> switch >> lan1 >> computers in lan1
>> lan2 >> computers in lan2
You don't even need two LANs formally, since the PCs don't need a special routing rule to reach all local systems in this case.
You use two address sets: 192.168.1.xxx and 192.168.2.xxx and a network mask of /23 or even /16, no difference there. This way all PCs know they can simply send out packages to everything inside 192.168... Whereas for packages outside they need a rule routing those packages through the router. The routing of packages between the two areas on the LAN side is done automatically by the switch. That is what a switch is build for.
This is an explanation of how you would do it assuming that you must keep these as two separate subnets!
That is, you'll have to set up access for each IP address in the other router's firewall, and then specify to which internal system it will connect.
Note: It's only safe to do this because you have two static IP addresses! There really isn't an easy, safe way to do this with dynamic IPs.
In that case, Router 1 will have to grant access to Router 2's public IP address and vice versa. How you do this completely dependent on the make and model of the router.
The routers will know how to route to each other, because they'll be using the public IPs.
So, the data path will be: System1 (subnet1)->Router1->Internet->Router2->System2
Since different routers have you specify addresses in different ways, make sure you know how yours expects you to input the address or range of addresses.
However, that's not enough. Because you have multiple systems on each subnet, all sharing the same public IP address, you also have to specify which inbound traffic goes to what subnet host.
That is, you start on System1 in the above data path. The data goes out Router1 and back into Router2. How does Router2 know where to send it? It only has ONE external IP address.
Again, there are different ways of doing this for different routers. On some, you can specify that data on certain ports gets sent to certain systems. (Port Forwarding)
Using Telnet as an example (you shouldn't! Telnet isn't secure. It's just easy to use as an example)...
You want to get from System1 (on subnet1) to System3 (subnet2).
On Router1 you specify that incoming data on Port 23 (Telnet port) should go to System1. On Router2 you send all Port 23 data to System3.
Port Forwarding, however, is somewhat limited insofar as, in the setup above, only System1 and System3 can receive Telnet data.
The other common way to do this is to have all data from a particular IP sent to one particular system on your subnet. That won't work for you, because you have multiple systems on each subnet!
I hope this isn't too non-specific! (Or too rambling! :-) ) I'm trying to be as non-specific as possible, but it makes it difficult to explain things! Unfortunately, since each company's routers use different interfaces, it's impossible for me to exactly what you need to do!
Let us know what your routers are. Then I can possibly be more specific.
In the meantime, however, look for the sections in your router to 1) the other router's data in, and 2) specify what data goes to which system on the subnet!
I hope this helps!
Related
We have developed a hardware device that doesn't have a screen. It uses TCP/IP to communicate with the network. Currently this is configured by DHCP.
However, we'd like a way to configure it's IP statically by some app I'll have to develop. I notice for some devices like printers there are custom apps that they use to set such information. But how do they talk to the device when the device hasn't been assigned an IP already?
Are they using RAW sockets and a custom protocol? or is there a simpler method. For example, I recall many years ago using a Linux device that somehow received it's initial IP by running an arping. But I don't understand how that sets the IP for other hosts on the network. Nevertheless it seemed to work. Could I mimick that?
e.g. arp -s 191.168.2.2 00-40-9d-22-23-60
So I've got an idea how it works, but I'd like to know what is the common method of setting IP to an embedded device that has no physical screen to configure this.
To be clear, this device does not use Linux.
The standard-conformant way of doing this goes (for IPv4, but IPv6 is similar) along the lines of:
Try to obtain an IP address via DHCP, skip step (2) if that worked. This should be the default.
If no DHCP server responded, use a unique link-local address (These are addresses from the block 169.254.0.0/16 reserved for this purpose. Some parts of the chosen address should be based on something unique to the device, like the MAC address, to make sure the device always chooses the same LL address. Or, to make it fully RFC-compliant: choose a truly random address from this range and probe it - Re-use it when possible) The chosen LL address should be checked against any other use in this network before usage with an arp request on that address (That's probably what you have read). If someone responds to that request, choose a different IP and retry.
Now that you have a temporary IP address, you can use one of the various IP-Multicast-based service discovery protocols to advertise your device to the network.
After 20 pages of SO results about Mikrotik and some more google results, I'm come here, down on my knees to request some enlightment.
I have a network with static IP and some public IP (248 mask).
So far I've configured the network to use one of those public IP and use it for 2 subnets (192.168.85.X and 192.168.5.X) wich are isolated from each other and both can access internet.
What I'm trying to achieve is to add a second WAN ip to the router, and route traffic to a specific server to use that IP.
What i mean is:
Any PC from 192.168.85.X should use WAN IP1 and use internet with it.
Any PC from 192.168.85.X trying to access www.facebook.com should use WAN IP2 to browse and navigate to that website (while all the rest of the traffic goes through WAN IP1).
The device that gives me the WAN link only has 1 "out" port, so there is no way to put 2 cables from the "modem" to the Mikrotik, right now there is 1 cable going from the modem to the Mikrotik device. I've seen some forum post where the first part can be solved by just connecting 2 cables and then assign different IP for each interface.
As you may notice, I'm really raw in networking and routing, so any GUI/Winbox instruction is appreciated, but CLI commands would be just fine.
This info is for reference for anyone who may want to do this in the future:
1.- If you assing the IP to the WAN interface using the same notation X.X.X.X/29, the router will know that you want to use all the IP but set the default route to use the given IP as the prefered. This can be looked up in IP > Routes.
2.- If you want to use different IP for different traffic, you have to a) Mark that traffic and b) Force that traffic to go out by an specific IP. You do this in IP > Firewall > Mangle to mark the traffic and IP > Routes to add the new route for that traffic. There are contradictory info about if you need or not to add NAT (IP > Firewall > NAT) rules for the traffic and i'm really lost about it (it doesn't work with or without, but sometimes does work).
This is all i can contribute to this, i'll keep trying to find and answer in serverfault as #SergGr suggested.
I'm exploring alternate multiplicities between IP subnets and VLANs, outside the recommended 1-to-1 implementation. My understanding is as follows:
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), but would ignore traffic lacking an IP that targets them.
Question: Would I be able to communicate across subnets without a layer 3 device if I could manually insert a destination MAC address in the frame header? My understanding is that the layer 2 switch is oblivious to the differing subnets, and assuming it knows the location of the destination MAC address, would forward the packet in its direction. The destination PC, seeing its IP and MAC addresses, would accept the packet, effectively letting it cross subnets without ever being routed.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same subnet (but unknowingly in another VLAN) would send out an ARP request that would never be responded to.
This would effectively create separate, identical address pools for each of the VLANs, though I'm not sure how a router would differentiate between the two when interVLAN communication is attempted. I'm a little bit unsure about the pros/cons of this configuration..
Why would we ever want to do this?
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), > but would ignore traffic lacking an IP that targets them.
This actually has it's use case in modern DCs. Not in a way you suggest it (w/o a L3 device), but with a VEPA switch.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same subnet (but unknowingly in another VLAN) would send out an ARP request that would never be responded to. This would effectively create separate, identical address pools for each of the VLANs, though I'm not sure how a router would differentiate between the two when interVLAN communication is attempted. I'm a little bit unsure about the pros/cons of this configuration..
A single subnet across multiple VLANs, also called Transparent subnet gatewaying (RFC 1027) is a somehow archaic approach. It uses Proxy ARP, but proxy ARP has it's own set of problems.
Multiple subnets to a single VLAN (connected via a switch):
Hosts across both subnets would receive layer 2 broadcasts (such as ARP), but would ignore traffic lacking an IP that targets them.
Question: Would I be able to communicate across subnets without a
layer 3 device if I could manually insert a destination MAC address in
the frame header?
You will need to replace the MAC address, and need to recalculate FCS over the whole frame, else the switch will reject it as a damaged frame. This must happen after your ethernet driver does this.
A single subnet across multiple VLANs:
Broadcast traffic would be isolated to the individual VLANs. This would break ARP, as a host targeting another machine in the same
subnet (but unknowingly in another VLAN) would send out an ARP
request that would never be responded to. This would effectively
create separate, identical address pools for each of the VLANs,
though I'm not sure how a router would differentiate between the two
when interVLAN communication is attempted. I'm a little bit unsure
about the pros/cons of this configuration..
Why would we ever want to do this?
Hosts in the same subnet would not be able to communicate with each other. Most routers will not let you assign the same network to multiple interfaces, unless they are bridged interfaces, in which case, you haven't accomplished anything except sending the traffic the long way around.
Some switches have something similar to this, called Private VLANs, where hosts can only communicate with a gateway. This is a security feature used in some situations.
Gonna use 'ROUTER ONE' and 'ROUTER TWO', for my examples.
I have two routers, one on wireless one on ethernet. Both have different names. I want windows to just use the internet connection on ROUTER ONE and not use the connection on ROUTER TWO, but I still want to access ROUTER TWO's IP. At the moment to use the network I have to unplug the cable, as I get on the site I want, then the OTHER router takes me too another network saying that the connection is unavailable.
So then, what do I do?
The router names are irrelevant, all that matters is their IP addresses. You can tell a computer which router to use by setting it gateway address to that router's internal IP address. You can do that in the DHCP settings if you want it applied network wide.
As far as accessing both routers it all depends on how your network is set up both physically and its IP scheme. If both routers are on the same physical network and IP scheme you should be able to access them. If they are on the same physical network but on different IP schemes you can assign a second IP address to a computer that is compatible with the second scheme so you will be able to access the second router.
I am trying to achieve double NAT working with UPNP. My PC connection is as follows:
Internet -> Router 1 -> Router 2-> PC
I have successfully done port forwarding on the Router 2, but not able to do on router 1. Due to which packets from the server(which is on Internet) are not able to reach PC.
Gone through few document how to tackle but mostly found manual way like bridge the network or put the lan wire.
I am rather looking for the some recursive solution using UPNP protocol to do the port forward on both routers. I guess torrent, skype does the same.
How to get the network interface related to router 1 and then port forward on that Network ?
Any help would be highly appreciated.
Thanks,
Pawan
There is an IGD-PCP IWF specification that tries to solve similar problem, although it assumes PCP support on your "Router 1", not UPnP. So let's try to approach this issue from a pure theoretical point of view with two plain UPnP routers/NAT devices.
There are several distinct steps of UPnP communication as per UPnP Device Architecture version 2.0:
addressing
discovery
description
control
eventing
presentation
Addressing is of little interest for us, let's assume proper DHCP everywhere and be done with it. Eventing and presentation are also almost useless in our case. So the main things to be concerned about are discovery, description and control.
Discovery works via SSDP message exchange. SSDP uses UDP for its transport with port number 1900 (by default) and well-known multicast address.
Description starts with URL provided by the device at discovery phase, the control point (that is PC in our case) needs to issue an HTTP GET request on this URL and that means it uses TCP as a transport protocol with devices IP address (unicast).
Control starts with URL provided by the device in its description, and it uses SOAP on top of HTTP on top of TCP which in turn also means unicast IP for us.
So, what all of that means for double NAT is that in description and control steps of UPnP interaction we have zero problems communicating from PC to Router 1 as all of that is just standard TCP with unicast IP addresses. But to get to the description step we need to have a URL of Router 1, so let's take a closer look at how this URL is acquired the normal way.
There are two main mechanisms for discovery — advertising (when the device periodically multicasts some information about it) and search (when the control point sends multicast search message and the device answers to that with unicast response). Obviously, by default our PC behind the Router 2 can't get multicast advertisements from Router 1 and the Router 1 can't get multicast search messages from PC, so we have a problem here and the question now is whether there is a possibility for communication without multicast.
Luckily, the same architecture document says:
In addition, a control point is allowed to unicast a discovery message to a specific IP address on port 1900 or on the port specified by the optional SEARCHPORT.UPNP.ORG header field (which supersedes port 1900 for this use), searching for a UPnP device or service at that specific IP address.
...
All devices shall listen to incoming unicast search messages on port 1900 or, if provided, the port number specified in the SEARCHPORT.UPNP.ORG header field and shall respond if any of their root devices, embedded devices or services matches the search criteria in the discovery message.
And this means that if you know the Router 1 IP address (from Router 2 side, of course), you can (and most importantly, allowed by specification to) communicate with it with unicast UDP messages and that is also NAT-friendly, so not an issue to be done from PC behind the Router 2.
The only thing left is getting Router 1 IP address. Unfortunately, there is no easy standard way to do that, but you have at least two options: tracerouting (in whatever fashion you want) and brute force IP scanning (most probably, the potential set of IPs for Router 1 is limited).
Now you can communicate with the Router 1, but there is still one minor thing you should always remember while communicating with it — in any internal UPnP messages you should use Router 2 IP address (as seen from Router 1 side) and its ports. Like in NewInternalClient parameter of AddPortMapping action on Router 1 you should use Router 2 IP. This, BTW, raises a question of Router 2 IP, but you can get that via Router 2 UPnP ExternalIPAddress variable of WANIPConnection service (this service is required for IGDs to implement).
So, to summarize:
this technically can be done, although I doubt that any standard library would do that for you
two things you need are:
Router 2 "external" IP and you get that via ExternalIPAddress variable of WANIPConnection UPnP service
Router 1 "internal" IP (from Router 2 side), that requires tracerouting or scanning
given Router 1 IP you just need to use unicast messaging at discovery step instead of multicast
everything else should just work, with only caveat of using Router 2 "external" IP instead of PCs IP in the UPnP messages
With the upnpc cli tool I've been able to get Double NAT port forwarding working.
For my example, let's say I want port 6667 to be forwarded to my machine, 192.168.50.123, behind a double NAT. The first layer of NAT has the IP range 192.168.1.1-255, and then 2nd layer has IP range 192.168.50.1-255.
On a machine inside the 2nd layer of NAT, just setup port forwarding with upnpc like normal.
$ upnpc -a 192.168.50.123 6667 6667 tcp
...
$ upnpc -l # this will confirm the rule is in place
...
Now for the slightly tricky part. I now issue UPNP requests to the outer layer NAT. Since the usual SSDP discovery won't work, I have to specify the XML root description URL manually. It's often something standard like http://192.168.1.1:5000/rootDesc.xml, though on some hardware the port number is randomized. I find just port scanning the gateway address will eventually reveal it.
Now that I have the rootDesc url, http://192.168.1.1:5000/rootDesc.xml, I then issue UPNP command to the outer layer NAT:
$ upnpc -u "http://192.168.1.1:5000/rootDesc.xml" -a 192.168.1.XX 6667 6667 tcp
...
$ upnpc -u "http://192.168.1.1:5000/rootDesc.xml" -l # this will confirm the rule is in place
...
With the -u option instead of discoverying the rootDesc, it just uses the URL provided.
The address 192.168.1.XX should be the 2nd layer network's IP address on as seen by the 1st network. When running the first set of UPNP commands this will be shown since it's the "external" address from that NAT's perspective.
With that now setup, traffic will go like this:
<INTERNET> --> MY_PUBLIC_IP -> 192.168.1.XX -> 192.168.50.123