[Firehol-support] Routing between virtual interfaces

M. O. mofog at hotmail.com
Sun Jan 25 11:59:28 GMT 2009

Oh, I'm sorry, I think there was a little misunderstanding at my side. The solution you described here:

> >> If you cannot go the VLAN way, the only way to deal with this is just
> >> do your configuration using just "eth0". You can have a route where
> >> the in and out interfaces are the same, and you can control the flow
> >> of traffic between subnets using "src" and "dst" with the "route"
> >> commands.

is actually what I tried to achieve so far. My understanding of subnets was right then, but thanks for the very good explanation, which confirmed my theory.

Here's what I've done so far and what used to work on the old server:

router alpha2delta src dst
    route     all    accept
router beta2delta src dst
    route     all    accept

Again: it works "sometimes". For example alpha can ping delta, but beta can't. Wait a few minutes and the behaviour may be vice versa. Even more interesting is that delta happens to be a network printer with a web interface. Even when I'm able to reach the printer by ping, I may not be able to access its web interface (things are getting spooky here, don't they?).

There's no real security policy, but it would just be nice to separate the two networks from each other: business/office and home. Besides, I'd like to find the root of this problem. So if you do have any ideas what might be causing it, and you've got some minutes to answer, I'd be more than happy to hear from you.

Thank you so far,


> > Would this really work? If all computer are situated in the very same subnet
> > and they are connected by just one switch, how does the server have an
> > influence on the flow of data? If there's a package coming from A directed
> > to B, the switch will just put the package on the particular port B is
> > connected to and the server (being connected to the same switch on another
> > port) won't even notice. Or am I mistaken?
> For the switch, A and B are the source and destination mac addresses
> contained in ethernet frames, which may or may not be the mac
> addresses of the hosts you are calling "A" and "B".
> Let me give you two examples:
> 1. Hosts A and B are on the same subnet. Host A sees that B's ip
> address is on the same subnet, so it sends an ARP request to find B's
> mac address. It then sends ethernet frames with B's mac address as
> destination, containing ip packets with B's ip address as destination.
> The switch sends these frames/packets to host B.
> 2. Hosts A and B are on different subnets. Host A sees that B's ip
> address is on a different subnet, so it goes to the routing tables and
> finds its default gateway (server C). Then it sends an ARP request to
> find C's mac address. It then sends ethernet frames with C's mac
> address as destination, containing ip packets with B's ip address as
> destination. The server C receives these frames and basically does the
> same as example 1.
> So, when two hosts are on different subnets, it doesn't matter if the
> physical link is the same or not, traffic will flow through C, so it
> can be controlled there.
> But, like I said before, without VLANs this separation is easily
> broken by a malicious host, which only needs to change its ip address
> to circumvent any controls imposed by the server.  But in your case
> this risk may not be of concern, only you can tell.
> -- 
> Carlos Rodrigues

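A complete FireHOL configuration for the setup discussed in this thread (three subnets on one physical segment behind eth0, alpha and beta each allowed to reach delta, nothing else forwarded), written as an added example rather than the poster's or the FireHOL project's own config. The subnet addresses, the interface name and the "ssh" service are assumptions; the thread does not give them.

```firehol
version 5

# Assumed addressing (constructed for this example, not from the thread).
# All three subnets share the same switch and the same eth0, so the server
# must carry one address in each of them and delta must use the server's
# delta-subnet address as its gateway, otherwise replies to alpha/beta never
# reach the server and the "route" rules below never see them.
alpha_net="192.168.10.0/24"
beta_net="192.168.20.0/24"
delta_net="192.168.30.0/24"

# Traffic to and from the server itself.
interface eth0 lan src "${alpha_net} ${beta_net} ${delta_net}"
    policy drop
    server ssh accept
    client all accept

# Forwarded traffic. In and out interface are both eth0, so src and dst are
# the only thing that tells the flows apart; each router is stateful, so the
# reply direction of an accepted connection is allowed automatically.
router alpha2delta inface eth0 outface eth0 src "${alpha_net}" dst "${delta_net}"
    route all accept

router beta2delta inface eth0 outface eth0 src "${beta_net}" dst "${delta_net}"
    route all accept

# No router pairs alpha with beta, so office and home traffic is not forwarded
# between them. As the reply above points out, a host on the same segment can
# still defeat this by changing its own ip address; only VLANs remove that.
```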