
I have two subnets.

192.168.232.0/28
192.168.232.16/28

The cloud provider (Hetzner) gives me a gateway 192.168.232.17 for the subnet 192.168.232.16/28. I have a Windows client 192.168.232.19 in this subnet. I have a MikroTik firewall/gateway on 192.168.232.2 in subnet 192.168.232.0/28.

If I use 192.168.232.17 as the default gateway on 192.168.232.19, I can ping 192.168.232.2 and the other way around.

But I want 192.168.232.2 to be the default gateway.

I tried these routes on the windows client:

192.168.232.0/24 via 192.168.232.17
0.0.0.0/0 via 192.168.232.2

[image: ROUTES]

But it's not working. What am I missing?

Wulf
  • If the traffic is not going to 192.168.232.2, what destination is it attempting? – Greg Askew Feb 12 '22 at 19:22
  • @GregAskew With routes added in the image: `ping 8.8.8.8` ends with `192.168.232.19 host not reached` – Wulf Feb 12 '22 at 19:30
  • That's what I would expect. The interface 192.168.232.19 is on a different subnet than 192.168.232.2. That isn't a valid next hop for a router. – Greg Askew Feb 12 '22 at 20:14
  • @GregAskew So I have no possibility to use `192.168.232.2` as Default Gateway, because I have no direct interface in that subnet? – Wulf Feb 12 '22 at 20:30
  • @Wulf You cannot use a gateway that is in another subnet. Either you use the gateway in your subnet or you move over to the other subnet. – Zac67 Feb 12 '22 at 22:09
  • @Zac67 1. Can you send some resources so that I could grasp that? 2. I'm connecting a dedicated server and a cloud server from Hetzner. I can't move the client into another subnet, because they provide me the gateway in that network... – Wulf Feb 12 '22 at 22:18
  • Network 101. A gateway forwards packets from your subnet to another. How do you expect to send packets to a gateway when it is in another subnet? https://networkengineering.stackexchange.com/questions/50352/network-gateways-vs-interfaces should explain it in more detail. – Zac67 Feb 12 '22 at 22:24
  • @Zac67 That's fine. I get that point. My thought was like: I could tell the OS "You can reach gateway 192.168.232.2 via gateway 192.168.232.17", but that seems not to be possible... – Wulf Feb 12 '22 at 22:27

1 Answer


A gateway can only be used when it is located in the same subnet as the sender. IP routing works by sending an IP packet to the gateway and the gateway forwarding it on.

On MAC-based networks like Ethernet that is done by addressing the encapsulating Ethernet frame to the gateway's MAC address. The MAC address is determined by an ARP request for the gateway IP address. ARP uses Ethernet broadcast to send the request to all nodes in the broadcast domain. Accordingly, a gateway MUST be located within the sender's broadcast domain.

Usually, the sender only attempts to ARP the gateway address when it is part of its own subnet. You could trick this part by forcing an address to be "on-link" (similar to what you've tried) but you can't trick the broadcast domain.

Forcing a gateway that your local gateway should use was initially an IP option called source routing. It didn't gain wide adoption and is today generally deprecated because of severe security issues. The option is either ignored or the whole packet is dropped.

As mentioned in the comment: you need to use your local gateway or move the host to the other subnet.

Zac67
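A small model of the routing decision the answer describes, added here as an example and not part of the original post: longest-prefix match over a constructed Windows-style static route table, followed by the on-link check that a host performs before it can ARP for the gateway. The interface, the two route tables and the helper names are assumptions built from the addresses in the question.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed model of the client in the question: one NIC in 192.168.232.16/28.
CLIENT_IFACE = ip_interface("192.168.232.19/28")

# Static routes as (destination prefix, gateway). Constructed from the question.
ROUTES_ASKED = [            # what the question tried
    ("192.168.232.0/24", "192.168.232.17"),
    ("0.0.0.0/0", "192.168.232.2"),
]
ROUTES_WORKING = [          # the provider's gateway as default route
    ("0.0.0.0/0", "192.168.232.17"),
]


def lookup(routes, dst):
    """Longest-prefix match over the static routes plus the interface's own
    connected prefix. Returns (network, gateway); gateway is None for on-link."""
    dst = ip_address(dst)
    candidates = [(CLIENT_IFACE.network, None)]  # connected (on-link) route
    candidates += [(ip_network(p), ip_address(g)) for p, g in routes]
    matches = [(n, g) for n, g in candidates if dst in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def next_hop(routes, dst):
    """Resolve where a packet to dst is sent on the wire.

    The host does not look the gateway up in the route table again; it must
    ARP for it directly, so the gateway has to sit inside the interface's own
    subnet (its broadcast domain). Otherwise the packet cannot be delivered.
    """
    best = lookup(routes, dst)
    if best is None:
        return ("unreachable", "no matching route")
    _, gw = best
    if gw is None:
        return ("on-link", str(ip_address(dst)))
    if gw in CLIENT_IFACE.network:
        return ("via", str(gw))
    return ("unreachable", f"gateway {gw} not in {CLIENT_IFACE.network}, cannot ARP")


if __name__ == "__main__":
    print(next_hop(ROUTES_ASKED, "8.8.8.8"))        # the failing ping in the comments
    print(next_hop(ROUTES_ASKED, "192.168.232.2"))  # still reachable via .17
    print(next_hop(ROUTES_WORKING, "8.8.8.8"))
```

The 0.0.0.0/0 entry is selected for 8.8.8.8 in both tables; only the gateway inside 192.168.232.16/28 can be resolved, which is why the first table fails and the second works.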