
We are attempting to route all traffic from a certain machine to a gateway. This works OK for traffic destined for subnets outside of the machine's subnet. However, traffic to machines in the same subnet as the source machine goes through an On-Link gateway in Windows. This means that the default gateway is ignored, and traffic in a subnet (for example, 192.168.50.10 -> 192.168.50.11) flows.

  Destination      Netmask          Gateway    Interface       Metric
  192.168.50.0     255.255.255.0    On-link    192.168.50.214  276

  1. This route can be deleted from Windows, but when the machine is rebooted it always comes back.
  2. Adding a persistent static route to the gateway with a lower metric doesn't work, since it will still try the On-Link gateway after the persistent route fails.
  3. Adding each machine to a VLAN isn't an option due to the setup we have.
  4. Adding a startup script to delete the gateway isn't a great option either, since users will have full admin access to the machine and might disable the script.
  5. We cannot transparently intercept all network traffic on the subnet using gratuitous ARPs or transparent proxying, since there are other machines on the subnet which use a different gateway.

The only way we have gotten it to work is by adding a persistent route to the gateway for the subnet traffic, and deleting the On-link route on reboot.

The question is then:

  1. Is there a way to permanently remove this On-link route?
  2. If not, is there a way to otherwise force even local subnet traffic to go through a gateway?
Beerey
  • Can I ask... what are you trying to do? – The Unix Janitor Feb 18 '11 at 14:34
  • We are trying to isolate a virtual machine on a network. We're using RHEV so we can't make a host-only environment or change the network adapter mode (Bridged, NAT, etc.) à la VirtualBox or VMware. We can't use a few other options for the reasons described above. Essentially, we'd like it so a VM can't see any other VM or machine on the same subnet. – Beerey Feb 20 '11 at 23:43

3 Answers

There's a difference between forcing traffic through a gateway, and preventing devices from seeing each other on a subnet. I think what you're trying to do is the latter. Probably because you want to host servers for multiple external customers. You're looking in the wrong place if you're editing the routing table to achieve this goal.

My recommendation would be to handle this at the switch using ACLs. What specifically you can block/allow will depend on your switch's capabilities. Another alternative is to block ARP broadcasts, and then set static ARP entries for the default gateway (Technically someone could add more static entries to talk to other devices still).

Also, keep in mind that unless the gateway is set to block traffic from or to that segment, it will happily route traffic right back into the same network.

Ryan
  • We are trying to host servers for multiple external customers, that's correct. We are trying to prevent devices from seeing each other; the gateway was just our possible solution to the problem. The gateway we have set up is a Linux box running iptables which drops any packets destined for an internal network address, and allows the rest. This prevents the machines from seeing or accessing each other. We have had to take this route since the switch is pretty dumb and doesn't have ACL support. I didn't think about blocking ARP broadcasts, +1 for that. I'll have to investigate further. – Beerey Mar 04 '11 at 02:19
  • FYI, if you're concerned at all about bad actors: a routing table only handles layer 3 routing decisions. ARP will handle layer 2. Given your current setup someone could easily intercept traffic from/to the other nodes using an ARP flood. This is a well-known MITM attack and has been in the wild for years. DHCP is broadcast based as well, and someone could cause havoc if you have any DHCP clients (but this is not as commonly seen in the wild). – Ryan Mar 04 '11 at 18:21
  • Thanks for that, I completely forgot about ARP floods. Ultimately I think we're going to have to move to an ACL and replace the router, but in the meantime I'll follow your suggestions here re: ARPs and lock down the routing table as well. – Beerey Mar 07 '11 at 01:47
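As an added illustration of the static-ARP suggestion above and of the ARP-overwrite risk raised in the comments (this is example code, not from the thread or from any of its authors), the PowerShell below pins the gateway's neighbor entry on the Windows VM and reports whether that entry has been replaced or has lost its static state. The adapter alias, gateway address and gateway MAC are placeholders and must be replaced with the real values.

```powershell
# Added example: pin the default gateway's ARP (neighbor) entry and check it.
# All three values are assumptions/placeholders, not values from the thread.
$InterfaceAlias = 'Ethernet'           # assumption: adapter name inside the VM
$GatewayIp      = '192.168.50.1'       # assumption: address of the iptables gateway
$GatewayMac     = '00-00-5E-00-53-01'  # placeholder (documentation MAC); replace with the real one

function Set-GatewayStaticArp {
    param([string]$Alias, [string]$Ip, [string]$Mac)
    # Drop any dynamic entry first so the permanent one is not rejected as a duplicate.
    Get-NetNeighbor -InterfaceAlias $Alias -IPAddress $Ip -ErrorAction SilentlyContinue |
        Remove-NetNeighbor -Confirm:$false
    # State Permanent = static entry; it is not refreshed by incoming ARP replies.
    New-NetNeighbor -InterfaceAlias $Alias -IPAddress $Ip `
        -LinkLayerAddress $Mac -State Permanent | Out-Null
}

function Test-GatewayArp {
    param([string]$Alias, [string]$Ip, [string]$Mac)
    # Returns a Nagios-style status line; the caller maps OK/WARNING/CRITICAL to an exit code.
    $entry = Get-NetNeighbor -InterfaceAlias $Alias -IPAddress $Ip -ErrorAction SilentlyContinue
    if (-not $entry) {
        return "CRITICAL: no neighbor entry for gateway $Ip"
    }
    if ($entry.LinkLayerAddress -ne $Mac) {
        # A different MAC than the one we pinned is exactly what an ARP-poisoning attempt produces.
        return "CRITICAL: gateway $Ip resolves to $($entry.LinkLayerAddress), expected $Mac"
    }
    if ($entry.State -ne 'Permanent') {
        return "WARNING: gateway entry for $Ip is dynamic, not static"
    }
    return "OK: gateway $Ip pinned to $Mac"
}

# Usage (requires an elevated shell for Set-GatewayStaticArp):
Set-GatewayStaticArp -Alias $InterfaceAlias -Ip $GatewayIp -Mac $GatewayMac
$status = Test-GatewayArp -Alias $InterfaceAlias -Ip $GatewayIp -Mac $GatewayMac
Write-Output $status
switch -Wildcard ($status) { 'OK*' { exit 0 } 'WARNING*' { exit 1 } default { exit 2 } }
```

As Ryan notes, a static entry only protects the host that sets it, and a user with admin rights on the VM can remove it again; the check function exists so that the monitoring side notices when that happens rather than relying on the entry staying put.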

Well, your host is probably getting its default route from a DHCP server. If so, set a DHCP reservation. I suppose you could set the subnet mask for that host's reservation to 255.255.255.255, which would technically prevent the host from delivering packets directly to other hosts in the subnet. All traffic would go through the default gateway. Hacks still have to follow the rules of networking, and this one will break a lot of rules unless your network is appropriately segmented. It's usually not enough to just pretend the subnet mask is /32 in a /24 segment and hope the user doesn't change it. It's not actually secure.

Imagine a datacenter hosting thousands of servers. Admins do not simply trust that everybody has configured their IP addresses and subnet masks just right, not causing a conflict, etc. Any time hosts are on the same network segment, they can talk to each other. The challenge in this case seems to be forcing the host onto the correct network segment, a lone segment void of any other nodes but the port on your switch.

The best solution is a managed switch, probably Layer 3, like a Cisco 3550. The switch will behave like a router, routing traffic between all of its local subnets. As previously advised, use ACLs to prevent cross-network communication. But you mentioned VLANs were not an option, so you probably don't control the switch.

More creatively:

Establish a real or virtual network segment, like 10.x.y.z/30, with only a single gateway and no default route offered by DHCP. A /30 CIDR block requires a good understanding of network subnetting. Allow the hosts on the subnet you control to tunnel to your VPN gateway, authenticate, and only then obtain a default gateway. OpenVPN at least allows limiting host-to-host communication, as all traffic is of course routed through the VPN server. This is analogous to using Wi-Fi on a public hotspot, where they block traffic between wireless hosts.

Or, you may be able to use a transparent proxy, again with ACL rules to prevent host-to-host communication. Not sure if this would meet your needs.

In summary, the real challenge is preventing host-to-host communication on the same subnet. Discrete subnets are simply a way to filter ARP packets. Possibly some ARP hack could accomplish this.

dylan

Ultimately we did not find a way to do either of these things without a startup script. Removing the On-Link route would not persist no matter what we did, and we couldn't use any of the other options (transparent proxy, VLAN, etc.) for the reasons stated above.

In the end we added a startup script to run

 ROUTE DELETE 192.168.50.0

on startup. The script was put in a directory restricted only to our user (not admin), and run on startup. We also added a custom Nagios script which ran this command and checked that the routing table didn't change after that point.

Beerey
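The startup script and the Nagios check described in this answer, written out as an added example in PowerShell (this is not the original poster's script; it uses the NetTCPIP cmdlets rather than ROUTE.EXE). The subnet comes from the question; the gateway address and adapter alias are assumptions. It removes only the On-Link entry for the subnet, makes sure the persistent route through the gateway exists, and exposes a check that fails if the On-Link route has come back, which is what an admin user re-adding it or a reboot without the script would look like.

```powershell
# Added example: replace "ROUTE DELETE 192.168.50.0" with a targeted removal of the
# On-Link route, ensure the gateway route exists, and provide a Nagios-style check.
$Subnet    = '192.168.50.0/24'   # from the question
$GatewayIp = '192.168.50.1'      # assumption: address of the iptables gateway
$Alias     = 'Ethernet'          # assumption: adapter name inside the VM

function Get-OnLinkRoute {
    param([string]$Prefix)
    # Windows reports an On-Link route with a next hop of 0.0.0.0.
    Get-NetRoute -DestinationPrefix $Prefix -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.NextHop -eq '0.0.0.0' }
}

function Get-GatewayRoute {
    param([string]$Prefix, [string]$Gw)
    Get-NetRoute -DestinationPrefix $Prefix -NextHop $Gw -ErrorAction SilentlyContinue
}

function Set-SubnetViaGateway {
    param([string]$Prefix, [string]$Gw, [string]$Alias)
    # New-NetRoute writes to the persistent store by default, so this is the
    # equivalent of "ROUTE -p ADD"; verify with Get-NetRoute -PolicyStore PersistentStore.
    if (-not (Get-GatewayRoute $Prefix $Gw)) {
        New-NetRoute -DestinationPrefix $Prefix -NextHop $Gw -InterfaceAlias $Alias -RouteMetric 1 | Out-Null
    }
    # Remove the On-Link entry only; the gateway route for the same prefix stays.
    Get-OnLinkRoute $Prefix | Remove-NetRoute -Confirm:$false
}

function Test-SubnetRoute {
    param([string]$Prefix, [string]$Gw)
    # Nagios plugin contract: write one status line, return 0 (OK) or 2 (CRITICAL).
    if (Get-OnLinkRoute $Prefix) {
        Write-Output "CRITICAL: On-Link route for $Prefix is present; local traffic bypasses $Gw"
        return 2
    }
    if (-not (Get-GatewayRoute $Prefix $Gw)) {
        Write-Output "CRITICAL: no route for $Prefix via $Gw"
        return 2
    }
    Write-Output "OK: $Prefix routed via $Gw, no On-Link route"
    return 0
}

# Startup-script usage (elevated):  Set-SubnetViaGateway $Subnet $GatewayIp $Alias
# Nagios-check usage:               exit (Test-SubnetRoute $Subnet $GatewayIp)
Set-SubnetViaGateway $Subnet $GatewayIp $Alias
exit (Test-SubnetRoute $Subnet $GatewayIp)
```

Running the check on a schedule from the monitoring side, rather than trusting the startup script alone, addresses the concern in the question that a user with admin rights can disable the script: the route drifting back to On-Link then shows up as a CRITICAL rather than going unnoticed.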