0

On a hosted environment where we do not have control over the routers, all we have is an internal network and a DMZ network and a host in each. In the DMZ is a RHEL server running Openswan and terminating an IPsec VPN tunnel to another site.

The system in the internal network needs to access the systems on the other side of the tunnel. The idea is to create a route on the internal host pointing to the DMZ host as the gateway to get to the hosts on the other side of the tunnel.

Based on research, it appears that I cannot have a gateway in another subnet that is not directly connected to me. Is this indeed the case and is there any way to get around this?

This is the command I run on the internal host:

route add -host $hostOnOtherSideOfVPN gw $hostInDMZ dev eth0

I am able to access the host in the DMZ without any issues (ICMP, telnet, etc). Can anyone point me in the right direction?

random
gdurham

3 Answers

3

Routing of end devices (non-routers) works on 3 pieces of information, your IP address, your subnet mask, and your default gateway. The host does math on the IP address and subnet mask to figure out what IPs are "local" and which should be sent to the default gateway for further processing. So, your default gateway must be on the same subnet as you are, otherwise the configuration simply won't work.

Aaron
  • In this case this is not the default gateway just a gateway to get to a single host/network. – gdurham Sep 22 '11 at 17:07
  • Sure, most hosts will generally allow you to add additional routes. However, they must point to another IP *on the same subnet*. Remember, all the default gateway (router) knows about a packet is the destination IP address. If you have A-B and then C and D both connecting to B, then there's no way for A to say "I want these packets to go to C and these other ones to go to D". B makes that decision. – Aaron Sep 22 '11 at 17:41
1

You can have a route to another network via your default gateway by adding a route to that network in your default gateway. So the traffic goes through a specific route rather than the default route (which would at that point be the router's default gateway).

So what you need is this:

Local LAN--->DG--->DMZ host--->Local VPN Endpoint--->Remote VPN Endpoint--->Remote LAN

Which should be accomplished by adding a route for the remote LAN in your DG that routes to the local DMZ VPN Endpoint. The local DMZ VPN endpoint then should have a route (it may already be there by virtue of the VPN connection) to the remote LAN in its routing table.

joeqwerty
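The on-link rule Aaron describes and the DG-based fix in joeqwerty's answer, as an added example that is not part of any of the original posts: a small Python model of how a Linux host validates a new route's gateway and then resolves a destination, using constructed addresses (192.168.1.0/24 internal, 192.168.2.0/24 DMZ, 10.10.10.0/24 remote LAN) rather than anything from the question.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Host:
    """Toy model of a Linux host's routing state (constructed for illustration)."""
    name: str
    interfaces: dict                        # ifname -> "addr/prefix"
    routes: list = field(default_factory=list)  # (network, via, ifname); via=None means on-link

    def __post_init__(self):
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in self.interfaces.items()}
        for n, iface in self.interfaces.items():       # each interface yields a connected route
            self.routes.append((iface.network, None, n))

    def lookup(self, dst):
        """Longest-prefix match; returns (via, ifname) or None if no route."""
        dst, best = ipaddress.ip_address(dst), None
        for net, via, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, ifname)
        return None if best is None else (best[1], best[2])

    def add_route(self, network, via):
        """Mirror of `route add -net NETWORK gw VIA`: the kernel only accepts a gateway
        that is reachable through a connected (on-link) route, never via another gateway."""
        via = ipaddress.ip_address(via)
        hit = self.lookup(via)
        if hit is None or hit[0] is not None:
            raise ValueError(f"{self.name}: gateway {via} is not on a directly connected subnet")
        self.routes.append((ipaddress.ip_network(network), via, hit[1]))
        return hit[1]

def demo(remote_lan="10.10.10.0/24"):
    """Return (question_attempt_ok, internal_next_hop, dg_next_hop) for a remote-LAN address."""
    internal = Host("internal", {"eth0": "192.168.1.10/24"})       # constructed addresses
    dg = Host("DG", {"eth0": "192.168.1.1/24", "eth1": "192.168.2.1/24"})
    internal.add_route("0.0.0.0/0", "192.168.1.1")                 # default gateway = DG
    try:                                                          # the question's attempt:
        internal.add_route(remote_lan, "192.168.2.10")            # DMZ host is off-subnet
        attempt_ok = True
    except ValueError:
        attempt_ok = False
    dg.add_route(remote_lan, "192.168.2.10")                      # joeqwerty's fix, on the DG
    probe = str(ipaddress.ip_network(remote_lan)[5])
    return attempt_ok, internal.lookup(probe), dg.lookup(probe)
```

The internal host keeps sending remote-LAN traffic to its default gateway; only the DG, which has an interface on the DMZ subnet, can hold the route toward the VPN endpoint.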
0

You could set up an SSH reverse proxy between $DMZHost and $RemoteHost(s), but depending on the number of remote hosts and remote host ports you need to access on the other side, this might be a bit unwieldy.

If it's doable, you would then connect to $DMZHost on the forwarded port(s) you specified in your tunnel.

gravyface