HOME NETWORKING with multiple-subnets and NAT
                     INTERNET
                        ^
                        |
                        |
                        V
                       tun0
               [ ROUTER-1 + NAT ]
                        254
                        ^
                        |  192.168.1.0/24
                        |
                        V
                        252
                  [ ROUTER-2 ]
                        254
                        ^
                        |  172.16.0.0/16
                        |
                        V
                        253
                  [ ROUTER-3 ]
                        254
                        ^
                        |  10.0.0.0/8
                        |
                        |
Problem 1.
How to configure network so that a machine located on the
172.16.0.0/16 LAN can ping 192.168.1.254 (the Internal
interface of the ROUTER situated between the Internet and
the Internal LAN). IP address of machine is 172.16.0.201.
a. Configure ROUTER-2 to forward all IP packets
b. Set default route of ROUTER-2 to 192.168.1.254/24
c. Set default route of 172.16.0.201/16 to 172.16.0.254/16
d. Ensure 172.16.0.201/16 can ping 172.16.0.254/16
e. Now try to ping 192.168.1.254; it will not work. Why?
When 192.168.1.254 receives a ping packet from 172.16.0.201,
it consults its routing table. The table has no entry for
172.16.0.0/16, so the reply follows the default route, which is
whatever the PPPoE connection hands it. In other words, ROUTER-1
sends the ping response out through tun0 and on to the Internet.
To see this, use tcpdump:
tcpdump -n -i tun0 host 172.16.0.201 and icmp
Therefore we need to add a static route on ROUTER-1:
route add -net 172.16.0.0/16 192.168.1.252
Here we are telling ROUTER-1 to send packets destined for
the 172.16.0.0/16 network back to ROUTER-2. 192.168.1.252 is
the second interface of ROUTER-2, the one on the 192.168.1.0/24 LAN.
Now ping should work.
Now try to ping an IP address on the Internet from the machine
at 172.16.0.201. It should not work. Run tcpdump again to see if
you can work out why. The problem is subtle.
tcpdump -n -i tun0 host 172.16.0.201
Actually the tcpdump command gives an important clue: the packet
leaves tun0 with the private source address 172.16.0.201, which
is not routable as far as the Internet is concerned. When the
targeted Internet host sees this packet it does not know where to
send the reply, or rather the reply is simply dropped.
What is required is NAT of packets from 172.16.0.201.
Add the following to your NAT configuration file:
nat on tun0 from 172.16.0.0/16 to any -> tun0
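The routing decision behind step e, and the NAT coverage check, as an added Python sketch that is not part of the original page: a longest-prefix lookup over a constructed ROUTER-1 table before and after the static route, plus a test of which source networks the `nat on tun0` rules cover. The LAN interface name lan0, the PPPoE peer label and the 203.0.113.1 Internet address are placeholders.

```python
import ipaddress

# Constructed routing table for ROUTER-1, following the page: a default
# route learnt over PPPoE on tun0 plus the directly connected
# 192.168.1.0/24 LAN. "lan0" and "pppoe-peer" are placeholder names,
# not taken from the page.
ROUTER1_ROUTES = [
    ("0.0.0.0/0", "tun0", "pppoe-peer"),
    ("192.168.1.0/24", "lan0", None),
]

# The static route from the page: route add -net 172.16.0.0/16 192.168.1.252
STATIC_ROUTE = ("172.16.0.0/16", "lan0", "192.168.1.252")

# RFC 1918 space: a source in these blocks gets no reply from the
# Internet unless it is translated on tun0.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface, gateway) entries.
    Returns (interface, gateway); gateway is None for a connected net."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return (best[1], best[2]) if best else (None, None)


def needs_nat(src):
    """True if src is private and must be translated before leaving tun0."""
    return any(ipaddress.ip_address(src) in n for n in RFC1918)


def covered_by_nat(nat_sources, src):
    """True if some 'nat on tun0 from <net>' rule matches src."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
               for n in nat_sources)


if __name__ == "__main__":
    # Reply to 172.16.0.201 before and after the static route is added.
    print("before:", lookup(ROUTER1_ROUTES, "172.16.0.201"))
    print("after: ", lookup(ROUTER1_ROUTES + [STATIC_ROUTE], "172.16.0.201"))
    # Only 192.168.1.0/24 translated: the 172.16 source leaves tun0 untouched.
    print("nat covers 172.16.0.201:", covered_by_nat(["192.168.1.0/24"], "172.16.0.201"))
```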
Problem 2.