
Setting Up Multiple Subnets


20 replies to this topic

#1 Lery

Lery

    Hackling

  • Active Members
  • Pip
  • 13 posts

Posted 16 July 2010 - 07:29 PM

I was hoping to see a show or if no show, then perhaps someone has this well documented somewhere? Here is what I have setup and what I'm trying to do.

Cable Internet Connection into Linksys E3000 Router.

Secondary Linksys router (WRT54GS) for the additional RJ-45 connections. (It is what I had laying around).

Server A is running VMWare ESXi 4.0 Runs a VM with my DNS, AD, DHCP server. Plus a few other VM's.

Server B is running VMWare ESXi 4.0 Runs a few Windows Server VM's.

I am currently running on the 192.168.1 subnet. I would like to add a secondary subnet into my network. I want to do this mainly for some specific software testing.

As I understand it, I have to buy at least two additional NIC cards. Ok can do that.

Then, from that point, I am lost at how to start. What server do I put the two NIC cards into? Server B I guess?

The ultimate goal is everything on Server B is using the new subnet. We will say 10.23.5 (Yes I just made that up).

Everything on server A will continue using 192.168.1.

I would need the VM's running on the new subnet (10.23.5), to also be able to access the internet. Extra points if the VM's can also access the VM's running on the 192.168.1. subnet.

So, there you go. That should fill up a 30 minute show.

-Lery

#2 Infiltrator

Infiltrator

    Gray-Hat Specialist

  • Active Members
  • PipPipPipPipPipPipPipPipPipPipPipPip
  • 4,392 posts
  • Gender:Male
  • Location:Over the Atlantic, at a cruising altitude of 70.000 feet.
  • Interests:Wireless and Network Security
    Server Virtualization
    Computer Network Infrastructure
    Server implementation.
    General Aviation
    RC Airplanes and Helicopters
    Scuba Diving
    Sky Diving
    War driving
    Solar battery Systems.
    Pen-Testing
    Command & Conquer

Posted 16 July 2010 - 11:22 PM

Server A = Nic 1
192.168.1.1
255.255.255.0

Server B = Nic 2
192.168.2.1
255.255.255.0

I think what you need to do, is break it all down in a form of diagram, so you can have a good picture in your mind of how everything goes together.

That's what I do when I get lost in my set ups.

Let me know how you go.

Edited by Infiltrator, 16 July 2010 - 11:22 PM.

Regards,
Infiltrator



Currently studying for my CCE.

#3 Lery


Posted 17 July 2010 - 12:37 PM

QUOTE (Infiltrator @ Sat, 17 Jul 2010 00:22:19 +0000)
Server A = Nic 1
192.168.1.1
255.255.255.0

Server B = Nic 2
192.168.2.1
255.255.255.0

I think what you need to do, is break it all down in a form of diagram, so you can have a good picture in your mind of how everything goes together.

That's what I do when I get lost in my set ups.

Let me know how you go.


Thank you, this does help. But the Nic part threw me off a little.

Server A and Server B have their integrated NIC cards already in there. They currently are both on the 192.168.1 subnet.

I was told, but I'm not sure it is fact, that I need to purchase an additional two NIC cards and put them both into one of the servers. In this case I think, I'm not sure, Server B.

It is important that everything on Server A continues to use the 192.168.1 subnet, and server B would use the secondary subnet of say 192.168.2.

I was also told it's necessary that the server that is going to have both NIC cards (for a total of three) on it, that I have to not use ESXi 4.0 and instead load Windows Server 2003. I'm sure Linux would work as well, but I'm not familiar with Linux as much as I am with Microsoft OS's.


#4 Infiltrator


Posted 17 July 2010 - 09:14 PM

Or you could have the following:

Server A = Nic 1
192.168.1.1
255.255.255.0

Server B = Nic 2
192.168.1.2
255.255.255.0

Server B = Nic 3
192.168.2.1
255.255.255.0


That is true, you can have more than one NIC in the server, for load distribution, failover or if you are running virtual machines, you could assign one of those NICs to it.

ESXi 4.0 is mainly used for server virtualization, say if you have more than one server at home and you want to reduce running costs, what you could do is consolidate two of those servers into one. So you basically have 1 machine running a host operating system (Windows server 2003) and ESXi 4.0 running the 2 guest operating systems (linux, Windows Server 2003) and all this happening at real time, without need to run dual boot system.

Edited by Infiltrator, 17 July 2010 - 09:16 PM.

Regards,
Infiltrator



#5 Lery


Posted 19 July 2010 - 01:29 PM

QUOTE (Infiltrator @ Sat, 17 Jul 2010 22:14:03 +0000)
Or you could have the following:

Server A = Nic 1
192.168.1.1
255.255.255.0

Server B = Nic 2
192.168.1.2
255.255.255.0

Server B = Nic 3
192.168.2.1
255.255.255.0


That is true, you can have more than one NIC in the server, for load distribution, failover or if you are running virtual machines, you could assign one of those NICs to it.

ESXi 4.0 is mainly used for server virtualization, say if you have more than one server at home and you want to reduce running costs, what you could do is consolidate two of those servers into one. So you basically have 1 machine running a host operating system (Windows server 2003) and ESXi 4.0 running the 2 guest operating systems (linux, Windows Server 2003) and all this happening at real time, without need to run dual boot system.


Thanks again for the reply. I think I am going to have to just bite the bullet, get the network cards, and go from there. I'm still a little lost on how to approach this.

Remember I already have the two servers running ESXi 4.1 (just upgraded from 4.0) today. I'll toss the two NIC cards in server A and see what I get from there.

#6 Infiltrator


Posted 19 July 2010 - 05:08 PM

Let me know if you need any further assistance.

And good luck bro..
Regards,
Infiltrator



#7 Lery


Posted 20 July 2010 - 08:40 AM

QUOTE (Infiltrator @ Mon, 19 Jul 2010 18:08:13 +0000)
Let me know if you need any further assistance.

And good luck bro..


Will do and thanks. Yesterday I was playing around and found that creating the secondary subnet was simple enough. Getting the clients to access the internet, and resources on the other subnet, not so much.

Since I do not have additional NIC cards yet, what I did was this:

Internet
|
Linksys E3000 Router (192.168.1.1)
|____Server A Connected to this, running 7 Virtual Machines. All on the 192.168.1 subnet.
|
Linksys WRT54GS connected from Linksys E3000. Gave this router an IP address of 192.168.2.2.
|___ Server B connected from here. Virtual machine Win XP running off this client, and changed the IP address of the machine, to something like 192.168.2.15.

That worked for putting the machine on the subnet. I could ping the resources on the 192.168.2 subnet just fine. Of course internet access was a no go.

I was reading about setting up a direct route on the routers, which I tried to do. It would not accept what I was giving it, or would just plainly not work.

I would love to not have to do this with multiple NIC cards. I think doing this with multiple NIC cards, is called Multi-homing, which when I researched that topic, all comments mentioned NOT to do it.

So perhaps there is another way. What about using ESXi or VLAN's? This is really a pain in the butt for something that would seem like a simple task. I'm just trying to test out what my software application does when it has two subnets to work on.

As an example of what I'm trying to do, I found this post http://www.velocityr...one-subnet.html

He got it working, but unfortunately I do not understand the replies, to be able to try it. Too bad they don't give better details there :-)

Edited by Lery, 20 July 2010 - 10:05 AM.


#8 Infiltrator


Posted 20 July 2010 - 05:30 PM

Because you have two different subnets, what you need is a router that supports RIP. (RIP is a routing protocol that is used to exchange information between two network segments.)

I know some Linksys and Netgear routers support this protocol.

You could also use a VLAN switch for this scenario; the only problem is that it needs to be a layer 3 switch in order to route traffic, and the cost is not very cheap.

Or you could use GNS3, which is a virtual router software.
http://www.gns3.net/


Edited by Infiltrator, 20 July 2010 - 05:47 PM.

Regards,
Infiltrator



#9 Lery


Posted 20 July 2010 - 06:23 PM

QUOTE (Infiltrator @ Tue, 20 Jul 2010 18:30:33 +0000)
Because you have two different subnets, what you need is a router that supports RIP. (RIP is a routing protocol that is used to exchange information between two network segments.)

I know some Linksys and Netgear routers support this protocol.

You could also use a VLAN switch for this scenario; the only problem is that it needs to be a layer 3 switch in order to route traffic, and the cost is not very cheap.

Or you could use GNS3, which is a virtual router software.
http://www.gns3.net/


Yeah I was playing with that part last night and could not get it working. Here is the Linksys router WRT54GS configured with 192.168.2.1 address, which has the clients that would use the 192.168.2 subnet connected to it. This router is then connected to the Linksys E3000 router which is set for the 192.168.1. subnet.



Notice the Dynamic Routing: RIP. So I should be good. This WRT54GS is also configured as a Router.

Now the static routing part is what keeps driving me crazy. I actually took a virtual machine running on the 192.168.2 subnet and added a virtual network card to it. That card uses the 192.168.1 subnet, and the original virtual card is using 192.168.2. This machine can now access the internet and domain features. Then I went ahead and installed Routing and Remote Access and tried setting up a static route in that. Used my Windows XP test machine and for a while I got on the internet and everything was working. Then I tried backing out what I did so I could pinpoint it, and now it's back to not working again. Driving me nuts.

I will go and check out GNS3 now, thanks for that.


#10 Infiltrator


Posted 21 July 2010 - 02:04 AM

Could you provide more screen shots of how you configured the dynamic routing? Because if your router supports RIP you should implement it.

Edited by Infiltrator, 21 July 2010 - 02:05 AM.

Regards,
Infiltrator



#11 Lery


Posted 21 July 2010 - 08:35 AM

QUOTE (Infiltrator @ Wed, 21 Jul 2010 03:04:45 +0000)
Could you provide more screen shots of how you configured the dynamic routing? Because if your router supports RIP you should implement it.



That screenshot is really the only place to configure dynamic routing on the router, so I'm not sure what other screenshots would be helpful. The router shown in the screenshot is a Linksys WRT54GS v1.0 (very old router). Updated firmware of course. Based on the screenshot, RIP is enabled on that router, yes?

The static routing in the screenshot has been removed.

Please let me know anything you need and I will be happy to provide it. I am going to try to remove the router completely, and setup one of the virtual machines as a router using Routing and Remote Access, which has the RIP feature there. We'll see what happens.

#12 Infiltrator


Posted 21 July 2010 - 08:48 PM

QUOTE (Lery @ Wed, 21 Jul 2010 23:35:31 +0000)
That screenshot is really the only place to configure dynamic routing on the router, so I'm not sure what other screenshots would be helpful. The router shown in the screenshot is a Linksys WRT54GS v1.0 (very old router). Updated firmware of course. Based on the screenshot, RIP is enabled on that router, yes?

The static routing in the screenshot has been removed.

Please let me know anything you need and I will be happy to provide it. I am going to try to remove the router completely, and setup one of the virtual machines as a router using Routing and Remote Access, which has the RIP feature there. We'll see what happens.


Since your router supports RIP, all you need to do is set static routing. Make sure the 2 network segments are connected to the same router. That should work.
Regards,
Infiltrator



#13 Lery


Posted 22 July 2010 - 01:11 PM

QUOTE (Infiltrator @ Wed, 21 Jul 2010 21:48:43 +0000)
Since your router supports RIP, all you need to do is set static routing. Make sure the 2 network segments are connected to the same router. That should work.


Unfortunately it is not working. How would you set up the static routes on the router in that screenshot for 192.168.1/24 and 192.168.2/24 addressing? Any way I try it, it doesn't work.

Today I just went ahead and ordered up a crossover cable and two NIC cards. Going to play with it that way to see what I can get going.

#14 Infiltrator


Posted 22 July 2010 - 07:26 PM

QUOTE (Lery @ Fri, 23 Jul 2010 03:11:21 +0000)
Unfortunately it is not working. How would you set up the static routes on the router in that screenshot for 192.168.1/24 and 192.168.2/24 addressing? Any way I try it, it doesn't work.

Today I just went ahead and ordered up a crossover cable and two NIC cards. Going to play with it that way to see what I can get going.


If you click on the link "static routing" on the right hand side of the router page, does it take you to another page?
Regards,
Infiltrator



#15 digip

digip

    -we're all just neophytes-

  • Active Members
  • PipPipPipPipPipPipPipPipPipPipPipPip
  • 7,655 posts
  • Gender:Male
  • Location:RnVjayBPZmYh 192.168.100.1

Posted 23 July 2010 - 07:55 PM

As far as I know, RIP won't enable talking between two separate VLANs. Also avoid RIP unless it's a closed LAN. If you try to communicate outside your home LAN with RIP, you may not be able to reach certain websites if they are further than 15 hops from your connection point.

From what I recall, you need a router that does the 802.1Q protocol for VLAN trunking to talk between multiple VLANs, as well as an interface on the router that can be configured with multiple subnets to the switch. If an all-in-one router/switch, I believe anything outside of VLAN 1 won't be able to see the other VLANs, which is kind of the purpose of a VLAN: to separate broadcast domains and keep down broadcast storms, as well as one layer of security between subnets/departments, etc. (not foolproof though).

Setup should be something like Router doing 802.1Q -> Switch doing VLANs 1, 2, 3, etc., with the router trunking your VLANs together if you want them to be able to speak to each other. Otherwise, the switch set up with different VLANs and each machine set to its specific VLAN won't see machines on the other VLANs, unless they are on VLAN 1, which on most routers is set up as the native VLAN, which doesn't do the VLAN tagging and can see all traffic coming across its port if placed in VLAN 1.
@xxdigipxx http://www.attack-scanner.com/ | I'm the resident dick around here, or so I am told. Don't take it personally, I just give a shit too much sometimes. respect to all, its the Internet, don't take it to heart.
"Staying quiet doesn't mean I have nothing to say, it means I don't think you're ready to hear my thoughts..."

#16 Infiltrator


Posted 23 July 2010 - 08:45 PM

@Digip, since RIP has a maximum count of 15 hops. What would be a good protocol to use instead? Would the 802.1Q protocol be ideal in situations where the destination is more than 15 hops away?


Regards,
Infiltrator



#17 digip


Posted 24 July 2010 - 03:22 AM

QUOTE (Infiltrator @ Fri, 23 Jul 2010 21:45:40 +0000)
@Digip, since RIP has a maximum count of 15 hops. What would be a good protocol to use instead? Would the 802.1Q protocol be ideal in situations where the destination is more than 15 hops away?

802.1Q is strictly for trunking VLANs, not exchanging router tables. I'm not even sure if RIP on a consumer router works outside of the local LAN anyway, so it shouldn't be an issue; it's probably only for internal network routing if you have multiple routers. It won't however make any difference if all end points are on the same router; it's only if you have, say, 5 routers on your local LAN and need to get different subnets to speak to one another.

Now for his issues, I imagine they might have more to do with the addressing assigned to each node, not so much his router setup. Thing is, nodes on different subnets in the same LAN can't speak to each other by default because they are on different subnets anyway. (A trick is to set their mask to /16, and then the 192.168.1.0 and 192.168.2.0 should see each other but will now be on the same subnet.)

One way to get this to work is on the nodes themselves: set static routes for the other subnets pointing to your gateway or the interface address directly between the two routers for things outside of their default subnet, then on the router, static routes between each pointing to the other's subnet and interfaces directly connected to each other. RIP I imagine would work, but the subnet masks have to also be classful (meaning /8 class A, /16 class B, /24 class C) unless using RIPv2 on both, then they can use any subnet mask for supernetting and further subnetting. If one is RIP and the other RIPv2, I'm not 100% sure think they will exchange tables, so need to make sure that both routers use the same version.

Also check to see that VMware isn't assigning its own internal network addressing and doing DHCP on its own. I know with something like Workstation, my VMs use the 192.168.x.x subnet, but I don't use that on my router or LAN itself, yet I can still reach the VMs by IP address but only locally from the workstation they are on. In order to reach them from another desktop, you have to manually change the VMware adapter settings to configure them to see your router as their gateway, so they can be part of the actual LAN. ESXi probably does this anyway, since each NIC adapter can be assigned to a different VM; just make sure that not only the ESXi box, but each VM is part of the same network as your physical router, or they won't be able to reach the other router and other subnet (at least in my mind I envision that being a problem). I think you need the VM NICs set up as NAT and not bridged as well for this to work.


In the diagram the OP posted, I noticed a few things. #1, you don't have a gateway set, although 0.0.0.0 can be a default route, I don't think that will work in your setup. Make the Linksys router's RIP default gateway the other router's IP address or RIP Interface settings IP, and make the 192.168.2.0 an IP address on that subnet, not the network ID (at least I think that's what it wants) so that the other router can communicate with it. Do the reverse on the other router, pointing to the Linksys in the RIP setup as the gateway, etc., etc. These gateway settings aren't the actual router's gateway, only for RIP exchanges. Your ISP on whichever one is physically connected to the internet is the default gateway to the internet and should be doing NAT.

Edited by digip, 24 July 2010 - 03:28 AM.

@xxdigipxx http://www.attack-scanner.com/ | I'm the resident dick around here, or so I am told. Don't take it personally, I just give a shit too much sometimes. respect to all, its the Internet, don't take it to heart.
"Staying quiet doesn't mean I have nothing to say, it means I don't think you're ready to hear my thoughts..."
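
The return-path problem described in the post above, as an added example that is not part of the original thread: a small longest-prefix-match model of the two-router lab, showing that a ping from 192.168.2.15 fails until the upstream router gets a static route back to 192.168.2.0/24, plus the /16 mask trick. The WRT54GS uplink address 192.168.1.2, the host 192.168.1.10 and the 203.0.113.x WAN addresses are constructed for illustration.

```python
"""Hop-by-hop route lookup for the two-subnet lab in this thread (constructed model)."""
import ipaddress


class Node:
    def __init__(self, name, interfaces, routes=(), forwards=False):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.forwards = forwards  # True for routers, False for end hosts
        # Connected networks are on-link (next hop None); static routes follow.
        self.routes = [(i.network, None) for i in self.ifaces]
        self.routes += [(ipaddress.ip_network(n), ipaddress.ip_address(h))
                        for n, h in routes]

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def trace(nodes, src, dst_ip, max_hops=15):
    """Follow a packet from node `src` to dst_ip; returns (delivered, path)."""
    dst = ipaddress.ip_address(dst_ip)
    here, path = nodes[src], [src]
    for _ in range(max_hops):
        if here.owns(dst):
            return True, path
        if here is not nodes[src] and not here.forwards:
            return False, path + ["dropped: not a router"]
        route = here.lookup(dst)
        if route is None:
            return False, path + ["no route"]
        # Simplification: a next hop is assumed to sit on the sender's wire.
        target = route[1] or dst  # on-link: deliver straight to the destination
        here = next((n for n in nodes.values() if n.owns(target)), None)
        if here is None:
            return False, path + [f"sent to {target}, outside the lab"]
        path.append(here.name)
    return False, path + ["hop limit"]


def ping(nodes, a, b):
    """Echo request a->b and echo reply b->a must both be routable."""
    a_ip, b_ip = (str(nodes[n].ifaces[0].ip) for n in (a, b))
    out_ok, out_path = trace(nodes, a, b_ip)
    back_ok, back_path = trace(nodes, b, a_ip) if out_ok else (False, [])
    return out_ok and back_ok, out_path, back_path


def on_link(host_cidr, peer_ip):
    """True if a host with this address/mask treats peer_ip as directly reachable."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_interface(host_cidr).network


def build_lab(e3000_static=()):
    """Lab topology; 192.168.1.2, 192.168.1.10 and 203.0.113.x are constructed."""
    return {n.name: n for n in [
        Node("e3000", ["192.168.1.1/24", "203.0.113.2/24"], forwards=True,
             routes=[("0.0.0.0/0", "203.0.113.1"), *e3000_static]),
        Node("wrt54gs", ["192.168.2.1/24", "192.168.1.2/24"], forwards=True,
             routes=[("0.0.0.0/0", "192.168.1.1")]),
        Node("vm_a", ["192.168.1.10/24"],
             routes=[("0.0.0.0/0", "192.168.1.1")]),
        Node("xp", ["192.168.2.15/24"],
             routes=[("0.0.0.0/0", "192.168.2.1")]),
    ]}


if __name__ == "__main__":
    for label, static in [("no static route", []),
                          ("static route on e3000", [("192.168.2.0/24", "192.168.1.2")])]:
        ok, out, back = ping(build_lab(static), "xp", "vm_a")
        print(f"{label}: ok={ok}\n  request: {out}\n  reply:   {back}")
    print("on-link with /24:", on_link("192.168.1.10/24", "192.168.2.15"))
    print("on-link with /16:", on_link("192.168.1.10/16", "192.168.2.15"))
```

Without the static route, the request arrives but the reply follows the upstream router's default route towards the ISP, which is why one-way reachability can look like a dead link.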

#18 h3%5kr3w

h3%5kr3w

    Hak5 1337 Fan

  • Active Members
  • PipPipPipPipPipPipPipPipPipPip
  • 1,472 posts
  • Gender:Male
  • Location:your mom's bedroom
  • Interests:stuff

Posted 24 July 2010 - 11:16 AM

For rip to work on separate vlans you have to specifically add for it to do so. I don't think your router will support that.

Can you get dd-wrt for that model? If so you can add it in that O.S.
QUOTE
Humans are at our best when we use our hate and discontent to good effect. - VaKo

#19 Lery


Posted 24 July 2010 - 07:39 PM

@digip, I'll definitely have to take some time and digest what you are saying. I'm still learning most of this stuff. I found a network guy at my work that is going to help me hook this up. We are going with the additional NIC card and one crossover cable route.

So basically I'm going to have Server A with a total of three NIC cards. The integrated one, and the two additional ones. The crossover cable we are going to use from Server A to Server B. Then I'm not sure how he is going to set things up from there. That is the part I'll learn, and of course post here.

@h3%5kr3w, my secondary router (the one not connected to the Internet and daisy chained off the main router) is a WRT54GS, so I can put dd-wrt on that.

I was just watching the episode on dd-wrt and that is some cool mojo.

At some point next week I should have this set up and will post up a diagram of what we did. I would love to see what you all have to say, and possibly how else we could have accomplished this.

#20 Lery


Posted 09 August 2010 - 09:32 AM

I finally got this working and thought I would share how I did it. I had a little help from a buddy of mine in setting up the routing tables.

The diagram below will hopefully explain it better than the description.

1) ISP (Cable) coming into E3000 Linksys Router. Linksys router configured with 192.168.1

2) Server A Windows Server 2008 connected to E3000 Linksys Router. Server has two integrated and two additional network cards on it. RRAS installed. Server A's four network cards are configured with 172.22.0., 192.168.2., 192.168.3., 192.168.1.

3) Server B connected to Server A via crossover cable.

4) Linksys WRT54GS connected to Server A. In Router mode. This is for an additional 4 ports.

I am not sure the image will display properly, and you may have to right click and choose view image and then enlarge it. Sorry about that.





I also have the static routes configured on the E3000 router.

I have since removed the 192.168.3 subnet. It was not completely working, which I did not think it would and was using it for testing something.

Edited by Lery, 09 August 2010 - 11:04 AM.




