Firewall – Routing between subnets on different VLANs connected by a router/firewall

Tags: firewall, networking, routing, subnet, vlan

I have two networks that I'd like to connect with a router/firewall to filter traffic between the two. One network is on a public subnet, let's say 64.22.12.192/27, and the other network is on a private subnet, 192.168.0.0/24. They are connected via a router which has three Ethernet ports: one connected to the internet, the other two connected to the public and private subnets, each on its own VLAN. How do I make the private subnet visible to the public network? Here's the network diagram:

  • Router1 >eth0 — Connected to Internet
  • Router1 >eth1 — 64.22.12.193/27 Connected to VLAN 64 Subnet 64.22.12.193/27
  • Router1 >eth3 — 192.168.0.1/24 Connected to VLAN 192 Subnet 192.168.0.0/24

I tried static routing 192.168.0.0/24 to 64.22.12.193 on the router
I also tried routing it to 192.168.0.1.
Neither worked.

I want traffic between the two subnets to pass through the router because I want to be able to set up firewall rules on the router between the subnets.

  1. I tried static routes but couldn't get it to work, am I doing something wrong?

  2. I realize I could use NATing, but in order to access individual private IP machines I would have to set up a one-to-one NAT, which would eat up my precious limited public IPs.

  3. Do I have to setup a Tunnel to accomplish this? Wouldn't a tunnel bypass the firewall rules?

Output of ip route show:

default via 66.22.32.137 dev eth0  proto zebra 
192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.1
64.22.12.192/27 dev eth1  proto kernel  scope link  src 64.22.12.193
66.22.32.136/29 dev eth0  proto kernel  scope link  src 66.22.32.141
127.0.0.0/8 dev lo  proto kernel  scope link  src 127.0.0.1 

Best Answer

I tried static routes but couldn't get it to work

You shouldn't need static routes, your system already has all the routes it should need. Linux automatically configures routes for every network that is locally attached. Assuming you have ip_forward enabled, and no firewall rules in place currently blocking traffic, everything should just work.

Do I have to setup a Tunnel to accomplish this?

No, you shouldn't need any tunnels.

I realize I could use NATing but in order to access individual private IP machines,

You shouldn't need any NAT rules. In fact if you already have an overly-broad SNAT/MASQ setup that might be your problem.

Assuming all the clients on 64.22.12.192/27 and 192.168.0.0/24 are using your Linux box as their default gateway, and you don't have any SNAT/MASQ rules set up to change the source address of traffic going from eth3 -> eth1, communication should just work.
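As an added illustration of the three conditions the answer names (connected routes already present, ip_forward enabled, no SNAT/MASQUERADE touching eth3 -> eth1 traffic), the script below is example code written for this page, not something posted by the asker or the answerer. It checks those conditions against the interface names and addresses from the question, and then prints an nftables ruleset that forwards between the two VLAN interfaces with filtering and masquerades only the traffic that leaves toward the internet on eth0. The route table is the one pasted in the question; the two NAT rule listings are constructed samples so the script runs offline, and the "public -> private is SSH only" policy is an assumed example policy, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Interface names and addresses are the ones from the question:
#   eth0 = internet, eth1 = 64.22.12.192/27 (VLAN 64), eth3 = 192.168.0.0/24 (VLAN 192)

# Constructed sample: the `ip route show` output pasted in the question.
ROUTES='default via 66.22.32.137 dev eth0  proto zebra
192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.1
64.22.12.192/27 dev eth1  proto kernel  scope link  src 64.22.12.193
66.22.32.136/29 dev eth0  proto kernel  scope link  src 66.22.32.141'

# Constructed samples of `iptables -t nat -S POSTROUTING`.
# NAT_BROAD is the over-broad masquerade the answer warns about: it has no
# "-o eth0" restriction, so it also rewrites the source of eth3 -> eth1 traffic.
NAT_BROAD='-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE'
# NAT_OK only masquerades what leaves toward the internet.
NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# route_dev SUBNET ROUTE_TABLE: print the interface holding the connected
# route for SUBNET (kernel adds these automatically; no static route needed).
route_dev() {
    printf '%s\n' "$2" | awk -v net="$1" '$1 == net && $2 == "dev" { print $3; exit }'
}

# nat_rewrites_inter_vlan NAT_RULES: exit 0 if any SNAT/MASQUERADE rule is not
# limited to -o eth0 and could therefore rewrite eth3 -> eth1 packets.
nat_rewrites_inter_vlan() {
    printf '%s\n' "$1" | awk '
        /-j (MASQUERADE|SNAT)/ && !/-o eth0/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# forwarding_ok ROUTE_TABLE NAT_RULES IP_FORWARD_VALUE: exit 0 only when all
# three conditions from the answer hold. On a live box, IP_FORWARD_VALUE comes
# from: sysctl -n net.ipv4.ip_forward
forwarding_ok() {
    [ "$(route_dev 64.22.12.192/27 "$1")" = eth1 ] || return 1
    [ "$(route_dev 192.168.0.0/24 "$1")" = eth3 ] || return 1
    [ "$3" = 1 ] || return 1
    nat_rewrites_inter_vlan "$2" && return 1
    return 0
}

# ruleset: print an nftables ruleset for the router. Inter-VLAN traffic is
# routed (no NAT) so public hosts reach 192.168.0.x addresses directly via
# their default gateway; only traffic leaving on eth0 is masqueraded.
# The "public -> private only SSH" line is an assumed example policy.
ruleset() {
    cat <<'EOF'
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "eth3" oifname "eth0" accept
        iifname "eth1" oifname "eth0" accept
        iifname "eth3" oifname "eth1" accept
        iifname "eth1" oifname "eth3" tcp dport 22 accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip saddr 192.168.0.0/24 masquerade
    }
}
EOF
}

# Stand-alone run: evaluate the constructed samples and print the ruleset.
# Enabling forwarding persistently: sysctl -w net.ipv4.ip_forward=1
if forwarding_ok "$ROUTES" "$NAT_OK" 1; then
    echo "routes, ip_forward and NAT look right; apply with: nft -f <ruleset file>"
fi
if ! forwarding_ok "$ROUTES" "$NAT_BROAD" 1; then
    echo "over-broad MASQUERADE found: restrict it to -o eth0"
fi
ruleset
```

Run it as `sh check-forwarding.sh` to see both verdicts and the ruleset; on the actual router, replace the constructed ROUTES and NAT variables with `$(ip route show)` and `$(iptables -t nat -S POSTROUTING)` and feed `$(sysctl -n net.ipv4.ip_forward)` as the third argument.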
