
How to combine two subnets?

alm4ric (n00b, joined Dec 2, 2013, 5 messages)
Hi,

I'm setting up a single-host vSphere home lab. The home network is a 192.168.1.0/24 subnet. I want my vSphere machine (with only one physical NIC) and the virtual machines in another subnet: 10.10.10.0/24. See the image below:

[Image: network diagram (8lnp.png)]

Now, from the 'Test VM' (which is connected to a vSwitch) I can ping the Sophos UTM firewall appliance (10.10.10.1 and 192.168.1.4) and the routers (192.168.1.1 and 192.168.1.2). The Linksys, which is physically connected to the ESXi host, has the DD-WRT firmware installed. This device functions as a client bridge to another router which provides the Internet.

From the 192.168.1.0 subnet I can ping 10.10.10.1 only without the bridge installed. The test VM with IP 10.10.10.10 I can't ping. With the client bridge installed I can't ping 10.10.10.1. I tried adding a route on both routers (in all forms): 10.10.10.0/24 via 192.168.1.4, but I can't get this to work.

How can I get this setup to work so that both subnets can communicate with each other?
 
You need static routes on BOTH routers. If you only have it on one, the traffic will get there but they won't be able to return.
 
I've added a static route on the 192.168.1.2 (10.10.10.0/24 via 192.168.1.4) and from this client bridge I can ping the 10.10.10.1. I can't get this to work on the 192.168.1.1 with the same static route...
 
Do you have any other PCs on the 192.168.1.x network? You need to have the static route on your gateway which I'm assuming is .1 and not the .2 bridge. You could also create static routes on each client but that's a PITA and really isn't the correct method.

192.168.1.1 router static route: 10.10.10.0 0.0.0.255 192.168.1.4

If you want to locally add a route to a Windows PC: In cmd - "route add 10.10.10.0 mask 255.255.255.0 192.168.1.4"

Looking over this again, you shouldn't need any route added to the UTM as 192.168.1.0/24 is a directly connected network.
 
Yes there are more PCs on the 192.168.1.x network.

I removed the static route from the .2 and added one at .1: 10.10.10.0 255.255.255.0 192.168.1.4. From the .1 I can't ping 10.10.10.1. And I tried the same route on my PC.

Unfortunately this doesn't work which I really don't understand. I think it has to do with the bridge because pinging from the bridge to 10.10.10.1 does work...
 
Silly but pertinent question .. how is the "client bridge" 192.168.1.2 attached to the 192.168.1.1 router?
 
Stop putting hosts in the transfer segment of 2 routers. Either connect hosts to a router or another router to a router, not both.
 
Stop putting hosts in the transfer segment of 2 routers. Either connect hosts to a router or another router to a router, not both.

^

As was mentioned, you'd need a static route in 192.168.1.1 to show you where the 10.10.10.x network is... but you have a UTM there, which is blocking all the incoming traffic anyway...

You really want a simple no-NAT, no-firewall router there if you want the traffic to flow freely between those two networks...
 
Time for an update:

Had a static route in the 192.168.1.1 (10.10.10.0/24 via 192.168.1.4). This was not working. From the 192.168.1.2 I could ping the 10.10.10.1 but from the 192.168.1.1 I couldn't (only the 192.168.1.4).

So... Time for an update. I've said goodbye to the bridge. Now I can access 10.10.10.1 from 192.168.1.0/24 and vice versa. The only thing that doesn't work is pinging the test VM (10.10.10.10) from the 192.168.1.0 subnet. From the firewall I can ping the test VM. The firewall is (temporarily) configured to allow any traffic from 192.168.1.0/24 to 10.10.10.0/24 and vice versa.

The test VM is a Windows Server 2012 box with inbound ICMP enabled.

Anyone? :)
 
So you have the route for 10.10.10/24 only on the firewall? Basically, all hosts on 192.168.1/24 don't know anything about 10.10.10/24 so traffic for that subnet goes to their default route (192.168.1.1).

Now I don't know for sure, but since the firewall is basically routing packets from 192.168.1/24 back to 192.168.1.4 which is in the same subnet, it might emit ICMP redirect packets which no host that I know of accepts by default anymore.

"Stop putting hosts in the transfer segment of 2 routers. Either connect hosts to a router or another router to a router, not both."

If your firewall can't even handle 2 subnets, throw it in the trash and buy a real one. There's absolutely no reason to build such ugly networks. The amount of time you waste and the bandaids you need are absolutely unnecessary.
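To make the "static routes on both sides" and "directly connected network needs no route" points concrete, here is an added example (not from the thread or any poster) that models the lab as per-node routing tables and traces a packet hop by hop with longest-prefix matching. The node names, the PC address 192.168.1.50 and the WAN addresses 203.0.113.x are assumptions; the `hairpin` flag marks a router forwarding a packet back out the interface it arrived on, which is the situation in which a router may send an ICMP redirect.

```python
import ipaddress
IP, NET, IF = ipaddress.ip_address, ipaddress.ip_network, ipaddress.ip_interface

def node(*ifaces, routes=()):
    # A node is its interfaces plus (prefix, next hop) routes; next hop None = on-link.
    table = [(NET(i, strict=False), None) for i in ifaces] + [(NET(p), IP(g)) for p, g in routes]
    return {"ifaces": [IF(i) for i in ifaces], "table": table}

def topology(static_route_on_router):
    """Constructed model of the thread's lab; the PC and WAN addresses are made up."""
    rtr = [("10.10.10.0/24", "192.168.1.4")] if static_route_on_router else []
    return {
        "pc":     node("192.168.1.50/24", routes=[("0.0.0.0/0", "192.168.1.1")]),
        "router": node("192.168.1.1/24", "203.0.113.2/30",
                       routes=rtr + [("0.0.0.0/0", "203.0.113.1")]),
        "utm":    node("192.168.1.4/24", "10.10.10.1/24",
                       routes=[("0.0.0.0/0", "192.168.1.1")]),
        "vm":     node("10.10.10.10/24", routes=[("0.0.0.0/0", "10.10.10.1")]),
    }

def lookup(n, dst):
    """Longest-prefix match; returns (egress interface, next hop) or None."""
    hits = [(p, gw) for p, gw in n["table"] if dst in p]
    if not hits:
        return None
    prefix, gw = max(hits, key=lambda h: h[0].prefixlen)
    hop = gw if gw is not None else dst
    egress = next((i for i in n["ifaces"] if hop in i.network), None)
    return None if egress is None else (egress, gw)

def owner(nodes, addr):  # node owning this interface address, or None if outside the model
    return next((k for k, n in nodes.items() if any(i.ip == addr for i in n["ifaces"])), None)

def trace(nodes, src, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (delivered, path, hairpin)."""
    dst, cur, ingress, path, hairpin = IP(dst), src, None, [src], False
    for _ in range(max_hops):
        if any(i.ip == dst for i in nodes[cur]["ifaces"]):
            return True, path, hairpin
        hit = lookup(nodes[cur], dst)
        if hit is None:
            return False, path, hairpin          # no route, or next hop not on-link
        egress, gw = hit
        if ingress is not None and egress.network == ingress:
            hairpin = True                       # forwarded back out the ingress LAN
        cur = owner(nodes, gw if gw is not None else dst)
        if cur is None:
            return False, path, hairpin          # next hop is outside the model
        ingress, path = egress.network, path + [cur]
    return False, path, hairpin
```

Tracing pc to 10.10.10.10 is delivered only when the 192.168.1.1 router carries the 10.10.10.0/24 route, and that hop is flagged as a hairpin; the reply from the VM to the PC needs no extra route on the UTM because 192.168.1.0/24 is directly connected to it.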
 
So you have the route for 10.10.10/24 only on the firewall?
No, the route in the 192.168.1.1 still exists.

If your firewall can't even handle 2 subnets, throw it in the trash and buy a real one. There's absolutely no reason to build such ugly networks. The amount of time you waste and the bandaids you need are absolutely unnecessary.

The ESXi host with the virtual firewall, etc. is only for lab testing.

But I'm considering buying an extra NIC, putting the cable modem in bridge mode and connecting it to the virtual FW via the ESXi host and the new NIC. Then throw the router (192.168.1.1) away.
 
Nevermind, I mistook the firewall for 192.168.1.1.

One thing you could do is - depending on which services you need from the VMs - just enable NAT on the firewall and forward all needed ports into the VMs. All hosts on 192.168.1/24 would simply connect to 192.168.1.14. This is less ugly than what you have now.
 