static routing question (cent os 4.x server)

foilpan · 04-12-2009, 07:40 PM

i have a client who has a need to route traffic from one server back to the lan, apparently, and wants to do it via static routes. i most likely don't have all the details on this, but it seems something like this (fictitious IPs):

cable modem/gateway: 180.0.0.10
-> hub
server: 180.0.0.90
router: 180.0.0.89
router lan ip: 192.168.40.1
lan range: 192.168.40.0/24

the cable modem connects to a small hub with at least the router and this one server attached.

client wants to set a static route from the server (180.0.0.90) to the lan IP of the router (192.168.40.1).

first, is this even possible?

second, is it advisable?

i tried looking at setting a static route with something like the following but am hesitant to leave it in place. i'm not even convinced it will work.

Code:

ip route add 192.168.40.0/24 via 180.0.0.10 dev eth0

i've also looked into using /etc/sysconfig/network-scripts/route-eth0 to do this with similar parameters.

thanks for any tips.

rossonieri#1 · 04-13-2009, 06:15 AM

hi foilpan,

ok, from your provided information here

Quote:

cable modem/gateway: 180.0.0.10
-> hub
server: 180.0.0.90
router: 180.0.0.89
router lan ip: 192.168.40.1
lan range: 192.168.40.0/24

actually - your server is at the internet 180.0.0.0, hence there is no need to create a static route to reach it from your router (or LAN) perspective - because it has been included on the default routing table 0.0.0.0/0 in the router, and both the router and the server are still on the same subnet (i assume).

and you cant directly accessing LAN behind NAT router from the servers view - so, i hope the answer is clear.

HTH.

foilpan · 04-13-2009, 08:15 AM

thanks for the reply. as i suspected, i didn't have all the details, but it still can't happen the way they want. aside from not being able to route to RFC 1918 networks from the WAN side, there are some other things in the mix.

rossonieri#1 · 04-13-2009, 10:39 AM

hi,

Quote:

but it still can't happen the way they want.

aside from not being able to route to RFC 1918 networks from the WAN side

no, they are correct. it is doable - but from the server and LAN/router perspective it is useless.

by using overlapping NAT - or let us say iptables DNAT in linux - you can make that server which resides on the net "become" the member of the LAN - but, that only goes from the server perspective.

so the route probably :
server :
ip route LAN next-hop via router

router :
iptables -t nat -I POSTROUTING here ...
iptables -t nat -I PREROUTING here ...

LAN :
ip route 0/0 next-hop via router

so - from there you can see that it become useless

and, it really needs a special/careful design to do it.

HTH.

foilpan · 04-13-2009, 01:03 PM

thanks, rossonieri#1. that makes a bit more sense, though i'm unsure of what the router/firewall is running and if it's capable.

regardless, i think the simpler approach would be to keep the server behind the firewall and otherwise resolve the issues that prompted them to place it outside in the first place. we'll see…

it's an interesting situation, nonetheless.