pedja
Long time Member
Topic Author
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Interconnecting two LANs in the same IP range.

Fri Apr 06, 2007 10:20 am

This is an issue not directly related to MT, but since MT is used by networking gurus, I guess there may be some hope.

The situation is this: we have two LANs which use the same private IP address ranges and which we want to interconnect. The LANs are geographically distant and we want to make a VPN connection to interconnect them. Both LANs are totally independent and it is not possible to adjust IP addresses to avoid conflicts.

I know this is impossible to do, but I am thinking whether it is possible to create some kind of routing protocol that would allow this. My idea is to do some kind of transponding (IP network range mapping), so that when a packet from one network is routed to another, its source IP is transponded to another, predefined IP range, and conversely, a packet received from the other network is transponded to the right IP range.

Let me draw a simple example:

If we have two networks A and B where

A uses 10.10.0.0/16 and
B uses 10.10.0.0/16

the transponding protocol should do this:

Network A should see network B as 11.10.0.0/16 and network B should see network A as 12.10.0.0/16. The IP ranges are arbitrary. For example, a packet sent from network A from IP 10.10.0.1 to 11.10.0.1 would arrive in network B as sent from 12.10.0.1 to 10.10.0.1.

Why is this needed? Well, public IP addresses are not widely available and they are expensive. This kind of transponding would allow LANs to use private addresses but still be able to interconnect with each other, avoiding IP conflicts.
 
yakcora
newbie
Posts: 25
Joined: Sun Mar 04, 2007 9:22 am

Re: Interconnecting two LANs in the same IP range.

Fri Apr 06, 2007 11:08 am

If the IP addresses are unique you may be able to bridge these two networks, but I can assure you you'll have a hell of a time with that kind of network.

Your best bet is going to be trying to change one of the networks to 10.11.0.0/16.

Much, much less headache.
 
pedja
Long time Member
Topic Author
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Re: Interconnecting two LANs in the same IP range.

Fri Apr 06, 2007 8:45 pm

Are you maybe a mathematician? :)
 
yakcora
newbie
Posts: 25
Joined: Sun Mar 04, 2007 9:22 am

Re: Interconnecting two LANs in the same IP range.

Sat Apr 07, 2007 6:07 am

Are you maybe a mathematician? :)
Nope, just good with IPs.
 
cmacneill
Member Candidate
Posts: 294
Joined: Sun Apr 01, 2007 10:51 pm
Location: Christchurch, New Zealand

Sat Apr 07, 2007 4:32 pm

Really, without knowing the number of hosts involved it's difficult to give advice. How many hosts are there in total on each LAN? How many hosts are there on each LAN that need to communicate with one another? This may be a much smaller number than the total.

You could put a router between the two networks and set up source and destination NAT rules to map addresses, but I think that would be a nightmare to administer and set up. It gives me a headache just thinking about it! If you have too many hosts to change the IP addresses, then I would say you have too many to set up some kind of mapping; the amount of effort would be similar.

Most hosts can support multiple IP addresses, so I would say a simpler approach would be to leave the existing IP addresses as they are and add a second address to each host that needs to communicate between LANs, making sure the new addresses are in different subnets, e.g. allocate addresses in the range 172.16.0.1/13 to 172.23.255.254/13 to one network and 172.16.24.1/13 to 172.31.255.254/13 to the second network.

Next, set up the VPN routers between the networks so that they only have IP addresses on the 172.16.0.0/13 and 172.24.0.0/13 networks. The clients that need to communicate between LANs will do so over the new addresses, but will still be able to communicate with their peers on the local LAN over 10.10.0.0.

11.x.x.x and 12.x.x.x are public addresses, so if you used this method of mapping you would potentially be stopping users from accessing these public networks. You should use something like 172.16.0.0/13 and 172.24.0.0/13. However, I would choose a higher subnet value, i.e. more networks, fewer hosts, just in case you need to add further networks at a later date. Work out how many hosts you need on each network, then set the netmask accordingly.

Using the 172.16.0.0/12 private address range, assuming 3 addresses are lost in each subnet for the network, broadcast and router addresses:

30 bits = 1 host, 262,144 networks
29 bits = 5 hosts, 131,072 networks
28 bits = 13 hosts, 65,536 networks
27 bits = 29 hosts, 32,768 networks
26 bits = 61 hosts, 16,384 networks
25 bits = 125 hosts, 8,192 networks
24 bits = 253 hosts, 4,096 networks
23 bits = 1,021 hosts, 2,048 networks
22 bits = 2,045 hosts, 1,024 networks
21 bits = 4,093 hosts, 512 networks
20 bits = 8,189 hosts, 256 networks
19 bits = 16,381 hosts, 128 networks
18 bits = 32,765 hosts, 64 networks
17 bits = 65,533 hosts, 32 networks
16 bits = 131,069 hosts, 16 networks
15 bits = 262,141 hosts, 8 networks
14 bits = 524,285 hosts, 4 networks
13 bits = 1,048,573 hosts, 2 networks
12 bits = 2,097,149 hosts, 1 network

Ideally you should renumber one of your networks, e.g. if all your hosts on one network are in the range 10.10.0.1 to 10.10.127.254, then migrate all hosts on the other network to 10.10.128.1 to 10.10.255.254.

If you move all the users first and then the last thing you do is change netmasks, this would give minimal disruption, although potentially a lot of work, i.e. the netmasks are originally 16 bits; once hosts are migrated, change the netmask for all hosts on both networks to 17 bits.

You could set up a DHCP server with static leases for each user that is to be migrated to a new address; then all the clients need to do is change to DHCP, and hey presto, they get the IP address and netmask you've defined for them.


Regards

Chris Macneill
Educated Guesswork Ltd. (http://www.eguesswork.co.uk)
 
pedja
Long time Member
Topic Author
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Mon Apr 09, 2007 10:42 am

cmacneill, thanks for your effort. I know this is not possible with MT, except, as you mentioned, by making a manual entry to forward each IP, which is, of course, out of the question.

My post was not asking for a solution, just asking if there is something similar possible, maybe with some other router, or, at least, in theory.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Mon Apr 09, 2007 11:14 am

My post was not asking for a solution, just asking if there is something similar possible, maybe with some other router, or, at least, in theory.
Conceptually this can be solved with address translation of both networks in both directions. To recite your example with networks A and B both using 10.10.0.0/16 internally, you could translate both networks such that, for example, network A appears as 10.20.0.0/16 to network B and network B appears as 10.30.0.0/16 to network A. The address mapping needs to be bidirectional for both networks, that is, both source and destination addresses need to be translated back and forth.

Solutions like this are possible, as I have done this many times with Cisco routers and Netscreen firewalls (for a Cisco description see http://www.cisco.com/en/US/tech/tk648/t ... 3f30.shtml),
and looking at the RouterOS packet flow diagram at http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php I think that it should also be possible to implement with MikroTik routers, because from that diagram it can be seen that both source and destination NAT are applied at the right places in relation to IPsec encryption and decryption, though I must admit that I have never tried to do it myself with RouterOS yet.

--Tom
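The bidirectional mapping Tom describes, modelled as an added example (this is not code from the thread and not RouterOS configuration). It assumes the alias prefixes from his post, 10.20.0.0/16 for site A and 10.30.0.0/16 for site B, and one edge router per site that rewrites its own site's source address on the way out and its own alias as destination on the way in, so only alias addresses travel through the tunnel. The class and function names are hypothetical; the packets are constructed samples. It also encodes cmacneill's caveat that the alias ranges must be private, since mapping onto 11.x or 12.x would hide the real owners of those public ranges from both LANs.

```python
import ipaddress
from typing import Dict, Tuple

Packet = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]  # (src, dst)


def _shift(addr: ipaddress.IPv4Address,
           from_net: ipaddress.IPv4Network,
           to_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Move addr from one prefix to the other, keeping the host bits (1:1 prefix mapping)."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


class NetmapRouter:
    """Hypothetical model of one VPN edge router (not a RouterOS API).

    local       : the real LAN behind this router (10.10.0.0/16 at both sites)
    local_alias : how this LAN is presented to the other site
    peer_alias  : how the other site's LAN is presented to this LAN
    """

    def __init__(self, local: str, local_alias: str, peer_alias: str):
        self.local = ipaddress.IPv4Network(local)
        self.local_alias = ipaddress.IPv4Network(local_alias)
        self.peer_alias = ipaddress.IPv4Network(peer_alias)
        # A 1:1 mapping only works between prefixes of equal length.
        if self.local.prefixlen != self.local_alias.prefixlen:
            raise ValueError("local and alias prefixes must have equal length")
        # Caveat from the thread: alias ranges must be private, otherwise
        # hosts lose reachability to whoever really owns e.g. 11.0.0.0/8.
        for net in (self.local_alias, self.peer_alias):
            if not net.is_private:
                raise ValueError(f"{net} is not a private range")

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> tunnel: rewrite the real source into our alias (dst is already the peer alias)."""
        src, dst = pkt
        if src not in self.local or dst not in self.peer_alias:
            raise ValueError("not a cross-site packet")
        return (_shift(src, self.local, self.local_alias), dst)

    def inbound(self, pkt: Packet) -> Packet:
        """tunnel -> LAN: rewrite our alias destination back to the real local address."""
        src, dst = pkt
        if dst not in self.local_alias or src not in self.peer_alias:
            raise ValueError("unexpected addresses arriving from tunnel")
        return (src, _shift(dst, self.local_alias, self.local))


def alias_is_private(prefix: str) -> bool:
    """Check an alias range against RFC 1918 before using it in a mapping."""
    return ipaddress.IPv4Network(prefix).is_private


def _fmt(pkt: Packet) -> str:
    return f"{pkt[0]} -> {pkt[1]}"


def round_trip() -> Dict[str, str]:
    """Host 10.10.0.1 at site A talks to host 10.10.0.1 at site B and gets a reply."""
    ip = ipaddress.IPv4Address
    site_a = NetmapRouter("10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16")
    site_b = NetmapRouter("10.10.0.0/16", "10.30.0.0/16", "10.20.0.0/16")

    request = (ip("10.10.0.1"), ip("10.30.0.1"))  # constructed sample: A's host addresses B's alias
    on_wire = site_a.outbound(request)            # src becomes A's alias
    at_b = site_b.inbound(on_wire)                # dst becomes B's real address
    reply = (at_b[1], at_b[0])                    # B's host answers the address it saw
    reply_wire = site_b.outbound(reply)           # src becomes B's alias
    at_a = site_a.inbound(reply_wire)             # dst becomes A's real address

    return {
        "request_in_tunnel": _fmt(on_wire),
        "request_at_b": _fmt(at_b),
        "reply_in_tunnel": _fmt(reply_wire),
        "reply_at_a": _fmt(at_a),
    }


if __name__ == "__main__":
    for stage, addrs in round_trip().items():
        print(f"{stage:18} {addrs}")
```

The mapping is a fixed rewrite of the prefix bits in both directions, so the reply path needs no per-connection state to be undone: each router only ever sees alias addresses on the tunnel side and real addresses on the LAN side, which is what keeps the two identical 10.10.0.0/16 ranges from ever meeting in one routing table.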
 
pedja
Long time Member
Topic Author
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Tue Apr 10, 2007 8:13 pm

Tom, thanks, that is exactly what I was thinking of. Right to the point :)
 
pedja
Long time Member
Topic Author
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Tue Apr 10, 2007 10:40 pm

I tried dstnat with action netmap and it seems to work.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Tue Apr 10, 2007 10:59 pm

I tried dstnat with action netmap and it seems to work.
Yep, thought so. Good job! Maybe you can document your solution in the Wiki once you're completely sure that it works as intended.

--Tom