Adding Netgate 3100 to existing network

phreed

@Phizix
There are other people currently using the EERO mesh.
Eventually, I may want the following but I need to get there in a way that does not inconvenience the other people.
Also, I want to be able to take this setup to be portable (Everything from the Netgate down goes in a travel case.)

Internet

phreed

@Phizix said in Adding Netgate 3100 to existing network:

This looks like a double NAT situation.

Yes, it seems like it should be pretty common.

Phizix

@phreed,

OK, I see you just updated the original post image. This is clearer.

I assume your "misc" is able to access the internet fine. What are the rules on the LAN side of the 3100?
Phizix

P.S. forgot to ask, what gateway is the LAN pointed to and what gateway is the WAN pointed to?

stephenw10

I don't see the RasPi on your diagram but I assume it's behind your 3100.

Your outbound NAT rules show that you have a subnet conflict. You have set the 3100 LAN to 172.16.0.0/12 (1048574 hosts) and that conflict with the WAN subnet being passed via DHCP.

You should almost certainly have your LAN subnet set to /24. 172.16.0.0/12 as the entire available private IP range from 172.16 and you only need a small part of that.
It still have to be a different subnet to the eero LAN so for example setting the 3100 LAN to 172.16.100.1/24 will work.

Steve

stephenw10

Mmm, just noticed your diagram shows an IP that doesn't conflict but no subnet so it just correcting that to /24 may be enough. So the LAN should be 172.17.1.1/24

phreed

Here is a more complete picture.

Yes, misc is able to reach the internet without issue.

From 172.17.1.111

ip route
default via 172.17.1.1 dev enx9cbf0d001279 proto dhcp src 172.17.1.111 metric 20100 
blackhole 10.1.100.0/26 proto 80 
10.1.100.17 dev calieb72027faf7 scope link 
10.1.100.18 dev cali3867c773915 scope link 
169.254.0.0/16 dev enx9cbf0d001279 scope link metric 1000 
172.16.0.0/12 dev enx9cbf0d001279 proto kernel scope link src 172.17.1.111 metric 100

stephenw10

@phreed said in Adding Netgate 3100 to existing network:

172.16.0.0/12 dev enx9cbf0d001279 proto kernel scope link src 172.17.1.111 metric 100

Fix that. The subnet should be /24 to avoid a conflict.

phreed

@stephenw10 said in Adding Netgate 3100 to existing network:

@phreed said in Adding Netgate 3100 to existing network:

172.16.0.0/12 dev enx9cbf0d001279 proto kernel scope link src 172.17.1.111 metric 100

Fix that. The subnet should be /24 to avoid a conflict.

I deleted the route and pinged; then restored it as 172.16.0.0/24 dev enx9cbf0d001279 proto kernel scope link src 172.17.1.111 metric 100 and pinged again.
That did not seem to help

stephenw10

That subnet is defined in the 3100 in the LAN config. You need to set it there.

phreed

@stephenw10
Do you mean in Interfaces / LAN (mvneta1)?

If I make that change when I save I get...

The following input errors were detected:
IPv4 address 172.17.1.1/24 is being used by or overlaps with: WAN (172.16.0.22/12)

stephenw10

Ah, Ok, then both segments are incorrect you definitly don't need a /12 subnet anywhere.

Ok, use a different private subnet on the 3100 LAN like: 192.168.100.1/24

phreed

@stephenw10
That seems to correct the problem.

There can be no overlap between the subnet and its parent?
I guess that makes sense.

stephenw10

Yes you cannot have the same subnet on more than one interface it breaks routing.

But you shouldn't have a /12 subnet on any interface. That's >1M hosts! If you're using the 172.16.0.0/12 private range you should choose a smaller subnet from inside that.

So I recommend you change the subnet the eero is using on it's LAN at some point.

Steve

phreed

@stephenw10
That makes sense.
Thanks