Overlapping IPs in a bridged network



  • Hi, I want to set up a bridge to pool together two subnets into a single, larger subnet with two bridged segments. The IP ranges of both existing subnets are subsets of the new one. To make this more concrete, let's say that the two existing subnets are MYNET.0/26 and MYNET.64/26, and the new subnet (after bridging) will be MYNET.0/25. Also, let's say that the default routes for the two existing subnets are MYNET.1 and MYNET.65. My question is, what happens to the default routes once bridging is implemented?

    As I see it, there are at least two possibilities: via DHCP or manual configuration, the two segments are assigned different defaults (these could be the same IP addresses as in the current, two-subnet configuration: MYNET.1 & MYNET.65). Or, I could change the address of the router currently at MYNET.65 to be MYNET.1, assuming that the bridge's filtering operation would cause each segment to use only the local instance of MYNET.1. To me the second approach appears to be simpler, but it makes me nervous to have two resources in the same subnet with the same IP address (even though there wouldn't be a collision due to the bridge's filter). It seems to me that this approach could also be applied to other strictly local resources, maybe a printer, maybe a backup server or DNS server. But the immediate question is about default route addresses.

    In general, is it viable to have overlapping IP addresses in two or more bridged segments that correspond to functionally identical versions of strictly local resources such as the default route address for the segment?

    Thanks,
    Greg Shenaut



  • To my way of thinking a bridge will not do what you are attempting.

    Check out: http://en.wikipedia.org/wiki/Network_bridge

    I may have this totally incorrect but from what I understand bridging acts more like a switch…. you can have different sub-nets existing on a physical network but they will be separate from each other due to the network mask of each sub-net. (the network subnet mask is your friend!).

    Bridging occurs at OSI level 2 and cannot perform any form of "routing" which would be required to handle the situation where you have two sub-nets that are sub-nets of a network - you would still need a router or OSI level 3 functionality to handle the packets destined to one IP address in one sub-net to an IP in the second sub-net (remember - it all has to do with the sub-net mask!)...

    Just my thoughts...

    gm...



  • Well, the way I think it works is that when you have interconnections among groupings of machines in the world of routing, each grouping is called a "subnet", each with its own range of IP addresses as defined by an IP base address and netmask. But when you talk about these groupings in the world of bridging, each group is called a "segment", and the entire network usually is given a single shared range of IP addresses and a single netmask. The bridged network also has a base IP address and a netmask, and it can be routed as a whole. The wikipedia article you linked to (which is good, btw), makes the statement:

    Bridging and Routing are both ways of performing data control, but work through different methods. Bridging takes place at OSI Model Layer 2 (Data-Link Layer) while Routing takes place at the OSI Model Layer 3 (Network Layer). This difference means that a bridge directs frames according to hardware assigned MAC addresses while a router makes its decisions according to arbitrarily assigned IP Addresses. As a result of this, bridges are not concerned with and are unable to distinguish networks while routers can.
    When designing a network, you can choose to put multiple segments into one bridged network or to divide it into different networks interconnected by routers. If a host is physically moved from one network area to another in a routed network, it has to get a new IP address; if this system is moved within a bridged network, it doesn't have to reconfigure anything.

    Let's say that you set up two segments A and B, each with an IP base address of IP.0 and the same netmask, and each with its default route at IP.1, and have a pfSense box in each one with its LAN port set to that address. If each one connects to the Internet via a NATing router, there would be no conflict, since there would be no direct connection possible between the two. The two LAN ports will have the same IP address (IP.1), but different ethernet addresses (let's call them ETH-A and ETH-B). Let's also say that none of the other machines in the two segments share the same IP address; the only overlapping IP address is the default gateway address in both segments.

    Now, you bridge these two segments. None of the ethernet-level addressing presents any difficulty, because there is no shared ethernet address. At the level of IP addressing, though, you now get to what I was trying to talk about: there is one shared IP address, IP.1, the default route. Hosts in both segments will send things to (1) IPs in their own segment, (2) IPs in the other segment, and (3) IP.1 (for addresses outside of the range defined by the IP base address and netmask). Now, the bridges, based on their tables of ethernet addresses along with the lack of conflict at the IP level, will handle cases 1 and 2 without question. Based solely on the underlying ethernet addresses, I think they would also handle case 3. My lack of confidence comes from the apparent conflict between the two IP-to-ethernet mappings for IP.1.

    Greg



  • The problem is: if a client within a subnet sends something to the broadcast address, it sends it only to the addresses in its own subnet.
    If you bridge these two networks together, it won't change anything, since the second subnet will receive the packets on Layer 1/2, but because they're not addressed to them on Layer 3 the packets will be discarded.

    If you want to bridge them together you have to change the netmask in both subnets so they match each other.
    You have two /26 nets.
    If you want to connect them together in a bigger /25 net you have to change the subnet mask on every single machine. If you give the IPs out via DHCP that shouldn't be a problem. BUT you shouldn't have two DHCP servers in the same subnet.
    An exception could be if your bridge filters out DHCP requests and you have two DHCP-request broadcast domains (what a word O_o).

    Am I right if I assume you want to do something like this?

    
    ------------         ------------          -----------
    |          |         |          |          |         |
    |   /26net |         |   /26net |     -->  | /25net  |
    |          |         |          |          |         |
    ------------         ------------          -----------
         |                     |                  |    |
         |                     |                  |    |
        WAN1                  WAN2              WAN1   WAN2
    
    while the single /25 is internally like this:
    ------------         ------------        
    |          | bridge  |          |            
    |   /26net |---------|   /26net |     
    |          |         |          |               
    ------------         ------------         
         |                     |                             
         |                     |                   
        WAN1                  WAN2            
    
    

    you put the bridge in place and change the netmask in both /26 nets to /25.
    If you can configure your bridge so that it filters out DHCP requests you can have two WANs.
    Otherwise the whole broadcast-domain needs a single gateway.
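
The renumbering the original question and the reply above describe can be checked with a few lines of Python, using the standard ipaddress module. This is an added example, not code from the thread. The poster's MYNET range is not given, so the documentation range 192.0.2.0/24 stands in for it (MYNET.1 is 192.0.2.1, MYNET.65 is 192.0.2.65); the host addresses .10 and .70 are likewise made up for the example.

```python
"""Pooling two /26 segments into one /25: what the netmask decides.

Added example, not part of the original forum thread. The poster's MYNET
range is not given; the documentation range 192.0.2.0/24 stands in for it,
so MYNET.1 is 192.0.2.1 and MYNET.65 is 192.0.2.65.
"""
import ipaddress

# Constructed stand-ins for the two existing subnets and their default routes.
SEG_A = ipaddress.ip_network("192.0.2.0/26")
SEG_B = ipaddress.ip_network("192.0.2.64/26")
GW_A = ipaddress.ip_address("192.0.2.1")
GW_B = ipaddress.ip_address("192.0.2.65")


def pooled_network(*nets):
    """Smallest single prefix that contains every given network.

    Grows the lowest network's prefix one bit at a time until the highest
    one fits, so it also works for more than two inputs.
    """
    nets = sorted(nets)
    candidate, last = nets[0], nets[-1]
    while not last.subnet_of(candidate):
        candidate = candidate.supernet()
    return candidate


def next_hop(host, prefixlen, dst, gateway):
    """Where a host with this mask sends a packet for dst.

    Returns ("direct", dst) when dst is on-link and ("via-gateway", gateway)
    otherwise. The mask makes this decision; the bridge never sees it.
    """
    iface = ipaddress.ip_interface(f"{host}/{prefixlen}")
    dst = ipaddress.ip_address(dst)
    if dst in iface.network:
        return ("direct", str(dst))
    return ("via-gateway", str(gateway))


def broadcast_for(host, prefixlen):
    """Directed broadcast address a host with this mask treats as its own."""
    return str(ipaddress.ip_interface(f"{host}/{prefixlen}").network.broadcast_address)


def accepts_broadcast(host, prefixlen, dst):
    """Whether a host accepts an IP packet sent to the broadcast address dst.

    A host still configured /26 in the lower half owns .63, not .127, so a
    /25 broadcast to .127 looks like someone else's unicast and is dropped:
    the half-renumbered failure mode described in the thread.
    """
    return dst in (broadcast_for(host, prefixlen), "255.255.255.255")


if __name__ == "__main__":
    pooled = pooled_network(SEG_A, SEG_B)
    print("pooled network:", pooled, "- holds both old gateways:", GW_A in pooled and GW_B in pooled)
    # Still on /26, a host in A reaches a host in B only through its own gateway ...
    print(next_hop("192.0.2.10", 26, "192.0.2.70", GW_A))
    # ... once both are on /25 the same destination is on-link.
    print(next_hop("192.0.2.10", 25, "192.0.2.70", GW_A))
    # A host in A left on /26 ignores the broadcast a renumbered /25 host sends.
    print(accepts_broadcast("192.0.2.10", 26, broadcast_for("192.0.2.70", 25)))
```

One detail the thread does not spell out: the upper /26 (MYNET.64/26) already has MYNET.127 as its broadcast address, the same as the pooled /25, while the lower /26 uses MYNET.63. So during a partial renumbering, hosts left on the old mask in the upper half still hear /25 broadcasts, but hosts left on the old mask in the lower half do not; the discard symptom shows up on only one side.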



  • I've been told that by default, a filtering bridge will not pass broadcasts, so if each segment had its own DHCP, it would stay local. But I also have heard that it's possible to change a rule so that broadcasts do pass through, so a single DHCP server could work in both segments.

    Also, yes, both netmasks would be the same, or as you say, at least some of the packets will be discarded. I know that without DHCP, this means changing every machine.

    But once either through DHCP or manually, all of the machines at both locations have IPs in the same network, the question is whether I can use the same IP address in both segments as their default gateway, depending on the bridge filter to prevent packets from going to the "wrong" instance of the default gateway IP.

    Greg



  • Whatever you've been told about filtering bridges: it does what you tell it to do :D
    If you create a filtering bridge with pfSense per default NOTHING is passed between the two interfaces unless you create rules on an interface that allows traffic.

    Yes, you can have the same address as gateway in both segments. But then the whole traffic of one segment will flow over the bridge to the segment in which the gateway is.
    Or do you mean that pfSense itself is bridge and gateway at the same time?
    I have such a setup running here right now:
    1 DHCP ; WLAN bridged to LAN ; IP of LAN as gateway

    But back to your original question:
    You asked if it's viable to have the same IP on multiple devices that do the same thing in different collision domains within the same broadcast domain.

    I'm not sure if this is possible.
    You would have to be able to tell the bridge that it should stop processing certain MACs,
    and I really don't know if there are any bridges where you can configure Layer 2 rules.
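
The question both Greg's "case 3" reasoning and the reply above circle around is what happens to ARP when two hosts in one broadcast domain answer for the same IP. The simulation below is an added example, not code from the thread or from pfSense. It models segments A and B, each with a gateway at the same IP (192.0.2.1 stands in for the thread's IP.1) but different MACs (ETH-A and ETH-B, the thread's names), joined by a learning bridge. The bridge's per-protocol "keep local" filter is a constructed stand-in for a Layer 2 rule, and the hosts' ARP cache policy ("first" or "last" reply wins) is an assumption made so both outcomes can be shown; the host addresses and MACs are made up.

```python
"""Two bridged segments that share one gateway IP: which MAC do hosts learn?

Added example, not part of the original thread. Segments A and B each have a
gateway at 192.0.2.1 (the thread's IP.1) with MACs ETH-A and ETH-B, joined by
a learning bridge. The bridge's 'local_only' protocol filter and the hosts'
ARP-cache policy are constructed knobs, not the behaviour of any product.
"""

BCAST = "ff:ff:ff:ff:ff:ff"


class Frame:
    def __init__(self, src_mac, dst_mac, proto, payload):
        self.src_mac, self.dst_mac, self.proto, self.payload = src_mac, dst_mac, proto, payload


class Host:
    def __init__(self, name, mac, ip, cache_policy="last"):
        self.name, self.mac, self.ip = name, mac, ip
        self.cache_policy = cache_policy   # assumption: "first" or "last" ARP reply wins
        self.arp = {}                      # ip -> mac
        self.replies = 0                   # ARP replies seen, to show duplicate answers
        self.segment = None

    def send(self, dst_mac, proto, payload):
        self.segment.deliver(Frame(self.mac, dst_mac, proto, payload), origin=self)

    def arp_request(self, ip):
        self.send(BCAST, "ARP", {"op": "request", "target_ip": ip})

    def receive(self, frame):
        if frame.dst_mac not in (self.mac, BCAST) or frame.proto != "ARP":
            return
        p = frame.payload
        if p["op"] == "request" and p["target_ip"] == self.ip:
            # Every owner of the IP answers, including a gateway on the far segment.
            self.send(frame.src_mac, "ARP", {"op": "reply", "sender_ip": self.ip, "sender_mac": self.mac})
        elif p["op"] == "reply":
            self.replies += 1
            if self.cache_policy == "last" or p["sender_ip"] not in self.arp:
                self.arp[p["sender_ip"]] = p["sender_mac"]


class Segment:
    """One collision domain: every attached host sees every frame on it."""
    def __init__(self, name):
        self.name, self.hosts, self.bridge = name, [], None

    def attach(self, host):
        host.segment = self
        self.hosts.append(host)

    def deliver(self, frame, origin):
        for h in self.hosts:
            if h is not origin:
                h.receive(frame)
        if self.bridge is not None and origin is not self.bridge:
            self.bridge.forward(frame, ingress=self)


class LearningBridge:
    """Learns source MACs per port, sends known unicasts to one port, floods
    the rest, and keeps the listed protocols on their own segment."""
    def __init__(self, ports, local_only=()):
        self.ports, self.table, self.local_only = ports, {}, set(local_only)
        self.crossed = 0                   # frames forwarded between segments
        for p in ports:
            p.bridge = self

    def forward(self, frame, ingress):
        self.table[frame.src_mac] = ingress
        if frame.proto in self.local_only:
            return                         # Layer 2 rule: this protocol stays local
        known = self.table.get(frame.dst_mac)
        targets = [known] if known is not None and frame.dst_mac != BCAST else self.ports
        for seg in targets:
            if seg is not ingress:
                self.crossed += 1
                seg.deliver(frame, origin=self)


def gateway_bindings(local_only=(), cache_policy="last"):
    """Each host ARPs for the shared gateway IP; report the MAC it binds to,
    how many replies it saw, and how many frames crossed the bridge."""
    seg_a, seg_b = Segment("A"), Segment("B")
    gw_a = Host("gw-a", "ETH-A", "192.0.2.1")
    gw_b = Host("gw-b", "ETH-B", "192.0.2.1")          # same IP, different MAC
    host_a = Host("host-a", "02:00:00:00:00:0a", "192.0.2.10", cache_policy)
    host_b = Host("host-b", "02:00:00:00:00:46", "192.0.2.70", cache_policy)
    for seg, members in ((seg_a, (gw_a, host_a)), (seg_b, (gw_b, host_b))):
        for m in members:
            seg.attach(m)
    bridge = LearningBridge([seg_a, seg_b], local_only)
    for h in (host_a, host_b):
        h.arp_request("192.0.2.1")
    return {h.name: (h.arp["192.0.2.1"], h.replies) for h in (host_a, host_b)}, bridge.crossed


if __name__ == "__main__":
    print("ARP floods, last reply wins: ", gateway_bindings())
    print("ARP floods, first reply wins:", gateway_bindings(cache_policy="first"))
    print("ARP kept local:              ", gateway_bindings(local_only={"ARP"}))
```

With ARP flooded across the bridge, both gateways answer every request; which MAC a host ends up with depends on which reply its stack keeps, which on real hardware is a race rather than the fixed order of this simulation. With ARP kept on its own segment, each host sees exactly one reply and binds to its local gateway, and unicast frames to that MAC never cross the bridge. Keeping ARP local needs a rule that matches on the frame type, because a filter that looks at IP headers never sees ARP at all.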



  • @gshenaut:

    Also, yes, both netmasks would be the same, or as you say, at least some of the packets will be discarded. I know that without DHCP, this means changing every machine.

    But once either through DHCP or manually, all of the machines at both locations have IPs in the same network, the question is whether I can use the same IP address in both segments as their default gateway, depending on the bridge filter to prevent packets from going to the "wrong" instance of the default gateway IP.

    Greg

    From my understanding of networking….

    If you have two different sub-netted networks (or segments since you still use the netmask to differentiate) you would need to have a gateway for each one - the netmask on the host machine would stop any attempt to connect to a gateway outside its netmasked network unless there was a router to pass the packet through on the host's local sub-network (segment).

    One very easy test to see if the method you are contemplating might actually work would be to set up a couple of host machines with one sub-network and a couple with the second sub-network then connect them to a switch and see if you can use one gateway for both - I suspect not...

    It still all boils down to the netmask settings as that controls whether the TCP stack will accept or reject an IP packet (at least at level 3).

    Now - working down in level-2 is a different beast entirely and you can use MAC address only (which is exactly what a switch or bridge does - maintains a table of mac addresses and the port where the mac address resides) but I do not know "how" you would tell the host machines to use a specific MAC address for the gateway.  The host machine's gateway settings are in IP form - not MAC address form so unless there is a method to set the MAC address of the gateway on the host machines I can not see a method to do what you are wanting.

    At least that is how I perceive it (IMHO).... YMMV :)

    gm...



  • @gmckinney:

    From my understanding of networking….

    If you have two different sub-netted networks (or segments since you still use the netmask to differentiate) you would need to have a gateway for each one - the netmask on the host machine would stop any attempt to connect to a gateway outside it's netmasked network unless there was a router to pass the packet through on the host's local sub-network (segment).

    That is right if you have two different subnets.
    But he wants to join two different subnets into one bigger subnet –> all clients change their netmask to the bigger netmask.



  • I must be mis-reading what was questioned at first - I got the impression the original sub-nets would stay the same (including the sub-net masks) but he wanted to use just one gateway…

    If so then - never mind :)

    gm...

