Static route to subnet

hello everyone

So I tried the last few days to set up a libvirt host with a routed network, so basically my own virtual subnet.
In IPFire I set up a static route for the subnet, but unfortunately it doesn't fully work.
I can ping from inside the green zone to the KVM guests and get a response.
I can ssh from the KVM guests to any other computer inside the green zone, access the web, ping Google servers; basically they just work.
I can access the virtual machines from the outside via traefik.

But: inside the green zone, using the IP directly, I cannot ssh into the machines and I cannot access other ports via the IP… so somehow the route doesn't propagate.

Running an “ip route add subnet kvm_host_ip” on any PC in the green zone solves the problem, but that is not a really elegant solution for this problem.

Is there a way to configure IPFire DHCP with more than the “static-route” additional DHCP option and the static route setup for the firewall?

I hope I make some sense, I'll try to add a diagram tomorrow.

If I understood correctly, you want the DHCP server to pass a static route to your clients in the green network.

I have no idea how to do that, however this is what I would do if I had to solve that problem.

According to the wiki page you can create an entry in /var/ipfire/dhcp/dhcpd.conf.local. Therefore maybe you could enter there a static route as directive. I would consult the man page of dhcpd to see the exact syntax.


Could you please give us the IP Ranges with subnet masks for Green and the extra subnet?

If I understood correctly, you want the DHCP server to pass a static route to your clients in the green network.

Exactly, that's the idea. From orange to green via traefik works fine, since the static route is in the routing table.

Could you please give us the IP Ranges with subnet masks for Green and the extra subnet?

10.0.221.0/24 - green
10.0.222.0/24 - the extra subnet

According to the wiki page you can create an entry in /var/ipfire/dhcp/dhcpd.conf.local .

I found an example and modified it a bit; I still need to figure out the right values for the option, I think. Somehow I stopped reading the wiki way before I should have, thanks so much!

# Publish a static route to 10.0.222.0/24 via 10.0.221.99
# Declare the option codes first, so dhcpd knows how to encode the octet lists below
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;

subnet 10.0.221.0 netmask 255.255.255.0 { # green
  range 10.0.221.2 10.0.221.254;  # must not include the network address or the gateway
  option routers 10.0.221.1;  # the ipfire, i guess
  # RFC 3442 clients ignore "routers" once option 121 is present, so the default
  # route (prefix length 0, no destination octets) has to be repeated in front:
  #   0, <gateway>  then  24, 10, 0, 222 (only 3 octets for a /24), <gateway>
  option rfc3442-classless-static-routes 0, 10, 0, 221, 1, 24, 10, 0, 222, 10, 0, 221, 99;
  option ms-classless-static-routes 0, 10, 0, 221, 1, 24, 10, 0, 222, 10, 0, 221, 99;  # same data for Windows clients
}

I think the point is that IPFire is a firewall and not a routing device.
Did you take a look at the log files to see if there are blocked packets?

Using DHCP Option 121 (rfc3442-classless-static-routes ) is quite a pita. :frowning: But nevertheless it might be the best option you have.

#121 has some caveats you should know. Most important: if a client fetches #121 from a DHCP server it must ignore the given default route (option routers)! So you have to define the default route within this option. This is done with a special entry, consisting of 00 (double zero) and the gateway address.

Next important thing is: Usually you can’t use decimal numbers but have to write down the length and addresses in hexadecimal notation. This is where the real pain begins.

And the length for the target address is set as the number of bits (like in the CIDR notation), but in steps of 8 bits, as you must omit the zero-only octets of the address.

An example:
When defining 192.168.10.1 as default gateway and setting a route for 10.0.0.50/32 via 192.168.10.100 you would have this entry:

00:C0:A8:0A:01:20:0A:00:00:32:C0:A8:0A:64

00:C0:A8:0A:01
This is the default route (00) pointing to 192(C0).168(A8).10(0A).1(01)

20:0A:00:00:32:C0:A8:0A:64
This is the route for a single host i.e. netmask /32 (20) with address 10(0A).0(00).0(00).50(32) using the gateway 192(C0).168(A8).10(0A).100(64).

A route for a /24 network would look like this:
18:0A:00:14:C0:A8:0A:64
This is a route to the network 10.0.20.0/24 via 192.168.10.100.
10.0.20.0/24 gets shortened to 10.0.20 with length prefix 0x18.
A /16 network would have length 0x10 and be shortened to the first two octets.

There are some calculators on the internet but I found none of them really useful for my needs so I created my own spreadsheet. It makes life a little bit easier but the pain still continues.

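As an added example that is not from this thread, the Python below encodes and decodes the option 121 route list described in the post above; it reproduces the hex entries from that post and also prints the decimal octet form that an ISC dhcpd "array of unsigned integer 8" option in dhcpd.conf.local takes, using the green/extra subnet addresses from earlier in the thread (the gateway 10.0.221.99 for the KVM host is taken from that snippet).

```python
import ipaddress


def encode_classless_routes(routes):
    """Encode (destination CIDR, gateway) pairs as DHCP option 121 (RFC 3442).

    Only the significant octets of the destination are sent: ceil(prefix/8)
    of them, so a /24 contributes 3 octets, a /32 all 4 and the default route
    "0.0.0.0/0" none (the "00" entry from the post).
    """
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest)  # raises if host bits are set
        plen = net.prefixlen
        out.append(plen)
        out += net.network_address.packed[:(plen + 7) // 8]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; rejects truncated option data."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8
        if plen > 32 or i + 1 + n + 4 > len(data):
            raise ValueError(f"truncated or invalid option 121 data at offset {i}")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)  # restore omitted zero octets
        gw = data[i + 1 + n:i + 1 + n + 4]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(gw))))
        i += 1 + n + 4
    return routes


def as_hex(data):
    """Colon-separated hex, the notation used in the post above."""
    return ":".join(f"{b:02X}" for b in data)


def as_dhcpd_octets(data):
    """Decimal octet list as written in dhcpd.conf for option code 121."""
    return ", ".join(str(b) for b in data)


if __name__ == "__main__":
    # The post's example: default via 192.168.10.1, 10.0.0.50/32 via 192.168.10.100
    print(as_hex(encode_classless_routes([("0.0.0.0/0", "192.168.10.1"),
                                          ("10.0.0.50/32", "192.168.10.100")])))
    # The thread's own case: green gateway 10.0.221.1, 10.0.222.0/24 via KVM host
    print(as_dhcpd_octets(encode_classless_routes([("0.0.0.0/0", "10.0.221.1"),
                                                   ("10.0.222.0/24", "10.0.221.99")])))
```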