Roman, 2019-08-05 06:39:54
Computer networks

How to get access from one subnet to a host of another?

Good day.
I ask for help in setting up a Zyxel Keenetic Giga III router.
There are two LAN ports: 1 and 2

  • LAN 1 is part of the subnet 192.168.1.0/24 (Home)
  • LAN 2 is on subnet 11.11.0.0/23 (VNet)

The subnet 11.11.0.0/23 has a host with a static IP issued by DHCP: 11.11.0.1
DHCP has an address pool: 11.11.1.0-11.11.1.127
There are static routes:
  1. 11.11.0.0/23; 0.0.0.0; VNet (created automatically by the router)
  2. 11.11.0.1/32; 0.0.0.0; VNet (created by me)

Private interface isolation is disabled
VNet interface has a private security level
VLAN3 interface (bound to physical LAN 2) also has a private security level
I want to reach 11.11.0.1 from any address in the 192.168.1.0/24 subnet.
Access is via HTTP.
A trace reaches 11.11.0.0; this gateway reports that the resource 11.11.0.1 is not responding.
When I tried moving the host to the home segment, everything worked like clockwork: everything opens, pings and traces.
Network interface configuration:

interface GigabitEthernet0
up
!
interface GigabitEthernet0/0
rename 1
switchport mode access
switchport access vlan 1
up
!
interface GigabitEthernet0/1
rename 2
switchport mode access
switchport access vlan 3
up
!
interface GigabitEthernet0/2
rename 3
switchport mode access
switchport access vlan 1
up
!
interface GigabitEthernet0/3
rename 4
switchport mode access
switchport access vlan 1
up
!
interface GigabitEthernet0/Vlan1
description "Home VLAN"
security-level private
ip dhcp client dns-routes
ip dhcp client name-servers
up
!
interface GigabitEthernet0/Vlan2
security-level public
ip dhcp client dns-routes
ip dhcp client name-servers
up
!
interface GigabitEthernet0/Vlan3
security-level private
ip dhcp client dns-routes
ip dhcp client name-servers
up
!
interface GigabitEthernet1
rename ISP
description "Зелёная точка"
mac address factory wan
security-level public
ip address dhcp
ip dhcp client hostname Keenetic_Giga
ip dhcp client dns-routes
ip dhcp client name-servers
ip mtu 1500
ip global 700
igmp upstream
ipv6 address auto
ipv6 prefix auto
ipv6 name-servers auto
up
bandwidth-limit 54602
!
interface GigabitEthernet1/0
rename 0
ipv6 address auto
ipv6 prefix auto
ipv6 name-servers auto
up
!
interface WifiMaster0
country-code RU
compatibility N
channel width 40-below
channel auto-rescan 00:00 interval 1
power 10
tx-burst
rekey-interval 3600
up
!
interface WifiMaster0/AccessPoint0
rename AccessPoint
description "Wi-Fi access point"
mac access-list type none
security-level private
authentication wpa-psk ns3
encryption enable
encryption wpa2
ip dhcp client dns-routes
ip dhcp client name-servers
ssid zxhmnw
hide-ssid
wmm
up
!
interface WifiMaster0/AccessPoint1
rename GuestWiFi
description "Guest access point"
mac access-list type none
security-level private
ip dhcp client dns-routes
ip dhcp client name-servers
ssid Guest
wmm
down
!
interface WifiMaster0/AccessPoint2
mac access-list type none
security-level private
ip dhcp client dns-routes
ip dhcp client name-servers
down
!
interface WifiMaster0/AccessPoint3
mac access-list type none
security-level private
ip dhcp client dns-routes
ip dhcp client name-servers
down
!
interface WifiMaster0/WifiStation0
security-level public
encryption disable
ip dhcp client dns-routes
ip dhcp client name-servers
down
!
interface WifiMaster1
country-code RU
compatibility N+AC
channel width 40-above/80
channel auto-rescan 00:00 interval 1
power 25
tx-burst
rekey-interval 3600
band-steering
band-steering preference 5
up
!
interface WifiMaster1/AccessPoint0
rename AccessPoint_5G
description "5Ghz Wi-Fi access point"
mac access-list type none
security-level private
authentication wpa-psk ns3
encryption enable
encryption wpa2
ip dhcp client dns-routes
ip dhcp client name-servers
ssid zxhmnw
hide-ssid
wmm
up
!
interface WifiMaster1/AccessPoint1
mac access-list type none
security-level private
ip dhcp client dns-routes
ip dhcp client name-servers
down
!
interface WifiMaster1/AccessPoint2
mac access-list type none
security-level private
ip dhcp client dns-routes
ip dhcp client name-servers
down
!
interface WifiMaster1/AccessPoint3
mac access-list type none
security-level private
ip dhcp client dns-routes
ip dhcp client name-servers
down
!
interface WifiMaster1/WifiStation0
security-level public
encryption disable
ip dhcp client dns-routes
ip dhcp client name-servers
down
!
interface Bridge0
rename Home
description "Home network"
inherit GigabitEthernet0/Vlan1
include AccessPoint
include AccessPoint_5G
mac access-list type permit
mac access-list address fc:19:10:0f:5f:db
mac access-list address 00:7e:59:8e:2d:d3
mac access-list address 24:df:6a:4c:b7:e4
mac access-list address dc:85:de:00:b2:29
mac access-list address d4:25:8b:50:9e:ca
security-level private
ip address 192.168.1.1 255.255.255.0
ip dhcp client dns-routes
ip dhcp client name-servers
ip access-group _WEBADMIN_Home in
up
!
interface Bridge1
rename Guest
description "Guest network"
traffic-shape rate 5120
include GigabitEthernet0/Vlan2
include GuestWiFi
mac access-list type none
peer-isolation
security-level protected
ip address 10.1.30.1 255.255.255.0
ip dhcp client dns-routes
ip dhcp client name-servers
up
!
interface Bridge2
description VNet
include GigabitEthernet0/Vlan3
mac access-list type none
security-level private
ip address 11.11.0.0 255.255.254.0
ip dhcp client dns-routes
ip dhcp client name-servers
ip access-group _WEBADMIN_Bridge2 in
up
!
ip route 11.11.0.1 11.11.0.0 Bridge2
ip dhcp pool _WEBADMIN_BRIDGE2
range 11.11.1.0 11.11.1.127
lease 25200
bind Bridge2
enable
!
ip dhcp host 2c:4d:54:d7:ad:f5 11.11.0.1
ip host server.vm 11.11.0.1
!

Can you explain what I did wrong?
In general, I would like to set everything up so that isolate-private is enabled, and access is allowed only to the necessary addresses from the necessary segments and only over permitted protocols.
I would be very grateful if you could tell me how to set this up properly.
Thanks for the help.

2 answers
DDwrt100, 2019-08-05
@Verdoga

There are static routes:

    11.11.0.0/23; 0.0.0.0; VNet (created automatically by the router)
    11.11.0.1/32; 0.0.0.0; VNet (created by me)

The second route is meaningless.
One such record is enough: the one created by the router.
You need to look at the access lists on the router.

Maxim Iontzev, 2019-08-05
@iontzev

You need to add a rule to the access-list _WEBADMIN_Home that allows traffic to host 11.11.0.11 on ports 80 and 443
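The two answers make two separate points: the /32 static route is already covered by the connected /23 (first answer), and the Home access list needs an explicit permit for web traffic to the VNet host (second answer). The script below is an added example, not code from the question, the answers or Keenetic, that checks the addresses and routes exactly as they appear in the posted configuration with Python's standard `ipaddress` module, and evaluates a small deny-by-default access list shaped like the rule the second answer recommends. The rule dictionary format and the `acl_permits` evaluator are my own modelling assumptions (the router's real ACL syntax is not shown on the page); the interface, DHCP and route values are copied from the configuration above.

```python
"""Sanity checks for the two-subnet Keenetic layout from the question.

Added example: the data is copied from the posted configuration, the checks
and the ACL model are assumptions of this example, not Keenetic's own code.
"""
import ipaddress

# Bridge0 ("Home") and Bridge2 ("VNet") addresses, copied from the posted config.
INTERFACES = {
    "Home": "192.168.1.1/255.255.255.0",
    "VNet": "11.11.0.0/255.255.254.0",
}
# `range 11.11.1.0 11.11.1.127` bound to Bridge2, and the static lease for 11.11.0.1.
DHCP_POOL = ("VNet", "11.11.1.0", "11.11.1.127")
DHCP_HOST = ("VNet", "11.11.0.1")
# `ip route 11.11.0.1 11.11.0.0 Bridge2` as (destination, interface).
STATIC_ROUTES = [("11.11.0.1/32", "VNet")]

# Deny-by-default ACL in the spirit of the second answer: only HTTP/HTTPS from
# the Home subnet to the VNet host. Rule shape is an assumption of this example.
HOME_ACL = [
    {"proto": "tcp", "src": "192.168.1.0/24", "dst": "11.11.0.1/32", "dports": {80, 443}},
]


def interface_findings(name, cidr):
    """Flag a host address that is really the network/broadcast address, and non-RFC 1918 space."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    out = []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        out.append(f"{name}: {iface.ip} is the network or broadcast address of {net}, "
                   "not a usable host address")
    if not iface.ip.is_private:
        out.append(f"{name}: {net} is not RFC 1918 space and may shadow globally routable addresses")
    return out


def dhcp_findings(interfaces, pool, host):
    """Pool and static lease must lie inside the interface subnet and must not overlap each other."""
    out = []
    net = ipaddress.ip_interface(interfaces[pool[0]]).network
    lo, hi = ipaddress.ip_address(pool[1]), ipaddress.ip_address(pool[2])
    if lo not in net or hi not in net:
        out.append(f"{pool[0]}: DHCP pool {lo}-{hi} is outside {net}")
    lease = ipaddress.ip_address(host[1])
    if lease not in net:
        out.append(f"{host[0]}: static lease {lease} is outside {net}")
    elif lo <= lease <= hi:
        out.append(f"{host[0]}: static lease {lease} overlaps the dynamic pool {lo}-{hi}")
    return out


def route_findings(interfaces, routes):
    """A static route whose destination sits inside a connected subnet on that interface adds nothing."""
    out = []
    for dest, ifname in routes:
        connected = ipaddress.ip_interface(interfaces[ifname]).network
        if ipaddress.ip_network(dest).subnet_of(connected):
            out.append(f"route {dest} via {ifname} is already covered by connected network {connected}")
    return out


def acl_permits(acl, proto, src, dst, dport):
    """First-match permit list; anything not matched is denied (least privilege)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if (rule["proto"] == proto
                and s in ipaddress.ip_network(rule["src"])
                and d in ipaddress.ip_network(rule["dst"])
                and dport in rule["dports"]):
            return True
    return False


def audit():
    """Run every check over the posted configuration and return the findings."""
    findings = []
    for name, cidr in INTERFACES.items():
        findings += interface_findings(name, cidr)
    findings += dhcp_findings(INTERFACES, DHCP_POOL, DHCP_HOST)
    findings += route_findings(INTERFACES, STATIC_ROUTES)
    return findings


if __name__ == "__main__":
    for line in audit():
        print("-", line)
    print("Home -> 11.11.0.1:80 permitted:", acl_permits(HOME_ACL, "tcp", "192.168.1.50", "11.11.0.1", 80))
    print("Guest -> 11.11.0.1:80 permitted:", acl_permits(HOME_ACL, "tcp", "10.1.30.5", "11.11.0.1", 80))
```

Running it against the posted values reports three findings: Bridge2's address 11.11.0.0 is the network address of 11.11.0.0/23 rather than a host address (which matches the trace stopping at "11.11.0.0"), 11.11.0.0/23 is not private address space, and the /32 static route is redundant, as the first answer says. The DHCP pool and static lease check out. The ACL model shows the least-privilege shape the asker is after: Home can reach the VNet host on 80 and 443 only, and the Guest segment or any other port is denied by default.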
