The importance of subnets

Written on 2008-12-17
Reading time: 2 minutes

(Post reproduced from Blackskad’s blog)

When I became an active member of zeus, we inherited a little network. It contained some desktops and several servers. They all had an IP in the subnet, and were connected to the internet using a single IP. (Well, not completely true: there was a spare gateway, but that didn’t make any difference.)

We had a problem though: we couldn’t reach our webserver from internal clients using the normal URL. When we tried to surf to, it just hung on “connecting to server”.

Well, tcpdump and wireshark to the rescue! Using those tools, we noticed this problem:

external ip= -> ACK     -> -> ACK     -> <- SYN/ACK <- -> RST     ->

So what happened? The gateway at notices that the traffic has to be sent to the webserver. So it forwards the packets, but doesn’t apply address translation. Then the webserver answers the client directly, instead of going through the gateway. As the client doesn’t expect an answer from but from, it sends a reset to the webserver.

After being unable to come up with a solution using iptables, we decided on a more radical tactic: change part of the network layout. The whole network is still located in the subnet, but we’ve split it into two: the clients in and the servers in. Using this setup, the gateway applies its address translation correctly, and we are able to surf to the website internally without problems! :)
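The mechanism above, as an added model that is not from the original post: a gateway that rewrites only the destination (DNAT) lets the webserver reply straight to an on-link client, so the SYN/ACK arrives from the private address and the client resets. The addresses are constructed placeholders (RFC 5737 / RFC 1918), since the post’s own addresses did not survive; the two layouts show the flat subnet and the split one.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 / RFC 1918 ranges): the post's own addresses
# did not survive, so these only illustrate the mechanism, not the real network.
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")  # the single external IP


@dataclass
class Host:
    name: str
    ip: ipaddress.IPv4Address
    net: ipaddress.IPv4Network


def host(name: str, cidr: str) -> Host:
    iface = ipaddress.ip_interface(cidr)
    return Host(name, iface.ip, iface.network)


def next_hop(src: Host, dst: ipaddress.IPv4Address) -> str:
    """Ordinary routing decision: on-link destinations are delivered directly,
    everything else goes to the default gateway."""
    return "direct" if dst in src.net else "gateway"


def connect(client: Host, server: Host) -> str:
    """Model the handshake: client -> PUBLIC_IP, gateway DNATs to the server but
    does not rewrite the source. Return what the client does with the SYN/ACK."""
    # The gateway forwards the SYN with the client's private address untouched.
    syn_source_seen_by_server = client.ip
    if next_hop(server, syn_source_seen_by_server) == "direct":
        # Client is on-link: the reply never passes the gateway, so no un-DNAT.
        synack_source = server.ip
    else:
        # Reply goes back via the gateway, which maps server.ip -> PUBLIC_IP again.
        synack_source = PUBLIC_IP
    if synack_source == PUBLIC_IP:
        return "ESTABLISHED"
    return f"RST (SYN/ACK from {synack_source}, expected {PUBLIC_IP})"


def flat_layout() -> tuple[Host, Host]:
    """One /24 for everything: the situation described in the post."""
    return host("client", "192.168.1.20/24"), host("web", "192.168.1.80/24")


def split_layout() -> tuple[Host, Host]:
    """The same /24 split into a client half and a server half."""
    return host("client", "192.168.1.20/25"), host("web", "192.168.1.200/25")
```

Running `connect(*flat_layout())` yields the reset, while `connect(*split_layout())` completes, because the server's reply now has to pass the gateway, which reverses the translation.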

While fixing this, we’ve set up a “new” gateway. Over the years, the iptables rules, the DNS rules and the DHCP config had gathered a lot of cruft, so we got rid of that too. Yay for clean configs :)