My office network looks like this:
- the office network (wifi and wired) has the subnetwork 192.168.88.0.
- I have some server machines on the subnetwork 192.168.2.0 (NODE_1, …, NODE_10).
- I have a machine (it is a Mac mini) with 2 subnetwork interfaces that acts as:
  - the gateway for all machines in subnetwork 192.168.2.0,
  - exposes a VPN service (the Mac server app default one),
  - and provides extra services, such as a DNS.
The Mac mini configuration is my big problem. This is how it looks:
Ethernet interface en0
- address: 192.168.88.10
- netmask: 255.255.255.0
- gateway: 192.168.88.1
Ethernet interface en2
- address: 192.168.2.1
- netmask: 255.255.255.0
- gateway: 192.168.88.10
I need routing from machines in 192.168.88.0 to those in 192.168.2.0.
To do so I have activated the "Internet sharing" feature of Mac OS: actually I do not know what happens under the hood, but the machines NODE_1 … NODE_10 reach the internet.
Then, when I'm connected to the office network, so that I get an IP such as 192.168.88.33, I add a routing rule such as:
sudo route -n add 192.168.2.0/24 -gateway 192.168.88.10
So far so good: everything works fine!!!!!
The big problem is when I connect through the VPN.
VPN Connection
I connect successfully to the VPN exposed at 192.168.88.10, then I add the routing rule.
sudo route -n add 192.168.2.0/24 -gateway 192.168.88.10
I'm not able to reach the machines in subnet 192.168.2.0.
Sniffing the packets I see that the packets follow the hops:
- -> 192.168.88.10
- -> 192.168.2.1
- -> 192.168.2.110
- <- 192.168.2.1
- <- 192.168.88.1
The packet goes to the gateway 192.168.88.1 instead of 192.168.88.10. Looking into the Mac mini routing tables I see:
192.168.88.202 192.168.88.10 UH 2 93 ppp1
192.168.88.202 40:6c:8f:3:d5:e7 UHLS2 0 0 en0
40:6c:8f:3:d5:e7 is the MAC address of 192.168.88.1.
I would like to change the routing without using the internet sharing in order to allow internet access for 192.168.2.0, and cover both the VPN and local scenario, but I don't know the steps I need to do, and how to hand write the rules.
Thanks a lot.
Best Answer
It should be possible to create a bridge with en0 and en2 and enable net.inet.ip.forwarding to get rid of all routing problems. The bridge acts more or less as another switch between en0 and en2.
ifconfig
On the server create a file bridge:
with the content
sudo chmod +x /usr/local/bin/bridge
Create a launch daemon usr.bridge.plist:
with the content
Load the plist
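As an added example (not the answer's own script, which is missing here), a shell script of the kind the answer describes: it creates a bridge over en0 and en2 on the Mac mini and enables net.inet.ip.forwarding. The interface names en0/en2 and the bridge name bridge0 are assumed from the question, and setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the answer's script. Joins en0 (office side) and en2
# (server side) into one bridge and turns on IP forwarding on macOS.
# Assumed names: bridge0, en0, en2. DRY_RUN=1 prints instead of executing.

BRIDGE="${BRIDGE:-bridge0}"
MEMBERS="${MEMBERS:-en0 en2}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Build the bridge. Trade-off to keep in mind: once bridged, the
# 192.168.2.0/24 servers share one L2 segment with the office wifi, so the
# separation the two subnets gave you (and any VPN-only access to the
# servers) is gone; filter with pf on the Mac mini if that matters.
bridge_up() {
  run ifconfig "$BRIDGE" create
  for m in $MEMBERS; do
    run ifconfig "$BRIDGE" addm "$m"
  done
  run ifconfig "$BRIDGE" up
  run sysctl -w net.inet.ip.forwarding=1
}

# Tear the bridge down and stop forwarding again.
bridge_down() {
  run sysctl -w net.inet.ip.forwarding=0
  run ifconfig "$BRIDGE" destroy
}

case "${1:-}" in
  up) bridge_up ;;
  down) bridge_down ;;
esac
```

Saved as /usr/local/bin/bridge and invoked with `up`, it is the kind of file the launch daemon in the answer would run at boot; run `DRY_RUN=1 /usr/local/bin/bridge up` first to preview the commands.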