IP & MAC splitter with a VLAN switch



So it works, and this is all for reference about it, but first let me say what this is meant to accomplish and what it can and can't do with endpoint firewalls and a bridge firewall.

What is this setup meant to do?

Much like an old hub works, but it allows the same IP & MAC to simultaneously send/receive or receive/send at the same time (with limitations I will post about), to run an IPSec server without it being NAT-T with a PC or hardware NAT on the other connection not going through the server on a single IP without the need for a hardware VPN, and to run other open-port services.

A note about setting up a VPN on a WAN IP with no NAT and connecting clients using the VPN as a gateway, because what will happen is this, for say a VPN in the 192.168.1.1-192.168.1.2 range:

192.168.1.2:S 3821 - > - 74.125.230.147:R 80

192.168.1.2:S 3821 - > - 74.125.230.147:R 80

This is not going to work because the VPN is on the main IP 2.2.2.2, so the gateway for this IP will drop packets from 192.168.1.2. The way around this is to NAT the VPN clients off of 2.2.2.2 by ICS on a loopback adapter, which does not need an IP; it's just to NAT VPN clients, so this happens:

192.168.1.2:S 3821 - > - 74.125.230.147:R 80

2.2.2.2:S 53847 - > - 74.125.230.147:R 80

2.2.2.2:S 53847 - < - 74.125.230.147:R 80

192.168.1.2:S 3821 - < - 74.125.230.147:R 80

What is this setup not meant to do?

It's not to do NAT at the connection level, have two local ports that are the same, or allow two PCs to use the web; even if it looks to work, there are limitations without some source port offsetting at each end or before it splits the IP. This is the reason why the setup is for a server & PC setup, as you block incoming to the PC but allow it for the server.

TCP can ------ S=source port R=remote port L=local port (- > - = out) (- < - = in)

(out to in)

Same remote IP different source port same remote port

VLAN 2 = 2.2.2.2:S 3467 - > - 74.125.230.147:R 80

VLAN 2 = 2.2.2.2:S 3467 - < - 74.125.230.147:R 80

VLAN 1 = 2.2.2.2:S 3460 - > - 74.125.230.147:R 80

VLAN 1 = 2.2.2.2:S 3460 - < - 74.125.230.147:R 80

Different remote IP same source port same remote port

VLAN 2 = 2.2.2.2:S 3467 - > - 74.125.230.147:R 80

VLAN 2 = 2.2.2.2:S 3467 - < - 74.125.230.147:R 80

VLAN 1 = 2.2.2.2:S 3467 - > - 74.125.230.144:R 80

VLAN 1 = 2.2.2.2:S 3467 - < - 74.125.230.144:R 80

Same remote IP same source port different remote port

VLAN 2 = 2.2.2.2:S 3467 - > - 74.125.230.147:R 80

VLAN 2 = 2.2.2.2:S 3467 - < - 74.125.230.147:R 80

VLAN 1 = 2.2.2.2:S 3467 - > - 74.125.230.147:R 8080

VLAN 1 = 2.2.2.2:S 3467 - < - 74.125.230.147:R 8080

TCP can (in to out)

Same or different remote IP different local port same or different remote port

VLAN 2 = 2.2.2.2: L 23 - < - 4.4.4.4:R 50334

VLAN 2 = 2.2.2.2: L 23 - > - 4.4.4.4:R 50334

VLAN 1 = 2.2.2.2: L 26 - < - 4.4.4.4:R 50334

VLAN 1 = 2.2.2.2: L 26 - > - 4.4.4.4:R 50334

TCP can't ------ S=source port R=remote port L=local port (- > - = out) (- < - = in)

(out to in)

Same remote IP same source port same remote port

VLAN 2 = 2.2.2.2:S 3467 - > - 74.125.230.147:R 80

VLAN 2 = 2.2.2.2:S 3467 - < - 74.125.230.147:R 80

VLAN 1 = 2.2.2.2:S 3467 - > - 74.125.230.147:R 80

VLAN 1 = 2.2.2.2:S 3467 - < - 74.125.230.147:R 80

TCP can't (in to out)

Same or different remote IP same local port same or different remote port

VLAN 2 = 2.2.2.2: L 23 - < - 4.4.4.4:R 50334

VLAN 2 = 2.2.2.2: L 23 - > - 4.4.4.4:R 50334

VLAN 1 = 2.2.2.2: L 23 - < - 4.4.4.4:R 50330

VLAN 1 = 2.2.2.2: L 23 - > - 4.4.4.4:R 50330

UDP can ------ S=source port R=remote port L=local port (- > - = out) (- < - = in)

(out to in) & (in to out)

Same remote IP different source/local port same or different remote port

VLAN 2 = 2.2.2.2: S/L 6666 - >< - 4.4.4.4:R 9897

VLAN 2 = 2.2.2.2: S/L 6666 - <> - 4.4.4.4:R 9897

VLAN 1 = 2.2.2.2: S/L 7066 - >< - 4.4.4.4:R 9897

VLAN 1 = 2.2.2.2: S/L 7066 - <> - 4.4.4.4:R 9897

UDP can't ------ S=source port R=remote port L=local port (- > - = out) (- < - = in)

(out to in) & (in to out)

Same remote IP same source/local port same or different remote port

VLAN 2 = 2.2.2.2:S/L 6666 - >< - 4.4.4.4:R 9897

VLAN 2 = 2.2.2.2:S/L 6666 - <> - 4.4.4.4:R 9897

VLAN 1 = 2.2.2.2:S/L 6666 - >< - 4.4.4.4:R 9890

VLAN 1 = 2.2.2.2:S/L 6666 - <> - 4.4.4.4:R 9890

Same or different remote IP same source/local port same remote port

VLAN 2 = 2.2.2.2:S/L 6666 - >< - 4.4.4.4:R 6666

VLAN 2 = 2.2.2.2:S/L 6666 - <> - 4.4.4.4:R 6666

VLAN 1 = 2.2.2.2:S/L 6666 - >< - 7.4.4.2:R 6666

VLAN 1 = 2.2.2.2:S/L 6666 - <> - 7.4.4.2:R 6666

This was done with a NETGEAR GS105E but any VLAN switch should do this.
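To make the can/can't lists above concrete, here is an added model (not the poster's code) of what the splitter actually does: the switch floods every inbound frame for the shared IP/MAC to both VLAN ports, and each host's socket table decides whether to consume it. A flow is only unambiguous when exactly one host claims the reply; the hosts, socket tables and packets below are constructed from the post's own examples, and UDP sockets are modelled as unconnected (bound to a port only), which is why only the local port disambiguates them.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """One endpoint hanging off the splitter (one VLAN port), with its socket table."""
    name: str
    tcp_conn: set = field(default_factory=set)    # (local_port, remote_ip, remote_port)
    tcp_listen: set = field(default_factory=set)  # local ports with a TCP listener
    udp_bound: set = field(default_factory=set)   # local ports with an unconnected UDP socket

    def accepts(self, proto, local_port, remote_ip, remote_port, syn=False):
        if proto == "tcp":
            if (local_port, remote_ip, remote_port) in self.tcp_conn:
                return True              # reply to an established connection
            return syn and local_port in self.tcp_listen  # new connection to a listener
        return local_port in self.udp_bound  # a bound UDP socket takes anything for its port

def claimants(hosts, proto, local_port, remote_ip, remote_port, syn=False):
    """Every host sees the flooded frame; return the names of those that would consume it."""
    return [h.name for h in hosts if h.accepts(proto, local_port, remote_ip, remote_port, syn)]

def splitter_ok(hosts, **pkt):
    """One claimant: unambiguous. Two: both stacks act on the same packet (the 'can't'
    cases). Zero: nobody owns it, so it is reset or dropped."""
    return len(claimants(hosts, **pkt)) == 1

def page_scenarios():
    """Re-run the post's can/can't cases (constructed sockets); returns {case: works?}."""
    g, out = "74.125.230.147", {}
    # TCP out-to-in: same remote IP/port, different source port -> distinguishable
    v2, v1 = Host("vlan2", tcp_conn={(3467, g, 80)}), Host("vlan1", tcp_conn={(3460, g, 80)})
    out["tcp_out_diff_sport"] = splitter_ok([v2, v1], proto="tcp", local_port=3467, remote_ip=g, remote_port=80)
    # TCP out-to-in: identical 3-tuple on both hosts -> both claim the reply
    v1 = Host("vlan1", tcp_conn={(3467, g, 80)})
    out["tcp_out_same_tuple"] = splitter_ok([v2, v1], proto="tcp", local_port=3467, remote_ip=g, remote_port=80)
    # TCP in-to-out: listeners on different local ports vs the same local port
    v2, v1 = Host("vlan2", tcp_listen={23}), Host("vlan1", tcp_listen={26})
    out["tcp_in_diff_lport"] = splitter_ok([v2, v1], proto="tcp", local_port=23, remote_ip="4.4.4.4", remote_port=50334, syn=True)
    v1 = Host("vlan1", tcp_listen={23})
    out["tcp_in_same_lport"] = splitter_ok([v2, v1], proto="tcp", local_port=23, remote_ip="4.4.4.4", remote_port=50330, syn=True)
    # UDP: only the local port disambiguates; a different remote IP/port does not help
    v2, v1 = Host("vlan2", udp_bound={6666}), Host("vlan1", udp_bound={7066})
    out["udp_diff_port"] = splitter_ok([v2, v1], proto="udp", local_port=6666, remote_ip="4.4.4.4", remote_port=9897)
    v1 = Host("vlan1", udp_bound={6666})
    out["udp_same_port"] = splitter_ok([v2, v1], proto="udp", local_port=6666, remote_ip="7.4.4.2", remote_port=6666)
    return out
```

The same `claimants` check is what a bridge firewall between the two ports would have to reproduce to drop the copy the other host must not act on.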

[Image: Detailed Packet View IP splitter.jpg]

With a switch that can mirror both sent and received packets you are able to monitor the server on VLAN 2. The bridge firewall is to stop packets not needed to be seen by the server from what VLAN 2 is doing, with any of the sent packets from VLAN 2 sent out of port 5. As you might expect, for received packets needing to be sent down both ports 1 & 2 this causes a flood to happen, so the bandwidth is 1Gb shared (500Mb by 500Mb if both are sending & receiving at the same time).
