Broadcast between subnets


#1

Hi everyone, I’m hopinh I can gather you all for some assistance on a little project I’m working on.

I have a simple setup with two interfaces, the internal interface containing 2 vifs:

eth0.1: “VLAN 1” - 192.168.1.0/24
eth0.2: “VLAN 2” - 192.168.2.0/24

eth1: “WAN”

Upstream of eth0 is a managed L2 switch, with the two VLANS trunked from physical ports. I have a dhcp server and dns forwarder assigned for each vlan, along with the appropriate snat and dnat config, plus some basic firewall. I’m using two separate VLANS for a number of topology (and security) related reasons.

Everything I need works well - devices which connect to the VLAN 1 ports on the managed switch get the correct IP for that VLAN and can connect to devices on VLAN 2 etc through the default routing etc.

Ideally, what I would like, is for both of these subnets to “interact” as if they were one big single subnet.
For the most part this is currently the case, until it comes to udp broadcasts :frowning: For instance, if I have a printer on VLAN 1, I can’t auto-discover it on VLAN 2. Likewise for any number of “automagical” discovery applications that are used to set up and interact with devices these days.

Is there any way known, to allow a udp packet sent to the broadcast address of either of these vlans to be propagated across to the other vlan?

I think it’s something similar to ip-directed-broadcast but what I actually want to do is tell the router to identify any broadcast received for one subnet, and drop it on both subnets (rather than to be allowed to point the broadcast directly to another subnet). So I don’t think this is what I’m after, but it seems to come up a lot in searches.

I know that subnets should (by default) not allow this behavior, but in a small controlled environment such as this, there’s no reason I can think of for this function not to exist. So I’m hoping there is a switch I can turn on somewhere to enable it.

This question is not about whether the topology is correct for the scenario etc, I just want to know if it can be done this way.

Any ideas gurus?


#2

It’s not that it’s being blocked, it’s that it doesn’t work that way :slight_smile:

The initiating device is responsible for the type of packet it generates. Unicast, broadcast or multicast. A device generating a normal broadcast will be limited to the broadcast domain it is attached to.

Directed broadcast is a special kind of packet that is generated with a destination set to the broadcast IP of a non-local broadcast address. The packet will be routed like any other packet but when it arrives at the router directly attached to the target broadcast address. the router by default will disallow these types of packets without additional configuration (e.g authorizing the source-IP).

If it has to be a Xcast method, then multicast is probably your only option. Although I would suggest just find another way (group policy if it’s Windows domain, logon script / batch file if it’s a small personal network).

Hope that helps clarify things a bit.


#3

Worth trying…(NAT to the rescue)

  1. Create destination nat rule
    source LAN1
    original destination IP 255.255.255.255
    protocol UDP
    original destination port 12345
    new destination IP 10.0.0.255 (=LAN2 broadcast IP)

#4

Thanks, understood… However, unfortunately I don’t have any control over the methods used by product manufacturers.

I know that a lot of devices use the broadcast address 255.255.255.255, which routers may choose to forward on if configured to do so. This is why i figured that ip-directed-broadcast would theoretically be close to what I’m after, because essentially what I’m trying to do is tell the router that I want to broadcast this packet into its local network from outside.

You seem to understand what I mean though - send a broadcast to 192.168.1.255 and the router copies that packet and also sends it to 192.168.2.255.

Thanks for the suggestion, and I tried the NAT method as follows:

nat destination rule 10
destination {
address 192.168.1.255
}
inbound-interface eth0.1
protocol udp
translation {
address 192.168.2.255
}

No dice. Any other ideas?

I know it’s possible, because in my last job the guys had a network set up with a handful of subnets which appeared to work in this way - I could use discovery services such as bonjour across the subnets like they weren’t even segmented. I just have no idea how they did it.