Routing Private IP Addresses??

Fred Marshall

It appears that IP addresses in the private ranges are routing - which seems
contrary to the rules. Maybe someone can explain how this might be
happening:

I'm working on a LAN (LAN#1) with a private IP address in the range
192.168.x.x.
LAN#1 is connected to the internet through a router with NAT.

I have set up a firewall computer whose "outside" is on LAN #1
and whose "inside" is LAN#2 using 10.0.0.x addresses.

I can ping from LAN#2 to addresses on LAN#1 but I'm not completely sure why.
The firewall computer is running WinProxy. Shouldn't the routing it is
doing prevent routing private IP addresses?

Even more strange:
If I trace route to 10.0.0.2 from LAN#1 - trying to test routing through the
firewall in the other direction, instead of reaching the internal computer,
I get servers that are outside on the internet with the final IP address
being 10.0.0.2.
How in the heck can this be happening?
I thought such IP addresses would not route.
Not through a Linksys router.
Not through other servers on the internet.

Thanks,

Fred
 
Steve Winograd [MVP]

"Fred Marshall" said:
> It appears that IP addresses in the private ranges are routing - which seems
> contrary to the rules. Maybe someone can explain how this might be
> happening:
>
> I'm working on a LAN (LAN#1) with a private IP address in the range
> 192.168.x.x.
> LAN#1 is connected to the internet through a router with NAT.
>
> I have set up a firewall computer whose "outside" is on LAN #1
> and whose "inside" is LAN#2 using 10.0.0.x addresses.
>
> I can ping from LAN#2 to addresses on LAN#1 but I'm not completely sure why.
> The firewall computer is running WinProxy. Shouldn't the routing it is
> doing prevent routing private IP addresses?

LAN#2 computers can ping LAN#1 computers because the firewall computer
is in both LANs and has routes to both of them. Here's what happens
when a LAN#2 computer pings LAN#1:

1. The LAN#2 computer (proxy client) sends the ping to the firewall
computer (proxy server).

2. Because it's a proxy server, the firewall computer replaces the
LAN#2 computer's IP address (10.0.0.x) with its own LAN#1 IP address
(192.168.0.x) in the ping and sends it out on LAN#1.

3. The LAN#1 computer replies.

4. The firewall sends the reply to the LAN#2 computer.

Routers belonging to Internet backbones don't have routes to 10.0.0.x
or 192.168.x.x, so they drop packets that are sent to those addresses.

> Even more strange:
> If I trace route to 10.0.0.2 from LAN#1 - trying to test routing through the
> firewall in the other direction, instead of reaching the internal computer,
> I get servers that are outside on the internet with the final IP address
> being 10.0.0.2.
> How in the heck can this be happening?
> I thought such IP addresses would not route.
> Not through a Linksys router.
> Not through other servers on the internet.

I'd have to see the trace to comment.

> Thanks,
>
> Fred

--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Fred Marshall

Steve Winograd said:
> I'd have to see the trace to comment.

Steve,

I've sent the trace to our ISP. The trace is even stranger than you might
think in that it gets into a loop!

Thanks for the reply.

I get from this that one would have to manually filter out Private IP
addresses on any internal router if this were the behavior desired.

Fred
 
Steve Winograd [MVP]

"Fred Marshall" said:
> Steve,
>
> I've sent the trace to our ISP. The trace is even stranger than you might
> think in that it gets into a loop!
>
> Thanks for the reply.
>
> I get from this that one would have to manually filter out Private IP
> addresses on any internal router if this were the behavior desired.
>
> Fred

A loop? I hope that your ISP can fix that before your packets bring
down the whole Internet. :)

I've seen an ISP use private 10.x.x.x IP addresses inside its own
network.

--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
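
An added example, not part of any post in this thread: a longest-prefix-match sketch of how a router that knows only its own LAN and a default route hands a packet for 10.0.0.2 to its upstream link, and of the manual private-address filter Fred describes. The routing tables, the /24 masks and all function names are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UPSTREAM = "upstream"  # label for the link toward the ISP

# Constructed routing tables (assumed, not taken from the thread's devices).
# The NAT router only knows LAN#1 and a default route to the ISP.
NAT_ROUTER = [("192.168.0.0/24", "LAN#1"), ("0.0.0.0/0", UPSTREAM)]
# The firewall computer sits in both LANs, so it has a route to each.
FIREWALL = [("192.168.0.0/24", "LAN#1"), ("10.0.0.0/24", "LAN#2"),
            ("0.0.0.0/0", UPSTREAM)]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def lookup(routes, dst):
    """Longest-prefix match: return the next-hop label, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def forward(routes, dst, filter_private=False):
    """What a router does with a packet addressed to dst.

    With filter_private=True, a private destination that matches nothing
    more specific than the default route is dropped instead of sent upstream.
    """
    hop = lookup(routes, dst)
    if hop is None:
        return "drop (no route)"
    if filter_private and hop == UPSTREAM and is_rfc1918(dst):
        return "drop (private destination, upstream only)"
    return "forward to " + hop

if __name__ == "__main__":
    for name, table in (("NAT router", NAT_ROUTER), ("firewall", FIREWALL)):
        for filt in (False, True):
            print(name, "filter" if filt else "no filter",
                  "->", forward(table, "10.0.0.2", filt))
```

The filter only drops private destinations that would otherwise follow the default route, so the firewall computer still delivers 10.0.0.2 to its directly connected LAN#2.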
 
