Question: Multiple unsafe routes with the same IP and subnets #1104
Replies: 4 comments
-
Without thinking about the exact mechanics too hard I think this is possible to do but inadvisable. If I absolutely had to do this I would probably do it by shifting the conflicting subnets to alternate address ranges through the use of NAT. In other words, even though locally they are all 192.168.1.0/24 when accessed via the overlay network they would be mapped to non-conflicting addresses. There are many good reasons not to do this. A few I can think of:
There are probably some reasons that things were set up this way and you will potentially be inserting a number of gaping security holes by doing this. You need to thoroughly understand the security issues involved with all of the systems, networks, and overlay networking before doing this. You also need to understand the network engineering challenges and potential pitfalls involved. A better, but less convenient choice, is to use a totally separate overlay network for each isolated network and to only connect to one at a time. Some of the potential issues still exist but they are much more manageable with less complexity.
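One way to do the NAT remapping described above, as an added example that is not from the discussion or from the Nebula project: a small Python planner that carves a distinct prefix for each site's identical 192.168.1.0/24 LAN, refuses any prefix that collides with the overlay range or another site, shows the NETMAP host-bit arithmetic, and emits the client's Nebula `tun.unsafe_routes` entries plus the iptables rules each gateway needs. The overlay range 192.168.100.0/24, the pool 10.101.0.0/16 and the interface names nebula1/eth0 are assumptions.

```python
import ipaddress
from typing import Dict

OVERLAY = ipaddress.ip_network("192.168.100.0/24")  # assumed Nebula overlay range
LAN = ipaddress.ip_network("192.168.1.0/24")        # the subnet every site reuses
POOL = ipaddress.ip_network("10.101.0.0/16")        # assumed pool for remapped prefixes


def plan_remaps(gateways: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Give each site gateway (name -> overlay IP) its own /24 carved from POOL,
    refusing any prefix that overlaps the overlay or another site's remap."""
    used = [OVERLAY]
    remaps = {}
    candidates = POOL.subnets(new_prefix=LAN.prefixlen)
    for site, via in gateways.items():
        if ipaddress.ip_address(via) not in OVERLAY:
            raise ValueError(f"{site}: via {via} is not an overlay address")
        for cand in candidates:
            if not any(cand.overlaps(u) for u in used):
                used.append(cand)
                remaps[site] = cand
                break
        else:
            raise RuntimeError("remap pool exhausted")
    return remaps


def translate(addr: str, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
    """NETMAP arithmetic: keep the host bits, swap in the destination network bits."""
    a = ipaddress.ip_address(addr)
    if a not in src or src.prefixlen != dst.prefixlen:
        raise ValueError("address outside source prefix or prefix lengths differ")
    return str(dst.network_address + (int(a) - int(src.network_address)))


def render(gateways: Dict[str, str], remaps: Dict[str, ipaddress.IPv4Network]) -> str:
    """Client-side tun.unsafe_routes YAML, then the NAT rules for each gateway.
    DNAT (NETMAP) rewrites the remapped prefix back to the real LAN; MASQUERADE
    makes LAN devices reply to the gateway instead of needing a route to the overlay."""
    out = ["tun:", "  unsafe_routes:"]
    for site, net in remaps.items():
        out += [f"    - route: {net}", f"      via: {gateways[site]}"]
    for site, net in remaps.items():
        out += [f"# on {site} (needs net.ipv4.ip_forward=1; cert signed with -subnets {net})",
                f"iptables -t nat -A PREROUTING -i nebula1 -d {net} -j NETMAP --to {LAN}",
                f"iptables -t nat -A POSTROUTING -o eth0 -s {OVERLAY} -j MASQUERADE"]
    return "\n".join(out)


if __name__ == "__main__":
    gws = {"site-a": "192.168.100.11", "site-b": "192.168.100.12"}  # constructed sample
    print(render(gws, plan_remaps(gws)))
```

Nebula only accepts an unsafe route whose `via` host holds a certificate covering that route, so the remapped prefix, not 192.168.1.0/24, is what goes into each gateway's `-subnets`.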
-
One answer is that you can use any CIDR range that is a valid private range like https://en.wikipedia.org/wiki/Private_network so you could use unique CIDR ranges for each overlay network.
-
From what I've heard, it sounds like the best solution for this problem is for each of the computers running
-
We have a similar fleet, with lots of identical IPv4 networks. It is quite useful, as it makes devices and configs identical and interchangeable. Currently we use openvpn and IPv6 ULA for remote access, so addresses do not conflict with anything, ever - it is quite freeing. Unfortunately, nebula doesn't support IPv6 overlay addresses (#6). With IPv6 one could set up whatever 6to4 translator is appropriate (or add IPv6 addresses to devices) and have routable direct access. In practice, services on direct-connected VPN hosts manage data collection and we use ssh -D socks forwarding for debugging so we don't actually need IP forwarding, and IPv6 is not technically necessary, though IPv4 can create issues with conflicting range reuse and complicated routing and NATs in disparate networks.
-
I'm working on trying to set up remote access for some industrial machinery. Each machine has a private internal network, and changing any of those IP addresses would be unfeasible. The intent here is that the machine builder has their own overlay network for monitoring, and the integrator has an overlay network with access to the internal subnets for troubleshooting. How would I avoid collisions in the 192.168.1.x subnet? Is there a way to set things up so that the troubleshooting laptop can only see the private subnet of a certain machine whenever necessary? Is it even possible for a single node to be a member of two networks at the same time?