* Routing
From: tony.chamberlain @ 2009-01-30 16:10 UTC (permalink / raw)
To: linux-ppp
I have a machine, accessible from outside our company, running PPP.
Its local IP address is 10.0.1.29 (the address it gets from PPP).
I also have another machine whose IP address is 10.0.1.3 and also has
an IP address of 192.168.5.88 connected to our local network.

I can get to the 10.0.1.29 machine through an external IP address (which
I won't list here, for security reasons) and from there ssh to 10.0.1.3
and from 10.0.1.3 to the 192 network.

I would like to be able to get right from 10.0.1.29 to the 192 network.
On 10.0.1.3 I set the ip_forward (I forgot exactly what it is called) to 1
and restarted the network.

On 10.0.1.29 I did an

    ip route add '192.168.5.0/24' via 10.0.1.3 dev ppp0
and
    ip route add '192.168.5.0/24' via 10.0.1.3

tried both. It was entered successfully and showed up in "route -n" but
when I tried from 10.0.1.29 to do for example

    ssh -l root 192.168.5.191

it wouldn't let me and couldn't connect (though it would work from 10.0.1.3).

Did I miss something, or what else do I need to do?

I somehow got this to work earlier between our 192.168.5 network and
our 10.0.0.0 network where a machine (10.0.0.215/192.168.5.15) was on
both networks, and I set its address (192.168.5.15) as default router
for 192.168.5 networks and 10.0.0.215 for 10 networks.

192.168.5 mask is 255.255.255.0 and 10 network mask is 255.0.0.0

Tony
* Re: Routing
From: Bill Unruh @ 2009-01-30 16:38 UTC (permalink / raw)
To: linux-ppp
On Fri, 30 Jan 2009, tony.chamberlain@lemko.com wrote:
> I have a machine, accessible from outside our company, running PPP.
> Its local IP address is 10.0.1.29 (the address it gets from PPP).
> I also have another machine whose IP address is 10.0.1.3 and also has
> an IP address of 192.168.5.88 connected to our local network.
>
> I can get to the 10.0.1.29 machine through an external IP address (which
> I won't list here, for security reasons) and from there ssh to 10.0.1.3
> and from 10.0.1.3 to the 192 network.
>
> I would like to be able to get right from 10.0.1.29 to the 192 network.
> On 10.0.1.3 I set the ip_forward (I forgot exactly what it is called) to 1
> and restarted the network.
192.168.x.x addresses are not forwarded by
routers. They are simply thrown away as private addresses. Now, you could on
the 10.0.1.29 put in a routing table telling it to send all such packets to
10.0.1.3, but if there are any routers in the way, they may well discard it.
>
> On 10.0.1.29 I did an
>
> ip route add '192.168.5.0/24' via 10.0.1.3 dev ppp0
> and
> ip route add '192.168.5.0/24' via 10.0.1.3
>
> tried both. It was entered successfully and showed up in "route -n" but
> when I tried from 10.0.1.29 to do for example
>
> ssh -l root 192.168.5.191
Do a traceroute on the ppp0 to see if the packet is going out (are you sure
that 10.0.1.3 is directly connected to 10.0.1.3 via ppp?)
You need to tell us exactly what the connection topology is.
>
> it wouldn't let me and couldn't connect (though it would work from 10.0.1.3).
>
> Did I miss something, or what else do I need to do?
>
> I somehow got this to work earlier between our 192.168.5 network and
> our 10.0.0.0 network where a machine (10.0.0.215/192.168.5.15) was on
> both networks, and I set its address (192.168.5.15) as default router
> for 192.168.5 networks and 10.0.0.215 for 10 networks.
>
> 192.168.5 mask is 255.255.255.0 and 10 network mask is 255.0.0.0
>
> Tony
* Re: Routing
From: James Carlson @ 2009-01-30 18:06 UTC (permalink / raw)
To: linux-ppp
Bill Unruh writes:
> 192.168.x.x addresses are not forwarded by
> routers. They are simply thrown away as private addresses.
That's not true without qualification. The correct statement is that
those "private" addresses are not forwardable on the open Internet.
The routes for the RFC 1918 address ranges don't exist by
administrative design, and the ranges are (sometimes) filtered at the
edges of provider networks.
However, no known router will discard them arbitrarily, so the
injunction against letting them pass through routers doesn't make
sense here.
--
James Carlson 42.703N 71.076W <carlsonj@workingcode.com>
* Re: Routing
From: James Carlson @ 2009-01-30 23:05 UTC (permalink / raw)
To: linux-ppp
tony.chamberlain@lemko.com writes:
> I have a machine, accessible from outside our company, running PPP.
> Its local IP address is 10.0.1.29 (the address it gets from PPP).
> I also have another machine whose IP address is 10.0.1.3 and also has
> an IP address of 192.168.5.88 connected to our local network.
>
> I can get to the 10.0.1.29 machine through an external IP address (which
> I won't list here, for security reasons) and from there ssh to 10.0.1.3
> and from 10.0.1.3 to the 192 network.
Unless that external IP address is actually a system routed on the
inside of some corporate network (where there's an overlay for the RFC
1918 ranges), what you're describing sounds very odd.
Typically, systems with RFC 1918 are accessible from the Internet only
through a NAT device that does some sort of static address and/or port
translation -- meaning that you use a _different_ address to reach it,
not the RFC 1918 address.
Are you perhaps misstating the addresses in use as some sort of
security measure, or is there more going on here than you're telling
us about?
> I would like to be able to get right from 10.0.1.29 to the 192 network.
> On 10.0.1.3 I set the ip_forward (I forgot exactly what it is called) to 1
> and restarted the network.
You'll also need routes on the 192 network to point back to the 10
network.
> ssh -l root 192.168.5.191
>
> it wouldn't let me and couldn't connect (though it would work from 10.0.1.3).
>
> Did I miss something, or what else do I need to do?
You likely missed the reverse routes I described above.
--
James Carlson 42.703N 71.076W <carlsonj@workingcode.com>
* routing
From: tony.chamberlain @ 2010-07-08 12:40 UTC (permalink / raw)
To: linux-ppp
I have three machines. One, Machine A, is in China and acts as a PPP
server. It has an external IP address that I ppp to from machine B. Machine
B is on our 192.168.5 network and has IP 192.168.5.27. It can get out
to Internet. When B ppp's to A, A gets 10.0.0.98 and B gets 10.0.0.26.
A and B need to exchange messages and have the from and to ips be correct
(which they are).

Now I have machine C, 192.168.5.139. I am trying to avoid having to install
PPP on it but it has to communicate with both B and A. B is, of course, no
problem. It can be reached via 192.168.5.27 and for some reason I cannot
figure out, 10.0.0.26 also works from C to B.

To get C to be able to communicate with A I did the following:

in C: ip route replace 10.0.0.98 via 192.168.5.27 # Route to 98 through 27
in A: ip route replace 192.168.5.139 via 10.0.0.26 # reverse
in B (more complicated):
    ip forward is set to 1
    iptables -t nat -A POSTROUTING -s 192.168.5.139 -o ppp0 -j MASQUERADE

This allows me to go to 10.0.0.98 from A and to 192.168.5.139 from C.
This works fine for ssh, scp, etc. However, when an IP message is sent
from A to C, it appears the return (or FROM) IP address is B (10.0.0.26)
not A (192.168.5.139) so when A tries to respond it sends to the wrong
location (B). I imagine it is because of the masquerade.

I can't change all incoming traffic for B to C because A also needs to
correspond with B. Is there any iptables command I can use to preserve
C's address, but also preserve B's address when the message is from B?

I can just install ppp on A but it is a pain in 5.4 and does not always
work right.

Thanks

p.s. and yes B and machines are CentOS 5.4 and A is 4.5
* Re: routing
From: James Carlson @ 2010-07-08 13:39 UTC (permalink / raw)
To: linux-ppp
tony.chamberlain@lemko.com wrote:
> I have three machines.
For what it's worth, it sounds a lot like these are basic IP routing
questions, and that the use of PPP is mostly immaterial. You might want
to try to find a mailing list that's more focussed on routing issues in
Linux.
> Now I have machine C, 192.168.5.139. I am trying to avoid having to install
> PPP on it but it has to communicate with both B and A. B is, of course, no
> problem. It can be reached via 192.168.5.27 and for some reason I cannot
> figure out, 10.0.0.26 also works from C to B.
There's always a reason for things. ;-} It would be good to understand
exactly what's going on there, because it may be related to the problems
you see. Showing some "netstat -rn" output might be a start.
> To get C to be able to communicate with A I did the following:
>
> in C: ip route replace 10.0.0.98 via 192.168.5.27 # Route to 98 through 27
> in A: ip route replace 192.168.5.139 via 10.0.0.26 # reverse
That along with the masquerading seems too complicated to me.
Assuming that static routing is somehow "required," I would have done
this on C:
route add 10.0.0.0/24 192.168.5.27
because the 10 network is reachable through machine B. Then on machine
A, I would have:
route add 192.168.5.0/24 10.0.0.26
and nothing else. No masquerading or any other tricks should be needed.
Just an IP path between those two systems ought to do the job. (For
good measure, you could add a blackhole route for 10.0.0.0/24, so that
misaddressed packets don't bounce around, but that's not strictly required.)
But that assumes static routing. I wouldn't do that on my network. I'd
just enable RIP-2 or OSPF and let it do its thing. It'll figure out the
routes.
--
James Carlson 42.703N 71.076W <carlsonj@workingcode.com>
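
The difference between the masqueraded setup in the question and the plain routed setup suggested in the reply, as an added example (not code from the thread): a small Python model of hosts A, B and C using the addresses and routes from these two messages. It has no connection tracking and treats a missing route as a drop; the table layout and function names are made up for this illustration. Dropping A's route back to 192.168.5.0/24 reproduces the missing reverse route from the 2009 exchange.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over {prefix: (next_hop, dev)}; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), r) for p, r in routes.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def send(hosts, origin, src, dst, max_hops=8):
    """Walk one packet hop by hop. Returns (receiving host, source address it
    sees), or (None, reason) when the packet is lost."""
    here = origin
    for _ in range(max_hops):
        node = hosts[here]
        if dst in node["addrs"]:
            return here, src
        if here != origin and not node.get("forward"):
            return None, f"{here} does not forward"
        route = lookup(node["routes"], dst)
        if route is None:
            return None, f"{here} has no route to {dst}"
        next_hop, dev = route
        # MASQUERADE (POSTROUTING): rewrite the source on the way out of dev
        src = node.get("masq", {}).get((src, dev), src)
        target = dst if next_hop == "direct" else next_hop
        here = next((n for n, h in hosts.items() if target in h["addrs"]), None)
        if here is None:
            return None, f"nobody answers for {target}"
    return None, "hop limit exceeded"

def call_back(hosts, origin, src, dst):
    """The peer later opens a NEW connection to the source address it saw.
    Returns (address seen by the peer, host the new connection lands on)."""
    got, seen = send(hosts, origin, src, dst)
    if got is None:
        return seen, None
    back, _ = send(hosts, got, dst, seen)
    return seen, back

def topology(reverse_route=True, masquerade=False):
    """Network routes as in the reply; masquerade=True adds the rule on B."""
    a_routes = {"10.0.0.26/32": ("direct", "ppp0")}
    if reverse_route:
        a_routes["192.168.5.0/24"] = ("10.0.0.26", "ppp0")
    masq = {("192.168.5.139", "ppp0"): "10.0.0.26"} if masquerade else {}
    return {
        "A": {"addrs": {"10.0.0.98"}, "routes": a_routes},
        "B": {"addrs": {"192.168.5.27", "10.0.0.26"}, "forward": True,
              "routes": {"192.168.5.0/24": ("direct", "eth0"),
                         "10.0.0.98/32": ("direct", "ppp0")},
              "masq": masq},
        "C": {"addrs": {"192.168.5.139"},
              "routes": {"192.168.5.0/24": ("direct", "eth0"),
                         "10.0.0.0/24": ("192.168.5.27", "eth0")}},
    }

if __name__ == "__main__":
    cases = {"routed": {}, "masqueraded": {"masquerade": True},
             "no reverse route": {"reverse_route": False}}
    for label, kw in cases.items():
        print(label, call_back(topology(**kw), "C", "192.168.5.139", "10.0.0.98"))
```

With masquerading, A sees 10.0.0.26 and a new connection back lands on B; with routes in both directions, A sees 192.168.5.139 and reaches C.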
* routing
From: Patrick Ahler @ 2004-01-22 16:31 UTC (permalink / raw)
To: netfilter
I have a router setup to forward 192.168.1.x (private/internal)
addresses to A.B.C.x (public) addresses and public to private. The x
variable remains the same.
192.168.1.x <-- --> eth0 (router/iptables) eth1 <-- --> A.B.C.x
Using the following configuration I have had no luck getting anything to
forward. (yes I've enabled ip_forward and correctly compiled the
kernel). If I run a traceroute from a machine outside our network it
will find the router, but if I traceroute a machine behind the firewall
(A.B.C.x), the trace will hang just before it gets to my router and then
won't find my router.
Route:
Route add -net A.B.C.x netmask 255.255.255.255 dev eth1
(also add default gateway and loopback interface)
iptables:
iptables -t nat -A PREROUTING -d A.B.C.x -I eth0 -j DNAT -to 192.168.1.x
iptables -t nat -A POSTROUTING -s 192.168.1.x -I eth0 -j SNAT -to
A.B.C.x
Thanks,
Patrick A.
* Re: routing
From: John A. Sullivan III @ 2004-01-23 0:09 UTC (permalink / raw)
To: Patrick Ahler; +Cc: netfilter
> I have a router setup to forward 192.168.1.x (private/internal)
> addresses to A.B.C.x (public) addresses and public to private. The x
> variable remains the same.
>
> 192.168.1.x <-- --> eth0 (router/iptables) eth1 <-- --> A.B.C.x
>
> Using the following configuration I have had no luck getting anything to
> forward. (yes I've enabled ip_forward and correctly compiled the
> kernel). If I run a traceroute from a machine outside our network it
> will find the router, but if I traceroute a machine behind the firewall
> (A.B.C.x), the trace will hang just before it gets to my router and then
> won't find my router.
>
> Route:
>
> Route add -net A.B.C.x netmask 255.255.255.255 dev eth1
>
> (also add default gateway and loopback interface)
>
> iptables:
>
> iptables -t nat -A PREROUTING -d A.B.C.x -I eth0 -j DNAT -to 192.168.1.x
>
> iptables -t nat -A POSTROUTING -s 192.168.1.x -I eth0 -j SNAT -to
> A.B.C.x
>
> Thanks,
>
> Patrick A.
>
>
I am a little unclear about what you are doing. Is the 192.168.1.x
network an indirect route and that is why you are adding the explicit
route entry? If it is directly connected, you do not need the route
statement at all. If it is indirectly connected, i.e., through another
router, I would suggest routing the entire network rather than the host.
I would also suggest using the NETMAP patch to create a one-to-one mapping
from the private to the public address for a network rather than a series
of individual SNAT/DNAT rules.
Finally, your syntax for the DNAT/SNAT rules seems incorrect unless they
are just typos. I'm not at a Linux station to check but don't you want:
iptables -t nat -A PREROUTING -d A.B.C.x -i eth1 -j DNAT --to-destination 192.168.1.x
iptables -t nat -A POSTROUTING -s 192.168.1.x -o eth1 -j SNAT --to-source A.B.C.x
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
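
A small checker for the syntax problems this reply points out, as an added example (not code from the thread or from iptables): it flags `-I` used where an interface match was meant, single-dash long options, an interface match in the wrong direction for the chain, and a NAT target without its address option. It only knows the full option names used in the reply; the function name and problem codes are made up here, and the sample rules keep the thread's A.B.C.x and 192.168.1.x placeholders.

```python
import shlex

# Chains of the nat table in which each target is accepted
# (SNAT in INPUT only on newer kernels)
VALID_CHAINS = {"DNAT": {"PREROUTING", "OUTPUT"},
                "SNAT": {"POSTROUTING", "INPUT"}}
REQUIRED_OPT = {"DNAT": "--to-destination", "SNAT": "--to-source"}

def arg_after(tokens, flag):
    """Value following `flag`, or None if the flag is absent or last."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None

def lint_nat_rule(rule):
    """Return {code: message} for problems in one `iptables -t nat -A` rule."""
    tok = shlex.split(rule)
    chain, target = arg_after(tok, "-A"), arg_after(tok, "-j")
    found = {}
    if "-I" in tok and "-A" in tok:
        found["insert-flag"] = ("-I is the insert command, not an interface "
                                "match; use -i (input) or -o (output)")
    for t in tok:
        if t.startswith("-") and not t.startswith("--") and len(t) > 2:
            found["single-dash"] = f"{t}: long options take two dashes"
    if chain == "PREROUTING" and "-o" in tok:
        found["iface-dir"] = "PREROUTING can only match -i"
    if chain == "POSTROUTING" and "-i" in tok:
        found["iface-dir"] = "POSTROUTING can only match -o"
    if target in VALID_CHAINS:
        if chain not in VALID_CHAINS[target]:
            found["chain"] = f"{target} is not valid in {chain}"
        if arg_after(tok, REQUIRED_OPT[target]) is None:
            found["target-opt"] = f"{target} needs {REQUIRED_OPT[target]} <addr>"
    return found

# Rules as posted in the question and as suggested in the reply
AS_POSTED = [
    "iptables -t nat -A PREROUTING -d A.B.C.x -I eth0 -j DNAT -to 192.168.1.x",
    "iptables -t nat -A POSTROUTING -s 192.168.1.x -I eth0 -j SNAT -to A.B.C.x",
]
AS_SUGGESTED = [
    "iptables -t nat -A PREROUTING -d A.B.C.x -i eth1 -j DNAT --to-destination 192.168.1.x",
    "iptables -t nat -A POSTROUTING -s 192.168.1.x -o eth1 -j SNAT --to-source A.B.C.x",
]

if __name__ == "__main__":
    for rule in AS_POSTED + AS_SUGGESTED:
        print(rule)
        for code, msg in lint_nat_rule(rule).items():
            print(f"  [{code}] {msg}")
```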
* Re: routing
From: Joshua @ 2003-09-07 16:03 UTC (permalink / raw)
To: linux-hams
I plan on making it tcp/ip over AX.25
VA7JAJ
=====
Joshua
God Bless America
VATSIM ID: 816287
* routing
From: Joshua @ 2003-09-06 22:47 UTC (permalink / raw)
To: linux-hams
could somebody recommend a routing protocol for the
following network design.

++++++++++++++++
+              +
o----o----o----o
|    |    |    |
s    s    s    s

the s's are subnets that are connected to each other
through a router o. the o's are routers that have two
ax.25 ports one on one frequency for the subnet it is
connected to, and one connecting it to surrounding
routers; the two on the ends have a third port to each
other via an hf-link, and the other links are vhf.
assume that each router can only communicate with its
direct neighbors, except the end routers which can
communicate through a different link
=====
Joshua
God Bless America
VATSIM ID: 816287
* Re: routing
From: Jeroen Vreeken @ 2003-09-07 14:03 UTC (permalink / raw)
To: andrewjj20; +Cc: linux-hams
On 2003.09.07 00:47:56 +0200 Joshua wrote:
> could somebody recommend a routing protocol for the
> following network design.
>
> ++++++++++++++++
> +              +
> o----o----o----o
> |    |    |    |
> s    s    s    s
>
> the s's are subnets that are connected to each other
> through a router o. the o's are routers that have two
> ax.25 ports one on one frequency for the subnet it is
> connected to, and one connecting it to surrounding
> routers; the two on the ends have a third port to each
> other via an hf-link, and the other links are vhf.
> assume that each router can only communicate with its
> direct neighbors, except the end routers which can
> communicate through a different link
It depends what you want... just ax25 connections? tcp/ip?
If it is just an amateur radio network look at netrom, if you want ip look at
something like rip.
Jeroen