* [LARTC] Serious Routing problem
@ 2002-07-06  1:12 Segree, Gareth
  2002-07-06  3:46 ` tc lewis
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: Segree, Gareth @ 2002-07-06  1:12 UTC (permalink / raw)
  To: lartc

It might seem like I'm asking this question in vain but let me post it for
the last time.

I have a server with two interfaces 128.187.2.0/16 and 128.187.1.0/16 that
was set up by a vendor (I don't think there is any ip routing enabled).

I have hosts on two hubs (server card 1 is on hub 1 128.187.2.1 and server
card 2 is on hub 2 128.187.1.1)

I have a firewall with two interface cards with the following eth1:
128.187.3.1/24 [hub 1] and eth2: 128.187.4.1/24 [hub 2].

I want each side to talk to the other in the event that one of the network
cards goes down.

I have a firewall setup like the following.

eth1: 128.187.3.1/24 and eth2: 128.187.4.1/24 - with clients on each side of
the lan with default gateway being the interface that it is connected to.

I have done the following:
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route replace 128.187.1.1 dev eth1
ip route replace 128.187.2.1 dev eth2

From the firewall I can ping 128.187.1.1 & 128.187.2.1.

clients from the 128.187.3.0 side can't ping 128.187.2.1 and clients from
the 128.187.4.0 side can't ping 128.187.1.1.

How can I allow hosts on the eth1: 128.187.3.1/24 to ping 128.187.2.1 and
hosts on eth2: 128.187.4.1/24 to ping 128.187.1.1?

Thanks in Advance.


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Serious Routing problem
  2002-07-06  1:12 [LARTC] Serious Routing problem Segree, Gareth
@ 2002-07-06  3:46 ` tc lewis
  2002-07-06  6:12 ` Julian Anastasov
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: tc lewis @ 2002-07-06  3:46 UTC (permalink / raw)
  To: lartc


er, i didn't really read this whole thing, so this reply is probably
worthless, but...

> I have a server with two interfaces 128.187.2.0/16 and 128.187.1.0/16 that
> was set up by a vendor (I don't think there is any ip routing enabled).

doesn't 128.187.1.0/16 bleed into 128.187.2.0/16?  i would think there
would be problems with that right there.  y/n?

-tcl.


* Re: [LARTC] Serious Routing problem
  2002-07-06  1:12 [LARTC] Serious Routing problem Segree, Gareth
  2002-07-06  3:46 ` tc lewis
@ 2002-07-06  6:12 ` Julian Anastasov
  2002-07-06 15:39 ` Segree, Gareth
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Julian Anastasov @ 2002-07-06  6:12 UTC (permalink / raw)
  To: lartc


	Hello,

On Fri, 5 Jul 2002, Segree, Gareth wrote:

> It might seem like I'm asking this question in vain but let me post it for
> the last time.

	Well, do you have a picture of this setup: wires, hosts, hubs, IPs,
subnets? It will help for selecting the right solution. Is the problem
that rp_filter drops the packets?

> Thanks in Advance.

Regards

--
Julian Anastasov <ja@ssi.bg>


* RE: [LARTC] Serious Routing problem
  2002-07-06  1:12 [LARTC] Serious Routing problem Segree, Gareth
  2002-07-06  3:46 ` tc lewis
  2002-07-06  6:12 ` Julian Anastasov
@ 2002-07-06 15:39 ` Segree, Gareth
  2002-07-06 16:04 ` Julian Anastasov
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: Segree, Gareth @ 2002-07-06 15:39 UTC (permalink / raw)
  To: lartc

> Well, do you have a picture of this setup: wires, hosts, hubs, IPs,
> subnets? It will help for selecting the right solution. Is the problem
> that rp_filter drops the packets?
No, I can ping both hosts and server from the firewall.

I thought that if you created host routes on the firewall and enabled
ip_forwarding that's all that would be needed.


* RE: [LARTC] Serious Routing problem
  2002-07-06  1:12 [LARTC] Serious Routing problem Segree, Gareth
                   ` (2 preceding siblings ...)
  2002-07-06 15:39 ` Segree, Gareth
@ 2002-07-06 16:04 ` Julian Anastasov
  2002-07-06 16:57 ` Segree, Gareth
  2002-07-06 17:45 ` Julian Anastasov
  5 siblings, 0 replies; 7+ messages in thread
From: Julian Anastasov @ 2002-07-06 16:04 UTC (permalink / raw)
  To: lartc


	Hello,

On Sat, 6 Jul 2002, Segree, Gareth wrote:

> > Well, do you have a picture of this setup: wires, hosts, hubs, IPs,
> > subnets? It will help for selecting the right solution. Is the problem
> > that rp_filter drops the packets?
> No, I can ping both hosts and server from the firewall.
>
> I thought that if you created host routes on the firewall and enabled
> ip_forwarding that's all that would be needed.

	Not so easy if you connect one Linux box to another host by using
2 or more devices....

	ping can work because by default it selects as src IP the preferred
source address to the target host. But from the information provided I
assume you have a problem with talks between different subnets. No? At
least, I don't have a clear picture of your setup, which is an essential
step before continuing further.

Regards

--
Julian Anastasov <ja@ssi.bg>


* RE: [LARTC] Serious Routing problem
  2002-07-06  1:12 [LARTC] Serious Routing problem Segree, Gareth
                   ` (3 preceding siblings ...)
  2002-07-06 16:04 ` Julian Anastasov
@ 2002-07-06 16:57 ` Segree, Gareth
  2002-07-06 17:45 ` Julian Anastasov
  5 siblings, 0 replies; 7+ messages in thread
From: Segree, Gareth @ 2002-07-06 16:57 UTC (permalink / raw)
  To: lartc

             [128.187.1.1] gw none          [128.187.2.1] gw none
      __________________[eth1--  Server  -- eth2]__________________
     /                                                             \
24-port Hub 1                                                 24 port Hub 2
+-----------+                                                 +-----------+
+-----------+                                                 +-----------+
    /\______________[eth1-- Linux Firewall --eth2]__________________/\
   /              [128.187.3.1]        [128.187.4.1]                  \
[clients1]                                                        [clients2]
128.187.3.0/24 gw eth1                              128.187.4.0/24 gw eth2


I want clients1 to be able to reach eth2 on server [128.187.2.1] if eth1 on
Server goes down and vice versa.

Does this explain better?


* RE: [LARTC] Serious Routing problem
  2002-07-06  1:12 [LARTC] Serious Routing problem Segree, Gareth
                   ` (4 preceding siblings ...)
  2002-07-06 16:57 ` Segree, Gareth
@ 2002-07-06 17:45 ` Julian Anastasov
  5 siblings, 0 replies; 7+ messages in thread
From: Julian Anastasov @ 2002-07-06 17:45 UTC (permalink / raw)
  To: lartc


	Hello,

On Sat, 6 Jul 2002, Segree, Gareth wrote:

>              [128.187.1.1] gw none          [128.187.2.1] gw none
>       __________________[eth1--  Server  -- eth2]__________________
>      /                                                             \
> 24-port Hub 1                                                 24 port Hub 2
> +-----------+                                                 +-----------+
> +-----------+                                                 +-----------+
>     /\______________[eth1-- Linux Firewall --eth2]__________________/\
>    /              [128.187.3.1]        [128.187.4.1]                  \
> [clients1]                                                        [clients2]
> 128.187.3.0/24 gw eth1                              128.187.4.0/24 gw eth2

	Hey, your setup is rather complex.

	OK, where do you think is the problem? Did you really try
to set /proc/sys/net/ipv4/conf/*/rp_filter to 0, both on Server
and Firewall? Tests with tcpdump can show what does not work.
If rp_filter=1 is the problem and you still require rp_filter=1
then you need some patching:

http://www.linuxvirtualserver.org/~julian/#rp_filter_mask
http://www.linuxvirtualserver.org/~julian/#medium_id

	In short, Server and Firewall should allow traffic from
the clients to come via both interfaces. rp_filter=1 allows
the traffic to come only from one interface. rp_filter_mask
extends the allowed devices according to the medium_id values and
routes. Note that rp_filter controls both ARP and IP.

	If you decide on using the above features then you have to
mark each hub with a specific medium_id value and then set the
medium_id value and rp_filter_mask for each interface to allow
traffic from both mediums.

> I want clients1 to be able to reach eth2 on server [128.187.2.1] if eth1 on
> Server goes down and vice versa.

	If you need failover then we come to other features:

http://www.linuxvirtualserver.org/~julian/#routes

	You need to use alternative routes for the local networks,
IMO both on Server and Firewall. In short, these 2 boxes will
have two routes for the remote subnet, one for each device. The
patches will do passive failover by inspecting the ARP state
for all neighbours. If one NIC fails it will be noticed and the
alternative route will be used. There are so many variations for
the settings so I only can recommend you to read the docs provided
on the above URLs. You are just starting ... :)

> Does this explain better.

	Better - yes, enough - no :) Welcome to the world of
advanced routing :) There are not many ways to build a working setup
but there are a huge number of settings that can break it :)

Regards

--
Julian Anastasov <ja@ssi.bg>
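
Added example, not part of the thread or any poster's code: a small Python model of the strict reverse-path check (rp_filter=1) raised in the reply above, run over the addresses from the diagram. The server's routing table (only its two connected /16 routes, eth1 listed first), the first-listed tie-break between equal prefixes and the client address 128.187.3.10 are assumptions.

```python
import ipaddress

def best_route(routes, addr):
    """Longest-prefix match; among equal prefixes the first listed wins (assumed)."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        # strict=False: 128.187.1.0/16 and 128.187.2.0/16 both mean 128.187.0.0/16
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def rp_filter_accepts(routes, src, in_dev, rp_filter=1):
    """Strict reverse-path check: accept only if the route back to src uses in_dev."""
    if rp_filter == 0:
        return True
    return best_route(routes, src) == in_dev

# Constructed tables built from the addresses and commands quoted in the thread.
FIREWALL = [
    ("128.187.3.0/24", "eth1"),
    ("128.187.4.0/24", "eth2"),
    ("128.187.1.1/32", "eth1"),  # ip route replace 128.187.1.1 dev eth1
    ("128.187.2.1/32", "eth2"),  # ip route replace 128.187.2.1 dev eth2
]
# Assumption: the server has only its two connected routes, eth1 first.
SERVER = [
    ("128.187.1.0/16", "eth1"),
    ("128.187.2.0/16", "eth2"),
]

def trace_ping(client, fw_in, server_in, rp_filter):
    """Return the boxes whose reverse-path check drops the echo request."""
    hops = [
        ("firewall", rp_filter_accepts(FIREWALL, client, fw_in, rp_filter)),
        ("server", rp_filter_accepts(SERVER, client, server_in, rp_filter)),
    ]
    return [name for name, accepted in hops if not accepted]

if __name__ == "__main__":
    # clients1 host pinging 128.187.2.1: in via firewall eth1, reaches server eth2
    for rpf in (1, 0):
        dropped = trace_ping("128.187.3.10", "eth1", "eth2", rpf)
        print(f"rp_filter={rpf}: dropped at {dropped or 'nowhere'}")
```

In this model the request is dropped on the server when rp_filter=1, because the route back to the client points at eth1 while the packet arrived on eth2; `tcpdump` on both server interfaces is the way to confirm whether the real boxes behave the same.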

