* Re: [LARTC] routing problem
2002-03-05 3:55 [LARTC] routing problem suresh
@ 2002-03-05 17:28 ` Ard van Breemen
2002-03-06 6:44 ` suresh
` (19 subsequent siblings)
20 siblings, 0 replies; 22+ messages in thread
From: Ard van Breemen @ 2002-03-05 17:28 UTC (permalink / raw)
To: lartc
On Tue, Mar 05, 2002 at 09:25:58AM +0530, suresh wrote:
> I have a routing problem using Adv Routing.
> Let me explain with the exact flow of packets from my LAN to the INTERNET.
>
>                 I N T E R N E T
>                   /         \
>        -------------       -------------
>        |  a.b.c.e  |       |  w.x.y.u  |
>        |  router1  |       |  router2  |
>        -------------       -------------
>                \               /
>                 \             /
>                  \           /
>                  -----------
>                  |  Switch |
>                  -----------
>                       |
>                       |
>                       |
>                     eth1     eth1    a.b.c.d  gw a.b.c.e
>                  --------------     eth1:0  w.x.y.z  gw w.x.y.u
>                  |            |
>                  |   linux    |
>                  |            |
>                  --------------     eth0    172.16.1.1
>                     eth0            eth0:0  192.168.1.1
>                       |
>                       |
Rephrased: eth0 is local, eth1 is internet?
eth0: 172.16.1.1/24 and 192.168.1.1/24
eth1: w.x.y.z/28 and a.b.c.d/28
> I want to forward all packets from the 172.16.1.0/24 network to router1
> and from the 192.168.1.0/24 network to router2.
>
> In the linux box I am doing advanced routing and iptables.
> Here I am using iptables just for masquerading;
> the rules are:
> #/sbin/iptables -t nat -A POSTROUTING -o eth0 -p icmp --icmp-type ping -s 0/0 -d 0/0 -j MASQUERADE
> #/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 0/0 -d 0/0 -j MASQUERADE
So you are really masquerading internet traffic, so that traffic from
the internet looks like local traffic?
Don't you mean:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -p icmp --icmp-type ping -s 0/0 -d 0/0 -j MASQUERADE
In other words: icmp traffic going to the internet should be masqueraded?
But now for the next thing in problem solving:
1) flush your iptables.
2) start these:
tcpdump -n -e -i eth0
tcpdump -n -e -i eth1
3) ping from the 192.168.1.0 network a few times (it will not be answered).
Watch the outgoing traffic on eth1
4) ping from the 172.16.1.0 network a few times.
Watch the outgoing traffic on eth1
At this point it should start sending the icmp request to the different
routers. The *only* way to notice this is the mac address to which it
is sent!
If that is correct, then your ip stuff is correct. Your next target is
the iptables.
Enter this:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -p icmp --icmp-type ping -s 0/0 -d 0/0 -j MASQUERADE
And try the pings again. Watch the mac, and the ip addresses.
You will see that masqueraded packets "arrive" two times at the interface,
once masqueraded, and once demasqueraded.
If one of these steps does not do as I say, please cut and paste your
terminal output.
(That means tcpdumps etc...)
--
<ard@telegraafnet.nl> Telegraaf Elektronische Media http://wwwijzer.nl
http://leerquoten.monster.org/ http://www.faqs.org/rfcs/rfc1855.html
Let your government know you value your freedom. Sign the petition:
http://petition.eurolinux.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
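An added example (not part of Ard's message or of the LARTC HOWTO) of the check in steps 3 and 4 above, done on a saved capture instead of by eye: it parses `tcpdump -n -e` output and reports which next-hop MAC each internal network's echo requests were sent to. The capture lines, the router MAC addresses and the 203.0.113.5 ping target are constructed for this example, and the line format is the one a current tcpdump prints with -n -e, not the 2002 version's.

```python
# Added example, not code from the LARTC thread: a check over `tcpdump -n -e`
# output for Ard's steps 3 and 4, grouping outgoing echo requests on the
# internet interface by source network and reporting the next-hop MAC each
# network was sent to.  The capture lines, the router MACs and the line
# format (what a current tcpdump prints with -n -e) are all constructed.
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Expected next hop per internal network, from the thread: 172.16.1.0/24 should
# leave via router1, 192.168.1.0/24 via router2.  The MACs are constructed.
ROUTER1_MAC = "00:50:56:ee:ee:01"
ROUTER2_MAC = "00:50:56:ee:ee:02"
EXPECTED_NEXT_HOP = {
    ip_network("172.16.1.0/24"): ROUTER1_MAC,
    ip_network("192.168.1.0/24"): ROUTER2_MAC,
}

# Fields of a `tcpdump -n -e` line for an IPv4 ICMP echo request.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request"
)

# Constructed capture from `tcpdump -n -e -i eth1` with iptables flushed, so
# the private source addresses are still visible.  The last line is a reply
# and is ignored by the check.
CAPTURE = """\
17:28:01.000001 00:50:56:aa:bb:01 > 00:50:56:ee:ee:01, ethertype IPv4 (0x0800), length 98: 172.16.1.10 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
17:28:01.100001 00:50:56:aa:bb:01 > 00:50:56:ee:ee:01, ethertype IPv4 (0x0800), length 98: 172.16.1.11 > 203.0.113.5: ICMP echo request, id 2, seq 1, length 64
17:28:02.000001 00:50:56:aa:bb:01 > 00:50:56:ee:ee:02, ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 203.0.113.5: ICMP echo request, id 3, seq 1, length 64
17:28:02.100001 00:50:56:aa:bb:01 > 00:50:56:ee:ee:01, ethertype IPv4 (0x0800), length 98: 192.168.1.11 > 203.0.113.5: ICMP echo request, id 4, seq 1, length 64
17:28:03.000001 00:50:56:ee:ee:01 > 00:50:56:aa:bb:01, ethertype IPv4 (0x0800), length 98: 203.0.113.5 > 172.16.1.10: ICMP echo reply, id 1, seq 1, length 64
"""


def next_hop_macs(capture):
    """Return {network: sorted destination MACs seen} for outgoing echo requests."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # replies, ARP, non-ICMP: not part of this check
        src = ip_address(m["src"])
        for net in EXPECTED_NEXT_HOP:
            if src in net:
                seen[str(net)].add(m["dmac"])
    return {net: sorted(macs) for net, macs in seen.items()}


def misrouted(capture):
    """Networks whose echo requests went to a MAC other than their expected router."""
    expected = {str(net): mac for net, mac in EXPECTED_NEXT_HOP.items()}
    return {
        net: [mac for mac in macs if mac != expected[net]]
        for net, macs in next_hop_macs(capture).items()
        if any(mac != expected[net] for mac in macs)
    }


if __name__ == "__main__":
    for net, macs in next_hop_macs(CAPTURE).items():
        print(net, "->", ", ".join(macs))
    print("misrouted:", misrouted(CAPTURE))
```

On a real box, feed the saved output of `tcpdump -n -e -i eth1` to next_hop_macs(). In the constructed sample one host on 192.168.1.0/24 is sent to router1's MAC while the IP headers look identical for every packet, which is the point Ard makes: the only place the routing decision shows is the destination MAC.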
* Re: [LARTC] routing problem
From: suresh @ 2002-03-06 6:44 UTC (permalink / raw)
To: lartc
Hello Ard,
Thanks for your guide, now it's working.
Suresh
* [LARTC] Routing problem
From: Mauro Cerboni @ 2002-11-20 17:31 UTC (permalink / raw)
To: lartc
Hi everybody,
I have 3 routers (Linux boxes with Red Hat 8.0 server), with iproute2 and ip_forward activated; they are linked together in this way:
AP1------Router1---------Router2----------Router3---------AP2
AP1 and AP2 are WLAN 802.11b Cisco Aironet 350 access points.
I can't ping AP2 from Router1 and Router2, or AP1 from Router3 and Router2.
Replacing one of the APs with a laptop connected to Router1 or Router3 has no effect.
The routing tables seem correct.
Router1 and Router3 can ping each other, so Router2 seems to route correctly.
The dotted lines above are 4 different subnets.
Any suggestion would be of great help!
Jhonatan
* Re: [LARTC] Routing problem
From: Jose Luis Domingo Lopez @ 2002-11-22 0:03 UTC (permalink / raw)
To: lartc
On Wednesday, 20 November 2002, at 18:31:42 +0100,
Mauro Cerboni wrote:
> I have 3 routers (Linux boxes with Red Hat 8.0 server), with iproute2 and ip_forward activated; they are linked together in this way:
>
> AP1------Router1---------Router2----------Router3---------AP2
>
> The routing tables seem correct.
>
But the symptoms you describe seem to tell the opposite :-(
> Router1 and Router3 can ping each other,
>
Router1 and Router2 share a network segment, as do Router2 and
Router3. So as Router2 seems to be forwarding packets, and it has routes
to its directly connected networks (shared with Router1 and Router3), the
communication between Router1 and Router3 works.
My guess is a wrong configuration of routing tables. Maybe you could try
traceroute to see if packets reach the other end, or they get lost at
some point. It wouldn't be unusual for the packets to reach the
destination, but be unable to return to the source, so check the routing
tables and follow the path the packets would travel.
Hope it helps.
--
Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Woody (Linux 2.4.19-pre6aa1)
* RE: [LARTC] Routing problem
From: George J. Jahchan, Eng. @ 2002-11-22 0:32 UTC (permalink / raw)
To: lartc
Mauro,
Unless both Aironets have routes to each other (either default or static) they cannot communicate, and AFAIK, the Aironets are layer-2 devices with no routing capabilities. Wireless hosts behind AP1 should be able to communicate with wireless hosts behind AP2 though. Just make sure hosts at both ends have appropriate routes to each other.
* [LARTC] ROUTING Problem
From: Andre Lorenz @ 2002-12-17 16:53 UTC (permalink / raw)
To: lartc
hello,
(sorry for my bad english)
        1,5 Mbit               2 Mbit
          www                    www
           |                      |
    +---------------------------+
    |         LINUX Box         |----- DMZ
    +---------------------------+
                  |
                 LAN
Most of the clients in the LAN are connected to the 1,5 Mbit connection
and some are connected to the 2 Mbit connection.
The linux box has 4 network adapters.
Problem:
The clients which are routed to the 2 Mbit connection can't access the DMZ.
You can connect to the DMZ from all other routes.
The routes are defined as follows:
default --> 1,5 Mbit
table fast
    default -> 2mbit
clientXX lookup table fast
dmz-Network lookup table fast
Where have I made a mistake?
I've tried to solve it with fw-mark but there is the same problem.
Thanks for your help.
With friendly regards,
Andre
* [LARTC] Routing problem
From: gaston @ 2003-09-05 16:12 UTC (permalink / raw)
To: lartc
                 Internet
                     |
                     |
             ________|________
            |                 |
            |   Cisco 2600    |
            | IP: 208.53.98.254
            |_________________|
                     |
                     |
                     |
             ________|________
            |                 |
            |    Switch 1     |
            |_________________|
                     |
                     |
      ETH0 ---> IP: 208.53.98.198   Net 208.53.98.0/25
             ________|________
            |                 |
            |      Linux      |
            |_________________|
                     |
      ETH1 ---> IP: 208.53.164.254  Net 208.53.164.0/24
                     |
                     |
             ________|________
            |                 |
            |    Switch 2     | ------ Clients
            |_________________|
Red Hat Linux 9
Kernel: 2.4.20-8
I used the traditional routing config (without iproute2)
Routing table:
Destination     Gateway         Genmask          Flags  Metric  Iface
208.53.98.128   0.0.0.0         255.255.255.128  U      0       eth0
208.53.164.0    0.0.0.0         255.255.255.0    U      0       eth1
169.254.0.0     0.0.0.0         255.255.0.0      U      0       eth1
127.0.0.0       0.0.0.0         255.0.0.0        U      0       lo
0.0.0.0         208.53.98.254   0.0.0.0          UG     0       eth0
Cisco 2600 config:
ip route 208.53.164.0 255.255.255.0 208.53.98.198
Problem:
This configuration didn't work. From the clients network (208.53.164.0) I
could only reach the Cisco router but was unable to reach Internet.
The only quick solution was to connect Switch 1 with Switch 2.
Any ideas why this didn't work?
* Re: [LARTC] Routing problem
From: Damion de Soto @ 2003-09-07 23:03 UTC (permalink / raw)
To: lartc
gaston wrote:
> Problem:
> This configuration didn't work. From the clients network (208.53.164.0) I
> could only reach the Cisco router but was unable to reach Internet.
>
> The only quick solution was to connect Switch 1 with Switch 2.
> Any ideas why this didn't work?
did you have IP forwarding enabled and the appropriate iptables rules on the linux box ?
for pure routing:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
If you've already done that, where does a traceroute from the clients' network
(208.53.164.0) go? Does it try to go through 208.53.164.254?
Does it go anywhere after that?
good luck.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer email: damion@snapgear.com
SnapGear --- ph: +61 7 3435 2809
| Custom Embedded Solutions fax: +61 7 3891 3630
| and Security Appliances web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Re: [LARTC] Routing problem
From: Ronny Aasen @ 2003-09-08 6:41 UTC (permalink / raw)
To: lartc
On Mon, 2003-09-08 at 01:03, Damion de Soto wrote:
> gaston wrote:
> > Problem:
> > This configuration didn't work. From the clients network (208.53.164.0) I
> > could only reach the Cisco router but was unable to reach Internet.
> >
> > The only quick solution was to connect Switch 1 with Switch 2.
> > Any ideas why this didn't work?
>
> did you have IP forwarding enabled and the appropriate iptables rules on the linux box ?
> for pure routing:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> If you already done that, where does a traceroute from the clients' network
> (208.53.164.0) go ? does it try to go through 208.53.164.254?
> does it go anywhere after ?
In addition, was the cisco aware that the route to
208.53.164.0/24 was through the linux box?
Post the routing table from the cisco also.
still good luck
--
Ronny Aasen <list@datapart-as.no>
* Re: [LARTC] Routing problem
From: gaston @ 2003-09-08 14:46 UTC (permalink / raw)
To: lartc
Well, I don't think it's the cisco's problem. I think there is something
wrong with my linux routing config; here it is:
/proc/sys/net/ipv4
icmp_echo_ignore_all:0
icmp_echo_ignore_broadcasts:0
icmp_ignore_bogus_error_responses:0
icmp_ratelimit:100
icmp_ratemask:6168
igmp_max_memberships:20
inet_peer_gc_maxtime:120
inet_peer_gc_mintime:10
inet_peer_maxttl:600
inet_peer_minttl:120
inet_peer_threshold:65664
ip_autoconfig:0
ip_conntrack_max:32656
ip_default_ttl:64
ip_dynaddr:0
ip_forward:1
ipfrag_high_thresh:262144
ipfrag_low_thresh:196608
ipfrag_time:30
ip_local_port_range:32768 61000
ip_nonlocal_bind:0
ip_no_pmtu_disc:0
tcp_abort_on_overflow:0
tcp_adv_win_scale:2
tcp_app_win:31
tcp_dsack:1
tcp_ecn:0
tcp_fack:1
tcp_fin_timeout:60
tcp_frto:0
tcp_keepalive_intvl:75
tcp_keepalive_probes:9
tcp_keepalive_time:7200
tcp_max_orphans:16384
tcp_max_syn_backlog:1024
tcp_max_tw_buckets:180000
tcp_mem:97280 97792 98304
tcp_orphan_retries:0
tcp_reordering:3
tcp_retrans_collapse:1
tcp_retries1:3
tcp_retries2:15
tcp_rfc1337:0
tcp_rmem:4096 87380 174760
tcp_sack:1
tcp_stdurg:0
tcp_synack_retries:5
tcp_syncookies:0
tcp_syn_retries:5
tcp_timestamps:1
tcp_tw_recycle:0
tcp_tw_reuse:0
tcp_window_scaling:1
tcp_wmem:4096 16384 131072
/proc/sys/net/ipv4/conf/ethX
accept_redirects:1
accept_source_route:1
arp_filter:0
bootp_relay:0
forwarding:1
log_martians:0
mc_forwarding:0
medium_id:0
proxy_arp:0
rp_filter:1
secure_redirects:1
send_redirects:1
shared_media:1
tag:0
-----Original Message-----
From: Ani <an2rhyme@yahoo.com>
To: gaston <gaston@steel.com.ar>
Date: Sat, 6 Sep 2003 03:07:14 -0700 (PDT)
Subject: Re: [LARTC] Routing problem
> If you are able to reach the cisco router from your client machine (but not
> outside), then it's the cisco configuration you need to check... send the
> cisco config and we can get back to you.
* Re: [LARTC] Routing problem
From: gaston @ 2003-09-09 13:59 UTC (permalink / raw)
To: lartc
> in addition, was the cisco aware that the route to
> 208.53.164.0/24 was thru the linux ?
>
> post the routing table from the cisco also.
Yes, the cisco knows that everything going to the net 208.53.164.0 goes
through the linux.
I did a traceroute from one of the clients to cisco's website ip:
1st hop --> 208.53.164.254
2nd hop --> Time out
3d --> Time out
and so on
While doing this I sniffed with ethereal:
source          dest
208.53.164.2    208.53.98.254 (dns)    standard query ptr
208.53.164.2    208.53.98.254 (dns)    destination unreachable
208.53.164.2    198.133.219.25         echo ping request
* [LARTC] routing problem
From: Meretei Balázs @ 2003-11-10 12:29 UTC (permalink / raw)
To: lartc
I got a problem with IP aliasing.
I've an interface (eth0) and its address (e.g. 195.150.0.11) routed through 195.150.0.1.
I made an alias 193.144.0.11 too (eth0:1),
but I have to route the second subnet through another router (193.144.0.1).
The main problem is that I cannot make two default routes...
I don't really know what to do in this case.
 ----------
 |        | eth0   (195.150.0.11)----------------[router: 195.150.0.11]-------------INET
 |        | eth0:1 (193.144.0.11)---------------[router: 193.144.0.11]-------------INET
 ----------
======================
Meretei Balázs
noxy@icw.hu
* Re: [LARTC] routing problem
From: Damion de Soto @ 2003-11-10 23:55 UTC (permalink / raw)
To: lartc
Meretei Balázs wrote:
> I've an interface (eth0) and its address (eg. 195.150.0.11) routed
> throught 195.150.0.1
> I made an alias 193.144.0.11 too (eth0:1)
> but I have to route the second subnet trought an other router (193.144.0.1)
I'm pretty sure you need source-based routing here. (or is that policy-based ?)
you setup 2 routing tables, and then make rules that say packets from 195.150.0.0 go
into one (which has a default gateway of 195.150.0.1) and packets from the other
network go into the second routing table, with a gw of 193.144.0.1
take a look at:
http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE
and maybe:
http://linux-ip.net/html/ch-routing.html
http://linux-ip.net/gl/ip-cref/
it's pretty easy once you work out what needs to happen.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer email: damion@snapgear.com
SnapGear --- ph: +61 7 3435 2809
| Custom Embedded Solutions fax: +61 7 3891 3630
| and Security Appliances web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---
* Re: [LARTC] routing problem
From: Martin A. Brown @ 2003-11-11 4:22 UTC (permalink / raw)
To: lartc
Meretei,
: I've an interface (eth0) and its address (eg. 195.150.0.11) routed
: throught 195.150.0.1 I made an alias 193.144.0.11 too (eth0:1) but I
: have to route the second subnet trought an other router (193.144.0.1)
:
: the main problem is, that I cannot make two default routes... I dont
: know really what to in this case
Damion was correct when he suggested that policy routing would be a good
solution for you. He suggested reading lartc.org [0] and also a chapter
in my (incomplete) book; the chapter on routing [1]. Together these two
resources should give you a good idea of how the solution works. Policy
routing leverages multiple routing tables and a policy database. The
lookups in the policy database select the routing table to apply for a
particular packet. With a careful design of your routing tables, you can
easily have two or more default routes, depending on the characteristics
of the outbound packet.
: +--------+
: | linux | eth0 (195.150.0.11) -- [router: 195.150.0.1] -- INET
: | router | eth0:1 (193.144.0.11) -- [router: 193.144.0.1] -- INET
: +--------+
I assume that you are only showing us the networks connected to this
router, and that there are no others. If that is the case, then my
following statements hold.
For you, the pitfall and difficulty will likely have more to do with
ensuring that the packets are sourced from the correct IP. This will be
trivial if you are running servers on 195.150.0.11 and 193.144.0.11, but
may be more difficult if you are trying to select outbound path from
userspace. This could depend on your application supporting the call to
bind to a particular IP.
In particular, you'll want to examine the kernel's rules for selecting a
source IP if it is not specified by the application [2].
If eth0 is your preferred link, then this should work for you as a
starting point:
echo secondary >> /etc/iproute2/rt_tables
ip rule add from 193.144.0.11 table secondary
ip route flush table secondary
ip route show table main | while read ROUTE ; do
    ip route add table secondary $ROUTE
done
ip route change default table secondary via 193.144.0.1
One other note. The use of the term IP aliasing is archaic and
deprecated. The command "ifconfig" displays "aliased" interfaces with
the old-style name "eth0:0", when, in fact, there is no such thing as an
alias under Linux. This is immediately obvious when using the "ip
address" command line tool to list addresses associated with a particular
interface.
-Martin
[0] http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE
[1] http://linux-ip.net/html/ch-routing.html
[2] http://linux-ip.net/gl/ip-cref/node155.html
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
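An added example (not from Martin's message, his book or the LARTC HOWTO) that models the rule-then-table lookup Damion and Martin describe, so the effect of each line in Martin's recipe can be checked without a root shell. The addresses are Meretei's; the rule priorities, the /24 prefix length of both subnets and the omission of the kernel's local table are assumptions made for the model.

```python
# Added example, not code from the LARTC thread or from Martin's book: a toy
# model of the Linux policy routing database (RPDB) to show what Martin's
# recipe does.  Rule priorities (1000 for the "from" rule, 32766 for main)
# and the /24 prefix lengths for both subnets are assumptions; the addresses
# are the ones in the thread.  The "local" table and route metrics are
# left out of the model.
from ipaddress import ip_address, ip_network


class RoutingTable:
    """One kernel routing table: longest-prefix match over its routes."""

    def __init__(self):
        self.routes = []  # (network, gateway-or-None, device)

    def add(self, prefix, dev, via=None):
        self.routes.append((ip_network(prefix), via, dev))

    def change_default(self, via, dev):
        # `ip route change default table secondary via 193.144.0.1`
        self.routes = [r for r in self.routes if r[0].prefixlen != 0]
        self.add("0.0.0.0/0", dev, via)

    def lookup(self, dst):
        matches = [r for r in self.routes if ip_address(dst) in r[0]]
        if not matches:
            return None  # nothing here: the RPDB moves on to the next rule
        net, via, dev = max(matches, key=lambda r: r[0].prefixlen)
        return {"via": via, "dev": dev}


class PolicyRouter:
    """Rules ordered by priority; each selects a table to try for the packet."""

    def __init__(self):
        self.tables = {"main": RoutingTable()}
        self.rules = []  # (priority, source selector or None, table name)

    def rule_add(self, priority, table, src=None):
        self.rules.append((priority, ip_network(src) if src else None, table))
        self.rules.sort(key=lambda r: r[0])

    def route(self, src, dst):
        for _, selector, table in self.rules:
            if selector is not None and ip_address(src) not in selector:
                continue
            hit = self.tables[table].lookup(dst)
            if hit is not None:
                return dict(hit, table=table)
        return None  # no table answered: "network is unreachable"


def build_meretei_router(copy_main=True):
    """Meretei's box with Martin's recipe applied.

    copy_main=True mirrors Martin's loop that copies every route from
    `main` into `secondary` before replacing the default route; False
    shows what happens when that step is skipped.
    """
    r = PolicyRouter()
    main = r.tables["main"]
    main.add("195.150.0.0/24", "eth0")               # eth0 primary address
    main.add("193.144.0.0/24", "eth0")               # the eth0:1 address
    main.add("0.0.0.0/0", "eth0", via="195.150.0.1")
    secondary = RoutingTable()
    if copy_main:
        for net, via, dev in main.routes:            # the `while read ROUTE` loop
            secondary.add(str(net), dev, via)
    secondary.change_default("193.144.0.1", "eth0")
    r.tables["secondary"] = secondary
    r.rule_add(32766, "main")                          # kernel's default rule
    r.rule_add(1000, "secondary", src="193.144.0.11")  # ip rule add from ...
    return r


if __name__ == "__main__":
    r = build_meretei_router()
    for src in ("195.150.0.11", "193.144.0.11"):
        print(src, "->", r.route(src, "203.0.113.5"))
    print("same subnet, without the copy:",
          build_meretei_router(copy_main=False).route("193.144.0.11", "193.144.0.20"))
```

The copy_main switch is the point of the model: the secondary table has to carry the directly connected routes as well as its own default. Without them every packet sourced from 193.144.0.11 matches the rule, finds only the default route, and even traffic for 193.144.0.0/24 itself is handed to the gateway instead of being delivered on eth0.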
* [LARTC] Routing problem
From: huffo @ 2004-04-06 11:09 UTC (permalink / raw)
To: lartc
Hi,
I have one firewall/gateway server with two interfaces and a routing
problem (?).
eth0: external interface
eth1: internal interface. Both IP addresses are valid.
Services like DNS and HTTP are configured to run using the eth1 IP address.
The problem is that when I try to connect from the internet to the firewall, I can't see
the eth1 IP address... only the eth0 IP address.
So, when I try to connect to the web server or transfer zones to slave DNS
servers, the connection fails (they cannot see eth1). Nothing that runs on
the eth1 IP address works for people outside my local network.
My local network is working fine, because it can see eth1, and has a masquerade
rule to make a transparent proxy.
If I'm connected to the firewall, I can see everything.
I disabled all firewall rules to make tests... no results.
Can anyone help me find where the problem is? I think it's a routing
problem, but I don't know where it is...
Thanks in advance,
Pereira
* Re: [LARTC] Routing problem
From: huffo @ 2004-04-06 12:28 UTC (permalink / raw)
To: lartc
Of course. IP_FORWARDING has been enabled for a long time.
Pereira.
* Re: [LARTC] Routing problem
From: Damion de Soto @ 2004-04-06 23:32 UTC (permalink / raw)
To: lartc
Hi Pereira,
> I have one firewall/gateway server with two interfaces and a routing
> problem (?).
>
> eth0: external interface
> eth1: internal interface. Both IP addresses are valid.
> Can anyone help me find where the problem is? I think it's a routing
> problem, but I don't know where it is...
Has your ISP placed routing entries for the eth1 IP via the eth0 IP?
Are they on the same subnets?
If you do a traceroute from the Internet, you should see your hops hit eth0
(and then, if everything was working, hit eth1).
> Of course. IP_FORWARDING has been enabled for a long time.
I assume you've also turned it on in /proc/sys/net/ipv4/ip_forward?
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer email: damion@snapgear.com
SnapGear - A CyberGuard Company --- ph: +61 7 3435 2809
| Custom Embedded Solutions fax: +61 7 3891 3630
| and Security Appliances web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---
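Damion's questions split into a half you can check on the box and a half only the upstream can answer. The script below is an added example, not code from the thread, for the local half: given `ip route show` output it confirms that the default route leaves through the external interface and that the second prefix is connected on the internal one. The routing table and the addresses in it (203.0.113.0/29 on eth0, 198.51.100.0/24 on eth1) are constructed for the example. If this passes and `cat /proc/sys/net/ipv4/ip_forward` prints 1, the remaining suspect is upstream: without a route for the eth1 prefix pointing at the eth0 address, a traceroute from outside stops at the ISP's router, which is the symptom Damion describes. Announcing the prefix with a routing protocol, as huffo eventually did with gated and RIP, is one way to get that route installed.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks the local routing table of
# a two-interface gateway the way Damion's questions imply. SAMPLE_ROUTES is
# a constructed `ip route show` dump using documentation addresses; on a real
# box use: routes=$(ip route show)

SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
203.0.113.0/29 dev eth0 proto kernel scope link src 203.0.113.2
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.1'

# route_dev ROUTES PREFIX -> interface a prefix ("default" or a CIDR) leaves through
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# route_src ROUTES PREFIX -> preferred source address of a connected prefix
route_src() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# gateway_routes_ok ROUTES EXT_DEV INT_DEV INT_PREFIX
# succeeds when the default route leaves via EXT_DEV and INT_PREFIX is
# connected on INT_DEV. If this fails the box itself cannot answer for
# INT_PREFIX, whatever the ISP has configured.
gateway_routes_ok() {
    [ "$(route_dev "$1" default)" = "$2" ] && [ "$(route_dev "$1" "$4")" = "$3" ]
}

# Walk the sample. Passing here only proves the local half; the ISP still
# needs a route for INT_PREFIX via the eth0 address, and a traceroute from
# outside that dies at the ISP's router is the symptom of that route missing.
if gateway_routes_ok "$SAMPLE_ROUTES" eth0 eth1 198.51.100.0/24; then
    echo "local routes fine: default via $(route_dev "$SAMPLE_ROUTES" default)," \
         "198.51.100.0/24 on $(route_dev "$SAMPLE_ROUTES" 198.51.100.0/24)" \
         "(src $(route_src "$SAMPLE_ROUTES" 198.51.100.0/24))"
    echo "next: from outside, traceroute $(route_src "$SAMPLE_ROUTES" 198.51.100.0/24)"
else
    echo "local routing table is wrong; fix it before looking upstream"
fi
```

On a real box replace SAMPLE_ROUTES with `"$(ip route show)"` and the interface names and prefix with your own; the functions only read the table and change nothing.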
* Re: [LARTC] Routing problem
From: huffo @ 2004-04-07 1:16 UTC (permalink / raw)
To: lartc
I installed gated to resolve my routing problem. It was a RIP problem.
Thanks a lot,
Mauricio.
* Re: [LARTC] Routing problem
From: huffo @ 2004-04-07 1:26 UTC (permalink / raw)
To: lartc
Does anyone know of a PDF, text or HTML document that explains how /etc/gateway or gated.conf
works?
I installed gated, configured rip1 and now it is working, but I want to know
everything about it...
Thanks for any help,
* [LARTC] Routing Problem
From: Javier A Toledano @ 2006-12-12 13:07 UTC (permalink / raw)
To: lartc
Routing Problem

                            Internet
                               |
                    DSL Router with NAT enabled
                         192.168.93.2/24
                               |
                       192.168.93.1/24 (eth1)
                               |
  10.0.0.1 (host) ---- 10.0.0.25/8 (eth0) -- Linux multihomed router
                               |
                       192.168.10.2/24 (eth2)
                               |
                       192.168.10.49 (host)
The Linux box is running CentOS 4.2. I have 3 Ethernet cards: eth1
(Davicom Semiconductor, Inc. 21x4x DEC-Tulip compatible), eth0 (VIA
Technologies, Inc. VT6105 Rhine III) and
eth2 (Intel Corporation 82547Gi Gigabit Ethernet Controller).
I don't have any iptables rules applied to the kernel.
The content of sysctl.conf is below:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
The problem is that forwarding is enabled, but when I try to probe
connectivity from a host in the 10.0.0.0 net, e.g. 10.0.0.1, making an
echo request
to a host in the 192.168.10.0 net, e.g. 192.168.10.49, the ICMP packets
arrive at the Linux box (interface eth0) but don't traverse it.
After I initiate an echo request from 192.168.10.49 to 10.0.0.1, the
packets initiated in the 10.0.0.0 net start to traverse the router
magically.
It seems that it needs a packet from the 192.168.10.0 net to start working.
I would appreciate any idea.
Thanks in advance.
Javier Toledano
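The sysctl.conf above sets only `net.ipv4.conf.default.*`. Those values are copied into an interface when it is created and are not applied to interfaces that already exist, so what an interface actually runs with is its own `conf.<dev>` value combined with `conf.all` (for rp_filter the kernel uses the larger of the two, per Documentation/networking/ip-sysctl.txt; older 2.6 kernels combined them differently, but `default` is not consulted for a live interface on any of them). The script below is an added example rather than anything from the thread: it reads a `sysctl -a` style dump and reports what each interface is really using. The dump is constructed for the example and is not Javier's box. On the security side, rp_filter is the kernel's source-address validation; on a multihomed router with asymmetric paths the usual compromise is loose mode (value 2, available since 2.6.31) on the affected interface rather than 0 everywhere.

```sh
#!/bin/sh
# Added example, not code from the thread. Reads a `sysctl -a` style dump and
# reports what the kernel actually applies per interface. SAMPLE_SYSCTL is a
# constructed excerpt, not Javier's box; on a real box use:
#   dump=$(sysctl -a 2>/dev/null)

SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 1'

# sysctl_value DUMP KEY -> value of KEY, empty if the key is absent
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $3; exit }'
}

forwarding_enabled() {
    [ "$(sysctl_value "$1" net.ipv4.ip_forward)" = 1 ]
}

# effective_rp_filter DUMP DEV -> the value the kernel uses on DEV: the
# larger of conf.all and conf.DEV (Documentation/networking/ip-sysctl.txt).
# conf.default plays no part once the interface exists.
effective_rp_filter() {
    a_val=$(sysctl_value "$1" net.ipv4.conf.all.rp_filter)
    d_val=$(sysctl_value "$1" "net.ipv4.conf.$2.rp_filter")
    a_val=${a_val:-0}; d_val=${d_val:-0}
    if [ "$a_val" -gt "$d_val" ]; then echo "$a_val"; else echo "$d_val"; fi
}

# drift_from_default DUMP KEY -> interfaces whose live KEY differs from
# conf.default.KEY, i.e. the ones a `default` line in sysctl.conf will not
# change while they are up (sorted, one per line)
drift_from_default() {
    printf '%s\n' "$1" | awk -v k="$2" '
        {
            n = split($1, p, "[.]")
            if (n != 5 || p[3] != "conf" || p[5] != k) next
            if (p[4] == "default") def = $3
            else if (p[4] != "all") live[p[4]] = $3
        }
        END { for (i in live) if (live[i] != def) print i }' | sort
}

forwarding_enabled "$SAMPLE_SYSCTL" && echo "ip_forward on" || echo "ip_forward off"
for dev in eth0 eth1 eth2; do
    echo "$dev: effective rp_filter $(effective_rp_filter "$SAMPLE_SYSCTL" "$dev")"
done
echo "not matching default.rp_filter: $(drift_from_default "$SAMPLE_SYSCTL" rp_filter | tr '\n' ' ')"
echo "not matching default.accept_source_route: $(drift_from_default "$SAMPLE_SYSCTL" accept_source_route | tr '\n' ' ')"
```

With the constructed dump, eth0 and eth1 keep rp_filter 1 despite `default.rp_filter = 0`, and eth0 still accepts source-routed packets despite `default.accept_source_route = 0`; that is the gap between what the file says and what the interfaces do.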
* Re: [LARTC] Routing Problem
From: Taylor, Grant @ 2006-12-13 15:05 UTC (permalink / raw)
To: lartc
Javier A Toledano wrote:
> Routing Problem
<snip>
> The problem is that forwarding is enabled, but when I try to probe
> connectivity from a host in the 10.0.0.0 net, e.g. 10.0.0.1, making an
> echo request
> to a host in the 192.168.10.0 net, e.g. 192.168.10.49, the ICMP packets
> arrive at the Linux box (interface eth0) but don't traverse it.
> After I initiate an echo request from 192.168.10.49 to 10.0.0.1, the
> packets initiated in the 10.0.0.0 net start to traverse the router
> magically.
> It seems that it needs a packet from the 192.168.10.0 net to start working.
>
> I would appreciate any idea.
I'm not a CentOS user so I can not say for sure. However, I would expect
(despite what you say) that there is some sort of iptables stateful
packet inspection going on from your 10/ network to your 192.168/
network. If this is indeed the case and the rule is a basic state of
ESTABLISHED, RELATED, then any traffic from 10/ to 192.168/ AFTER you
sent traffic from 192.168/ to 10/ would be considered RELATED and thus
allowed through.
However, if as you say there are no iptables rules in play at all,
something else is interfering with your traffic; what it would be, I'm
not sure.
Try running iptables-save to make sure that there are absolutely no
rules in effect anywhere.
Grant. . . .
(Reposted to the mailing list rather than directly back to the OP.)
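Grant's iptables-save suggestion, carried through as an added example (not code from the thread): the functions below read an iptables-save dump and answer the two questions his reply raises, whether filter/FORWARD is genuinely policy ACCEPT with no rules, and whether any rule consults connection tracking (`-m state` or `-m conntrack`), which is the kind of rule that admits a direction only after a flow has been opened from the other side. Both dumps are constructed to show the two outcomes; the thread does not include Javier's real rule set. `iptables-save` prints every loaded table, so it also catches nat or mangle rules that a plain `iptables -L` would not show.

```sh
#!/bin/sh
# Added example, not code from the thread. Audits an iptables-save dump for
# the two things Grant's reply turns on: is the FORWARD path really rule-free,
# and is there a state match that lets traffic through only after a flow was
# opened from the other side. Both dumps are constructed; on a real box use:
#   dump=$(iptables-save)

STATEFUL_DUMP='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

EMPTY_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# chain_policy DUMP TABLE CHAIN -> the chain's policy (ACCEPT/DROP)
chain_policy() {
    printf '%s\n' "$1" | awk -v t="$2" -v c="$3" '
        /^\*/ { tbl = substr($0, 2); next }
        tbl == t && $1 == (":" c) { print $2; exit }'
}

# chain_rule_count DUMP TABLE CHAIN -> number of rules appended to CHAIN
chain_rule_count() {
    printf '%s\n' "$1" | awk -v t="$2" -v c="$3" '
        /^\*/ { tbl = substr($0, 2); next }
        tbl == t && $1 == "-A" && $2 == c { n++ }
        END { print n + 0 }'
}

# state_rules DUMP -> every rule that consults connection tracking
state_rules() {
    printf '%s\n' "$1" | grep -E -- '-m (state|conntrack) ' || true
}

# forward_is_wide_open DUMP -> succeeds only when filter/FORWARD has policy
# ACCEPT and no rules at all, which is what "no iptables rules" has to mean
# for a forwarding problem
forward_is_wide_open() {
    [ "$(chain_policy "$1" filter FORWARD)" = ACCEPT ] &&
    [ "$(chain_rule_count "$1" filter FORWARD)" -eq 0 ]
}

audit() {
    echo "== $1"
    echo "filter/FORWARD policy $(chain_policy "$2" filter FORWARD)," \
         "$(chain_rule_count "$2" filter FORWARD) rule(s)"
    if forward_is_wide_open "$2"; then
        echo "forwarding is unfiltered; look elsewhere (routing, ARP, rp_filter)"
    else
        echo "forwarding is filtered; rules that depend on connection state:"
        state_rules "$2" | sed 's/^/  /'
    fi
}

audit "stateful" "$STATEFUL_DUMP"
audit "empty"    "$EMPTY_DUMP"
```

In the stateful dump a flow started from eth2 toward eth0 is accepted by the second rule and creates a conntrack entry, after which packets in the opposite direction match the ESTABLISHED/RELATED rule; anything that arrives first from eth0 falls through to the DROP policy. The empty dump is the state the audit should report before blaming routing.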