Linux Advanced Routing and Traffic Control list
* [LARTC] routing problem
@ 2002-03-05  3:55 suresh
  2002-03-05 17:28 ` Ard van Breemen
                   ` (20 more replies)
  0 siblings, 21 replies; 22+ messages in thread
From: suresh @ 2002-03-05  3:55 UTC (permalink / raw)
  To: lartc

Hello All,

I have a routing problem using Adv Routing.
Let me explain with the exact flow of packets from my LAN to the INTERNET

                I N T E R N E T
                /                     \
    -------------             -------------
    | a.b.c.e      |              | w.x.y.u     |
    |  router1    |              |   router2    |
    -------------             -------------
               \                   /
                \                /
                 \             /
                  -----------
                  |   Switch  |
                  -----------
                       |
                       |
                       |
                      eth1                eth1 a.b.c.d     gw a.b.c.e
                 --------------       eth1:0 w.x.y.z  gw w.x.y.u
                 |                   |
                 |    linux        |
                 |                   |
                 --------------        eth0 172.16.1.1
                    eth0                    eth0:0 192.168.1.1
                        |
                        |

I want to forward all packets from the 172.16.1.0/24 network to router 1
and from the 192.168.1.0/24 network to router2.

On the Linux box I am doing advanced routing and iptables.
Here I am using iptables just for masquerading.
The rules are:
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -p icmp --icmp-type ping -s 0/0 -d  0/0 -j MASQUERADE
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 0/0 -d 0/0 -j MASQUERADE

The Linux box's default gw is w.x.y.u and I added only the following commands:

#echo 200 isp1 >> /etc/iproute2/rt_tables
#ip rule add from 172.16.1.0/24 table isp1
#ip rule ls
0:      from all lookup local
32765:  from 172.16.1.0/24 lookup isp1
32766:  from all lookup main
32767:  from all lookup default

#ip route add default via a.b.c.e dev eth1 table isp1
#ip route flush cache

It is not forwarding packets from 172.16.1.0/24 but works fine for packets
from 192.168.1.0/24.

If I delete the default gw and the ip rule and add a.d.c.e as default gw, then
packets from both networks are forwarded to router1.
#ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:06:5b:38:99:a8 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/24 brd 172.16.1.255 scope global eth0
    inet 192.168.1.1/24 brd 190.190.1.255 scope global eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:06:5b:38:99:a9 brd ff:ff:ff:ff:ff:ff
    inet a.b.c.d/28 brd *.*.*.* scope global eth1
    inet w.x.y.z/28 brd *.*.*.* scope global eth1:0

# ip route
*.*.*.*/28 dev eth1  proto kernel  scope link  src a.b.c.d
*.*.*.*/28 dev eth1  proto kernel  scope link  src w.x.y.z
172.16.1.0/24 dev eth0  proto kernel  scope link  src 172.16.1.1
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
127.0.0.0/8 dev lo  scope link
default via w.x.y.u dev eth0


Thanks
Suresh




_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
@ 2002-03-05 17:28 ` Ard van Breemen
  2002-03-06  6:44 ` suresh
                   ` (19 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Ard van Breemen @ 2002-03-05 17:28 UTC (permalink / raw)
  To: lartc

On Tue, Mar 05, 2002 at 09:25:58AM +0530, suresh wrote:
> I have routing problem using Adv Routing.
> Let me explain with exact flow of packets in my LAN to INTERNET
> 
>                 I N T E R N E T
>                 /                     \
>     -------------             -------------
>     | a.b.c.e      |              | w.x.y.u     |
>     |  router1    |              |   router2    |
>     -------------             -------------
>                \                   /
>                 \                /
>                  \             /
>                   -----------
>                   |   Switch  |
>                   -----------
>                        |
>                        |
>                        |
>                       eth1                eth1 a.b.c.d     gw a.b.c.e
>                  --------------       eth1:0 w.x.y.z  gw w.x.y.u
>                  |                   |
>                  |    linux        |
>                  |                   |
>                  --------------        eth0 172.16.1.1
>                     eth0                    eth0:0 192.168.1.1
>                         |
>                         |
Rephrased: eth0 is local, eth1 is internet?
eth0: 172.16.1.1/24 and 192.168.1.1/24
eth1: w.x.y.z/28 and a.b.c.d/28

> I want to forward all packet from 172.16.1.0/24 Network to router 1
> and from 192.168.1.0/24 Network to router2.
> 
> In the linux box i am doing advance routing and iptables.
> Here i am using iptables just for masquerading
> the rules are
> #/sbin/iptables -t nat -A POSTROUTING -o eth0 -p icmp --icmp-type ping -s
> 0/0 -d  0/0 -j MASQUERADE
> #/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 0/0 -d 0/0 -j
> MASQUERADE
So you are really masquerading internet traffic, so that traffic from
the internet looks like local traffic?
Don't you mean:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -p icmp --icmp-type ping -s  0/0 -d  0/0 -j MASQUERADE
In other words: icmp traffic going to the internet should be masqueraded?

But now for the next thing in problem solving:
1) flush your iptables.
2) start these:
tcpdump -n -e -i eth0
tcpdump -n -e -i eth1

3) ping from the 192.168.1.0 network a few times (it will not be answered).
Watch the outgoing traffic on eth1
4) ping from the 172.16.1.0 network a few times.
Watch the outgoing traffic on eth1

At this point it should start sending the icmp request to the different
routers. The *only* way to notice this is the mac address to which it
is sent!

If that is correct, then your ip stuff is correct. Your next target is
the iptables.

Enter this:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -p icmp --icmp-type ping -s  0/0 -d  0/0 -j MASQUERADE

And try the pings again. Watch the mac, and the ip addresses.
You will see that masqueraded packets "arrive" two times at the interface,
once masqueraded, and once demasqueraded.

If one of these steps does not do as I say, please cut and paste your
terminal output.
(That means tcpdumps etc...)
-- 
<ard@telegraafnet.nl> Telegraaf Elektronische Media  http://wwwijzer.nl
http://leerquoten.monster.org/ http://www.faqs.org/rfcs/rfc1855.html 
Let your government know you value your freedom. Sign the petition:
http://petition.eurolinux.org/
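
The check from steps 3 and 4 above, as an added example that is not part of the original message: with iptables flushed, group the IPv4 frames leaving eth1 by source subnet and read off the destination MAC, which is the only place the chosen router shows up. The capture lines are constructed in the output format of a current `tcpdump -n -e`; the router MACs and the ping target are made-up documentation values, and a /24 is matched by its dotted prefix.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -e -i eth1` output (iptables flushed, so the
# private source addresses are still visible). 00:00:5e:00:53:01 stands for
# router1 and 00:00:5e:00:53:02 for router2; both MACs are made up.
sample_capture() {
cat <<'EOF'
12:00:01.000001 00:06:5b:38:99:a9 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 172.16.1.10 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 00:06:5b:38:99:a9 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 172.16.1.10 > 203.0.113.5: ICMP echo request, id 1, seq 2, length 64
12:00:03.000001 00:06:5b:38:99:a9 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 98: 192.168.1.20 > 203.0.113.5: ICMP echo request, id 7, seq 1, length 64
12:00:04.000001 00:06:5b:38:99:a9 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 98: 192.168.1.20 > 203.0.113.5: ICMP echo request, id 7, seq 2, length 64
12:00:04.500000 00:06:5b:38:99:a9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 198.51.100.1 tell 198.51.100.2, length 28
EOF
}

# Read tcpdump -e text on stdin and print "count dst_mac" for every IPv4 frame
# whose source address starts with $1 (dotted prefix such as "172.16.1.").
next_hop_macs() {
    awk -v pfx="$1" '
        $3 == ">" && /ethertype IPv4/ {
            mac = $4; sub(/,$/, "", mac)      # destination MAC, comma stripped
            src = ""
            # The IP source follows the first "length N:" of the link header.
            for (i = 5; i < NF; i++)
                if ($i == "length" && $(i+1) ~ /:$/) { src = $(i+2); break }
            if (index(src, pfx) == 1) seen[mac]++
        }
        END { for (m in seen) print seen[m], m }
    ' | sort -k2
}

count_lines() { printf '%s\n' "$1" | awk 'END { print NR }'; }

# verdict <capture-file> <prefix-a> <prefix-b>
# split        each subnet uses one next hop and the two differ (rules work)
# same-router  both subnets leave via the same MAC (the ip rule is not applied)
# ambiguous    one subnet is spread over several next hops
# no-traffic   nothing seen for at least one subnet
verdict() {
    a=$(next_hop_macs "$2" < "$1" | awk '{ print $2 }')
    b=$(next_hop_macs "$3" < "$1" | awk '{ print $2 }')
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo no-traffic
    elif [ "$(count_lines "$a")" -ne 1 ] || [ "$(count_lines "$b")" -ne 1 ]; then
        echo ambiguous
    elif [ "$a" = "$b" ]; then
        echo same-router
    else
        echo split
    fi
}

# Demo on the constructed capture.
cap=$(mktemp) && sample_capture > "$cap"
echo "172.16.1.0/24  -> $(next_hop_macs 172.16.1. < "$cap")"
echo "192.168.1.0/24 -> $(next_hop_macs 192.168.1. < "$cap")"
echo "verdict: $(verdict "$cap" 172.16.1. 192.168.1.)"
rm -f "$cap"
```

On a live box, feed it a saved capture, for example `tcpdump -n -e -i eth1 -c 20 icmp > cap.txt` followed by `verdict cap.txt 172.16.1. 192.168.1.`.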

* Re: [LARTC] routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
  2002-03-05 17:28 ` Ard van Breemen
@ 2002-03-06  6:44 ` suresh
  2002-11-20 17:31 ` [LARTC] Routing problem Mauro Cerboni
                   ` (18 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: suresh @ 2002-03-06  6:44 UTC (permalink / raw)
  To: lartc

Hello Ard,
Thanks for your guide, now it's working.

Suresh
----- Original Message -----
From: Ard van Breemen <ard@telegraafnet.nl>
To: lartc <lartc@mailman.ds9a.nl>
Cc: suresh <super772002@yahoo.com>
Sent: Tuesday, March 05, 2002 10:58 PM
Subject: Re: [LARTC] routing problem


> On Tue, Mar 05, 2002 at 09:25:58AM +0530, suresh wrote:
> > I have routing problem using Adv Routing.
> > Let me explain with exact flow of packets in my LAN to INTERNET
> >
> >                 I N T E R N E T
> >                 /                     \
> >     -------------             -------------
> >     | a.b.c.e      |              | w.x.y.u     |
> >     |  router1    |              |   router2    |
> >     -------------             -------------
> >                \                   /
> >                 \                /
> >                  \             /
> >                   -----------
> >                   |   Switch  |
> >                   -----------
> >                        |
> >                        |
> >                        |
> >                       eth1                eth1 a.b.c.d     gw a.b.c.e
> >                  --------------       eth1:0 w.x.y.z  gw w.x.y.u
> >                  |                   |
> >                  |    linux        |
> >                  |                   |
> >                  --------------        eth0 172.16.1.1
> >                     eth0                    eth0:0 192.168.1.1
> >                         |
> >                         |
> Rephrased: eth0 is local, eth1 is internet?
> eth0: 172.16.1.1/24 and 192.168.1.1/24
> eth1: w.x.y.z/28 and a.b.c.d/28
>
> > I want to forward all packet from 172.16.1.0/24 Network to router 1
> > and from 192.168.1.0/24 Network to router2.
> >
> > In the linux box i am doing advance routing and iptables.
> > Here i am using iptables just for masquerading
> > the rules are
> > #/sbin/iptables -t nat -A POSTROUTING -o eth0 -p icmp --icmp-type ping -s 0/0 -d  0/0 -j MASQUERADE
> > #/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 0/0 -d 0/0 -j MASQUERADE
> So you are really masquerading internet traffic, so that traffic from
> the internet looks like local traffic?
> Don't you mean:
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -p icmp --icmp-type ping -s 0/0 -d  0/0 -j MASQUERADE
> In other words: icmp traffic going to the internet should be masqueraded?
>
> But now for the next thing in problem solving:
> 1) flush your iptables.
> 2) start these:
> tcpdump -n -e -i eth0
> tcpdump -n -e -i eth1
>
> 3) ping from the 192.168.1.0 network a few times (it will not be answered).
> Watch the outgoing traffic on eth1
> 4) ping from the 172.16.1.0 network a few times.
> Watch the outgoing traffic on eth1
>
> At this point it should start sending the icmp request to the different
> routers. The *only* way to notice this is the mac address to which it
> is sent!
>
> If that is correct, then your ip stuff is correct. Your next target is
> the iptables.
>
> Enter this:
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -p icmp --icmp-type ping -s 0/0 -d  0/0 -j MASQUERADE
>
> And try the pings again. Watch the mac, and the ip addresses.
> You will see that masqueraded packets "arive" to times at the interface,
> once masqueraded, and once demasqueraded.
>
> If one of these steps does not do as I say, please cut and paste your
> terminal output.
> (That means tcpdumps etc...)
> --
> <ard@telegraafnet.nl> Telegraaf Elektronische Media  http://wwwijzer.nl
> http://leerquoten.monster.org/ http://www.faqs.org/rfcs/rfc1855.html
> Let your government know you value your freedom. Sign the petition:
> http://petition.eurolinux.org/



* [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
  2002-03-05 17:28 ` Ard van Breemen
  2002-03-06  6:44 ` suresh
@ 2002-11-20 17:31 ` Mauro Cerboni
  2002-11-22  0:03 ` Jose Luis Domingo Lopez
                   ` (17 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Mauro Cerboni @ 2002-11-20 17:31 UTC (permalink / raw)
  To: lartc

Hi everybody,

I have 3 routers (Linux boxes with Red Hat 8.0 server), with iproute2 and ip_forward activated; they are linked together in this way:

AP1------Router1---------Router2----------Router3---------AP2

AP1 and AP2 are WLAN 802.11b Cisco Aironet 350 access points. 
I can't ping AP2 from Router1 and Router2 and AP1 from Router3 and Router2.
Changing one of the AP with a laptop connected to Router (1 or 3) results in no effects.
The routing tables seem correct.
Router1 and Router3 can ping each other, so Router2 seems to make right routing.
The dotted lines above are 4 different subnets.

Any suggestion would be of great help!

Jhonatan

* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (2 preceding siblings ...)
  2002-11-20 17:31 ` [LARTC] Routing problem Mauro Cerboni
@ 2002-11-22  0:03 ` Jose Luis Domingo Lopez
  2002-11-22  0:32 ` George J. Jahchan, Eng.
                   ` (16 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Jose Luis Domingo Lopez @ 2002-11-22  0:03 UTC (permalink / raw)
  To: lartc

On Wednesday, 20 November 2002, at 18:31:42 +0100,
Mauro Cerboni wrote:

> I have 3 routers (Linux boxes with Red Hat 8.0 server), with iproute2 and ip_forward activated; they are linked together in this way:
> 
> AP1------Router1---------Router2----------Router3---------AP2
> 
> The routing tables seem correct.
>
But the symptoms you describe seem to tell the opposite :-(

> Router1 and Router3 can ping each other, 
>
Router1 and Router2 share a network segment, as well as Router2 and
Router3. So as Router2 seems to be forwarding packets, and it has routes
to directly connected networks (shared with Router1 and Router3) the
communication between Router1 and Router3 works.

My guess is a wrong configuration of routing tables. Maybe you could try
traceroute to see if packets reach the other end, or they get lost at
some point. It wouldn't be unusual for the packets to reach the
destination, but be unable to return to the source, so check the routing
tables and follow the path the packets would travel.

Hope it helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Woody (Linux 2.4.19-pre6aa1)

* RE: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (3 preceding siblings ...)
  2002-11-22  0:03 ` Jose Luis Domingo Lopez
@ 2002-11-22  0:32 ` George J. Jahchan, Eng.
  2002-12-17 16:53 ` [LARTC] ROUTING Problem Andre Lorenz
                   ` (15 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: George J. Jahchan, Eng. @ 2002-11-22  0:32 UTC (permalink / raw)
  To: lartc

Mauro,
Unless both Aironets have routes to each other (either default or static) they cannot communicate, and AFAIK, the Aironets are layer-2 devices with no routing capabilities. Wireless hosts behind AP1 should be able to communicate with wireless hosts behind AP2 though. Just make sure hosts at both ends have appropriate routes to each other.
-----Original Message-----
From: 	lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]  On Behalf Of Mauro Cerboni
Sent:	Wednesday, November 20, 2002 7:32 pm
To:	lartc@mailman.ds9a.nl
Subject:	[LARTC] Routing problem
Hi everybody,
I have 3 routers (Linux boxes with Red Hat 8.0 server), with iproute2 and ip_forward activated; they are linked together in this way:
AP1------Router1---------Router2----------Router3---------AP2
AP1 and AP2 are WLAN 802.11b Cisco Aironet 350 access points. 
I can't ping AP2 from Router1 and Router2 and AP1 from Router3 and Router2.
Changing one of the AP with a laptop connected to Router (1 or 3) results in no effects.
The routing tables seem correct.
Router1 and Router3 can ping each other, so Router2 seems to make right routing.
The dotted lines above are 4 different subnets.
Any suggestion would be of great help!
Jhonatan

* [LARTC] ROUTING Problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (4 preceding siblings ...)
  2002-11-22  0:32 ` George J. Jahchan, Eng.
@ 2002-12-17 16:53 ` Andre Lorenz
  2003-09-05 16:12 ` [LARTC] Routing problem gaston
                   ` (14 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Andre Lorenz @ 2002-12-17 16:53 UTC (permalink / raw)
  To: lartc

hello,
(sorry for my bad english)

        1,5 Mbit                2 Mbit
          www             www
                |                       |
        +---------------------------+
        |  LINUX Box                |----- DMZ
        +---------------------------+
                        |
                        LAN
most of the clients in the lan are connected to the 1,5 Mbit connection
and some are connected to the 2 Mbit connection

the linux box has 4 network adapters

problem
        the clients which are routed to the 2 Mbit couldn't access the dmz

u will be able to connect the dmz from all other routes.

routes are following defined.

default --> 1,5 Mbit
        table fast 
        default -> 2mbit
        clientXX lookup table fast
        dmz-Network lookup table fast   

where I've done a mistake

I've tried to solve it with fw-mark but there is also the same problem

thanks for help

with friendly regards
Andre


* [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (5 preceding siblings ...)
  2002-12-17 16:53 ` [LARTC] ROUTING Problem Andre Lorenz
@ 2003-09-05 16:12 ` gaston
  2003-09-07 23:03 ` Damion de Soto
                   ` (13 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: gaston @ 2003-09-05 16:12 UTC (permalink / raw)
  To: lartc


            Internet
                |
        ________|________
        |               |
        | Cisco 2600    |  IP: 208.53.98.254
        |_______________|
                |
        ________|________
        |               |
        |   Switch 1    |
        |_______________|
                |
               ETH0 ---> IP:208.53.98.198        Net 208.53.98.0/25
        ________|________
        |               |
        |    Linux      |
        |_______________|
                |
               ETH1 --> IP:208.53.164.254    Net 208.53.164.0/24
                |
        ________|________
        |               |
        |   Switch 2    | ------ Clients
        |_______________|
			
Red Hat Linux 9
Kernel: 2.4.20-8
I used the traditional routing config (without iproute2)


Routing table:

208.53.98.128   0.0.0.0         255.255.255.128 U                   0 eth0
208.53.164.0    0.0.0.0         255.255.255.0   U                   0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U                   0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U                   0 lo
0.0.0.0         208.53.98.254   0.0.0.0         UG                  0 eth0

		
Cisco 2600 config:

ip route 208.53.164.0 255.255.255.0 208.53.98.198


Problem:

This configuration didn't work. From the clients network (208.53.164.0) I
could only reach the Cisco router but was unable to reach Internet. 

The only quick solution was to connect Switch 1 with Switch 2.


Any ideas why this didn't work? 


* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (6 preceding siblings ...)
  2003-09-05 16:12 ` [LARTC] Routing problem gaston
@ 2003-09-07 23:03 ` Damion de Soto
  2003-09-08  6:41 ` Ronny Aasen
                   ` (12 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Damion de Soto @ 2003-09-07 23:03 UTC (permalink / raw)
  To: lartc



gaston wrote:
> Problem:
> This configuration didn't work. From the clients network (208.53.164.0) I
> could only reach the Cisco router but was unable to reach Internet. 
> 
> The only quick solution was to connect Switch 1 with Switch 2.
> Any ideas why this didn't work? 

did you have IP forwarding enabled and the appropriate iptables rules on the linux box ?
for pure routing:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

If you have already done that, where does a traceroute from the clients' network 
(208.53.164.0) go ?   does it try to go through 208.53.164.254?
does it go anywhere after ?

good luck.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email:     damion@snapgear.com
SnapGear ---                           ph:         +61 7 3435 2809
  | Custom Embedded Solutions          fax:         +61 7 3891 3630
  | and Security Appliances            web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (7 preceding siblings ...)
  2003-09-07 23:03 ` Damion de Soto
@ 2003-09-08  6:41 ` Ronny Aasen
  2003-09-08 14:46 ` gaston
                   ` (11 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Ronny Aasen @ 2003-09-08  6:41 UTC (permalink / raw)
  To: lartc

On Mon, 2003-09-08 at 01:03, Damion de Soto wrote:
> gaston wrote:
> > Problem:
> > This configuration didn't work. From the clients network (208.53.164.0) I
> > could only reach the Cisco router but was unable to reach Internet. 
> > 
> > The only quick solution was to connect Switch 1 with Switch 2.
> > Any ideas why this didn't work? 
> 
> did you have IP forwarding enabled and the appropriate iptables rules on the linux box ?
> for pure routing:
> 
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> 
> If you already done that, where does a traceroute from the clients' network 
> (208.53.164.0) go ?   does it try to go through 208.53.164.254?
> does it go anywhere after ?


in addition, was the cisco aware that the route to 
208.53.164.0/24 was thru the linux ?

post the routing table from the cisco also.

still good luck
-- 
Ronny Aasen <list@datapart-as.no>


* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (8 preceding siblings ...)
  2003-09-08  6:41 ` Ronny Aasen
@ 2003-09-08 14:46 ` gaston
  2003-09-09 13:59 ` gaston
                   ` (10 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: gaston @ 2003-09-08 14:46 UTC (permalink / raw)
  To: lartc

Well, I don't think it's the cisco's problem. I think there is something
wrong with my linux routing config, here it is:

/proc/sys/net/ipv4 


icmp_echo_ignore_all:0
icmp_echo_ignore_broadcasts:0
icmp_ignore_bogus_error_responses:0
icmp_ratelimit:100
icmp_ratemask:6168
igmp_max_memberships:20
inet_peer_gc_maxtime:120
inet_peer_gc_mintime:10
inet_peer_maxttl:600
inet_peer_minttl:120
inet_peer_threshold:65664
ip_autoconfig:0
ip_conntrack_max:32656
ip_default_ttl:64
ip_dynaddr:0
ip_forward:1
ipfrag_high_thresh:262144
ipfrag_low_thresh:196608
ipfrag_time:30
ip_local_port_range:32768       61000
ip_nonlocal_bind:0
ip_no_pmtu_disc:0
tcp_abort_on_overflow:0
tcp_adv_win_scale:2
tcp_app_win:31
tcp_dsack:1
tcp_ecn:0
tcp_fack:1
tcp_fin_timeout:60
tcp_frto:0
tcp_keepalive_intvl:75
tcp_keepalive_probes:9
tcp_keepalive_time:7200
tcp_max_orphans:16384
tcp_max_syn_backlog:1024
tcp_max_tw_buckets:180000
tcp_mem:97280   97792   98304
tcp_orphan_retries:0
tcp_reordering:3
tcp_retrans_collapse:1
tcp_retries1:3
tcp_retries2:15
tcp_rfc1337:0
tcp_rmem:4096   87380   174760
tcp_sack:1
tcp_stdurg:0
tcp_synack_retries:5
tcp_syncookies:0
tcp_syn_retries:5
tcp_timestamps:1
tcp_tw_recycle:0
tcp_tw_reuse:0
tcp_window_scaling:1
tcp_wmem:4096   16384   131072


/proc/sys/net/ipv4/conf/ethX


accept_redirects:1
accept_source_route:1
arp_filter:0
bootp_relay:0
forwarding:1
log_martians:0
mc_forwarding:0
medium_id:0
proxy_arp:0
rp_filter:1
secure_redirects:1
send_redirects:1
shared_media:1
tag:0




-----Original Message-----
From: Ani <an2rhyme@yahoo.com>
To: gaston <gaston@steel.com.ar>
Date: Sat, 6 Sep 2003 03:07:14 -0700 (PDT)
Subject: Re: [LARTC] Routing problem

> if u r able to reach from ur client machine to cisco router ( but not
> outside ) then its the cisco configuration u need to check... send the
> cisco config and we can get back to u.
> 
> gaston <gaston@steel.com.ar> wrote:
> Internet
> |
> |
> ________|________
> | |
> | Cisco 2600 | | | 
> IP: 208.53.98.254 
> |_______________|
> |
> | 
> |
> |
> | 
> |
> ________|_________
> | |
> | Switch 1 | 
> |_______________|
> 
> | 
> |
> |
> | 
> |
> ETH0 ---> IP:208.53.98.198 Net 208.53.98.0/25
> ________|________
> | |
> | Linux | 
> |_______________|
> |
> ETH1 --> IP:208.53.164.254 Net 208.53.164.0/24 
> |
> |
> ________|_________
> | |
> | Switch 2 | ------ Clients 
> 
> |_______________|
> 
> Red Hat Linux 9
> Kernel: 2.4.20-8
> I used the traditional routing config (without iproute2)
> 
> 
> Routing table:
> 
> 208.53.98.128 0.0.0.0 255.255.255.128 U 0 eth0
> 208.53.164.0 0.0.0.0 255.255.255.0 U 0 eth1
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 eth1
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 lo
> 0.0.0.0 208.53.98.254 0.0.0.0 UG 0 eth0
> 
> 
> Cisco 2600 config:
> 
> ip route 208.53.164.0 255.255.255.0 208.53.98.198
> 
> 
> Problem:
> 
> This configuration didn't work. From the clients network (208.53.164.0)
> I
> could only reach the Cisco router but was unable to reach Internet. 
> 
> The only quick solution was to connect Switch 1 with Switch 2.
> 
> 
> Any ideas why this didn't work? 
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 
> 
> ---------------------------------
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software


* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (9 preceding siblings ...)
  2003-09-08 14:46 ` gaston
@ 2003-09-09 13:59 ` gaston
  2003-11-10 12:29 ` [LARTC] routing problem Meretei Balázs
                   ` (9 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: gaston @ 2003-09-09 13:59 UTC (permalink / raw)
  To: lartc


> 
> Message: 1
> Subject: Re: [LARTC] Routing problem
> From: Ronny Aasen <list@datapart-as.no>
> To: lartc <lartc@mailman.ds9a.nl>
> Cc: Damion de Soto <damion@snapgear.com>
> Organization: 
> Date: 08 Sep 2003 08:41:46 +0200
> 
> On Mon, 2003-09-08 at 01:03, Damion de Soto wrote:
> > gaston wrote:
> > > Problem:
> > > > This configuration didn't work. From the clients network (208.53.164.0) I
> > > > could only reach the Cisco router but was unable to reach Internet.
> > > 
> > > The only quick solution was to connect Switch 1 with Switch 2.
> > > Any ideas why this didn't work? 
> > 
> > > did you have IP forwarding enabled and the appropriate iptables rules on the linux box ?
> > for pure routing:
> > 
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> > 
> > > If you already done that, where does a traceroute from the clients' network
> > > (208.53.164.0) go ?   does it try to go through 208.53.164.254?
> > does it go anywhere after ?
> 
> 
> in addition, was the cisco aware that the route to 
> 208.53.164.0/24 was thru the linux ?
> 
> post the routing table from the cisco also.
> 
> still good luck
> -- 
> Ronny Aasen <list@datapart-as.no>
> 
> 
> --__--__--

Yes, the cisco knows that everything going to the net 208.53.164.0 goes
through the linux.

I did a traceroute from one of the clients to cisco's website ip:

1st hop --> 208.53.164.254
2nd hop --> Time out
3d --> Time out
and so on

while doing this i sniffed with ethereal:

source            dest 
 
208.53.164.2      208.53.98.254(dns)           standard query ptr 
208.53.164.2      208.53.98.254(dns)           destination unreachable
208.53.164.2      198.133.219.25               echo ping request


* [LARTC] routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (10 preceding siblings ...)
  2003-09-09 13:59 ` gaston
@ 2003-11-10 12:29 ` Meretei Balázs
  2003-11-10 23:55 ` Damion de Soto
                   ` (8 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Meretei Balázs @ 2003-11-10 12:29 UTC (permalink / raw)
  To: lartc


I got a problem with ip aliasing.

I've an interface (eth0) and its address (eg. 195.150.0.11) routed through 195.150.0.1 


I made an alias 193.144.0.11 too (eth0:1)
but I have to route the second subnet through another router (193.144.0.1)

the main problem is, that I cannot make two default routes...
I don't really know what to do in this case

----------
|        | eth0    (195.150.0.11)----------------[router: 195.150.0.11]-------------INET
|        | eth0:1  (193.144.0.11)---------------[router: 193.144.0.11]-------------INET
---------


======================
Meretei Balázs
noxy@icw.hu


* Re: [LARTC] routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (11 preceding siblings ...)
  2003-11-10 12:29 ` [LARTC] routing problem Meretei Balázs
@ 2003-11-10 23:55 ` Damion de Soto
  2003-11-11  4:22 ` Martin A. Brown
                   ` (7 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Damion de Soto @ 2003-11-10 23:55 UTC (permalink / raw)
  To: lartc

Meretei Balázs wrote:
> I've an interface (eth0) and its address (eg. 195.150.0.11) routed 
> through 195.150.0.1 
> I made an alias 193.144.0.11 too (eth0:1)
> but I have to route the second subnet through another router (193.144.0.1)

I'm pretty sure you need source-based routing here. (or is that policy-based ?)
you set up 2 routing tables, and then make rules that say packets from 195.150.0.0 go 
into one (which has a default gateway of 195.150.0.1) and packets from the other 
network go into the second routing table, with a gw of 193.144.0.1

take a look at:
http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE
and maybe:
http://linux-ip.net/html/ch-routing.html
http://linux-ip.net/gl/ip-cref/

it's pretty easy once you work out what needs to happen.


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email:     damion@snapgear.com
SnapGear ---                           ph:         +61 7 3435 2809
  | Custom Embedded Solutions          fax:         +61 7 3891 3630
  | and Security Appliances            web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [LARTC] routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (12 preceding siblings ...)
  2003-11-10 23:55 ` Damion de Soto
@ 2003-11-11  4:22 ` Martin A. Brown
  2004-04-06 11:09 ` [LARTC] Routing problem huffo
                   ` (6 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Martin A. Brown @ 2003-11-11  4:22 UTC (permalink / raw)
  To: lartc

Meretei,

 : I've an interface (eth0) and its address (eg. 195.150.0.11) routed
 : through 195.150.0.1  I made an alias 193.144.0.11 too (eth0:1) but I
 : have to route the second subnet through another router (193.144.0.1)
 :
 : the main problem is, that I cannot make two default routes... I don't
 : really know what to do in this case

Damion was correct when he suggested that policy routing would be a good
solution for you.  He suggested reading lartc.org [0] and also a chapter
in my (incomplete) book; the chapter on routing [1].  Together these two
resources should give you a good idea of how the solution works.  Policy
routing leverages multiple routing tables and a policy database.  The
lookups in the policy database select the routing table to apply for a
particular packet.  With a careful design of your routing tables, you can
easily have two or more default routes, depending on the characteristics
of the outbound packet.

 : +--------+
 : | linux  | eth0    (195.150.0.11) -- [router: 195.150.0.1] -- INET
 : | router | eth0:1  (193.144.0.11) -- [router: 193.144.0.1] -- INET
 : +--------+

I assume that you are only showing us the networks connected to this
router, and that there are no others.  If that is the case, then my
following statements hold.

For you, the pitfall and difficulty will likely have more to do with
ensuring that the packets are sourced from the correct IP.  This will be
trivial if you are running servers on 195.150.0.11 and 193.144.0.11, but
may be more difficult if you are trying to select outbound path from
userspace.  This could depend on your application supporting the call to
bind to a particular IP.

In particular, you'll want to examine the kernel's rules for selecting a
source IP if it is not specified by the application [2].

If eth0 is your preferred link, then this should work for you as a
starting point:

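  # rt_tables entries are "ID name"; 200 is an arbitrary unused table ID
  echo 200 secondary >> /etc/iproute2/rt_tables
  ip rule add from 193.144.0.11 table secondary
  ip route flush table secondary
  # copy every route from main into the new table
  ip route show table main | while read ROUTE ; do
      ip route add table secondary $ROUTE
  done
  # then point only this table's default route at the second router
  ip route change default table secondary via 193.144.0.1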

One other note.  The use of the term IP aliasing is archaic and
deprecated.  The command "ifconfig" displays "aliased" interfaces with
the old-style name "eth0:0", when, in fact, there is no such thing as an
alias under Linux.  This is immediately obvious when using the "ip
address" command line tool to list addresses associated with a particular
interface.

-Martin

 [0]  http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE
 [1]  http://linux-ip.net/html/ch-routing.html
 [2]  http://linux-ip.net/gl/ip-cref/node155.html

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com


^ permalink raw reply	[flat|nested] 22+ messages in thread
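
Added example (not part of Martin's message or of any project's code): a small Python model of the lookup described in the reply above, where rules in the policy database select a routing table and each table holds its own default route. It uses the thread's addresses; the /24 prefix lengths, the rule priority 32765 and the destination 198.51.100.7 are assumptions, and source selection is simplified to "the local address on the next hop's subnet".

```python
import ipaddress

# Constructed model of the setup in this thread; the /24 prefix lengths are
# assumptions (the messages give only host and gateway addresses).
LOCAL_ADDRS = ["195.150.0.11/24", "193.144.0.11/24"]

# Each table: list of (prefix, gateway or None for an on-link route).
TABLES = {
    "main": [
        ("195.150.0.0/24", None),
        ("193.144.0.0/24", None),
        ("0.0.0.0/0", "195.150.0.1"),   # preferred link
    ],
    # Copy of main with only the default route changed, as in the reply.
    "secondary": [
        ("195.150.0.0/24", None),
        ("193.144.0.0/24", None),
        ("0.0.0.0/0", "193.144.0.1"),
    ],
}

# Policy database: (priority, source selector, table); lowest priority first.
# 32765 is an assumed priority; 32766 is the kernel's rule for table main.
RULES = [
    (32765, "193.144.0.11/32", "secondary"),
    (32766, "0.0.0.0/0", "main"),
]


def table_lookup(table, dst):
    """Longest-prefix match inside one table; returns (prefix, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in TABLES[table]
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), gw


def pick_source(next_hop):
    """Simplified source selection: the local address on the next hop's subnet."""
    hop = ipaddress.ip_address(next_hop)
    for addr in LOCAL_ADDRS:
        iface = ipaddress.ip_interface(addr)
        if hop in iface.network:
            return str(iface.ip)
    return None


def route(dst, src=None):
    """Walk the rules in priority order; return (table, gateway, source)."""
    # An unbound socket is looked up with source 0.0.0.0, so the
    # "from 193.144.0.11" rule cannot match it.
    key = ipaddress.ip_address(src or "0.0.0.0")
    for _prio, selector, table in sorted(RULES):
        if key not in ipaddress.ip_network(selector):
            continue
        hit = table_lookup(table, dst)
        if hit is None:
            continue  # no route in this table: fall through to the next rule
        _prefix, gw = hit
        return table, gw, src or pick_source(gw or dst)
    return None


if __name__ == "__main__":
    for src in ("195.150.0.11", "193.144.0.11", None):
        print(src, "->", route("198.51.100.7", src))
```

The unbound case is the pitfall raised in the reply: a socket that is not bound to 193.144.0.11 never matches the `from` rule and leaves via the main table's default route.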

* [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (13 preceding siblings ...)
  2003-11-11  4:22 ` Martin A. Brown
@ 2004-04-06 11:09 ` huffo
  2004-04-06 12:28 ` huffo
                   ` (5 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: huffo @ 2004-04-06 11:09 UTC (permalink / raw)
  To: lartc

Hi,
I have one firewall/gateway server with two interfaces and a routing
problem (?).

eth0: external interface
eth1: internal interface. Both IP addresses are valid.

Services like DNS and HTTP are configured to run using the eth1 IP address.

The problem is that when I try to connect from the internet to the firewall, I can't see
the eth1 IP address... only the eth0 IP address.

So, when I try to connect to the web server or transfer zones to slave DNS
servers, the connection fails (they cannot see eth1). Nothing that runs on
the eth1 IP address works for people outside my local network.

My local network is working fine, because it can see eth1, and has a masquerade
rule to make a transparent proxy.

If I'm connected to the firewall, I can see everything.

I disabled all firewall rules to make tests... no results.

Can anyone help me find where the problem is? I think it's a routing
problem, but I don't know where it is...

Thanks in advance,
Pereira


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (14 preceding siblings ...)
  2004-04-06 11:09 ` [LARTC] Routing problem huffo
@ 2004-04-06 12:28 ` huffo
  2004-04-06 23:32 ` Damion de Soto
                   ` (4 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: huffo @ 2004-04-06 12:28 UTC (permalink / raw)
  To: lartc

Of course. IP_FORWARDING has been enabled for a long time.

Pereira. 


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (15 preceding siblings ...)
  2004-04-06 12:28 ` huffo
@ 2004-04-06 23:32 ` Damion de Soto
  2004-04-07  1:16 ` huffo
                   ` (3 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: Damion de Soto @ 2004-04-06 23:32 UTC (permalink / raw)
  To: lartc

Hi Pereira,
> I have one firewall/gateway server with two interfaces and a routing 
> problem (?). 
> 
> eth0: external interface 
> eth1: internal interface. Both IP addresses are valid. 
> Can anyone help me find where the problem is? I think it's a routing 
> problem, but I don't know where it is... 

Has your ISP placed routing entries for eth1 IP via eth0 IP ?
Are they on the same subnets ?
If you do a traceroute from the internet, you should see your hops hit eth0
(and then if everything was working, hit eth1)

 > Of course. IP_FORWARDING has been enabled for a long time.
I assume you've also turned it on in /proc/sys/net/ipv4/ip_forward ?

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email:     damion@snapgear.com
SnapGear - A CyberGuard Company ---    ph:         +61 7 3435 2809
  | Custom Embedded Solutions          fax:         +61 7 3891 3630
  | and Security Appliances            web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (16 preceding siblings ...)
  2004-04-06 23:32 ` Damion de Soto
@ 2004-04-07  1:16 ` huffo
  2004-04-07  1:26 ` huffo
                   ` (2 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: huffo @ 2004-04-07  1:16 UTC (permalink / raw)
  To: lartc

I installed gated to resolve my routing problem. It was a RIP problem.

Thanks a lot, 
Mauricio. 


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [LARTC] Routing problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (17 preceding siblings ...)
  2004-04-07  1:16 ` huffo
@ 2004-04-07  1:26 ` huffo
  2006-12-12 13:07 ` [LARTC] Routing Problem Javier A Toledano
  2006-12-13 15:05 ` Taylor, Grant
  20 siblings, 0 replies; 22+ messages in thread
From: huffo @ 2004-04-07  1:26 UTC (permalink / raw)
  To: lartc

Does anyone know of a PDF, text or HTML document that explains how /etc/gateway, or gated.conf
works?

I installed gated, configured rip1 and now it is working, but I want to know
everything about it...

Thanks for any help,


^ permalink raw reply	[flat|nested] 22+ messages in thread

* [LARTC] Routing Problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (18 preceding siblings ...)
  2004-04-07  1:26 ` huffo
@ 2006-12-12 13:07 ` Javier A Toledano
  2006-12-13 15:05 ` Taylor, Grant
  20 siblings, 0 replies; 22+ messages in thread
From: Javier A Toledano @ 2006-12-12 13:07 UTC (permalink / raw)
  To: lartc

Routing Problem



             Internet
                 |
                 |
    DSL Router with NAT Enabled
          192.168.93.2/24
                 |
                 |
       192.168.93.1/24 (eth1)
                 |
Linux Multihomed Router -- 10.0.0.25/8 (eth0) ------------------10.0.0.1 (host)
                 |
       192.168.10.2/24 (eth2)
                 |
                 |
        192.168.10.49 (host)




The Linux box is running CentOS 4.2. I have 3 Ethernet cards: eth1
(Davicom Semiconductor, Inc 21x4x DEC-Tulip Compatible), eth0 (VIA
Technologies, Inc VT6105 Rhine III) and
eth2 (Intel Corporation 82547Gi Gigabit Ethernet Controller).


I don't have any rules of iptables applied to the kernel.


the content of sysctl.conf is below:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1


The problem is that forwarding is enabled, but when I try to probe
connectivity from a host in the 10.0.0.0 net, e.g. 10.0.0.1, making an
echo request
to a host in the 192.168.10.0 net, e.g. 192.168.10.49, the ICMP packets
arrive at the Linux box (interface eth0) but don't traverse it.
After I initiate an echo request from 192.168.10.49 to 10.0.0.1, the
packets initiated in the 10.0.0.0 net start to traverse the router
magically.
It seems that it needs a packet from the 192.168.10.0 net to start working.

I would appreciate any idea.
Thanks in advance.

Javier Toledano

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [LARTC] Routing Problem
  2002-03-05  3:55 [LARTC] routing problem suresh
                   ` (19 preceding siblings ...)
  2006-12-12 13:07 ` [LARTC] Routing Problem Javier A Toledano
@ 2006-12-13 15:05 ` Taylor, Grant
  20 siblings, 0 replies; 22+ messages in thread
From: Taylor, Grant @ 2006-12-13 15:05 UTC (permalink / raw)
  To: lartc

Javier A Toledano wrote:
> Routing Problem

<snip>

> The problem is that forwarding is enabled, but when I try to probe
> connectivity from a host in the 10.0.0.0 net, e.g. 10.0.0.1, making an
> echo request
> to a host in the 192.168.10.0 net, e.g. 192.168.10.49, the ICMP packets
> arrive at the Linux box (interface eth0) but don't traverse it.
> After I initiate an echo request from 192.168.10.49 to 10.0.0.1, the
> packets initiated in the 10.0.0.0 net start to traverse the router
> magically.
> It seems that it needs a packet from the 192.168.10.0 net to start working.
> 
> I would appreciate any idea.

I'm not a CentOS user so I cannot say for sure.  However, I would expect
(despite what you say) that there is some sort of IPTables stateful
packet inspection going on from your 10/ network to your 192.168/
network.  If this is indeed the case and the rule is a basic state of
ESTABLISHED, RELATED, then any traffic from 10/ to 192.168/ AFTER you
sent traffic from 192.168/ to 10/ would be considered RELATED and thus
allowed through.

However if, as you say, there are no IPTables rules in play at all,
something else is interfering with your traffic; what it would be, I'm
not sure.

Try running iptables-save to make sure that there are absolutely no
rules in effect anywhere.



Grant. . . .

(Reposted to the mailing list versus directly back to the OP.)

^ permalink raw reply	[flat|nested] 22+ messages in thread

end of thread, other threads:[~2006-12-13 15:05 UTC | newest]
