* Re: Routing
2009-01-30 16:10 Routing tony.chamberlain
@ 2009-01-30 16:38 ` Bill Unruh
2009-01-30 18:06 ` Routing James Carlson
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Bill Unruh @ 2009-01-30 16:38 UTC (permalink / raw)
To: linux-ppp
On Fri, 30 Jan 2009, tony.chamberlain@lemko.com wrote:
> I have a machine, accessible from outside our company, running PPP.
> Its local IP address is 10.0.1.29 (the address it gets from PPP).
> I also have another machine whose IP address is 10.0.1.3 and also has
> an IP address of 192.168.5.88 connected to our local network.
>
> I can get to the 10.0.1.29 machine through an external IP address (which
> I won't list here, for security reasons) and from there ssh to 10.0.1.3
> and from 10.0.1.3 to the 192 network.
>
> I would like to be able to get right from 10.0.1.29 to the 192 network.
> On 10.0.1.3 I set the ip_forard (I forgot exactly what it is called) to 1
> and restarted the network.

192.168.x.x addresses are not forwarded by
routers. They are simply thrown away as private addresses. Now, you could on
the 10.0.1.29 put in a routing table telling it to send all such packets to
10.0.1.3, but if there are any routers in the way, they may well discard it.

>
> On 10.0.1.29 I did an
>
> ip route add '192.168.5.0/24' via 10.0.1.3 dev ppp0
> and
> ip route add '192.168.5.0/24' via 10.0.1.3
>
> tried both. It was entered successfully and showed up in "route -n" but
> when I tried from 10.0.1.29 to do for example
>
> ssh -l root 192.168.5.191

Do a traceroute on the ppp0 to see if the packet is going out (are you sure
that 10.0.1.3 is directly connected to 10.0.1.3 via ppp?)
You need to tell us exactly what the connection topology is.

>
> it wouldn't let me and couldn't connect (though it would work from 10.0.1.3).
>
> Did I miss something, or what else do I need to do?
>
> I somehow got this to work earlier between our 192.168.5 network and
> our 10.0.0.0 network where a machine (10.0.0.215/192.168.5.15) was on
> both networks, and I set its address (192.168.5.15) as default router
> for 192.168.5 networks and 10.0.0.215 for 10 networks.
>
> 192.168.5 mask is 255.255.255.0 and 10 network mask is 255.0.0.0
>
> Tony
* Re: Routing
From: James Carlson @ 2009-01-30 18:06 UTC (permalink / raw)
To: linux-ppp
Bill Unruh writes:
> 192.168.x.x addresses are not forwarded by
> routers. They are simply thrown away as private addresses.

That's not true without qualification. The correct statement is that
those "private" addresses are not forwardable on the open Internet.
The routes for the RFC 1918 address ranges don't exist by
administrative design, and the ranges are (sometimes) filtered at the
edges of provider networks.

However, no known router will discard them arbitrarily, so the
injunction against letting them pass through routers doesn't make
sense here.
--
James Carlson 42.703N 71.076W <carlsonj@workingcode.com>
* Re: Routing
From: James Carlson @ 2009-01-30 23:05 UTC (permalink / raw)
To: linux-ppp
tony.chamberlain@lemko.com writes:
> I have a machine, accessible from outside our company, running PPP.
> Its local IP address is 10.0.1.29 (the address it gets from PPP).
> I also have another machine whose IP address is 10.0.1.3 and also has
> an IP address of 192.168.5.88 connected to our local network.
>
> I can get to the 10.0.1.29 machine through an external IP address (which
> I won't list here, for security reasons) and from there ssh to 10.0.1.3
> and from 10.0.1.3 to the 192 network.

Unless that external IP address is actually a system routed on the
inside of some corporate network (where there's an overlay for the RFC
1918 ranges), what you're describing sounds very odd.

Typically, systems with RFC 1918 are accessible from the Internet only
through a NAT device that does some sort of static address and/or port
translation -- meaning that you use a _different_ address to reach it,
not the RFC 1918 address.

Are you perhaps misstating the addresses in use as some sort of
security measure, or is there more going on here than you're telling
us about?

> I would like to be able to get right from 10.0.1.29 to the 192 network.
> On 10.0.1.3 I set the ip_forard (I forgot exactly what it is called) to 1
> and restarted the network.

You'll also need routes on the 192 network to point back to the 10
network.

> ssh -l root 192.168.5.191
>
> it wouldn't let me and couldn't connect (though it would work from 10.0.1.3).
>
> Did I miss something, or what else do I need to do?

You likely missed the reverse routes I described above.
--
James Carlson 42.703N 71.076W <carlsonj@workingcode.com>
* routing
From: tony.chamberlain @ 2010-07-08 12:40 UTC (permalink / raw)
To: linux-ppp
I have three machines. One, Machine A, is in China and acts as a PPP server.
It has an external IP address that I ppp to from machine B. Machine
B is on our 192.168.5 network and has IP 192.168.5.27. It can get out
to Internet. When B ppp's to A, A gets 10.0.0.98 and B gets 10.0.0.26.
A and B need to exchange messages and have the from and to ips be correct
(which they are).

Now I have machine C, 192.168.5.139. I am trying to avoid having to install
PPP on it but it has to communicate with both B and A. B is, of course, no
problem. It can be reached via 192.168.5.27 and for some reason I cannot
figure out, 10.0.0.26 also works from C to B.

To get C to be able to communicate with A I did the following:

in C: ip route replace 10.0.0.98 via 192.168.5.27 # Route to 98 through 27
in A: ip route replace 192.168.5.139 via 10.0.0.26 # reverse
in B (more complicated):
    ip forward is set to 1
    iptables -t nat -A POSTROUTING -s 192.168.5.139 -o ppp0 -j MASQUERADE

This allows me to go to 10.0.0.98 from A and to 192.168.5.139 from C.
This works fine for ssh, scp, etc. However, when an IP message is sent
from A to C, it appears the return (or FROM) IP address is B (10.0.0.26)
not A (192.168.5.139) so when A tries to respond it sends to the wrong
location (B). I imagine it is because of the masquerade.

I can't change all incoming traffic for B to C because A also needs to
correspond with B. Is there any iptables command I can use to preserve
C's address, but also preserve B's address when the message is from B?
I can just install ppp on A but it is a pain in 5.4 and does not always
work right.

Thanks

p.s. and yes B and machines are CentOS 5.4 and A is 4.5
* Re: routing
From: James Carlson @ 2010-07-08 13:39 UTC (permalink / raw)
To: linux-ppp
tony.chamberlain@lemko.com wrote:
> I have three machines.

For what it's worth, it sounds a lot like these are basic IP routing
questions, and that the use of PPP is mostly immaterial. You might want
to try to find a mailing list that's more focussed on routing issues in
Linux.

> Now I have machine C, 192.168.5.139. I am trying to avoid having to install
> PPP on it but it has to communicate with both B and A. B is, of course, no
> problem. It can be reached via 192.168.5.27 and for some reason I cannot
> figure out, 10.0.0.26 also works from C to B.

There's always a reason for things. ;-} It would be good to understand
exactly what's going on there, because it may be related to the problems
you see. Showing some "netstat -rn" output might be a start.

> To get C to be able to communicate with A I did the following:
>
> in C: ip route replace 10.0.0.98 via 192.168.5.27 # Route to 98 through 27
> in A: ip route replace 192.168.5.139 via 10.0.0.26 # reverse

That along with the masquerading seems too complicated to me.

Assuming that static routing is somehow "required," I would have done
this on C:

    route add 10.0.0.0/24 192.168.5.27

because the 10 network is reachable through machine B. Then on machine
A, I would have:

    route add 192.168.5.0/24 10.0.0.26

and nothing else. No masquerading or any other tricks should be needed.
Just an IP path between those two systems ought to do the job. (For
good measure, you could add a blackhole route for 10.0.0.0/24, so that
misaddressed packets don't bounce around, but that's not strictly required.)

But that assumes static routing. I wouldn't do that on my network. I'd
just enable RIP-2 or OSPF and let it do its thing. It'll figure out the
routes.
--
James Carlson 42.703N 71.076W <carlsonj@workingcode.com>
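
The routing discussed in this thread (the reverse routes from the 2009 reply, and static routes versus MASQUERADE from the 2010 reply), as an added example that is not part of any poster's message: a toy hop-by-hop model in Python, using the thread's A/B/C addresses, that reports which source address the receiver sees and whether its reply has a route back. The function names, the /32 PPP peer routes and the forwarding flags are assumptions made for the illustration.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: next hop, "direct" for on-link, or None."""
    best = None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (not best or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def owner(hosts, addr):
    return next((n for n, h in hosts.items() if addr in h["addrs"]), None)

def deliver(hosts, src, dst, masq=None):
    """Source address the destination host sees, or None if the packet is dropped."""
    origin = node = owner(hosts, src)
    for _ in range(8):                           # hop limit
        host = hosts[node]
        if dst in host["addrs"]:
            return src
        hop = lookup(host["routes"], dst)
        if hop is None or (node != origin and not host["forward"]):
            return None                          # no route, or forwarding disabled
        if masq and node == masq["on"] and src == masq["match"]:
            src = masq["to"]                     # MASQUERADE rewrites the source
        node = owner(hosts, dst if hop == "direct" else hop)
        if node is None:
            return None
    return None

def topology(reverse_route_on_a):
    # Assumed model: addresses from the thread, /32 PPP peer routes, forwarding only on B.
    a = {"10.0.0.26/32": "direct"}
    if reverse_route_on_a:
        a["192.168.5.0/24"] = "10.0.0.26"        # the route suggested for machine A
    return {
        "A": {"addrs": {"10.0.0.98"}, "forward": False, "routes": a},
        "B": {"addrs": {"10.0.0.26", "192.168.5.27"}, "forward": True,
              "routes": {"10.0.0.98/32": "direct", "192.168.5.0/24": "direct"}},
        "C": {"addrs": {"192.168.5.139"}, "forward": False,
              "routes": {"192.168.5.0/24": "direct", "10.0.0.0/24": "192.168.5.27"}},
    }

MASQ = {"on": "B", "match": "192.168.5.139", "to": "10.0.0.26"}  # models the rule on B

def round_trip(hosts, src, dst, masq=None):
    seen = deliver(hosts, src, dst, masq)
    return seen, seen is not None and deliver(hosts, dst, seen) is not None
```

With the reverse route on A, round_trip(topology(True), "192.168.5.139", "10.0.0.98") reports C's own address and a working reply path; without it the reply has no route, and adding MASQ makes the reply deliverable only because A now sees 10.0.0.26 instead of C (the model stops at B and does not simulate conntrack translating the reply back).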