bidirectional forwarding

bidirectional forwarding

[Itrat Rasod Quadri]

Hello,

I have setup linux routers as shown below

PC1               R1           R2           R3           R4            PC2
|---------------|   |-------|    |--------|   |--------|   |-----------|
192.168.10.2   .1  12.1    12.2 13.1     13.2 16.1    16.2 11.1       11.2
e0             e0   e1     e0   e1        e0  e1       e0  e1          e0

I am able to send traffic from PC1 to PC2 but I am unable to receive the 
response beyond R3. I am able to set up a bi directional path from R1 to R4 
but unbelievably I can't seem to do the same for PC1 and PC2. Response from a 
ping from PC2 doesn't go beyond e0 of R3.

I have the following settings at R3

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -d 192.168.11.2 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.11.2 -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.11.2 -j ACCEPT
iptables -A INPUT -i eth1 -d 192.168.10.2 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.10.2 -j ACCEPT
iptables -A OUTPUT -i eth0 -d 192.168.10.2 -j ACCEPT

I have set the default route as

route add default gw 192.168.16.2 dev eth1

Using tcpdump I can see the ping response at eth1 of R3 but it doesn't go 
beyond that. I tried to add another default route for eth0 as

route add default gw 192.168.13.1 dev eth0

but then the traffic from PC1 doesn't go beyond eth0. Any help will be most 
welcome.

Thanks in advance.

Re: bidirectional forwarding

[Antony Stone]

On Wednesday 28 July 2004 2:20 am, Itrat Rasod Quadri wrote:

> Hello,
>
> I have setup linux routers as shown below
>
> PC1               R1           R2           R3           R4            PC2
>
> |---------------|   |-------|    |--------|   |--------|   |-----------|
>
> 192.168.10.2   .1  12.1    12.2 13.1     13.2 16.1    16.2 11.1       11.2
> e0             e0   e1     e0   e1        e0  e1       e0  e1          e0
>
> I am able to send traffic from PC1 to PC2 but I am unable to receive the
> response beyond R3. I am able to set up a bi directional path from R1 to R4
> but unbelievably I can't seem to do the same for PC1 and PC2. Response from
> a ping from PC2 doesn't go beyond e0 of R3.

I suspect this is almost certainly a routing table problem (on one or more of 
the systems involved).

Quickest way to eliminate netfilter as a cause of the problem is:

iptables -A FORWARD -p icmp -j ACCEPT

as a temporary rule on whichever of the above machines are running netfilter.

Sig below chosen specifically for this email.

Regards,

Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

                                                     Please reply to the list;
                                                           please don't CC me.

RE: bidirectional forwarding

[Jason Opperisano]

> PC1               R1           R2           R3           R4            PC2
> |---------------|   |-------|    |--------|   |--------|   |-----------|
> 192.168.10.2   .1  12.1    12.2 13.1     13.2 16.1    16.2 11.1       11.2
> e0             e0   e1     e0   e1        e0  e1       e0  e1          e0

assuming:

  default gw of pc1 is 10.1
  default gw of r1 is 12.2

  default gw of pc2 is 11.1
  default gw of r4 is 16.1

both r2 & r3 will need static routes telling them how to get to networks 10 and 11:

on r2:

  192.168.10.0/24 via 192.168.12.1
  192.168.11.0/24 via 192.168.13.2

on r3:

  192.168.10.0/24 via 192.168.13.1
  192.168.11.0/24 via 192.168.16.2

the output of:

  ip route get 192.168.10.2
  ip route get 192.168.11.2

on r2 and r3 should clue you in to where the packets are going.

HTH...

-j

Re: bidirectional forwarding

[Frans Luteijn]

Jason Opperisano schreef:

> > PC1               R1           R2           R3           R4            PC2
> > |---------------|   |-------|    |--------|   |--------|   |-----------|
> > 192.168.10.2   .1  12.1    12.2 13.1     13.2 16.1    16.2 11.1       11.2
> > e0             e0   e1     e0   e1        e0  e1       e0  e1          e0
>
> assuming:
>
>   default gw of pc1 is 10.1
>   default gw of r1 is 12.2
>
>   default gw of pc2 is 11.1
>   default gw of r4 is 16.1
>
> both r2 & r3 will need static routes telling them how to get to networks 10 and 11:
>
> on r2:
>
>   192.168.10.0/24 via 192.168.12.1
>   192.168.11.0/24 via 192.168.13.2

How cat r2 reach your 16-network? you will need to add a routing for
that network to.

>
>
> on r3:
>
>   192.168.10.0/24 via 192.168.13.1
>   192.168.11.0/24 via 192.168.16.2

Same for r3, but now for your 12-network.

>
>
> the output of:
>
>   ip route get 192.168.10.2
>   ip route get 192.168.11.2
>
> on r2 and r3 should clue you in to where the packets are going.
>
> HTH...
>
> -j

Routingprotocols are designed for this kind of problem, to get this
resolved
automaticly. In this case you might look at zebra.

Regards,
--
Frans Luteijn
PGP PblKey fprnt=C4 87 CE AF BC B6 98 C1  EF 42 A1 9A E2 C0 42 5B
GPG PblKey fprnt=ED20 0F25 C233 DC59 3FFA  170E D0BF 15F5 0BA6 1355

RE: bidirectional forwarding

[Jason Opperisano]

> Jason Opperisano schreef:
>
> > > PC1               R1           R2           R3           R4            PC2
> > > |---------------|   |-------|    |--------|   |--------|   |-----------|
> > > 192.168.10.2   .1  12.1    12.2 13.1     13.2 16.1    16.2 11.1       11.2
> > > e0             e0   e1     e0   e1        e0  e1       e0  e1          e0
> >
> > assuming:
> >
> >   default gw of pc1 is 10.1
> >   default gw of r1 is 12.2
> >
> >   default gw of pc2 is 11.1
> >   default gw of r4 is 16.1
> >
> > both r2 & r3 will need static routes telling them how to get to networks 10 and 11:
> >
> > on r2:
> >
> >   192.168.10.0/24 via 192.168.12.1
> >   192.168.11.0/24 via 192.168.13.2
>
> How cat r2 reach your 16-network? you will need to add a routing for
> that network to.

why does r2 need to know how to get to the 16 network?  IIRC--the OP never indicated an interest in a "fully-routed" environment.  as long as 10.2 can talk to 11.2 and vice versa--everyone's happy.  the transport networks are irrelevant to the solution and would only serve to distract from the real problem.

>
> Routingprotocols are designed for this kind of problem, to get this
> resolved
> automaticly. In this case you might look at zebra.

uh huh.  my personal opinion is that dynamic routing protocols on firewalls are a Bad Idea (tm), and should only be used when necessary (in networks with redundant paths that must be learned automatically).  the scenario above does not meet this criteria.  also, (again my opinion)--routing transport networks (i.e. networks that will never have traffic that sources from or is destined to them) is just a waste of time.  finally, i think if people took the time to understand how to statically route an environment before spewing "redistribute everything" statements all over their router configs--they might actually end up understanding what's going on.

not saying that the OP might not *want* a fully routed environment, but saying that these additional routes are *needed* is simply not correct, and will only serve to continue to confuse those that have a hard enough time understanding routing to begin with (not implying that i'm not in that group myself).  :-D

-j

Re: bidirectional forwarding

[James Sneeringer]

On Wed, Jul 28, 2004 at 04:20:53AM +0300, Itrat Rasod Quadri wrote:
> I have setup linux routers as shown below
> 
> PC1               R1           R2           R3           R4            PC2
> |---------------|   |-------|    |--------|   |--------|   |-----------|
> 192.168.10.2   .1  12.1    12.2 13.1     13.2 16.1    16.2 11.1       11.2
> e0             e0   e1     e0   e1        e0  e1       e0  e1          e0
> 
> I am able to send traffic from PC1 to PC2 but I am unable to receive the 
> response beyond R3. I am able to set up a bi directional path from R1 to R4 
> but unbelievably I can't seem to do the same for PC1 and PC2. Response from a 
> ping from PC2 doesn't go beyond e0 of R3.
> 
> I have the following settings at R3

It would also help to see the routing table for R3: "route -n"

> iptables -F
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -A INPUT -i eth0 -d 192.168.11.2 -j ACCEPT
> iptables -A FORWARD -i eth0 -d 192.168.11.2 -j ACCEPT
> iptables -A OUTPUT -o eth1 -d 192.168.11.2 -j ACCEPT
> iptables -A INPUT -i eth1 -d 192.168.10.2 -j ACCEPT
> iptables -A FORWARD -i eth1 -d 192.168.10.2 -j ACCEPT
> iptables -A OUTPUT -i eth0 -d 192.168.10.2 -j ACCEPT
                     ^^
I think you meant for the last line to be "-o eth0".  Without it, you are
not permitting locally-originated outbound traffic from R3 to 192.168.10.2.
However, the OUTPUT chain is not consulted for routed traffic (only the
FORWARD chain is), so that isn't your problem here.

> I have set the default route as
> 
> route add default gw 192.168.16.2 dev eth1
> 
> Using tcpdump I can see the ping response at eth1 of R3 but it doesn't go 
> beyond that. I tried to add another default route for eth0 as
> 
> route add default gw 192.168.13.1 dev eth0
> 
> but then the traffic from PC1 doesn't go beyond eth0. Any help will be most 
> welcome.

Your default route should only point to the host (or hosts) that you need
to go through to get to the rest of the world.  Unless both R2 and R4 have
Internet connections, you don't want to do this.

Try this, instead:

    R3# route add -host 192.168.10.2 gw 192.168.13.1 dev eth0
    R3# route add -host 192.168.11.2 gw 192.168.16.2 dev eth1

You can get from R1 to R4 because R3 probably has a route to get to R1
(192.168.12.1/32 or 192.168.12.0/30 or whatever).  However, R3 does not
have a route to PC1's network.

-James