LinuxQuestions.org
Old 10-08-2014, 04:15 PM   #1
DEF.
Member
 
Registered: Apr 2009
Posts: 96

Rep: Reputation: 23
How to access device on different subnet?


OK, I have read some of the previous forum posts and tried to apply what is there to this problem, but clearly I misunderstand and nothing seems to work.

I have a Linux device (A), a Linux VM on the A (B) and another Linux device C.

A can ping B and C. But B and C cannot ping each other. How can I make C able to see B and vice versa?



I assume this is a routing problem and have so far tried to add a route to C. I did this by adding an additional ip to the nic.

e.g.

updated /etc/network/interfaces as below (in Red)

Code:
auto lo

iface lo inet loopback
iface eth0 inet static
  address 192.168.1.81
  netmask 255.255.255.0
  gateway 192.168.1.1

auto eth0:0
iface eth0:0 inet static
  address 192.168.122.81
  netmask 255.255.255.0
  gateway 192.168.122.1

I then note that the additional route '192.168.122.0' appears in the route table (below in Red).

Below are the route tables for each device, where C includes the additional route.


Code:
A - Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         Cisco31915      0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0

Code:
B - Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.122.1   0.0.0.0         UG    0      0        0 eth0
192.168.122.0   *               255.255.255.0   U     0      0        0 eth0

Code:
C - Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.122.1   0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.122.0   *               255.255.255.0   U     0      0        0 eth0

Last edited by DEF.; 10-08-2014 at 04:25 PM.
 
Old 10-08-2014, 05:30 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,340

Rep: Reputation: Disabled
From what I understand, A is a hypervisor hosting B, and from the contents of the routing table on A it seems it also has a virtual NIC connected to an internal network where the virtual NIC of B is residing.

For C to be able to reach B and vice versa, two things must happen:
  1. A must act as a router
  2. C must have an entry in its routing table for the network 192.168.122.0/24, pointing to A
On A, make sure IP forwarding is enabled. Exactly how you accomplish that depends on your distribution, but you could try echo 1 > /proc/sys/net/ipv4/ip_forward as a quick-and-dirty solution (that won't survive a reboot). Additional configuration may be needed if rules in the iptables FORWARD chain (or the FORWARD policy) are set to block/drop traffic (iptables -L FORWARD will show both the policy and the ruleset).

On C, make sure 192.168.122.0/24 is routed to A's IP address. Again, for a permanent fix you'll have to edit your configuration files, but route add -net 192.168.122.0/24 gw <IP_address_of_A> should do as a quick fix.

Adding a second IP address in the 192.168.122.0/24 network to C's NIC, as you tried, is not the same as adding a route. It will only cause the 192.168.122.0/24 network to exist in two different places: in the virtual environment inside A, and on the outside network connecting A and C. That would be an invalid IP configuration, as an IP network can only exist in one place.

Also, having two default gateways on the same system won't work at all, as you're telling the IP stack to send any traffic not specifically routed elsewhere through two different routers. That will actually cause the IP stack to load balance outbound traffic across both gateways, which is almost certainly not what you want.
 
2 members found this post helpful.
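
Added example (not part of the thread and not any poster's code): a longest-prefix route lookup run over C's routing table as posted in #1 and as posted later in #3, showing why the second IP address makes C treat 192.168.122.0/24 as on-link instead of sending the traffic to A. B's address 192.168.122.50 is a made-up sample; the thread never gives it.

```python
import ipaddress

# C's table from post #1: a second address on eth0 puts both /24s on-link.
C_BEFORE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.122.1   0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.122.0   *               255.255.255.0   U     0      0        0 eth0
"""

# C's table from post #3: 192.168.122.0/24 is reached through A (dw-desk-lin).
C_AFTER = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         Cisco31915      0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.122.0   dw-desk-lin     255.255.255.0   UG    0      0        0 eth0
"""

def parse_route_table(text):
    """Return (network, gateway-or-None, iface) for each row of `route` output."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        dest = "0.0.0.0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(f"{dest}/{fields[2]}")
        except ValueError:
            continue  # header row or malformed line
        gateway = None if fields[1] == "*" else fields[1]
        routes.append((net, gateway, fields[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gateway, iface = max(hits, key=lambda r: r[0].prefixlen)
    return ("on-link" if gateway is None else gateway, iface)

B_ADDR = "192.168.122.50"  # made-up sample address for B

if __name__ == "__main__":
    print("before:", lookup(parse_route_table(C_BEFORE), B_ADDR))
    print("after: ", lookup(parse_route_table(C_AFTER), B_ADDR))
```

With the first table C resolves B directly on its own Ethernet segment, where B does not exist; with the second it hands the packet to A.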
Old 10-09-2014, 04:19 AM   #3
DEF.
Member
 
Registered: Apr 2009
Posts: 96

Original Poster
Rep: Reputation: 23
Thanks for your reply.

I think I understand, so packets leave C destined for A (the gateway) where A routes these to B - makes sense I guess!

I have tried what you said but still not working. So far I have done the following:

1. Edited /etc/sysctl.conf and uncommented net.ipv4.ip_forward=1 (this is on A, the Host, which is an Ubuntu 14.04 distro).
2. Add a route to C as you stated e.g. sudo route add -net 192.168.122.0/24 gw 192.168.1.108 (where gw is the ip address of A).
3. Restarted the network on A e.g. sudo service network-manager restart.

On C I can now see the additional route e.g.

Code:
C - Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         Cisco31915      0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.122.0   dw-desk-lin     255.255.255.0   UG    0      0        0 eth0

However, when I try to ping B from C it fails (although it fails instantly rather than waiting). Interestingly, a ping from B to C is now fine?

I noted on A the iptables e.g.

Code:
sudo iptables -L FORWARD

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

But I have no idea what this means or if it is correct. Are those in Red my problem?

Last edited by DEF.; 10-09-2014 at 04:59 AM.
 
Old 10-09-2014, 07:59 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,340

Rep: Reputation: Disabled
As you can now successfully ping host C from host B, routing must be working in both directions. That leaves firewall settings.

The rules in red are indeed the problem. It may seem like the "ACCEPT" rule immediately preceding those rules should prevent any packet from ever reaching the two "REJECT" rules, but iptables -L doesn't fully list every match criterion associated with a rule. However, the iptables-save command does list everything, and should tell you what you need to know.

(Again, you can do a quick test by temporarily clearing the iptables FORWARD chain entirely with iptables -F FORWARD. That would leave only the "ACCEPT" policy in place, which should let all traffic through.)
 
1 members found this post helpful.
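
Added example (not part of the thread and not any poster's code): a first-match evaluator over iptables-save style FORWARD rules, showing how interface matches that iptables -L hides decide which rule a packet hits. The ruleset is constructed to agree with the listing in post #3; its -i/-o matches are an assumption, since the thread never shows them, and B's address 192.168.122.50 is a made-up sample.

```python
import ipaddress
import shlex

# Constructed ruleset: same sources, destinations and targets as the
# `iptables -L FORWARD` listing in post #3; the -i/-o matches are ASSUMED.
SAVED = """\
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""

KEYS = ("-s", "-d", "-i", "-o", "-j", "--ctstate")

def parse_rules(text, chain="FORWARD"):
    """Keep only the options this sketch understands (no '!' negation)."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain]:
            continue
        rules.append({tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i] in KEYS})
    return rules

def matches(rule, pkt):
    """True when every match option present in the rule agrees with the packet."""
    for opt, field in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[opt]):
            return False
    for opt, field in (("-i", "in"), ("-o", "out")):
        if opt in rule and rule[opt] != pkt[field]:
            return False
    return "--ctstate" not in rule or pkt["state"] in rule["--ctstate"].split(",")

def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins; return (rule number, target) or (0, policy)."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return number, rule["-j"]
    return 0, policy

RULES = parse_rules(SAVED)
B, C = "192.168.122.50", "192.168.1.81"  # B's address is a made-up sample
C_TO_B_NEW = {"src": C, "dst": B, "in": "eth0", "out": "virbr0", "state": "NEW"}
B_TO_C_NEW = {"src": B, "dst": C, "in": "virbr0", "out": "eth0", "state": "NEW"}
C_TO_B_REPLY = dict(C_TO_B_NEW, state="ESTABLISHED")

if __name__ == "__main__":
    for name, pkt in (("C->B new", C_TO_B_NEW), ("B->C new", B_TO_C_NEW), ("C->B reply", C_TO_B_REPLY)):
        print(name, verdict(RULES, pkt))
```

Under these assumed rules a new connection from C towards B falls through to the first REJECT, while traffic B starts and the replies to it are accepted by the first two rules.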
Old 10-16-2014, 08:32 AM   #5
DEF.
Member
 
Registered: Apr 2009
Posts: 96

Original Poster
Rep: Reputation: 23
Sorry I have not replied - been distracted with a requirement to add WiFi on C (this is now done).


OK, so I have IP forwarding enabled. I have a route on C as described above. I have temporarily disabled the REJECTS in the iptables with sudo iptables -F. But still C cannot ping B (but B can ping C - A can ping both C and B)?


My sudo iptables-save currently looks like this:

Code:
# Generated by iptables-save v1.4.21 on Thu Oct 16 14:29:48 2014
*nat
:PREROUTING ACCEPT [2397:821337]
:INPUT ACCEPT [116:15624]
:OUTPUT ACCEPT [738:50641]
:POSTROUTING ACCEPT [745:53051]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Oct 16 14:29:48 2014
# Generated by iptables-save v1.4.21 on Thu Oct 16 14:29:48 2014
*mangle
:PREROUTING ACCEPT [8701:3764548]
:INPUT ACCEPT [6286:2918077]
:FORWARD ACCEPT [140:15220]
:OUTPUT ACCEPT [4795:646028]
:POSTROUTING ACCEPT [5117:686890]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Oct 16 14:29:48 2014
# Generated by iptables-save v1.4.21 on Thu Oct 16 14:29:48 2014
*filter
:INPUT ACCEPT [5401:2705075]
:FORWARD ACCEPT [34:3505]
:OUTPUT ACCEPT [4227:593497]
COMMIT
# Completed on Thu Oct 16 14:29:48 2014

What should I try next?

Last edited by DEF.; 10-16-2014 at 08:52 AM.
 
  



Tags
linux, network, routing, subnet


