Problem with routing between interfaces

Kostko · 11-30-2003, 08:31 AM

Well, i have a problem setting up a vpn connection. The connection itself works, but one of the routers doesn't want to forward traffic between the two interfaces (vpn01 and eth1). The routing table seems correct and the /proc/sys/net/ipv4/ip_forward is set to 1.

Routing table:
213.250.19.90 dev ppp0 proto kernel scope link src 193.77.XXX.XXX
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
192.168.0.0/16 dev vpn01 proto kernel scope link src 192.168.0.1
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 213.250.19.90 dev ppp0

And also, there are no firewall rules preventing the routing (i tried flushing and it didn't help).

zaphodiv · 11-30-2003, 08:55 AM

The 192.168 blocks you are using overlap.
192.168.0.0/16 is 192.168.0.0 to 192.168.255.255
192.168.0.0/24 is 192.168.0.0 to 192.168.0.255

Having two different routes to 192.168.0.1-255 isn't going to work.

Kostko · 11-30-2003, 09:01 AM

well, if i delete the route to 192.168.0.0/16 and replace it with a route for 192.168.1.0/24 to vpn01 it doesn't work either...

and yes, the second router has routes:
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.0.0/16 dev vpn01 proto kernel scope link src 192.168.1.1

and there it works just fine...

zaphodiv · 11-30-2003, 12:22 PM

>well, if i delete the route to 192.168.0.0/16 and replace it with a route for 192.168.1.0/24 to vpn01 it doesn't work either...
It may be better if you give the vpn interface a different ip to the eth1 interface, ie make vpn01 192.168.1.1

Tell us about how you are testing.

What ip blocks are the clients on eth1 using? what are their netmask and gateway set to?
What ip blocks are the clients on the other end of the vpn using? what are their netmask and gateway set to?

You need the subnet mask and gateway set on the clients that that they think ip adresses on the other side of the vpn are outside their local subnet and the gateway for thoses ip is the ip of their local router.

Kostko · 11-30-2003, 12:32 PM

firt network:
subnet: 192.168.0.0/24
router ip (eth1): 192.168.0.1 netmask 255.255.255.0
router ip (vpn01): 192.168.0.1 netmask 255.255.0.0

second network:
subnet 192.168.1.0/24
router ip (eth0): 192.168.1.1 netmask 255.255.255.0
router ip (vpn01): 192.168.1.1 netmask 255.255.0.0

if i ping from router 1 to router 2 or lan behind it, it works. if i ping from router 2 to router 1 it works, but i can't reach the lan behind it. if i tcpdump eth1 and vpn01 on router 1 i see that the packets are not getting forwarded from vpn01 to eth1 and reverse.

and the tincd howto says that i can give vpn01 the same ip that the eth1 has, but i need to change the netmask. so i have done that

Kostko · 12-01-2003, 12:16 PM

so no more ideas or suggestions ?

chort · 12-01-2003, 01:47 PM

Make sure the metric on the 192.168.0.0/24 route is lower than the metric for the 192.168.0.0/16 route (I don't see the metrics in the information you posted above). Using a subnet of a network for a more specific route is fine, you just have to make sure the metric is lower.