LinuxQuestions.org
Old 11-13-2006, 08:28 AM   #1
Cypher12
LQ Newbie
 
Registered: Sep 2006
Location: Toronto, Canada
Distribution: Gentoo, Fedora Core
Posts: 18

Rep: Reputation: 0
Static Route Problem


Hello all,

I have a situation and could really use some assistance ... allow me to elaborate:

My computer on "Network A" has to communicate with other computers on Network B. It does this through "Linux Box 1", which has a static route to "Linux Box 2", which in turn has a direct connection (via eth1) to "Network B" .... it's a lot easier if I just draw a diagram:

Mask Values:
Network A : 255.255.255.0
Network B: 255.255.255.192
Code:
Internet <-----------> "LinuxBox1" 
                [WAN]      |[192.168.22.48]                                     
                           |                           
                           |[192.168.22.230](gw 192.168.22.48)
                           |<----------"Network A computer"
                           |
                           |[192.168.22.209]
                       "LinuxBox2"
           [192.168.33.193]| 
                           |
                           |[192.168.33.194]
                           <-----------"Network B computer"
*****************************************
To make things simple my Network A computer has its gateway set to "LinuxBox1" and, as you have probably guessed, my "Network A" computers are not able to communicate (i.e. ping) with my Network B computers. Does anybody have a clue as to what may be my problem? ... really I am at the early "brain-storming" stage .. so any ideas may help. I just don't want to have to manually set a static route on each computer in "Network A" to the "LinuxBox2" (I mean I really don't think that's the most practical solution). I was told to look up a "sysctl.conf" file ... I don't know what that file governs ... don't even know if that's the right course of action, but I will investigate it in the mean time.

Thanks for your help in advance
Take Care

Last edited by Cypher12; 11-13-2006 at 03:48 PM.
 
Old 11-13-2006, 08:33 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 39,835

Rep: Reputation: 1118
It all generally looks fine. I'd make your first port of call a mission to run tcpdump or wireshark on both routers and try to ping from A to B and see what you see.
 
Old 11-13-2006, 08:38 AM   #3
Samotnik
Member
 
Registered: Jun 2006
Location: Belarus
Distribution: Debian GNU/Linux testing/unstable
Posts: 469

Rep: Reputation: 40
Output of ping on network A computer?
Output of route on LinuxBox2?
Output of iptables -L on both network A computer and LinuxBox2?
 
Old 11-13-2006, 11:05 AM   #4
Cypher12
LQ Newbie
 
Registered: Sep 2006
Location: Toronto, Canada
Distribution: Gentoo, Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
Hello,

Thank you for attempting to help ...

*******************************************
Output of ping on Network A Computer
*******************************************
Code:
prompt# ping 192.168.33.193
PING 192.168.33.193 (192.168.33.193) 56(84) bytes of data.
So nothing really happens .. I mean no echo request reports back...

************************************
Output of Route on LinuxBox 2
************************************
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.33.192  itsa193         255.255.255.192 UG    0      0        0 eth1
192.168.33.192  *               255.255.255.192 U     0      0        0 eth1
192.168.22.0    192.168.22.209  255.255.255.0   UG    0      0        0 eth0
192.168.22.0    *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.22.48   0.0.0.0         UG    0      0        0 eth0
**************************************************
Output of iptables -L on Network A Computer
**************************************************
Code:
prompt# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
log_fw_service  all  --  anywhere             anywhere
fw_service  all  --  anywhere             anywhere
log_PING   all  --  anywhere             anywhere
PING       all  --  anywhere             anywhere
log_SNMP   all  --  anywhere             anywhere
SNMP       all  --  anywhere             anywhere
log_HTTPS  all  --  anywhere             anywhere
HTTPS      all  --  anywhere             anywhere
log_REMOTE_SSH  all  --  anywhere             anywhere
REMOTE_SSH  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:1024:65535
ACCEPT     tcp  --  anywhere             anywhere            tcp multiport dports ssh,https
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
*****************************************
Output of iptables -L on LinuxBox2
*****************************************
Code:
itsa193 ndadm # /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fw_service  all  --  anywhere             anywhere
log_PING   all  --  anywhere             anywhere
PING       all  --  anywhere             anywhere
log_SNMP   all  --  anywhere             anywhere
SNMP       all  --  anywhere             anywhere
log_HTTPS  all  --  anywhere             anywhere
HTTPS      all  --  anywhere             anywhere
log_REMOTE_SSH  all  --  anywhere             anywhere
REMOTE_SSH  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:1024:65535
ACCEPT     tcp  --  anywhere             anywhere            tcp multiport dports ssh,https
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
DROP       icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       udp  --  anywhere             anywhere            state NEW
DROP       tcp  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere

Thank-you again
Take Care
 
Old 11-13-2006, 11:25 AM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Is IP forwarding enabled on both machines?

If you ping machines on network B from LinuxBox1, does it work?

Can you ping LinuxBox2 from LinuxBox1?
 
Old 11-13-2006, 12:00 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 39,835

Rep: Reputation: 1118
/me would still like tcpdumps on both boxes for icmp traffic.
 
Old 11-13-2006, 12:28 PM   #7
Cypher12
LQ Newbie
 
Registered: Sep 2006
Location: Toronto, Canada
Distribution: Gentoo, Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
Hello again,

Quote:
Is IP-forwarding on?
Yes, actually I enabled it on all machines:
Code:
prompt# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
*******************************
Quote:
If you ping machines on network B from LinuxBox1, does it work?
No, unfortunately it does not work that way either.

********************************
Quote:
Can you ping LinuxBox2 from LinuxBox1?
Yes .. pinging LinuxBox2 from LinuxBox1 does work ... in fact, for clarity .. I can ping both of LinuxBox2's NICs from LinuxBox1. For example:

From LinuxBox 1 (pinging eth0 on LinuxBox2):
Code:
prompt# ping 192.168.22.209
PING 192.168.22.209 (192.168.22.209) 56(84) bytes of data.
64 bytes from 192.168.22.209: icmp_seq=1 ttl=64 time=0.855 ms
64 bytes from 192.168.22.209: icmp_seq=2 ttl=64 time=0.371 ms
64 bytes from 192.168.22.209: icmp_seq=3 ttl=64 time=0.393 ms

--- 192.168.22.209 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.371/0.539/0.855/0.224 ms
******************************
Again From LinuxBox 1(pinging eth1 on LinuxBox2):
Code:
prompt# ping 192.168.33.193
PING 192.168.33.193 (192.168.33.193) 56(84) bytes of data.
64 bytes from 192.168.33.193: icmp_seq=1 ttl=64 time=2.96 ms
64 bytes from 192.168.33.193: icmp_seq=2 ttl=64 time=0.354 ms
64 bytes from 192.168.33.193: icmp_seq=3 ttl=64 time=0.368 ms

--- 192.168.33.193 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.354/1.228/2.964/1.227 ms
*********************************

But again, it's LinuxBox1 that has the static route defined in it to see LinuxBox2's 192.168.33.192 network card. For example, I added this on LinuxBox1:

Code:
/sbin/route add -net 192.168.33.192 netmask 255.255.255.192 gw 192.168.22.209
***********************************
Thanks again
Take care
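What the configuration in the posts above has to achieve (ip_forward on the boxes in the path plus the static route on LinuxBox1) can be checked mechanically. The following is an added example written for this page, not code from the thread: each box is modelled as a routing table plus its ip_forward flag, and a packet is walked hop by hop from a Network A host to a Network B host until it is delivered or stuck. The addresses, masks, gateways and the static route are the ones posted in the thread; LinuxBox1's WAN address and upstream next hop (203.0.113.0/24, a documentation range) are assumptions, and the model covers only the routing decision, not any FORWARD-chain filtering.

```python
"""Hop-by-hop forwarding trace for the two-router layout in this thread.

Added example, not code from the thread. Each box is a routing table plus an
ip_forward flag. Addresses and the static route are the posted ones;
LinuxBox1's WAN side (203.0.113.0/24) is an assumed placeholder.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    iface: str
    via: Optional[IPv4Address] = None   # None = directly connected


@dataclass
class Host:
    name: str
    addrs: dict          # iface name -> IPv4Address
    routes: list
    ip_forward: bool = False

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match, the rule the kernel FIB applies."""
        cands = [r for r in self.routes if dst in r.dest]
        return max(cands, key=lambda r: r.dest.prefixlen, default=None)

    def iface_for(self, addr: IPv4Address) -> Optional[str]:
        for name, a in self.addrs.items():
            if a == addr:
                return name
        return None


def R(dest, iface, via=None):
    return Route(ip_network(dest), iface, ip_address(via) if via else None)


def A(s):
    return ip_address(s)


def build_net(lb1_static_route=True, lb1_forward=True):
    """Topology from the thread; the flags let you break it on purpose."""
    lb1_routes = [R("192.168.22.0/24", "eth1"),
                  R("0.0.0.0/0", "eth0", "203.0.113.1")]      # assumed WAN default
    if lb1_static_route:
        # route add -net 192.168.33.192 netmask 255.255.255.192 gw 192.168.22.209
        lb1_routes.append(R("192.168.33.192/26", "eth1", "192.168.22.209"))
    hosts = [
        Host("NetA-PC", {"eth0": A("192.168.22.230")},
             [R("192.168.22.0/24", "eth0"), R("0.0.0.0/0", "eth0", "192.168.22.48")]),
        Host("LinuxBox1", {"eth0": A("203.0.113.2"), "eth1": A("192.168.22.48")},
             lb1_routes, ip_forward=lb1_forward),
        Host("LinuxBox2", {"eth0": A("192.168.22.209"), "eth1": A("192.168.33.193")},
             [R("192.168.22.0/24", "eth0"), R("192.168.33.192/26", "eth1"),
              R("0.0.0.0/0", "eth0", "192.168.22.48")], ip_forward=True),
        Host("NetB-PC", {"eth0": A("192.168.33.194")},
             [R("192.168.33.192/26", "eth0"), R("0.0.0.0/0", "eth0", "192.168.33.193")]),
    ]
    return {h.name: h for h in hosts}


def trace(net, src_name, dst, max_hops=8):
    """Return (path, status, notes); status is 'delivered' or why it stopped."""
    dst = ip_address(dst)
    cur = net[src_name]
    in_iface = None                      # None while still on the sender
    path, notes = [cur.name], []
    for _ in range(max_hops):
        if cur.iface_for(dst):
            return path, "delivered", notes
        if in_iface is not None and not cur.ip_forward:
            return path, f"{cur.name}: ip_forward=0, transit packet dropped", notes
        rt = cur.lookup(dst)
        if rt is None:
            return path, f"{cur.name}: no route to {dst}", notes
        if in_iface == rt.iface:
            # Sent back out the interface it came in on: this is the case in
            # which a Linux router with send_redirects=1 emits an ICMP redirect.
            notes.append(f"{cur.name} forwards {dst} back out {rt.iface} (ICMP redirect case)")
        nexthop = rt.via or dst
        nxt = next((h for h in net.values() if h.iface_for(nexthop)), None)
        if nxt is None:
            return path, f"{cur.name}: next hop {nexthop} via {rt.iface} is outside the model", notes
        in_iface = nxt.iface_for(nexthop)
        cur = nxt
        path.append(cur.name)
    return path, "hop limit exceeded (loop?)", notes


if __name__ == "__main__":
    for kw in ({}, {"lb1_static_route": False}, {"lb1_forward": False}):
        path, status, notes = trace(build_net(**kw), "NetA-PC", "192.168.33.194")
        print(kw or "as posted", "->", " > ".join(path), "|", status, "|", notes)
    print(trace(build_net(), "NetB-PC", "192.168.22.230"))
```

Two things the trace makes visible that the thread only circles around. First, LinuxBox1 receives the packet on eth1 and sends it back out eth1 towards 192.168.22.209, which is exactly the situation in which a Linux router emits an ICMP redirect (net.ipv4.conf.*.send_redirects) and a host with accept_redirects=1 would then learn the shorter path by itself; without the static route the same packet instead leaves via the default route towards the WAN. Second, the reply from Network B goes LinuxBox2 to the Network A host directly, so the two directions take different paths and any stateful filter that sits only on LinuxBox1 sees one half of the conversation.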
 
Old 11-13-2006, 12:45 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
What's the default gateway on a Network B machine?

Have you tested Network B machines to make sure they can actually reach the Internet? Can you try to tracepath to www.google.com or something else on the Internet from a Network B machine?

It does not make sense that machines on Network B would be able to route packets to the Internet and back through LB1, but LB1 would not be able to ping those machines, unless LB2 is NAT'ing the traffic from eth1 out eth0, or if LB2 has another connection that is allowing packets back from the Internet to bypass LB1.
 
Old 11-13-2006, 12:56 PM   #9
Cypher12
LQ Newbie
 
Registered: Sep 2006
Location: Toronto, Canada
Distribution: Gentoo, Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
Hello again,

Here are some tcpdumps:

In this attempt I will try to communicate from the Network A computer (IP 192.168.22.230, gw 192.168.22.48) to LinuxBox2's 33 network card:

From Network A computer (192.168.22.230):
Code:
prompt# ping 192.168.33.193
PING 192.168.33.193 (192.168.33.193) 56(84) bytes of data.
*Remember, LinuxBox1 (192.168.22.48) is the gateway for this computer (192.168.22.230).

**Also, you will note that a "no route to host" warning is NOT
generated .. which I think is somewhat significant here.

*******************************************************************
tcpdump output of LinuxBox1 (while ping 192.168.33.193 from Network A computer 192.168.22.230)
*******************************************************************
Code:
prompt# /usr/sbin/tcpdump -i eth1 | grep echo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
14:25:07.129610 IP 192.168.22.230 > 192.168.33.193: ICMP echo request, id 8533, seq 597, length 64
14:25:08.129887 IP 192.168.22.230 > 192.168.33.193: ICMP echo request, id 8533, seq 598, length 64
14:25:09.130165 IP 192.168.22.230 > 192.168.33.193: ICMP echo request, id 8533, seq 599, length 64
14:25:09.307669 IP ndssrv48 > 192.168.22.223: ICMP echo request, id 22372, seq 1, length 64
14:25:09.307894 IP 192.168.22.223 > ndssrv48: ICMP echo reply, id 22372, seq 1, length 64
14:25:10.130482 IP 192.168.22.230 > 192.168.33.193: ICMP echo request, id 8533, seq 600, length 64
14:25:11.130729 IP 192.168.22.230 > 192.168.33.193: ICMP echo request, id 8533, seq 601, length 64
14:25:12.131022 IP 192.168.22.230 > 192.168.33.193: ICMP echo request, id 8533, seq 602, length 64
14:25:13.131299 IP 192.168.22.230 > 192.168.33.193: ICMP echo request, id 8533, seq 603, length 64
14:25:14.131575 IP 192.168.22.230 > 192.168.33.193: ICMP echo request, id 8533, seq 604, length 64
*I don't know why there was an echo-request/echo-reply sent to 223; though they both reside on Network A, it is still another computer on Network A (192.168.22.230) that is doing the pinging.

**I added the grep for echo, to keep things cleaner ... hope that is okay?

*******************************************************************
tcpdump output of LinuxBox2 BOTH interfaces (while ping 192.168.33.193 from Network A computer 192.168.22.230)
*******************************************************************
Code:
/usr/sbin/tcpdump -i eth0 | grep echo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
******************************
Code:
/usr/sbin/tcpdump -i eth1 | grep echo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
**************************************
So it seems as though the echo-request are not getting re-directed over from LinuxBox1 to LinuxBox2.

Thanks again and I apologize for the long post
Take Care

Last edited by Cypher12; 11-14-2006 at 08:33 AM.
 
Old 11-13-2006, 01:45 PM   #10
Cypher12
LQ Newbie
 
Registered: Sep 2006
Location: Toronto, Canada
Distribution: Gentoo, Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
Hello again,

No, a computer on Network B cannot reach the internet .. however a computer on Network B can ping LinuxBox1, which has a direct connection to the internet, so I don't know how that can be explained?

So to clarify, a computer on Network A:
Quote:
1. Can ping LinuxBox1 (192.168.22.48)
2. Can access the internet
3. Can ping the 192.168.22.209 interface on LinuxBox2
4. Cannot ping the 192.168.33.193 interface on LinuxBox2
A computer on Network B:
Quote:
1. Can ping LinuxBox1 (192.168.22.48)
2. Cannot access the internet
3. Can ping the 192.168.22.209 interface on LinuxBox2
4. Can ping the 192.168.33.193 interface on LinuxBox2
********************************************************
Additionally, performing a tracepath to google.com produces (after a short delay):
Code:
prompt# traceroute google.com
unknown host google.com
Also the default gateway for a Network B machine is LinuxBox2's 33 network interface, that is the interface 192.168.33.193.

Thanks for your time
Take Care

Last edited by Cypher12; 11-13-2006 at 01:48 PM.
 
Old 11-13-2006, 02:48 PM   #11
Cypher12
LQ Newbie
 
Registered: Sep 2006
Location: Toronto, Canada
Distribution: Gentoo, Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
Hello again,

Do I need to enable IP masquerading for my problem?

Thanks
 
Old 11-13-2006, 02:50 PM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Try tracepath to 66.102.7.99 from Network B.

I know you said IP forwarding is on, but it really seems like LB2 is not forwarding packets that didn't originate from itself.
 
Old 11-13-2006, 03:43 PM   #13
Cypher12
LQ Newbie
 
Registered: Sep 2006
Location: Toronto, Canada
Distribution: Gentoo, Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
Hello again,

I attempted from a Network B machine (IP: 192.168.33.194):
Code:
prompt# tracepath 66.102.7.99
1: send failed
Resume pmtu
**ALSO: I think what I am looking for is a functionality called ICMP redirect, if anybody has heard of this; specifically how I need to get it enabled on my system, that would probably be the key to this puzzle.

Thanks again
Take Care
 
Old 11-13-2006, 03:53 PM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Seems like LB2 is filtering out some ICMP traffic. Looking at your iptables it's a bit confusing to tell which rule is taking precedence.

Code:
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
DROP       icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       udp  --  anywhere             anywhere            state NEW
DROP       tcp  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere
Is iptables first-match, or last-match? I'm not sure. If it's first-match it seems that you're dropping all ICMP that isn't an echo-reply (which would rule out ttl-exceeded I believe), and if it's last-match it would be dropping everything (!?!) from the last rule: DROP all -- anywhere anywhere. So either way I think most ICMP is being dropped, other than replies (but if the request never makes it in, how could a reply go out?).

I think the problem is on LB2. Is there any chance you could iptables -F all on LB2 and see if that temporarily removes the problem? Try the same tests after iptables -F all and see if they work. Note that it will flush all the iptables rules that you currently have loaded.
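The question raised in the post above (first-match or last-match) has a definite answer: netfilter chains are first-match. Rules are tried top to bottom and the first one that matches with a terminating target (ACCEPT, DROP, REJECT) decides; the chain policy applies only if no rule matched. The following is an added example written for this page, not code from the thread. It models the tail of the INPUT listing the poster gave for LinuxBox2 and shows which rule an echo-request and an echo-reply hit, plus which rules can never be reached. The jumps to user chains that precede those rules (fw_service, PING, SNMP, ...) are left out because their contents were never shown, so on the real box a packet may already have been accepted or dropped inside one of them; the example only settles the matching semantics.

```python
"""First-match walk of an iptables chain. Added example, not from the thread.

Models the visible tail of LinuxBox2's INPUT chain as posted (user-chain jumps
omitted, since their rules were not shown) and applies netfilter semantics:
first matching rule with a terminating target wins.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"                       # all | icmp | tcp | udp
    icmp_type: Optional[str] = None          # e.g. "echo-request"
    states: FrozenSet[str] = frozenset()     # empty = no --state match
    dports: Optional[FrozenSet[int]] = None  # None = no --dport match

    def matches(self, pkt) -> bool:
        if self.proto != "all" and pkt["proto"] != self.proto:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        if self.dports is not None and pkt.get("dport") not in self.dports:
            return False
        return True

    def covers(self, other) -> bool:
        """True if every packet matching `other` also matches this rule."""
        if self.proto != "all" and self.proto != other.proto:
            return False
        if self.icmp_type is not None and self.icmp_type != other.icmp_type:
            return False
        if self.states and not (other.states and other.states <= self.states):
            return False
        if self.dports is not None and not (other.dports is not None and other.dports <= self.dports):
            return False
        return True


def verdict(chain, pkt, policy="ACCEPT"):
    """Return (verdict, index of the deciding rule; None if the policy decided)."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt) and rule.target in TERMINATING:
            return rule.target, i
    return policy, None


def shadowed(chain):
    """Indices of rules that can never fire because an earlier terminating
    rule matches every packet they would match."""
    return [i for i, rule in enumerate(chain)
            if any(chain[j].target in TERMINATING and chain[j].covers(rule)
                   for j in range(i))]


def pkt(proto, state="NEW", **kw):
    """Constructed packet summary: only the fields the rules look at."""
    return {"proto": proto, "state": state, **kw}


EST = frozenset({"RELATED", "ESTABLISHED"})
# INPUT on LinuxBox2 as listed in the thread, user-chain jumps omitted.
LB2_INPUT = [
    Rule("ACCEPT", "udp", dports=frozenset(range(1024, 65536))),  # 0  udp dpts:1024:65535
    Rule("ACCEPT", "tcp", dports=frozenset({22, 443})),           # 1  multiport ssh,https
    Rule("ACCEPT", "icmp", icmp_type="echo-reply"),                # 2
    Rule("DROP", "icmp"),                                           # 3
    Rule("ACCEPT", "icmp"),                                         # 4
    Rule("ACCEPT"),                                                 # 5  all
    Rule("ACCEPT", "udp", states=EST),                              # 6
    Rule("ACCEPT", "tcp", states=EST),                              # 7
    Rule("DROP", "udp", states=frozenset({"NEW"})),                 # 8
    Rule("DROP", "tcp", states=frozenset({"NEW"})),                 # 9
    Rule("DROP"),                                                   # 10 all
]

ECHO_REQUEST = pkt("icmp", icmp_type="echo-request")
ECHO_REPLY = pkt("icmp", state="ESTABLISHED", icmp_type="echo-reply")

if __name__ == "__main__":
    print("echo-request:", verdict(LB2_INPUT, ECHO_REQUEST))
    print("echo-reply:  ", verdict(LB2_INPUT, ECHO_REPLY))
    print("tcp/80 NEW:  ", verdict(LB2_INPUT, pkt("tcp", dport=80)))
    print("unreachable rule indices:", shadowed(LB2_INPUT))
```

Within the rules that are shown, an echo-request is dropped by the bare `DROP icmp` rule, the `ACCEPT icmp` right after it is dead, and the `ACCEPT all` that follows makes every later rule, including the final `DROP all`, unreachable. Two checks go with this on a real box: packets transiting a router traverse the FORWARD chain, not INPUT, so `iptables -L FORWARD -v -n` is the listing that matters for traffic from Network A to Network B; and `-v` is needed anyway, because the plain `iptables -L` output in the thread hides the interface matches and the per-rule packet counters that show which rule is actually firing.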
 
Old 11-13-2006, 04:12 PM   #15
Cypher12
LQ Newbie
 
Registered: Sep 2006
Location: Toronto, Canada
Distribution: Gentoo, Fedora Core
Posts: 18

Original Poster
Rep: Reputation: 0
Hello again,

I just performed an iptables -F:
Code:
prompt# iptables -F
to flush out the previously existing rules .. then
from a Network A computer (192.168.22.230):

*****************************************
From Network A machine (192.168.22.230)
*****************************************
Code:
prompt# ping 192.168.33.193
PING 192.168.33.193 (192.168.33.193) 56(84) bytes of data.

--- 192.168.33.193 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
******************************************
So still no communication between the two subnets. I know that in Cisco routers there is an ICMP redirect feature, whereby in my scenario LinuxBox1 (since it has the static route to the .33 network) would inform any Network A computer to direct packets destined for the .33 network to LinuxBox2.

Additionally, I enabled in my sysctl.conf:
Code:
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
but still no redirects, no communication.
Thanks again
Take Care

Last edited by Cypher12; 11-13-2006 at 04:14 PM.
 
  


Tags
icmp, redirect, routing