LinuxQuestions.org
Old 11-21-2016, 02:41 PM   #1
jet-lee
LQ Newbie
 
Registered: Jan 2008
Posts: 10

Rep: Reputation: 0
Debian routing issues from specific subnets not working properly


Hi

I'm wondering if anyone can give me a place to start looking, as I've exhausted my limited Linux experience and could use some additional perspective.

I have a virtualized Shorewall firewall running on a Xen host. When trying to ping a specific host from 2 different subnets, one is successful and the other times out. I can successfully ping the firewall from both hosts, and a tcpdump on the firewall seems to show identical traffic... below are the conversations.

eth2, eth1 and eth4 are firewall ifaces, vmbr10 is the target interface on the host

eth2 -> eth1 -> vmbr10 ----- fail
eth4 -> eth1 -> vmbr10 ----- success
same ip target (192.168.1.10)

Unsuccessful conversation
Code:
root@jetfire:/etc# tcpdump -v icmp -i eth2 -e -s0
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
20:54:01.433953 f4:28:53:29:da:54 (oui Unknown) > 00:16:3e:4d:55:20 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 25864, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.2.99 > 192.168.1.10: ICMP echo request, id 1, seq 200, length 40

root@jetfire:/etc# tcpdump -v icmp -i eth1 -e -s0
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
20:54:31.864024 00:16:3e:4d:55:1f (oui Unknown) > 3c:a8:2a:4b:22:5c (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 9915, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.4.64 > 192.168.1.10: ICMP echo request, id 1, seq 24, length 40

root@jetsan:~# tcpdump -v icmp -i vmbr10 -e -s0
tcpdump: listening on vmbr10, link-type EN10MB (Ethernet), capture size 262144 bytes
21:21:27.643450 00:16:3e:4d:55:1f (oui Unknown) > 3c:a8:2a:4b:22:5c (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 25881, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.2.99 > 192.168.1.10: ICMP echo request, id 1, seq 202, length 40
Successful conversation
Code:
root@jetfire:/etc# tcpdump -v icmp -i eth4 -e -s0
tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
20:54:17.160341 50:46:5d:6a:ee:58 (oui Unknown) > 00:16:3e:4d:55:22 (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 9880, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.4.64 > 192.168.1.10: ICMP echo request, id 1, seq 23, length 40

root@jetfire:/etc# tcpdump -v icmp -i eth1 -e -s0
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
20:54:43.635294 00:16:3e:4d:55:1f (oui Unknown) > 3c:a8:2a:4b:22:5c (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 25865, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.2.99 > 192.168.1.10: ICMP echo request, id 1, seq 201, length 40

root@jetsan:~# tcpdump -v icmp -i vmbr10 -e -s0
tcpdump: listening on vmbr10, link-type EN10MB (Ethernet), capture size 262144 bytes
21:21:12.384002 00:16:3e:4d:55:1f (oui Unknown) > 3c:a8:2a:4b:22:5c (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 11331, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.4.64 > 192.168.1.10: ICMP echo request, id 1, seq 25, length 40
Routing table
Code:
root@jetfire:/etc# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.220.67.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 eth4
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth5
I have also obviously checked the firewall logs, and they do not show any dropped packets. To troubleshoot, I have set all traffic between these interfaces to allow, to rule it out.

To further rule out the firewall, I installed a complete pfSense VM, which exhibits the same behavior.

Some direction would be very much appreciated.

Thanks
 
Old 11-21-2016, 02:48 PM   #2
jet-lee
LQ Newbie
 
Registered: Jan 2008
Posts: 10

Original Poster
Rep: Reputation: 0
OK, so I typed all that... and after about a month of battling, posting this gave me a new Google path, which culminated in a solution. So I thought I'd post for completeness, even though I got the answer pretty much as I was previewing the post. Seeing as I'd gone to all the trouble of typing it, it may as well help someone.

The issue was something called "reverse path filtering".

The fix was to turn it off. I'm still trying to understand the security implications, but here are the steps to resolve:
Code:
sysctl -a | grep \\.rp_filter
Shows all rp_filter configs; all rp_filters must be set to 0 using the following commands (for each instance):

Code:
sysctl -w net.ipv4.conf.eth0.rp_filter=0
This pretty much instantly resolved my issue.

Hope this helps someone.

Last edited by jet-lee; 11-21-2016 at 02:50 PM.
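
Added example, not part of the original posts: a small shell check of which rp_filter mode is actually enforced on each interface. It relies on two documented kernel behaviours: source validation uses the higher of `net.ipv4.conf.all.rp_filter` and the per-interface value (0 = off, 1 = strict, 2 = loose), and reverse-path drops are only logged (as "martian source") when `log_martians` is enabled. The function names and the `CONF_ROOT` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the same values that
# `sysctl -a | grep rp_filter` shows, straight from /proc/sys.
# CONF_ROOT is a hypothetical override so the functions can be pointed
# at a constructed directory tree instead of the live system.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# effective_value IFACE KEY: the kernel uses the higher of conf/all/KEY and
# conf/IFACE/KEY for rp_filter, and ORs the two for log_martians (the same
# result for 0/1 values), so one helper covers both keys.
effective_value() {
    all=$(cat "$CONF_ROOT/all/$2")
    ifc=$(cat "$CONF_ROOT/$1/$2")
    if [ "$all" -gt "$ifc" ]; then echo "$all"; else echo "$ifc"; fi
}

# mode_name N: human-readable label for an rp_filter value.
mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# rp_filter_report: one line per interface with the configured value, the
# value actually enforced, and whether reverse-path drops would be logged.
rp_filter_report() {
    for d in "$CONF_ROOT"/*/; do
        name=$(basename "$d")
        case "$name" in all|default) continue ;; esac
        eff=$(effective_value "$name" rp_filter)
        printf '%s rp_filter=%s effective=%s(%s) log_martians=%s\n' \
            "$name" "$(cat "${d}rp_filter")" "$eff" "$(mode_name "$eff")" \
            "$(effective_value "$name" log_martians)"
    done
}

# Only report when the sysctl tree is present (Linux with /proc mounted).
if [ -d "$CONF_ROOT/all" ]; then rp_filter_report; fi
```

A line such as `eth0 rp_filter=0 effective=1(strict) log_martians=0` means the per-interface 0 is still overridden by `all`, and any packets dropped by the filter are not being logged.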
 
  

