Help with subnet routing issue (Centos 8)

hcook1 · 12-09-2020, 04:51 PM

I would appreciate help on an issue that has me completely stymied at this point and I know it is something silly that I am missing...

My issue is that I cannot get a newly installed Centos 8 server to forward packets between two subnets. In the diagram immediately below, the object of my efforts and frustration is the server dick. The goal is to allow the nodes in the 10.4.160.0/24 subnet to get "out" to all of the other nodes in the network and ultimately the internet.

Here is the configuration:

Code:

                  <corp net>---<server A>---<server B>---<server dick>---<node rh3>
upstream address:               10.1.3.27    10.4.1.27    10.4.150.57     10.4.160.35
Downstream address:             10.4.1.1     10.4.150.1   10.4.160.1      N/A

In this configuration, the server dick is a new Centos 8 server with two ethernet adapters. Here are the salient details:

Code:

[root@dick ~]ip route
default via 10.4.150.1 dev eno1 proto kernel metric 1
10.4.150.0/24 dev eno1 proto kernel src 10.4.150.57 metric 100
10.4.160.0/24 dev eno2 proto kernel scope link src 10.4.160.1 metric 101

[root@dick ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 10.4.150.57/24 brd 10.4.150.255 scope global dynamic noprefixroute eno1
valid_lft 36325sec preferred_lft 36325sec
inet6 fe80::ca1f:66ff:fef8:bd8c/64 scope link
valid_lft forever preferred_lft forever
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 10.4.160.1/24 brd 10.4.160.255 scope global noprefixroute eno2
valid_lft forever preferred_lft forever
inet6 fe80::ca1f:66ff:fef8:bd8d/64 scope link
valid_lft forever preferred_lft foreverThe first Adapter:

I have enabled Kernel forwarding:

Code:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

I am on a secure subnet so I have disabled firewalld.
I am using NetworkManager and dnsmasq all of which appears to be working just fine.

With the config files that I provided above, all three of the servers (server A, Server B & dick) can ping all of peer nodes on their respective subnets and all three servers can ping nodes upstream and downstream from their local subnet. All of the nodes on the 10.4.1.0/24 and 10.4.150.0/24 subnets can ping everything EXCEPT nodes on the 10.4.160.0/24 network.

Here is the issue:
rh3 and its peers on the 10.4.160.0/24 network can ping peer nodes in the 10.4.160.0/24 subnet and can ping both interfaces on on dick (10.4.160.1 and 10.4.150.57) BUT cannot ping anything else:

Code:

[root@rh3 ~]# ping -c 3 10.4.160.1 
PING 10.4.160.1 (10.4.160.1) 56(84) bytes of data.
64 bytes from 10.4.160.1: icmp_seq=1 ttl=64 time=0.118 ms
64 bytes from 10.4.160.1: icmp_seq=2 ttl=64 time=0.116 ms
64 bytes from 10.4.160.1: icmp_seq=3 ttl=64 time=0.118 ms

--- 10.4.160.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2081ms
rtt min/avg/max/mdev = 0.116/0.117/0.118/0.000 ms
[root@rh3 ~]#
[root@rh3 ~]# ping -c 3 10.4.150.57 
PING 10.4.150.57 (10.4.150.57) 56(84) bytes of data.
64 bytes from 10.4.150.57: icmp_seq=1 ttl=64 time=0.118 ms
64 bytes from 10.4.150.57: icmp_seq=2 ttl=64 time=0.125 ms
64 bytes from 10.4.150.57: icmp_seq=3 ttl=64 time=0.131 ms

--- 10.4.150.57 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2056ms
rtt min/avg/max/mdev = 0.118/0.124/0.131/0.005 ms
[root@rh3 ~]# ping -c 3 10.4.150.1 
PING 10.4.150.1 (10.4.150.1) 56(84) bytes of data.
^C
--- 10.4.150.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2025ms

One other data point that may be a clue, when I try to ping rh3 (10.4.160.35) from server B, this is the result that I am getting:

Code:

[Root@serverB ~] ping 10.4.160.35
PING 10.4.160.35 (10.4.160.35) 56(84) bytes of data.
From 10.1.3.1: icmp_seq=1 Redirect Host(New nexthop: 10.1.3.27)
From 10.1.3.1 icmp_seq=1 Redirect HostFrom 10.1.3.1: icmp_seq=2 Redirect Host(New nexthop: 10.1.3.27)
From 10.1.3.1 icmp_seq=2 Redirect HostFrom 10.1.3.1: icmp_seq=3 Redirect Host(New nexthop: 10.1.3.27)
From 10.1.3.1 icmp_seq=3 Redirect HostFrom 10.1.3.1: icmp_seq=4 Redirect Host(New nexthop: 10.1.3.27)
From 10.1.3.1 icmp_seq=4 Redirect HostFrom 10.1.3.1: icmp_seq=5 Redirect Host(New nexthop: 10.1.3.27)
From 10.1.3.1 icmp_seq=5 Redirect HostFrom 10.1.3.1: icmp_seq=6 Redirect Host(New nexthop: 10.1.3.27)
From 10.1.3.1 icmp_seq=6 Redirect Host^C
--- 10.4.160.35 ping statistics ---
6 packets transmitted, 0 received, +6 errors, 100% packet loss, time 5000ms

ping from server dick to rh3 is fine:

Code:

[root@dick etc]# ping -c 5 rh3
PING rh3 (10.4.160.35) 56(84) bytes of data.
64 bytes from rh3 (10.4.160.35): icmp_seq=1 ttl=64 time=0.125 ms
64 bytes from rh3 (10.4.160.35): icmp_seq=2 ttl=64 time=0.121 ms
64 bytes from rh3 (10.4.160.35): icmp_seq=3 ttl=64 time=0.122 ms
64 bytes from rh3 (10.4.160.35): icmp_seq=4 ttl=64 time=0.120 ms
64 bytes from rh3 (10.4.160.35): icmp_seq=5 ttl=64 time=0.118 ms

--- rh3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 95ms
rtt min/avg/max/mdev = 0.118/0.121/0.125/0.007 ms

Help Please! What am I missing?
--- Harold

ferrari · 12-10-2020, 01:22 PM

Share the routing tables for each of the servers.

Code:

[root@rh3 ~]# ping -c 3 10.4.150.1 
PING 10.4.150.1 (10.4.150.1) 56(84) bytes of data.
^C
--- 10.4.150.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2025ms

This will fail if there is no route to (and/or from) "server B" to "node rh3". Default gateways can be useful for routing packets upstream, but the return path will need static routes in each of the intermediate hosts in order to be able to reach the downstream device. In bigger networks, a dynamic routing protocol (eg OSPF) can be used to do this.

ferrari · 12-10-2020, 01:38 PM

BTW, use traceroute to help identify at which hop a particular issue lies. You can then traceroute from the other direction as well to get get a definitive idea about where routing may be broken in a given path.

hcook1 · 12-10-2020, 05:39 PM

Awesome! Almost resolved.

By adding the correct routes to all of the servers, I can now ping into and out of 10.4.160.0/24. However, I still have one troubling issue.
traceroute from rh3 fails! here are two examples:

Code:

[root@rh3 etc]# traceroute 10.4.150.57
traceroute to 10.4.150.57 (10.4.150.57), 30 hops max, 60 byte packets
 1  dick (10.4.150.57)  0.540 ms !X  0.505 ms !X  0.470 ms !X
 
[root@rh3 etc]# traceroute 10.4.1.1
traceroute to 10.4.1.1 (10.4.1.1), 30 hops max, 60 byte packets
 1  rh25 (10.4.160.1)  0.555 ms  0.518 ms  0.484 ms
 2  rh25 (10.4.160.1)  0.450 ms !X  0.416 ms !X  0.381 ms !X

Any ideas on what is causing the !X???

Note that traceroute from any of the servers works as expected.

Any thoughts?
--- Harold

jefro · 12-10-2020, 08:16 PM

https://serverfault.com/questions/43...n-a-traceroute

hcook1 · 12-10-2020, 09:42 PM

I found that the firewalld had been reloaded on my dick server. Disabling that resolved all my issues. Thank you for all the help!

ferrari · 12-11-2020, 12:26 AM

Quote:

Originally Posted by hcook1

I found that the firewalld had been reloaded on my dick server. Disabling that resolved all my issues. Thank you for all the help!

Yes, always worth checking firewalls. Thanks for the update.