LinuxQuestions.org

Linux - Networking: Making two subnets talk to each other. (https://www.linuxquestions.org/questions/linux-networking-3/making-two-subnets-talk-to-each-other-232179/)

NetAX 09-18-2004 12:23 PM

Making two subnets talk to each other.

I'm trying to make two subnets that I have created talk to each other.

Server contains 2 subnets:
172.20.31.X and 172.16.4.X

Each subnet has its own gateway, e.g. 172.20.31.1 and 172.16.4.1.
Apparently when I try to ping a machine on 172.20.31.X I don't get a reply. This is also true when I ping from the 172.16.4.X subnet, I cannot access 172.20.31.X.

As I said earlier, both of the subnets are connected to a Linux server operating as a router. The server is functioning as a DHCP server as well. I have a firewall set up through YaST. Internet access to both subnets runs very smoothly. I just can't get them to talk to each other.

I would like to keep the subnets I have rather than combining them together, if it is possible.

Thanks for any help.

CroMagnon 09-18-2004 02:05 PM

Do you have any firewall rules to allow your subnets to talk to each other?

I haven't used YaST, does it create a script you can check? If not, what does iptables -L say?

mritch 09-18-2004 03:18 PM

Have you enabled forwarding?
echo 1 > /proc/sys/net/ipv4/ip_forward

sl mritch.

NetAX 09-18-2004 03:33 PM

I was able to get the server to ping machines on both subnets. I just need to "link" the two. I tried enabling the echo command but either it didn't work or I don't know how it would work.

NetAX 09-18-2004 03:34 PM

This is my table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.4.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.20.31.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth2

CroMagnon 09-18-2004 04:27 PM

Umm, if your machine is acting as a firewall, and both subnets can access the internet, it's a pretty safe bet that IP forwarding is already enabled. However, normal firewall policy is to deny by default on the forwarding chain, and only forward what you let it (which would be "let subnet 1 access internet" and "let subnet 2 access internet"). Without a firewall rule for "let subnet 1 access subnet 2" and vice versa, no go. So, again, what does iptables -L give you?

NetAX 09-18-2004 06:24 PM

What part should I post? I typed iptables -L and it gave me a really, really long output.

CroMagnon 09-18-2004 08:36 PM

OK, if it's really long, then we'll skip the posting (although we may need to fall back on it if this doesn't help).

Load up your firewall configuration tool and see if there's a way to add forwarding between eth0 and eth1. You want to say something like "allow source 172.20.31.0/24 on interface eth1 with destination 172.16.4.0/24 on eth0", and the inverse. Until you have traffic allowed in both directions, you won't see anything from a ping.

If you can't see a way to do that in the tool, try these two commands directly:

iptables -A FORWARD -s 172.20.31.0/24 -i eth1 -d 172.16.4.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -s 172.16.4.0/24 -i eth0 -d 172.20.31.0/24 -o eth1 -j ACCEPT

and see if you can ping after that. If you can, you'll need to get those two lines added to your firewall script.
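As an added example (not from the thread, and not something NetAX or CroMagnon posted), here is a small POSIX sh helper that wraps mritch's ip_forward check and the two FORWARD rules above. It assumes the eth0/eth1 names and subnets from the routing table NetAX posted, and it defaults to a dry run that only prints the iptables commands until IPT is set to the real binary.

```shell
# Assumed interfaces/subnets: eth1 = 172.20.31.0/24, eth0 = 172.16.4.0/24
IPT="${IPT:-echo iptables}"   # default: dry run; set IPT=iptables and run as root to apply

# Succeeds when the kernel will forward packets between interfaces.
# The sysctl file path is a parameter so the check can be run against a copy.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Link two directly attached subnets through the FORWARD chain.
# Usage: link_subnets IN_IF IN_NET OUT_IF OUT_NET [both|reply-only]
link_subnets() {
    in_if=$1; in_net=$2; out_if=$3; out_net=$4; mode=${5:-both}
    # -I places the rule at the head of FORWARD so it is matched before any
    # catch-all DROP/REJECT the firewall tool already appended; a rule added
    # with -A after such a catch-all is never reached.
    $IPT -I FORWARD -i "$in_if" -s "$in_net" -o "$out_if" -d "$out_net" -j ACCEPT
    if [ "$mode" = both ]; then
        # Symmetric accept, as in the thread: either side may open connections.
        $IPT -I FORWARD -i "$out_if" -s "$out_net" -o "$in_if" -d "$in_net" -j ACCEPT
    else
        # Tighter: OUT_NET may only answer connections that IN_NET started.
        $IPT -I FORWARD -i "$out_if" -s "$out_net" -o "$in_if" -d "$in_net" \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fi
}

# Stand-alone use: sh link.sh run
if [ "${1:-}" = "run" ]; then
    if ip_forward_enabled; then
        echo "ip_forward=1"
    else
        echo "ip_forward is off: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
    fi
    link_subnets eth1 172.20.31.0/24 eth0 172.16.4.0/24 both
fi
```

Run it once in dry-run mode to read the rules it would add, then with IPT=iptables; if pings still fail, iptables -L FORWARD -v -n shows whether the new rules are counting packets or a rule above them is dropping the traffic.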

NetAX 09-19-2004 06:12 PM

Thanks for the input, CroMagnon. I tried your iptables configuration but it didn't work. I went back to my firewall tool and added the subnets to the external interfaces category. It worked after I did that. I was able to ping the other subnet.

I don't know, and it probably is a security issue, that my internal interfaces are also in my external interfaces category. My external interface is the connection to the internet. I'm probably gonna increase the firewall security on my DSL modem/router for the time being. I've been looking around on the internet about the iptables command; hopefully I'll find a better solution after I immerse myself in the research. :)

CroMagnon 09-19-2004 06:30 PM

There is a good firewall HOWTO that explains what iptables is up to, so you can try that. The iptables man page also has a lot of good info.

Since just the forwarding rules didn't work, it's possible your firewall tool locked things down more in the INPUT or OUTPUT chains - you might need to add similar accept rules for one or both of those. Good luck!

chort 09-19-2004 09:13 PM

Maybe I missed it, but are you sure that IP forwarding is enabled? Nowhere do I see that being checked. You have to have IP forwarding turned on, otherwise you get the situation you described, i.e. the server can contact both subnets (since they're directly attached), but it won't forward packets from one to another.

CroMagnon 09-20-2004 02:22 AM

I think you're barking up the wrong tree with ip_forwarding. As he said at the start:

Quote:

As I said earlier both of the subnets are connected to a Linux server operating as a router. The server is functioning as a DHCP server as well. I have a firewall setup through YaST. Internet access to both subnets runs very smooth. I just cant get them to talk to each other.

It's pretty unlikely he has internet access through his firewall without forwarding.

chort 09-20-2004 02:41 AM

Should that be "Internet access from both subnets..."?

It looks like the firewall may be restricting the OUTPUT on each internal network interface to only ESTABLISHED connections. In that case, I agree with CroMagnon (who has better eyes than I do, apparently). It looks like an RTFM situation (pardon the acronym).
