LinuxQuestions.org
Old 06-02-2020, 04:09 AM   #1
bogdanc2011
LQ Newbie
 
Registered: Dec 2013
Distribution: openSUSE, Arch Linux
Posts: 9

Rep: Reputation: Disabled
Ping only works one way


I have a Debian 10 server connected to a network via static IP. The network consists of some workstations that are local with respect to the server (they're connected to the same switch) and some workstations that are remote (connected to a fiber optic network). The other workstations are Windows-based.
It looks something like this:

server: 172.16.10.23
workstation 1: 172.16.10.21
workstation 2: 172.16.10.22
...

remote workstation 1: 172.16.122.11
remote workstation 2: 172.16.122.12
...

The problem is:
- I can ping the server from any workstation
- I can ping any workstation (including remote) from the server
- I can ping any workstation from any remote workstation (and vice versa)
- I cannot ping the server from any remote workstation

I have excluded:
- the switch blocking ping requests (although it's managed, it's set up to let any traffic on the network)
- IPv6 is disabled on the server
- hardware (swapped different NICs)
- Windows-related stuff (disabled firewall, uninstalled antivirus etc)

Interfaces:

Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

allow-hotplug enp1s8
iface enp1s8 inet static
	address 172.16.30.23
	netmask 255.255.0.0
	network 172.16.30.0
	broadcast 172.16.30.255
	up ip route add 172.16.30.0/24 dev enp1s8 table enp1s8
	up ip route add default via 172.16.30.254 dev enp1s8 table enp1s8
	up ip rule add from 172.16.30.23/32 table enp1s8
	up ip rule add to 172.16.30.23/32 table enp1s8

allow-hotplug enp1s0
iface enp1s0 inet static
	address 172.16.10.23
	netmask 255.255.0.0
	network 172.16.10.0
	broadcast 172.16.10.255
	gateway 172.16.10.254
	up ip route add 172.16.10.0/24 dev enp1s0 table enp1s0
	up ip route add default via 172.16.10.254 dev enp1s0 table enp1s0
	up ip rule add from 172.16.10.23/32 table enp1s0
	up ip rule add to 172.16.10.23/32 table enp1s0
(There's actually two NICs, two separate networks, but the other one works fine)

Routing table:
Code:
#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep
1 enp1s8
2 enp1s0
I'm thinking maybe there's an issue with the server, although as far as I know Debian doesn't come with an active firewall.
 
Old 06-02-2020, 05:05 AM   #2
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,780

Rep: Reputation: 1139
You could compare tracepath (or traceroute) results from remote workstation to server, and remote workstation to workstation perhaps. Examine the routing tables more completely.

Quote:
I'm thinking maybe there's an issue with the server, although as far as I know Debian doesn't come with an active firewall.
This will soon show if a firewall is active...
Code:
iptables -L
https://wiki.debian.org/DebianFirewall
 
Old 06-02-2020, 08:25 AM   #3
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,421
Blog Entries: 7

Rep: Reputation: 2535
Ping only works one way

What he said, and

iptables -F

will take down the firewall until next reboot.
 
Old 06-02-2020, 08:39 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,272
Blog Entries: 28

Rep: Reputation: 6124
ICMP may be blocked on one of the devices. https://www.tecmint.com/block-ping-i...ests-to-linux/
 
Old 06-02-2020, 10:55 PM   #5
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,780

Rep: Reputation: 1139
Quote:
ICMP may be blocked on one of the devices
That doesn't make sense if you take into account the OP's comments...
Quote:
The problem is:
- I can ping the server from any workstation
- I can ping any workstation (including remote) from the server
- I can ping any workstation from any remote workstation (and vice versa)
- I cannot ping the server from any remote workstation
 
Old 06-03-2020, 12:27 AM   #6
bogdanc2011
LQ Newbie
 
Registered: Dec 2013
Distribution: openSUSE, Arch Linux
Posts: 9

Original Poster
Rep: Reputation: Disabled
https://i.imgur.com/TpTxbiX.jpg
 
Old 06-03-2020, 01:52 AM   #7
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,421
Blog Entries: 7

Rep: Reputation: 2535
Putty on Winxp! Love it.

It is very odd that it responds locally, but not from outside. Many of the tutorials on the internet use iptables to do this... but that is certainly not your issue here.

This should show "0":
Code:
$ cat /proc/sys/net/ipv4/icmp_echo_ignore_all
If it does, then there might be some setting or conflict in your router.

Last edited by rkelsen; 06-03-2020 at 02:07 AM.
 
Old 06-03-2020, 07:21 AM   #8
bogdanc2011
LQ Newbie
 
Registered: Dec 2013
Distribution: openSUSE, Arch Linux
Posts: 9

Original Poster
Rep: Reputation: Disabled
I made some slight progress. I found out that the server might only accept connections from IPs from 172.16.10.x network. Anything outside of it is blocked. That's true for the other interface as well.
The remote workstations have different IPs (172.16.122.x). It's technically the same network with the same mask, but I think there's something missing from the routing table.
 
Old 06-03-2020, 02:22 PM   #9
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,780

Rep: Reputation: 1139
Quote:
Originally Posted by bogdanc2011
I made some slight progress. I found out that the server might only accept connections from IPs from 172.16.10.x network. Anything outside of it is blocked. That's true for the other interface as well.
The remote workstations have different IPs (172.16.122.x). It's technically the same network with the same mask, but I think there's something missing from the routing table.
Yes, I missed this before, but if you examine the interface IP assignments, they are BOTH in the same /16 subnet space. Any reason for that? You should know that the broadcast address is defined as the last address in a subnet, so for both enp1s8 and enp1s0, this would be 172.16.255.255 (normally no need to explicitly define).

It would make more sense to change the subnet masks to /24 (255.255.255.0).

In any case, currently it's likely that a ping from 172.16.122.x will arrive via the gateway, and not return via it, since the chosen subnet mask means the source IP address is determined as being within the same network, so no routing needed, and hence no reply.

Code:
iface enp1s8 inet static
	address 172.16.30.23
	netmask 255.255.0.0
	network 172.16.30.0
	broadcast 172.16.30.255

iface enp1s0 inet static
	address 172.16.10.23
	netmask 255.255.0.0
	network 172.16.10.0
	broadcast 172.16.10.255
	gateway 172.16.10.254

Last edited by ferrari; 06-03-2020 at 02:28 PM.
 
Old 06-03-2020, 03:12 PM   #10
bogdanc2011
LQ Newbie
 
Registered: Dec 2013
Distribution: openSUSE, Arch Linux
Posts: 9

Original Poster
Rep: Reputation: Disabled
Yes, that is true, although the subnet is the same over the network, so I shouldn't be able to ping any 172.16.10.x machine from 172.16.122.x, but I can.
The networks were set up by a third party and we were given IP assignments for the workstations. Unfortunately, they chose to have it in the same /16 subnet. The two networks are supposed to be completely separate and should not be joined through this server. When I initially set up the interfaces, I got a lot of weird behavior hence why I did the routing table. But I don't quite understand how it works.

Last edited by bogdanc2011; 06-03-2020 at 03:14 PM.
 
Old 06-03-2020, 09:37 PM   #11
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,780

Rep: Reputation: 1139
Are they separated by a router?
<172.16.122.x>Router<172.16.10.x>

Can you share the server routing?
Code:
ip route
 
Old 06-08-2020, 02:53 PM   #12
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,939

Rep: Reputation: 3619
#1. I can ping any workstation (including remote) from the server
#2. I cannot ping the server from any remote workstation

#1 proved that in fact there was two-way communication between remote and server. Ping is generally a poor way to test communications as more and more ping is being blocked by default.
 
Old 06-09-2020, 12:41 AM   #13
bogdanc2011
LQ Newbie
 
Registered: Dec 2013
Distribution: openSUSE, Arch Linux
Posts: 9

Original Poster
Rep: Reputation: Disabled
Quote:
Are they separated by a router?
<172.16.122.x>Router<172.16.10.x>
Yes
Quote:
#1 proved that in fact there was two-way communication between remote and server. Ping is generally a poor way to test communications as more and more ping is being blocked by default.
Well, the server is an NTP server, so if ping doesn't work there's a high chance that time synchronization doesn't work. And it doesn't.

I changed the netmask to 255.255.255.0 and I get the same issue. I also commented out the broadcast and network sections.

ip route:
Code:
default via 172.16.10.254 dev enp1s0 onlink
172.16.10.0/24 dev enp1s0 proto kernel scope link src 172.16.10.23
172.16.30.0/24 dev enp1s8 proto kernel scope link src 172.16.30.23
Isn't this line basically telling "route all traffic from 172.16.10.x" to enp1s0, but ignore traffic from other IPs?
Code:
up ip rule add from 172.16.10.23/32 table enp1s0
EDIT: I remember I did the routing to prevent computers on one network from connecting to the other network. But I think that by doing that, I also prevent 172.16.122.xx computers from connecting to the server.

Last edited by bogdanc2011; 06-09-2020 at 03:00 AM.
 
Old 06-09-2020, 02:55 AM   #14
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,780

Rep: Reputation: 1139
Quote:
Isn't this line basically telling "route all traffic from 172.16.10.x" to enp1s0, but ignore traffic from other IPs?
Code:
ip rule add from 172.16.10.23/32 table enp1s0
No, this rule (policy-based routing) means that all traffic with the 172.16.10.23 source IP address will use the “enp1s0” routing table instead of “main” one. Likewise, the following refers to packets with the destination address of 172.16.10.23 being routed via the "enp1s0" routing table...
Code:
ip rule add to 172.16.10.23/32 table enp1s0
More info...
Code:
man ip-rule
Useful pages...
https://www.thegeekstuff.com/2014/08...te-ip-command/
https://blog.scottlowe.org/2013/05/2...olicy-routing/
 
Old 06-09-2020, 03:24 AM   #15
bogdanc2011
LQ Newbie
 
Registered: Dec 2013
Distribution: openSUSE, Arch Linux
Posts: 9

Original Poster
Rep: Reputation: Disabled
I did a test with only one interface and only the basic configuration:
Code:
allow-hotplug enp1s8
iface enp1s8 inet static
	address 172.16.30.23
	netmask 255.255.0.0
	network 172.16.0.0
And the server works as expected. I can connect from 172.16.132.x computers.
But then if I add the routing, it stops working from those IP addresses:
Code:
allow-hotplug enp1s8
iface enp1s8 inet static
	address 172.16.30.23
	netmask 255.255.0.0
	network 172.16.0.0
	up ip route add 172.16.30.0/24 dev enp1s8 table enp1s8
	up ip route add default via 172.16.30.254 dev enp1s8 table enp1s8
	up ip rule add from 172.16.30.23/32 table enp1s8
	up ip rule add to 172.16.30.23/32 table enp1s8
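
The policy-routing behaviour explained in post #14 and the two configurations tested in post #15 can be traced with a small model of the Linux lookup (rules in priority order, then longest-prefix match inside the selected table). This is an added example, not part of the thread: the remote address 172.16.132.11 is constructed, the `local` table is left out, and the model only shows which next hop the server picks for its reply, not whether 172.16.30.254 forwards it.

```python
import ipaddress

def lookup(rules, tables, src, dst):
    """Return (table, dev, via) for a packet, walking rules in priority order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel_from, sel_to, table in rules:
        if sel_from and src not in ipaddress.ip_network(sel_from):
            continue
        if sel_to and dst not in ipaddress.ip_network(sel_to):
            continue
        best = None  # longest-prefix match inside the selected table
        for prefix, dev, via in tables[table]:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev, via)
        if best:
            return table, best[1], best[2]
        # No matching route in this table: fall through to the next rule.
    return None

SERVER = "172.16.30.23"
REMOTE = "172.16.132.11"  # constructed address in the 172.16.132.x range

TABLES = {
    # Connected route the kernel installs for address 172.16.30.23, netmask 255.255.0.0
    "main": [("172.16.0.0/16", "enp1s8", None)],
    # up ip route add 172.16.30.0/24 dev enp1s8 table enp1s8
    # up ip route add default via 172.16.30.254 dev enp1s8 table enp1s8
    "enp1s8": [("172.16.30.0/24", "enp1s8", None),
               ("0.0.0.0/0", "enp1s8", "172.16.30.254")],
}

# Basic configuration from post #15: only the default "main" rule.
BASIC_RULES = [(None, None, "main")]

# With the "up ip rule add ..." lines: both rules sit ahead of "main".
POLICY_RULES = [
    (None, SERVER + "/32", "enp1s8"),  # ip rule add to 172.16.30.23/32 table enp1s8
    (SERVER + "/32", None, "enp1s8"),  # ip rule add from 172.16.30.23/32 table enp1s8
    (None, None, "main"),
]

def reply_path(rules, dst=REMOTE):
    """Route chosen for a reply sent from the server's address to dst."""
    return lookup(rules, TABLES, SERVER, dst)

if __name__ == "__main__":
    print("basic :", reply_path(BASIC_RULES))
    print("policy:", reply_path(POLICY_RULES))
```

On the server itself, `ip rule show`, `ip route show table enp1s8` and `ip route get 172.16.132.11 from 172.16.30.23` give the same information from the live kernel.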
 