questions about my routing table
 

Hi,
first of all what do the following entries mean? For network 192.168.2.0 and 192.168.1.0 follow the default gateway; 192.168.1.1 ?

Then, i would like to change the following table to this one:
The "192.168.2.1" interface of my router is "pingable":
I successfully remove the false entry, but when i try to create a new one, i get a "SIOCADDRT: Network is unreachable".
192.168.2.1 and 192.168.1.1 are on the same router.

What is wrong?

the first entry means that you are on 192.168.2/0/24 the second means you are also on 192.168.1.0/24. the third means everythign else is accessible via 192.168.1.1. as such what you want to change it to does not makes sense. you don't have a gateway out of a certain network, you have a gateway to get to other networks. this seems identical on simple networks but not so in your case. the route add command is saying that to get to a network you are already on, send data to a router which is on the network your trying to get to... doesn't make sense right... like locking your keys in your car, you can't get to the keys without erm... your keys. like you can't get to 192.168.2.0/24 (the car) without using a host inside that network (your keys). sorry to use a dumb analogy but i try to kid myself that everything can be analogous to cars.

I didn't want to go into much detail in order not to make things more complicated. The network addresses/subnets correspond to vserver guests running on the same physical machine. The 192.168.1.0/24 is to be accessible only from my LAN, while 192.168.2.0/24 is supposed to be a DMZ zone accessible only by WAN and Internet. That means, that i need 2 different gateways -i think, or am i still wrong? . The problem would probably be simpler if the 192.168.1.0/24 subnet resided in a different physical machine than the 192.168.2.0/24.

Another solution -which seemed more complicated, at least in the beginning- would be to change all server IPs to subnet 192.168.1.0/24, keep a single default gw to the router and then use the router to NAT the DMZ IPs to the WAN and the Internet and additionally create a firewall between them and the other IPs of my LAN.

Any suggestions for this mess?

Any comment appreciated... Newbie diving in deep water :)

ok, well going by the description there, your topology would look like...
no? if so then your box would only require a default route to the 192.168.1.1 router, as .2.0/24 is already local. also in this case you'd either presumably be load balancing on the linux box or using it as a router.

I did what you suggested above, but i cannot ping the router (192.168.1.1) from 192.168.2.0/24 (say from guest "web" 192.168.2.2). Is this problem caused, because there is no real next-hop connection between "web" and the router? Is there a workaround?
Unfortunately i cannot work with the route command inside vserver-guests, unless i enable some kernel capabilities... ok, if the solution lies in enabling them i will do it...

The routing table of "web":
The routing table of "vakhos":

well i've not run vservers before, but they will surely work fine with standard routing logic. i'm still not clear on what your topology realyl is though... was that right in my diagram (expect for the ip ranges being the wrong way round.

Sorry for not clearing out the diagram...

Given, that box must be connected to the router via only one interface, here it is:

Thanks for the help, acid_kewpie

ok, so 1) what is the networking role of the box in the middle? just to allow layer 3 connectivity to the virtual boxes? in which case you're saying that bout your subnets use the one router as their default gateway, but don't want the two to be able to talk to each other? if so then is your router even able to sit on two networks at the same time? it's not a particuarly normal thing for somethign like an adsl router to be able to do...

The router is a PC running pfSense (a freeBSD/monowall-based firewall distro) -not an embedded ADSL router. My ADSL router is set to bridged mode with the pfSense one, ie one interface of the pfSense router has a PPPoE connection (1). The other interface (2) has as a gateway my wireless WAN router. Another interface (3) is connected to my virtual boxes PC, offering them Internet and Wireless connectivity.

ok well in that case presumably the box in the middle has to do nothign at all? now if this were real virtual machines like xen or vmware, then i'd be saying that you'd need to enable bridging between both networks on the external and virtual interfaces, but with the vserver stuff i take it the networking is actaully a lot more subtle than that?

VServer networking is fairly straight-forward and based on iptables. In a very few words an IP of a guest can be:
-alias to a host interface
-the same IP with the IP of a host interface
-just an IP, that will be treated localy, but is no alias to anything (using the --nodev option)

Afterwards, one is supposed to play with the iptables of the (host) system. The guests have no network "intelligence" -at least by default, since one can change a lot by enabling "linux capabilties".

ok so the ip on eth0:1 would be vhost1, and eth0:3 could be vhost3? well in that situation there's presumably even less for the box to do. it's not great to do so but you can run multiple subnets on the same nic without vlan tagging. as suchif the pfsense box can do the same, they should be able to communicate i assume. it's then down to firewall rules there as to whether the two different subnets can talk to each other via that default gateway address