LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 06-16-2007, 01:05 AM   #1
endfx
Member
 
Registered: May 2003
Location: Canada
Distribution: Debian
Posts: 105

Rep: Reputation: 15
Routing and ip_forward


Hi,

I'm trying to turn my Ubuntu server into a router.
I have 2 subnets:

10.8.0.0/24
192.168.0.0/24

I have enabled ip_forwarding and have iptables set to accept all.

The router doesn't seem to work. A computer on each subnet can ping the gateway/router and the router
can ping the clients on each subnet. But I can't seem to ping from one subnet to another.

cat /proc/sys/net/ipv4/ip_forward returns 1, so I know ip_forwarding is enabled.

Does anybody have any ideas as to what I'm doing wrong?

Thanks.
 
Old 06-16-2007, 02:07 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677
When I used my laptop's wireless to give my desktop access to the internet (192.168.1.0/25 and 192.168.1.128/25 subnets), I needed to modprobe the ip_conntrack module before forwarding would work.

Last edited by jschiwal; 06-16-2007 at 02:09 AM.
 
Old 06-16-2007, 11:41 AM   #3
FMC
Member
 
Registered: May 2007
Location: São Paulo
Distribution: Gentoo & Debian
Posts: 97

Rep: Reputation: 15
I believe that if you specify a route on the client machine, things might work:

On a PC that is on the 10.x.x.x network:
# route add -net 192.168.0.0/24 eth0

[]'s, FMC!
 
Old 06-17-2007, 12:05 AM   #4
endfx
Member
 
Registered: May 2003
Location: Canada
Distribution: Debian
Posts: 105

Original Poster
Rep: Reputation: 15
I've loaded ip_conntrack and my linux box still isn't routing.

Here is the routing table for the linux router:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1


So tun0 is connected to the 10.8.0.0/24 subnet and eth1 is connected to the 192.168.0.0/24 subnet.


I think the client routing table is OK because when I ping from the 10.8.0.0 subnet to another subnet
and then run "tcpdump -i tun0" on the router, it sees the ping requests, but doesn't send out
the replies.

I must be missing something basic here because all the linux router guides say you should only have
to set up ip_forward for this to work.

Any ideas?

Thanks.
 
Old 06-17-2007, 09:37 AM   #5
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi,

any firewall running?
how about the remote end? ip_forward running?
 
Old 06-17-2007, 07:34 PM   #6
BotKeeper
LQ Newbie
 
Registered: Aug 2006
Posts: 17

Rep: Reputation: 0
Quote:
Originally Posted by endfx
I've loaded ip_conntrack and my linux box still isn't routing.

Here is the routing table for the linux router:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1


So tun0 is connected to the 10.8.0.0/24 subnet and eth1 is connected to the 192.168.0.0/24 subnet.
I'm not sure why you have a tun0 device. It is not needed in this case.

Also, the ip_conntrack applies only to internal traffic destined for the Internet that is masqueraded (NAT'ed). For one network to another "behind the firewall," you will not need to add any routes.

Maybe the NAT rules kick in before the route rules and attempt to direct the packet to the Internet.

Get this to work first without NAT. Then introduce NAT.
 
Old 06-17-2007, 08:00 PM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677
The tunnel device confused me as well.

I also shouldn't have assumed that you would have the routes set up.

What is on the 10.8. network? Are you routing between two subnets? If that is the case, you don't need to use NAT.
The devices on the 10.8. network should have your Linux router's 10.8. device as their default gateway.
The devices on the 192.168.0. network should have eth1's IP address (192.168.0.1) as their default gateway entry.

In my case, I had a Linksys wireless router and that provided the NAT translating. I used the laptop to forward internet traffic between the router and the desktop, which at the time didn't have a wireless card.

First set up the interfaces and routes for each network. Make sure that you can ping devices on both the 10.8 and 192.168.0 networks before proceeding.

Maybe you have a vpn tunnel set up to another network and that is what the route is doing, connecting two sites. Maybe more information on the two networks would be helpful. Also, enclose output of commands like route in a code block so that you don't lose alignment. Thanks.

Last edited by jschiwal; 06-17-2007 at 08:05 PM.
 
Old 06-17-2007, 09:45 PM   #8
endfx
Member
 
Registered: May 2003
Location: Canada
Distribution: Debian
Posts: 105

Original Poster
Rep: Reputation: 15
Thanks a lot for everyone's input. I think I've found the problem, but haven't been able
to solve it yet (thanks to a cheapo dlink router used as a gateway on 192.168.0.0)

The reason for the tun0 device is that the linux router is actually an openvpn server.
I didn't mention it because I didn't want responses about openvpn not being set up properly,
because I'm pretty sure it is.

Anyway, I think I've found the problem but haven't solved it yet.

Basically the 192.168.0.0/24 is my home network and the 10.8.0.0/24 is the subnet I use for VPN clients.
On the 192.168.0.0/24 network I have a cheapo D-Link SOHO router for my default gateway/router (This is how I share
internet on my home network, 192.168.0.0/24). Now I have an openvpn server behind the dlink router.
I think the problem is that my openvpn server is not the default gateway for the 192.168.0.0/24 network. The dlink
router is.

So when I try to ping a 192.168.0.0 address from the 10.8.0.0 network, the ping request gets through to the 192.168.0.*
host but the 192.168.0.* host sends the reply to the dlink router because that is the default gateway for 192.168.0.0.

So I could either a) Add a route on all devices on the 192.168.0.0 network to route 10.8.0.0 to the vpn server (Huge
pain to do)

or
b) Add a route to the dlink router (the default gateway for 192.168.0.0). Problem is that the cheapo dlink router
doesn't let me modify the routing table so I can't test this method.

Long story short, the devices on the 192.168.0.0/24 network don't send packets destined for 10.8.0.0/24 to the correct gateway.

Thanks again for your responses.
 
Old 06-17-2007, 10:27 PM   #9
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677
Do you want the 192.168.0.0 network traffic to the internet to be routed through your linux router, or just use the router to route traffic between the vpn and the LAN? If it is the latter, then you need a route to the VPN. But it isn't the default route. The default gateway should be the IP of the dlink router.

Then you need a route to the vpn tunnel. This is another route but not the default route.

The other hosts on the lan will need a route to 10.8.0.0 with the gateway being the linux router's eth0 IP address.
Their default gateway will be the dlink's IP address.

You could alternately use the Linux router as the default gateway. Then you need a route to 192.168.0.0/24, a route to 10.8.0.0/24 and a default route to the dlink router. Then one of the other hosts on the LAN will use your Linux router for both 10.8.0.0/24 network traffic, and internet traffic, but the Linux router will use the 10.8.0.0/24 route instead of the default route for the 10.8.0.0/24 route.

By the way, if you name your networks in /etc/networks, then you can use symbolic names for the networks.

Code:
cat /etc/networks 
#
# networks      This file describes a number of netname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
#

loopback        127.0.0.0
link-local      169.254.0.0
jesnet          192.168.1.0

# End.

hpamd64:/home/jschiwal/Podcasts # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
jesnet          *               255.255.255.128 U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         linksys         0.0.0.0         UG    0      0        0 eth0
The linksys entry is from /etc/hosts.

Looking back at your original post, I guess what I am suggesting is similar to what you had, except that you should not have the 10.8.0.0/24 route being a default route. The default route is the one to use when none of the net or host routes match.

Last edited by jschiwal; 06-17-2007 at 10:48 PM.
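The asymmetric-routing problem endfx describes in post #8 and the "specific route beats the default route" rule jschiwal gives in post #9 can be replayed with a small longest-prefix-match lookup. The following is an added example written for this thread, not code from the original posts: it uses the routing table endfx pasted in post #4, and the D-Link address 192.168.0.1 from that table; the LAN host address 192.168.0.50, the VPN server's eth1 address 192.168.0.10, the VPN client address 10.8.0.6 and the D-Link's upstream hop are assumptions, since the thread never gives them.

```python
"""Replay of the routing decisions discussed in this thread.
Added example; every table below is constructed from the addresses the
thread mentions plus a few assumed host addresses (see the lead-in)."""
import ipaddress

# Routes are (prefix, gateway or None for a directly connected network, interface).
def lookup(table, dst):
    """Return (gateway, iface) for dst using longest-prefix match: the most
    specific matching prefix wins, so 0.0.0.0/0 (the default route) is used
    only when no net or host route matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

DLINK = "192.168.0.1"             # default gateway of the LAN (post #4 table)
VPN_SERVER_LAN = "192.168.0.10"   # assumed eth1 address of the OpenVPN box
LAN_HOST = "192.168.0.50"         # assumed address of a host on the home LAN
VPN_CLIENT = "10.8.0.6"           # assumed address of a VPN client on tun0

# The Linux router's table as posted in post #4.
ROUTER = [
    ("10.8.0.2/32", None, "tun0"),
    ("10.8.0.0/24", "10.8.0.2", "tun0"),
    ("192.168.0.0/24", None, "eth1"),
    ("0.0.0.0/0", DLINK, "eth1"),
]
# A LAN host as endfx has it: a connected route plus the D-Link as default.
LAN_HOST_BEFORE = [
    ("192.168.0.0/24", None, "eth0"),
    ("0.0.0.0/0", DLINK, "eth0"),
]
# The same host after adding the route jschiwal describes in post #9:
# 10.8.0.0/24 via the Linux router's LAN address, default still the D-Link.
LAN_HOST_AFTER = LAN_HOST_BEFORE + [("10.8.0.0/24", VPN_SERVER_LAN, "eth0")]

# Per-node tables keyed by the node's address. The D-Link cannot be given a
# route to 10.8.0.0/24 (post #8), so it only knows the LAN and its upstream.
NODES = {
    DLINK: [("192.168.0.0/24", None, "lan"),
            ("0.0.0.0/0", "isp-upstream", "wan")],   # assumed upstream hop
    VPN_SERVER_LAN: ROUTER,
    # OpenVPN's server-side tun peer: anything that reaches it is inside the tunnel.
    "10.8.0.2": [("10.8.0.0/24", None, "tun-peer")],
}

def forward(tables, start, dst, max_hops=8):
    """Walk a packet for dst hop by hop from node `start` and return the path.
    A route without a gateway delivers directly; a gateway we have no table
    for means the packet left the topology we model (here: the Internet)."""
    path = [start]
    node = start
    for _ in range(max_hops):
        gw, iface = lookup(tables[node], dst)
        if gw is None:
            path.append(f"delivered on {node}/{iface}")
            return path
        node = gw
        path.append(node)
        if node not in tables:
            path.append(f"lost at {node}")
            return path
    return path

def reply_path(lan_host_table, dst=VPN_CLIENT):
    """Path of the LAN host's ping reply back towards the VPN client."""
    tables = dict(NODES)
    tables[LAN_HOST] = lan_host_table
    return forward(tables, LAN_HOST, dst)

if __name__ == "__main__":
    print("request on router:", forward(NODES, VPN_SERVER_LAN, LAN_HOST))
    print("reply, host without route:", reply_path(LAN_HOST_BEFORE))
    print("reply, host with route:   ", reply_path(LAN_HOST_AFTER))
    print("router sends 10.8.0.6 via:", lookup(ROUTER, VPN_CLIENT))
```

The request side works in both cases: the router has a connected route for 192.168.0.0/24 and delivers on eth1, which matches what endfx saw with tcpdump. The reply side is where it breaks: without the extra route the LAN host only has its default route, so the reply goes to the D-Link, which forwards it to its upstream and the packet is lost; with the 10.8.0.0/24 route it goes to the Linux router, whose more specific tun0 route wins over its own default to the D-Link. Running `ip route get 10.8.0.6` on a real LAN host shows the same decision the `lookup` function makes here.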
 
Old 06-18-2007, 07:56 AM   #10
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
is this your home LAB? or your production?

if this is your home LAB then I assume you have plenty of time reading about terms such as site-to-site VPN, and VPN Client, router, gateway etc.

how can you route a vpn traffic on a single NIC vpn server?

HTH,

Cheers.

Last edited by rossonieri#1; 06-18-2007 at 07:58 AM.
 
Old 06-19-2007, 09:28 PM   #11
endfx
Member
 
Registered: May 2003
Location: Canada
Distribution: Debian
Posts: 105

Original Poster
Rep: Reputation: 15
Quote:
Do you want the 192.168.0.0 network traffic to the internet to be routed through your linux router, or just use the router to route traffic between the vpn and the LAN. If it is the latter, then you need a route to the VPN. But it isn't the default route. The default gateway should be the IP of the dlink router.
I don't want the vpn server to be the default gateway. I want the dlink router to be the default gateway (for the 192.168 subnet).
I only want the vpn server to route between the 10.8 subnet and the 192.168 subnet.
I was hoping that I could add a route on the 192.168 default gateway (i.e. the dlink router) to the 10.8. network.
That way I wouldn't have to change any routes on my 192.168.0.0 hosts. Unfortunately, the dlink router doesn't
let me add or modify any routes.

Quote:
The other hosts on the lan will need a route to 10.8.0.0 with the gateway being the linux routers eth0 IP address.
Their default gateway will be the dlink's IP address.
I agree. But rather than giving them each a route to the 10.8 network via the openvpn server, I was hoping to just add
the route to the 192.168 default gateway (the dlink router). That way a host on 192.168 would route 10.8 addresses to the default
gateway (dlink router) which would then route to the vpn server rather than the internet.

Quote:
By the way, if you name your networks in /etc/networks, then you can use symbolic names for the networks.
That's really cool. I've never played with that file before. Thanks =)


Quote:
how can you route a vpn traffic on a single NIC vpn server?
rossonieri, openvpn uses tun/tap devices. These are like virtual NICs. I could route many more networks using tun or tap devices but only using
1 physical NIC.
 