VLAN users unable to ping LAN users

Winanjaya · 04-09-2019, 12:00 AM

Hi All,

my LAN is on 10.100.100.0/24

my CentOS 7.6 configs:

eth0 -> 10.100.100.1/24
eth1.100 -> 192.168.100.0/24

VLAN users are able to ping to eth0 (10.100.100.1)
but they are not able to ping any host in LAN.

I tried to add a new static route to route-eth1.100 as follow:

10.100.100.0/24 via 10.100.100.1 dev eth1.100

but still no luck

ferrari · 04-09-2019, 02:37 AM

The address assigned to eth1.100 is not valid.

Post the complete picture using the output from these commands please.

Code:

ip address

Code:

ip route

berndbausch · 04-09-2019, 04:26 AM

Quote:

Originally Posted by Winanjaya

eth0 -> 10.100.100.1/24
eth1.100 -> 192.168.100.0/24

I tried to add a new static route to route-eth1.100 as follow:

10.100.100.0/24 via 10.100.100.1 dev eth1.100

You need to route via the interface that is connected to 10.100.100.0/24, i.e. eth0. You also need to set kernel parameter ip_forward to 1.

Winanjaya · 04-09-2019, 06:12 AM

ip address:

Code:

57: enp8s0.100@enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 50:3e:aa:04:e9:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global noprefixroute enp8s0.100
       valid_lft forever preferred_lft forever
    inet6 fe80::7fe5:411a:7cfb:c07e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
58: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 50:3e:aa:04:f3:e0 brd ff:ff:ff:ff:ff:ff
    inet 10.100.100.1/24 brd 10.100.100.255 scope global noprefixroute bond0
       valid_lft forever preferred_lft forever
    inet6 fe80::eb36:96d2:fbe9:abe1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

bond0 is connected to LAN
enp8s0.100 is the VLAN (192.168.100.0/24)

ip route

Code:

default via 10.100.100.6 dev bond0 proto static metric 300
default via 192.168.100.1 dev enp8s0.100 proto static metric 400
10.100.100.0/24 dev bond0 proto kernel scope link src 10.100.100.1 metric 300
192.168.100.0/24 dev enp8s0.100 proto kernel scope link src 192.168.100.1 metric 400

Last try:

Code:

add /etc/sysctl.conf
net.ipv4.ip_forward=1

vi /etc/sysconfig/network-script/route-vlan100
10.100.100.0/24 via 10.100.100.1 dev bond0
systemctl network restart

still no luck

problem:

VLAN users (192.168.100.0/24) are unable to ping any hosts in LAN (10.100.100.0/24)

please help

Winanjaya · 04-09-2019, 08:20 AM

I tried below from centos:

[root@fw network-scripts]# traceroute -s 192.168.100.1 10.100.100.3
traceroute to 10.100.100.3 (10.100.100.3), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *

and I thought it makes sense, since the source is not from 10.100.100.0/24 ..
hmmm, is it possible to route to ifcfg-bond0 if the destination to 10.100.100.0/24?

Winanjaya · 04-09-2019, 10:05 AM

Hi..
I have better progress

I use this:

firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o bond0 -j MASQUERADE
firewall-cmd --drect --add-rule ipv4 filter FORWARD 0 -i vlan100 -o bond0 -j ACCEPT

now, VLAN users are able to ping to LAN users..

but now, I have another problem..
my VLAN users are not unable to do DNS queries..

please help

berndbausch · 04-09-2019, 03:18 PM

Quote:

Originally Posted by Winanjaya

my VLAN users are not unable to do DNS queries..

How do the VLAN clients query DNS, and what happens when they do it?
How is DNS configured on the VLAN clients?

berndbausch · 04-09-2019, 03:26 PM

Quote:

Originally Posted by Winanjaya

ip route

Code:

default via 10.100.100.6 dev bond0 proto static metric 300
default via 192.168.100.1 dev enp8s0.100 proto static metric 400
10.100.100.0/24 dev bond0 proto kernel scope link src 10.100.100.1 metric 300
192.168.100.0/24 dev enp8s0.100 proto kernel scope link src 192.168.100.1 metric 400

I don’t think two default routes without further routing rules is a good idea.

ferrari · 04-09-2019, 06:00 PM

Only the first should take effect (with the lower metric)?

ferrari · 04-09-2019, 06:10 PM

Quote:

my VLAN users are not unable to do DNS queries..

You haven't told us how your vlan hosts are configured. Static IP's or DHCP assigned? If the latter what DNS IP is assigned? (You should be able to perform check the IP path with traceroute etc).

Winanjaya · 04-09-2019, 06:36 PM

Code:

sorry for typo (it should be my VLAN users are not able to do DNS queries)

it's DHCP assigned

my VLAN 192.168.100.0/24 (enps8.100)

DNS is: 10.100.100.6 (via bond0)

as mentioned above, I made change to firewalld:

Code:

firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o bond0 -j MASQUERADE
firewall-cmd --drect --add-rule ipv4 filter FORWARD 0 -i vlan100 -o bond0 -j ACCEPT

because I need to forward vlan100 to bond0 (since VLAN is on 192.168.100.0/24 and bond0 is 10.100.100.0/24