Network configuration
Hi,
I am Raghava, currently working on Fedora. My application has to contact a remote server, accessible through VPN. VPN connection is successful. Before VPN connection is initiated, I did the following: ifconfig em1:0 10.223.102.254 netmask 255.255.255.0 up and then started the VPN and connection is successful. Now to ping the destination, I did in the following way: ping -I 10.223.102.254 10.123.102.1 which is working fine. But when I do like this: ping 10.123.102.1 it is not reaching the destination. To contact the remote server, I need to contact by the IP address (either through application programme or in web browser). But I am not able to contact because 10.123.102.1 is not reachable directly. Can you please suggest any settings do I need to do at my system. Please let me know if you need any additional information. Thanks and Regards Raghav |
What sort of VPN service are you using? And why would you need to set up an alias (em1:0) before activating the VPN tunnel?
The fact that "ping" doesn't work while "ping -I <address>" does, suggests that the ping command normally chooses an interface different from the one you specified with "ping -I", which in turn suggests duplicate or overlapping IP subnets. How is your system configured with regards to IP addresses and subnet masks? What's the output of ifconfig -a and route -n? |
linux NIC configuration - reply
Hi,
Thank you for the reply. I am using openvpn. em1:0 is needed to connect to remote server. em1 is used for internet connection. Output of ifconfig -a em1 Link encap:Ethernet HWaddr D4:BE:D9:74:1E:B1 inet addr:10.132.7.11 Bcast:10.132.7.255 Mask:255.255.254.0 inet6 addr: fe80::d6be:d9ff:fe74:1eb1/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:5830 errors:0 dropped:0 overruns:0 frame:0 TX packets:4288 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:4747989 (4.5 MiB) TX bytes:630377 (615.6 KiB) Interrupt:20 Memory:f7e00000-f7e20000 em1:0 Link encap:Ethernet HWaddr D4:BE:D9:74:1E:B1 inet addr:10.223.102.254 Bcast:10.223.102.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:20 Memory:f7e00000-f7e20000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:20 errors:0 dropped:0 overruns:0 frame:0 TX packets:20 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB) tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.23.1.6 P-t-P:10.23.1.5 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) output of route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.23.1.1 10.23.1.5 255.255.255.255 UGH 0 0 0 tun0 10.23.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 10.223.102.0 0.0.0.0 255.255.255.0 U 0 0 0 em1 10.132.6.0 0.0.0.0 255.255.254.0 U 1 0 0 em1 10.123.0.0 10.23.1.5 255.255.0.0 UG 0 0 0 tun0 0.0.0.0 10.132.6.1 0.0.0.0 UG 0 0 0 em1 Please let me know if you need any more details. Thanks and Regards Raghav |
Execute following command from your terminal window and check if it works for you or not.
route add -host 10.123.102.1 dev em1:0 Regards, Tabraiz |
Network Configuration
Hi,
Thank you for your suggestion. I did the same, but not destination is not reachable. Details: PING 10.123.102.1 (10.123.102.1) 56(84) bytes of data. From 10.223.102.254 icmp_seq=2 Destination Host Unreachable From 10.223.102.254 icmp_seq=3 Destination Host Unreachable From 10.223.102.254 icmp_seq=4 Destination Host Unreachable. Can you please suggest any other step to do. Thanks and Regards Raghav |
Hello,
You've moved one step forward, your destination IP now hitting the right interface; 1. Can you pls check if 10.123.102.1 is up and running? 2. Your 10.223.102.254 is allowed/trusted at far end (i.e. 10.123.102.1) to send requests? It seems that you're not trusted on far end side. 3. Can you enable Wireshark and capture packets of your requests on both sides (i.e. 10.123.102.1/10.223.102.254)? 4. Also pls provide output of "iptables -L -v". Regards, Tabraiz |
Quote:
You say you want to reach 10.123.102.1 using a VPN connection, but at the same time you add 10.123.102.254 as an alias to em1 with a netmask of 255.255.255.0. The netmask means 10.123.102.1 must be in the same local network as em1. 10.123.102.0/24 is either local or at the end of the tunnel. Which is it? Because right now you've explicitly told your machine that 10.123.102.0/24 is directly connected to em1. |
Quote:
Regards, Tabraiz |
Network configuration
2 Attachment(s)
Hi Tabraiz,
Here are the answers for the questions: 1. Can you pls check if 10.123.102.1 is up and running? After adding: route add -host 10.123.102.1 dev em1:0 I am not able to reach 10.123.102.1 in either ways: ping or ping -I. If I delete that by route del -host 10.123.102.1 dev em1:0 then I am able to ping with ping -I but not with ping. 2. Your 10.223.102.254 is allowed/trusted at far end (i.e. 10.123.102.1) to send requests? It seems that you're not trusted on far end side. Yes the remote server System Administrator told that the ip at my side should be 10.223.102.254 which is configured as part of vpn settings. 3. Can you enable Wireshark and capture packets of your requests on both sides (i.e. 10.123.102.1/10.223.102.254)? Please find the captures attached. with direct IP and with interface. Please remove the extention .log for those files to open in wireshark. 4. Also pls provide output of "iptables -L -v". output: Chain INPUT (policy ACCEPT 86074 packets, 21M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 19445 packets, 2424K bytes) pkts bytes target prot opt in out source destination Can you please suggest any other settings need to be done my side. Thanks and Regards Raghav |
Hi,
I checked both trace files but unfortunately they are of no use. I cant see any packet destined towards 10.123.102.1 in them. As far as I understood your objective, you're trying to reach destination IP 10.123.102.1 with Source IP as 10.223.102.254. Am I right? If yes then please follow below steps; 1. service iptables status (if status is "not running" go to step 2)/(if running, it will give some o/p & u shud move to step 3 then) 2. service iptables start. 3. iptables -t nat -A POSTROUTING -d 10.123.102.1 -j SNAT --to-source 10.223.102.254 4. service iptables save Execute these steps and share your results. ***Please note that all changes prior to these should be removed (like "route add -host 10.123.102.1 dev em1:0" etc). Best of luck. Regards, Tabraiz |
Quote:
Since the ping command succeeds when you choose the source address/interface manually, the problem is related to the source address (or the return route, depending on your point of view). When sending locally generated traffic through any interface, the IP stack will always select the address of the outgoing interface as the source address, unless you can somehow manually override that default, as one can with the ping "-I" switch. Try this: Code:
iptables -t nat -A OUTPUT -o tun0 -j SNAT --to-source 10.223.102.254 |
Hi Tabraiz,
Yes It worked. I followed the steps as suggested by you (iptables were stopped). Now I am able to ping with the ip address (without interface). This is really a great help. Just have one small doubt in continuation to that. Do I need to execute these commands for every system reboot or it will be saved permanently. Thanks and Regards Raghav |
Hi Olmy,
I tried the command as suggested by you. iptables -t nat -A OUTPUT -o tun0 -j SNAT --to-source 10.223.102.254 But got the following message: iptables: Invalid argument. Run `dmesg' for more information. so when I changed the command to iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.223.102.254 no error message and I am able to ping to the IP address. Thank you very much for your support. Best Regards Raghav |
Quote:
Glad to hear you solved the problem! |
Quote:
Point 4 (service iptables save) ensures that you don't need to do this every time system is rebooted. Cheers! Dear Olmy, I would humbly disagree with your argue that -o option is better suited here :) reasons for that are; 1. -o will only be effective on tun0 interface whereas -d option which I've chosen is not bonded to any specific interface and will always be effective regardless of any routing change takes place in future. 2. All traffic passes through tun0 interface will have source IP changed to 10.223.102.254 whereas -d ensures that source IP is only modified for a specific IP 10.123.102.1 in this case. Kindly have your say on these points because you're a senior pro of-course and I might be learning many things from you in future. Thanks, Tabraiz |
All times are GMT -5. The time now is 07:43 PM. |