[SOLVED] Can't SSH from out of subnet IP

TronCarter · 12-10-2013, 08:51 AM

I can SSH into my Solaris 10 box just fine from the same subnet, for instance:

server: 192.168.23.23
client: 192.168.23.46

Both are on the same side of the enterprise firewall. However, when I am on the outside of the firewall and use the company VPN, I am unable to SSH into the server. It just waits for a while and says "unable to connect". The VPN is in an entirely different IP range of:

10.40.x.x

This is the only thing I can see as a difference. I am able to SSH through the VPN to other linux boxes inside the firewall, just not this Solaris 10 box.

Is it a netmask issue? Currently it is 255.255.255.0.

I installed Solais myself, so I know I didn't set up any IP filtering.

Tron

acid_kewpie · 12-10-2013, 09:00 AM

Very little to go on, but presuming there are no other firewalls between your endpoints, and no restrictions on the VPN configuration itself, I'd be checking the return route. Maybe the default gateway on the server is wrong? Can you SSH to another local box and then connect to it?

zhjim · 12-10-2013, 09:00 AM

I guess the route to the 10.40.0.0/16 network is not know to the solaris machines. Also this depends on the overall network architecture.
Could just check what routes are present on the other machines and compare those with the faulty ones.

To make sure its a route issue you could run a tcpdump session or just create a log target from and to this network with iptables.

*damn to late*

TronCarter · 12-10-2013, 09:08 AM

Quote:

Originally Posted by acid_kewpie

Very little to go on, but presuming there are no other firewalls between your endpoints, and no restrictions on the VPN configuration itself, I'd be checking the return route. Maybe the default gateway on the server is wrong? Can you SSH to another local box and then connect to it?

Yes, I can SSH to other local boxes and then SSH to it.

Code:

netstat -rn

default              192.168.23.1         UG        1       2540 igb0

TronCarter · 12-10-2013, 09:09 AM

Quote:

Originally Posted by zhjim

I guess the route to the 10.40.0.0/16 network is not know to the solaris machines. Also this depends on the overall network architecture.
Could just check what routes are present on the other machines and compare those with the faulty ones.

To make sure its a route issue you could run a tcpdump session or just create a log target from and to this network with iptables.

*damn to late*

How do I check what routes are present on the other machines?

zhjim · 12-10-2013, 09:30 AM

Code:

ip route

or

Code:

route

should give you some output. The latter should be known by more than one OS.

TronCarter · 12-10-2013, 02:15 PM

From a working linux box (I can VPN SSH into it):

# route

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.23.1    0.0.0.0         UG    0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.23.0    *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0

From the Solaris box (I believe the netstat command is equivalent on Solaris):

Code:

# netstat -rnv

IRE Table: IPv4
  Destination             Mask           Gateway          Device Mxfrg Rtt   Ref Flg  Out  In/Fwd 
-------------------- --------------- -------------------- ------ ----- ----- --- --- ----- ------ 
default              0.0.0.0         192.168.23.1         igb0    1500*    0   1 UG   58219      0 
10.0.0.0             255.0.0.0       10.0.0.10            igb1    1500*    0   1 U       17      0 
192.168.23.0         255.255.255.0   192.168.23.173       igb0    1500*    0   1 U       75      0 
192.168.169.0        255.255.255.0   192.168.169.110      ibd0    2044*    0   1 U        0      0 
224.0.0.0            240.0.0.0       192.168.23.173       igb0    1500*    0   1 U        0      0 
127.0.0.1            255.255.255.255 127.0.0.1            lo0     8232*    0   3 UH      36      0

ibd0 is an infiniband card, but I don't believe it's involved in the problem.

acid_kewpie · 12-11-2013, 01:56 AM

right, so you've a route for 10.0.0.0/8 via 10.0.0.10 which doesn't exist on the first box.

TronCarter · 12-11-2013, 05:56 AM

Quote:

Originally Posted by acid_kewpie

right, so you've a route for 10.0.0.0/8 via 10.0.0.10 which doesn't exist on the first box.

Oh, I forgot to mention that igb1 is connected to a SAN that has an IP of 10.0.0.50. igb1 doesn't "see the outside", it only sees a switch and the SAN. I think you might be on to something though, because the range of IP's that can't connect (on igb0) are all 10.40.x.x, 10.80.x.x, and 10.82.x.x. So if I were to change the subnet mask of that route to 255.255.255.0, would that (in theory) make only 10.0.0.x IP's route to igb1, and 10.40.x.x route normally?

acid_kewpie · 12-11-2013, 06:09 AM

yes, it would. But is that a locally attached subnet? If so there shouldn't be any route tehre at all., as it's already local.

zhjim · 12-11-2013, 06:31 AM

As far as the usage of ip addr add 10.0.0.10/24 goes it creates a route to the 10.0.0.0/24 network automaticaly. So I'd say that one needs a route. Or is there something I dont understand the word "local" wrong.

Anyways. Create a more specific route to the SAN. Either just a very small subnet like /30 and have the other 10.0.0.0/8 routes go through the default gateway (Could just delete that one). Or create routes for 10.40.0.0/16 through the default gw. Also add 10.80/16 and 10.82/16. Also I would just create a more strict subnet for the SAN.

TronCarter · 12-11-2013, 07:37 AM

Quote:

Originally Posted by acid_kewpie

yes, it would. But is that a locally attached subnet? If so there shouldn't be any route tehre at all., as it's already local.

Yes, the SAN and igb1 (as well as some igb1's in other computers) are manually configured for 10.0.0.x and they are only seen to each other. igb0 is the connection to the LAN that users log in on. I suppose we could have chosen any IP range when we initially set the SAN up, but didn't see this as being a problem.

zhjim, I am sort of following you, but I'm not real clear with the /24, /16, etc parts. You are saying to create a route to 10.40.0.0 with a mask of 255.255.0.0? (as well as 10.80.x.x and 10.82.x.x) Would I need to delete anything, or just add those three? I think it makes sense to also delete the 10.0.0.0 255.0.0.0, but it's early and I'm no expert.

If I were to just change the mask of the existing route to 255.255.0.0, would it just route all 10.0.x.x traffic to igb1, and all other traffic (10.40.x.x) would be handled normally by igb0, the adapter the request came in on?

zhjim · 12-11-2013, 08:59 AM

Quote:

Originally Posted by TronCarter

zhjim, I am sort of following you, but I'm not real clear with the /24, /16, etc parts.

The /24, /16 are just other notations for subnets. like /24 is 255.255.255.0. Its a binary thing. 255.255.255.0 has 24bits set to one.

Quote:

Originally Posted by TronCarter

If I were to just change the mask of the existing route to 255.255.0.0, would it just route all 10.0.x.x traffic to igb1, and all other traffic (10.40.x.x) would be handled normally by igb0, the adapter the request came in on?

Sounds good also I would go one subnet down to 255.255.255.0. This would leave you with 254 possible host address to use for the SAN and similar things.
This route (pun intended) would also make the creation of routes for 10.40.0.0 and alike unnecessary. Due to the default route handeling them as you already noted.

As a generel rule of thumb I normaly keep the netmask as small as possible. By this most of the time have the default route is doing its job and you dont have to worry that much.

TronCarter · 12-11-2013, 09:33 AM

IT WORKS!!!!!! In /etc/netmasks I added the line:

Code:

10.0.0.0       255.255.255.0

and restarted the network. I can now connect from the VPN.

Thank you zhjim and acid_kewpie for all of your help!!

zhjim · 12-11-2013, 09:47 AM

Your welcome. Please mark the thread as solve. Use the "Thread Tools" at the top of the page.