Begin forwarded message:

Date: Thu, 1 Sep 2005 08:09:24 -0400
From: Bill <[EMAIL PROTECTED]>
To: "Rod.. Whitworth" <[EMAIL PROTECTED]>
Subject: Re: routing question - why one way?

On Thu, 01 Sep 2005 16:36:13 +1000 "Rod.. Whitworth" <[EMAIL PROTECTED]> wrote:

> On Thu, 1 Sep 2005 01:01:08 -0400, Bill wrote:
>
> >OBSD 3.7 - new install
> >
> >I am building a router. And I am having a routing problem. I am not
> >doing any packet filtering, NAT or anything... its all strictly private
> >address space nets. I also most definitely have ip forwarding set in
> >sysctl.
> >
> >Right now I have the router installed with two active interfaces...
> >
> >Segment A (192.168.0.4) interface on the router
> >Segment B (10.3.0.1) interface on the router
> >
> >Now I have a machine on each segment also:
> >
> >192.168.0.2 (Segment A)
> >10.3.50.1 (Segment B)
> >
> >Segment B has the default gateway set to 192.168.0.2
> >(192.168.0.2 then passes out to the internet)
> >
> >From 10.3.50.1 my default gateway is the 10.3.0.1 (router NIC). I
> >can ping any of the other interface cards on the router (there are a
> >few) including the 192.168.0.4 interface on the router. But I cannot
> >ping the 192.168.0.2 machine.
> >
> >* WAIT * I know what you are going to say... but I DO have the ip
> >forwarding set:
> >
> ># sysctl -a | grep forward
> >net.inet.ip.forwarding=1
> >
> >I checked many times since.
> >
> >Now, if I go to the 192.168.0.2 machine, I added a route so it knows
> >where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no
> >problem. I can also ping all the other NICs on the router. So the
> >router is forwarding packets.
> >
> >So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping
> >responses from 10.3.50.1 should be able to be returned to the
> >192.168.0.2 box no problem.
> >
> >I am not sure where the pings are being lost... if the machine on
> >segment A knows how to reach segment B and can ping it... doesn't that
> >mean the segment B machine essentially can get pings back if it sends
> >them to Segment A? Segment A is its default route.
> >
> >Confused...
> >
> >Any help would be greatly appreciated.
> >
> >All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux.
> >
> >---
> >Bill Chmura
> >Director of Internet Technology
> >Explosivo ITG
> >Wolcott, CT
> >
> >p: 860.621.8693
> >e: [EMAIL PROTECTED]
> >w. http://www.explosivo.com
>
> I'm sure that you know what you mean but what you have stated about the
> networks and host is ambiguous.
>
> Let's see if I guess correctly in phrasing it a little differently. If
> not you have a better chance to correct the impression.
>
> There are 2 private networks:
> 192.168.0.0/24
> 10.3.0.0/8 <- maybe you use a /24 but /8 is the "natural" for a 10.
> network
>
> You have 3 hosts:
> A router with 2 NICs, 192.168.0.4 and 10.3.0.1
> One with a NIC = 192.168.0.2 (connected to the router on its
> 192.168.0.4 NIC). It also has another NIC that connects to the internet
> (somehow).
> One with a NIC = 10.3.50.1 (connected to the router NIC 10.3.0.1)
>
> So far so good?
>
> Well really you have 2 routers there. The one you called a router plus
> the 192.168.0.2 host.
> The latter will need to have forwarding on as well as the one you
> called Router in your post.
>
> Your first router will need to have its default gateway set to
> 192.168.0.2 for traffic from the 10. network to get to the 'net.
>
> Looking at netstat -rnf inet on your OpenBSD boxes might be
> enlightening and should be posted as a part of your question.
> The Linux box only needs netstat -rn as it defaults to the inet
> family.
>
> Forget the term segments. It is confusing where you have no
> segmentation.
> Make sure ALL machines on your 10. network have a netmask of 255.0.0.0
> for "purity" because you need at least 255.255.192.0 (math done in head
> at end of day - please check!) to get that third octet (50) covered.
>
> Let's see where that gets you.....
>
> From the land "down under": Australia.
> Do we look <umop apisdn> from up over?
>
> Do NOT CC me - I am subscribed to the list.
> Replies to the sender address will fail except from the list-server.

Hi Rod,

Your rephrasing of my layout is accurate. Routing on the 192.168.0.2 box is
fine (the rest of the network on the 192.168.0.0/24 segment can get through
there fine). Here is the netstat for the inner router... As you can see I have
the default set (I think) to use the 192.168.0.2:

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            192.168.0.2        UGS          9    1516      -  em0
10.2/16            link#2             UC           0       0      -  em1
10.3/16            link#3             UC           0       0      -  em2
10.4/16            link#4             UC           1       0      -  em3
10.4.50.1          link#4             UHLc         2      30      -  em3
10.5/16            link#5             UC           0       0      -  em4
10.6/16            link#7             UC           0       0      -  em6
10.7/16            link#8             UC           0       0      -  em7
127/8              127.0.0.1          UGRS         0       0  33224  lo0
127.0.0.1          127.0.0.1          UH           2    3574  33224  lo0
192.168.0/24       link#1             UC           2       0      -  em0
192.168.0.2        0:60:97:5b:72:45   UHLc         1     388      -  em0
192.168.0.198      0:b:cd:7:8f:45     UHLc         1    1934      -  em0
224/4              127.0.0.1          URS          0       0  33224  lo0

It's got to be something simple, as I can ping from the 192.168.0.2 box
through the inner router to the box on the 10.3.0.0/16 segment, but cannot
ping the reverse of that (from 10.3.0.0/16 to 192.168.0.2).

Thanks for any insight and patience as I try to express this problem.

--
Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT

p: 860.621.8693
e: [EMAIL PROTECTED]
w. http://www.explosivo.com
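The thread's symptom is a one-way path: packets reach the far host but the replies take a different route back. Rod's advice is to collect the routing table of every box and check each hop separately, because a ping only succeeds when the forward lookup on every hop and the reverse lookup on every hop both resolve. The following is an added example, not code from the thread or from OpenBSD; it models the layout described above (a host on 10.3/16, the two-NIC router, the 192.168.0.2 box with an upstream default route) as constructed routing tables, walks a packet hop by hop with longest-prefix matching, and reports the hop where the reply dies. Host names (`host_a`, `host_b`, `router`, `isp`) and the upstream gateway 203.0.113.1 are placeholders; the tables are constructed to illustrate the failure mode, not the posted `netstat` output. It also checks Rod's netmask point: whether a host's configured gateway is inside its own interface prefix at all.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    """One node: the interface addresses it owns and its routing table.
    routes is a list of (prefix, gateway); gateway None means the prefix is on-link."""
    name: str
    addrs: list
    routes: list
    forwarding: bool = True  # models net.inet.ip.forwarding on a transit box


def lookup(host, dst):
    """Longest-prefix match of dst against the host's table; (network, gateway) or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in host.routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def trace(hosts, src, dst):
    """Follow a packet from src to dst one routing decision at a time.
    Returns (status, path); path lists the hosts the packet visited in order."""
    by_addr = {a: h for h in hosts for a in h.addrs}
    node = by_addr[src]
    origin = node
    path = [node.name]
    while True:
        if dst in node.addrs:
            return "delivered", path
        if node is not origin and not node.forwarding:
            return "dropped: ip.forwarding=0 on " + node.name, path
        match = lookup(node, dst)
        if match is None:
            return "no route on " + node.name, path
        nexthop = dst if match[1] is None else match[1]   # on-link: deliver directly
        nxt = by_addr.get(nexthop)
        if nxt is None:
            return "next hop %s unreachable from %s" % (nexthop, node.name), path
        if nxt.name in path:
            return "routing loop at " + nxt.name, path
        node = nxt
        path.append(node.name)


def gateway_on_link(iface, gateway):
    """True if the gateway lies inside the interface's own prefix (netmask), i.e. the
    host can actually reach it directly. Rod's point about the 10. netmask."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(iface).network


def build_topology(return_route_on_host_a, router_forwarding=True):
    """Constructed model of the thread's layout (placeholder names and tables):
    host_b (10.3.50.1) -> router (10.3.0.1 / 192.168.0.4) -> host_a (192.168.0.2) -> isp.
    203.0.113.1 is a made-up upstream gateway that knows nothing about 10/8."""
    host_a_routes = [("192.168.0.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if return_route_on_host_a:
        host_a_routes.append(("10.3.0.0/16", "192.168.0.4"))  # the route Bill added
    return [
        Host("host_b", ["10.3.50.1"],
             [("10.3.0.0/16", None), ("0.0.0.0/0", "10.3.0.1")]),
        Host("router", ["10.3.0.1", "192.168.0.4"],
             [("10.3.0.0/16", None), ("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.2")],
             forwarding=router_forwarding),
        Host("host_a", ["192.168.0.2"], host_a_routes),
        Host("isp", ["203.0.113.1"], [("203.0.113.0/24", None)]),
    ]


def round_trip(hosts, a, b):
    """Status of a -> b and of the reply b -> a. Unequal results are exactly the
    'pings work one way' symptom from the thread."""
    return trace(hosts, a, b)[0], trace(hosts, b, a)[0]


if __name__ == "__main__":
    for fixed in (False, True):
        print("return route on host_a:", fixed,
              round_trip(build_topology(fixed), "10.3.50.1", "192.168.0.2"))
    print("10.3.0.1 on-link from 10.3.50.1/24:", gateway_on_link("10.3.50.1/24", "10.3.0.1"))
    print("10.3.0.1 on-link from 10.3.50.1/16:", gateway_on_link("10.3.50.1/16", "10.3.0.1"))
```

Without the 10.3/16 route on `host_a`, the forward trace is delivered but the reply follows `host_a`'s default route to the upstream and fails there; with the route added, both directions are delivered. Flipping `router_forwarding` off shows the other classic cause: the first transit hop dropping the packet. Feeding the real tables from `netstat -rnf inet` (and `netstat -rn` on the Linux box) into the same model is the offline equivalent of the hop-by-hop check Rod asks for.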