On Thu, 1 Sep 2005 08:11:28 -0400, Bill wrote:
>
>Date: Thu, 1 Sep 2005 08:09:24 -0400
>From: Bill <[EMAIL PROTECTED]>
>To: "Rod.. Whitworth" <[EMAIL PROTECTED]>
>Subject: Re: routing question - why one way?
>
>
>On Thu, 01 Sep 2005 16:36:13 +1000
>"Rod.. Whitworth" <[EMAIL PROTECTED]> wrote:
>
>> On Thu, 1 Sep 2005 01:01:08 -0400, Bill wrote:
>> 
>> >OBSD 3.7 - new install
>> >
>> >I am building a router.  And I am having a routing problem.  I am not
>> >doing any packet filtering, NAT or anything... it's all strictly private
>> >address space nets.  I also most definitely have ip forwarding set in
>> >sysctl
>> >
>> >Right now I have the router installed with two active interfaces...
>> >
>> >Segment A (192.168.0.4) interface on the router 
>> >Segment B (10.3.0.1) interface on the router
>> >
>> >Now I have a machine on each segment also:
>> >
>> >192.168.0.2 (Segment A)
>> >10.3.50.1 (Segment B)
>> >
>> >Segment B has the default gateway set to 192.168.0.2
>> >(192.168.0.2 then passes out to the internet )
>> >
>> >From 10.3.50.1 my default gateway is the 10.3.0.1 (router nic).  I
>> >can ping any of the other interface cards on the router (there are a
>> >few) including the 192.168.0.4 interface on the router.  But I cannot
>> >ping the 192.168.0.2 machine.
>> >
>> >* WAIT * I know what you are going to say... but I DO have the ip
>> >forwarding set
>> >
>> ># sysctl -a | grep forward 
>> >net.inet.ip.forwarding=1
>> >
>> >I checked many times since.
>> >
>> >Now, if I go to the 192.168.0.2 machine, I added a route so it knows
>> >where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no
>> >problem.  I can also ping all the other nic's on the router.  So the
>> >router is forwarding packets.  
>> >
>> >So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping
>> >responses from 10.3.50.1 should be able to be returned from the
>> >192.168.0.2 box back no problem.
>> >
>> >I am not sure where the pings are being lost... if the machine on
>> >segment A knows how to reach segment B and can ping it... doesn't that
>> >mean the segment B machine essentially can get pings back if it sends
>> >them to Segment A?  Segment A is its default route.
>> >
>> >Confused...
>> >
>> >Any help would be greatly appreciated
>> >
>> >All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux
>
>---
>> >
>> >Bill Chmura
>> >Director of Internet Technology
>> >Explosivo ITG
>> >Wolcott, CT
>> >
>> >p: 860.621.8693
>> >e: [EMAIL PROTECTED]
>> >w. http://www.explosivo.com
>> >
>> >
>> I'm sure that you know what you mean but what you have stated about the
>> networks and host is ambiguous.
>> 
>> Let's see if I guess correctly in phrasing it a little differently. If
>> not you have a better chance to correct the impression.
>> 
>> There are 2 private networks:
>> 192.168.0.0/24
>> 10.3.0.0/8   <- maybe you use a /24 but /8 is the "natural" for a 10.
>> network
>> 
>> You have 3 hosts:
>> A router with 2 NICs, 192.168.0.4 and 10.3.0.1
>> One with a NIC = 192.168.0.2 (connected to the router on its
>> 192.168.0.4 NIC) It also has another NIC that connects to the internet
>> (somehow)
>> One with a NIC = 10.3.50.1 (connected to the router NIC 10.3.0.1)
>> 
>> So far so good?
>> 
>> Well really you have 2 routers there. The one you called a router plus
>> the 192.168.0.2 host.
>> The latter will need to have forwarding on as well as the one you
>> called Router in your post.
>> 
>> Your first router will need to have its default gateway set to
>> 192.168.0.2 for traffic from the 10. network to get to the 'net.
>> 
>> Looking at netstat -rnf inet on your OpenBSD boxes might be
>> enlightening and should be posted as a part of your question.
>>  The Linux box only needs netstat -rn as it defaults to the inet
>> family.
>> 
>> Forget the term segments. It is confusing where you have no
>> segmentation.
>> Make sure ALL machines on your 10. network have a netmask of 255.0.0.0
>> for "purity" because you need at least 255.255.192.0 (math done in head
>> at end of day - please check!) to get that third octet (50) covered.
>> 
>> Let's see where that gets you.....
>> From the land "down under": Australia.
>> Do we look <umop apisdn> from up over?
>> 
>> Do NOT CC me - I am subscribed to the list.
>> Replies to the sender address will fail except from the list-server.
>> 
>
>Hi Rod,
>
>Your rephrasing of my layout is accurate.  Routing on the 192.168.0.2
>box is fine (the rest of the network on the 192.168.0.0/24 segment can
>get through there fine).
>
>Here is the netstat for the inner router...  As you can see I have the
>default set (I think) to use the 192.168.0.2
>
>Internet:
>Destination        Gateway            Flags     Refs     Use    Mtu  Interface
>default            192.168.0.2        UGS         9     1516      -   em0
>10.2/16            link#2             UC          0        0      -   em1
>10.3/16            link#3             UC          0        0      -   em2
>10.4/16            link#4             UC          1        0      -   em3
>10.4.50.1          link#4             UHLc        2       30      -   em3
>10.5/16            link#5             UC          0        0      -   em4
>10.6/16            link#7             UC          0        0      -   em6
>10.7/16            link#8             UC          0        0      -   em7
>127/8              127.0.0.1          UGRS        0        0  33224   lo0
>127.0.0.1          127.0.0.1          UH          2     3574  33224   lo0
>192.168.0/24       link#1             UC          2        0      -   em0
>192.168.0.2        0:60:97:5b:72:45   UHLc        1      388      -   em0
>192.168.0.198      0:b:cd:7:8f:45     UHLc        1     1934      -   em0
>224/4              127.0.0.1          URS         0        0  33224   lo0
>
>
>It's got to be something simple as I can ping from the 192.168.0.2 box
>through the inner router to the box on the 10.3.0.0/16 segment, but
>cannot ping the reverse of that (from 10.3.0.0/16 to 192.168.0.2)
>
>Thanks for any insight and patience as I try to express this problem
>-- 
>
>Bill Chmura
>Director of Internet Technology
>Explosivo ITG
>Wolcott, CT
>
>p: 860.621.8693
>e: [EMAIL PROTECTED]
>w. http://www.explosivo.com
>
>

Aaaarrrrgh!

You are trying to turn us into mad inquisitors!
Why, oh why is getting the real guts such a task?

Finally (I fervently hope!) we have a network plan that represents
reality.
It is way too complex for someone who cannot work this out alone (due
to lots of interfaces that may be misconfigured).
How about removing all those NICs not involved in the original question
and making sure that both interfaces on the remaining 10.?/16 
concerned have the same netmask, /16, and that both are addressed
within that network.
STOP calling them segments! They are networks. YOU subnetted them out
of  a class A to form your own /16 networks. Call them subnets if you
like - they ain't segments! OK?

Now do we know what the netmask is for the 10.3.50.1 box? (Or is it now
10.4. ? Stand still for a moment - you will have us as confused as you
are soon.)

One small step at a time, please. Tell us EXACTLY what is involved.
Call your hosts (routers or whatever) by some simple name and stick
with it. Alpha, beta, or Red, Orange or whatever and then tell us what
the NIC IPs are on that host (with netmask) and which host/NIC pairs
are joined by a cable.

With your complexity I hope you are just using a simple crossover cable
where a switch isn't needed or you'll have even more problems most
likely when the poor darling (simple unmanaged switch) tries to sort out
all the traffic.

I'm off to bed now after 16 hours at the grinder. If you do your stuff
and respond as I'd like you will probably either (a) find out that you
have it working or (b) your message will be clear enough that you'll
get an answer straight off.

Good luck! and I'll see that traffic tomorrow morning, so be good, eh?

From the land "down under": Australia.
Do we look <umop apisdn> from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
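
Added example, not part of any poster's message: a check of the two points raised in the thread, namely which route the posted table selects for a destination (longest-prefix match) and which netmasks keep 10.3.0.1 and 10.3.50.1 on the same network. The function names are hypothetical, 198.51.100.7 is a constructed off-net destination, and the /24 and /19 masks tried on the 10.3.50.1 host are assumptions, since its real netmask is never stated.

```python
import ipaddress

# Network routes from the table posted in the thread
# (host/ARP, loopback and multicast entries left out).
ROUTES = [
    ("0.0.0.0/0",      "192.168.0.2", "em0"),
    ("10.2.0.0/16",    "link#2",      "em1"),
    ("10.3.0.0/16",    "link#3",      "em2"),
    ("10.4.0.0/16",    "link#4",      "em3"),
    ("10.5.0.0/16",    "link#5",      "em4"),
    ("10.6.0.0/16",    "link#7",      "em6"),
    ("10.7.0.0/16",    "link#8",      "em7"),
    ("192.168.0.0/24", "link#1",      "em0"),
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: (network, gateway, interface) used for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw, ifc) for net, gw, ifc in routes]
    hits = [h for h in hits if addr in h[0]]
    net, gw, ifc = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), gw, ifc

def on_link(interface, peer):
    """True if peer lies inside the network of an 'addr/prefix' interface."""
    return ipaddress.ip_address(peer) in ipaddress.ip_interface(interface).network

def longest_common_prefix(a, b):
    """Longest prefix length that still puts both addresses in one network."""
    diff = int(ipaddress.ip_address(a)) ^ int(ipaddress.ip_address(b))
    return 32 - diff.bit_length()

def netmask(prefixlen):
    """Dotted-quad netmask for a prefix length."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)

if __name__ == "__main__":
    for dst in ("10.3.50.1", "10.4.50.1", "192.168.0.2", "198.51.100.7"):
        print(dst, "->", lookup(dst))
    p = longest_common_prefix("10.3.0.1", "10.3.50.1")
    print("narrowest mask covering both hosts:", f"/{p}", netmask(p))
    # Assumed masks on the 10.3.50.1 host: anything longer than /18 puts
    # its gateway 10.3.0.1 off-link, so it cannot use it as a next hop.
    for mask in (16, 18, 19, 24):
        print(f"10.3.50.1/{mask} sees 10.3.0.1 on-link:",
              on_link(f"10.3.50.1/{mask}", "10.3.0.1"))
```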
