RE: Woody routing question...

2002-08-12 Thread Sean Cardus
Hi All,

Thanks in advance for all the responses I received to my question.
Apologies for not replying to those who responded - I was in the process
of drafting up some nice ASCII diagrams of the network(s) involved when
J.J. van Gorkum responded with the following jewel of info:

> look at http://www.samag.com/documents/s=1824/sam0201h/0201h.htm

This basically allowed me to get everything up and running more-or-less
as I wanted by doing the following...

# apt-get install iproute
# ip rule add from xxx.yy.234.131 lookup 1
# ip route add 0/0 via xxx.yy.234.129 table 1
# ip rule add from aaa.bbb.80.144 lookup 2
# ip route add 0/0 via aaa.bbb.80.130 table 2

Fantastic!...

Again, thank you to everyone who pondered over this one for me...

Sean





Re: Woody routing question...

2002-08-10 Thread Ted Deppner
On Fri, Aug 09, 2002 at 11:00:21PM +0200, Marc Haber wrote:
> On Fri, 9 Aug 2002 10:19:36 -0700, Ted Deppner [EMAIL PROTECTED] wrote:
> > If you want to be able to use both IPs from either network (a common
> > occurrence even if you didn't plan it), you should probably turn off
> > RP_FILTER in the kernel.
>
> Why?

rp_filter will drop packets coming in interface A that have a source in
the network of interface B.  It essentially polices that packets that
should come in B have to come in B.  In a well connected mesh, it's
possible to have network B devices route packets through to interface A
(interface B's cable unplugged, route to B becomes available through A;
arp behavior in two NIC networks on the same switch can exhibit this
behavior sometimes as well).

This is only usually a concern where you have two interfaces facing the
same general network traffic.

> use tcpdump -e to actually see the MAC addresses where the packets are
> sent to.

Good point!

-- 
Ted Deppner
http://www.psyber.com/~ted/




Re: Woody routing question...

2002-08-10 Thread Marc Haber
On Sat, 10 Aug 2002 07:49:14 -0700, Ted Deppner [EMAIL PROTECTED]
wrote:
> On Fri, Aug 09, 2002 at 11:00:21PM +0200, Marc Haber wrote:
> > On Fri, 9 Aug 2002 10:19:36 -0700, Ted Deppner [EMAIL PROTECTED] wrote:
> > > If you want to be able to use both IPs from either network (a common
> > > occurrence even if you didn't plan it), you should probably turn off
> > > RP_FILTER in the kernel.
> >
> > Why?
>
> rp_filter will drop packets coming in interface A that have a source in
> the network of interface B.  It essentially polices that packets that
> should come in B have to come in B.

Notice source address. So, rp_filter's setting is irrelevant when it
comes to reaching _any_ ip address of the local host as long as it
comes in from the interface that matches the source address.

> This is only usually a concern where you have two interfaces facing the
> same general network traffic.

Or when you suspect IP spoofing.

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber  |Questions are the | Mail address in header
Karlsruhe, Germany  | Beginning of Wisdom  | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29
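
The following Python sketch is an added example, not code from any poster in this thread. It models the strict reverse-path check described above against the routing table Sean Cardus posted, then again with the `ip rule`/`ip route` tables from his follow-up; the addresses are constructed RFC 5737 stand-ins for the masked ones, and the lookup is a simplified model of kernel behaviour (longest prefix, then metric; `from` rules matched against the local address).

```python
import ipaddress as ipa

# Constructed stand-ins (RFC 5737 ranges) for the thread's masked addresses.
ETH0_IP, ETH0_GW = "198.51.100.144", "198.51.100.130"  # eth0, /25 subnet
ETH1_IP, ETH1_GW = "192.0.2.131", "192.0.2.129"        # eth1, /26 subnet

# (prefix, gateway, metric, iface), mirroring the posted `route -n` output.
MAIN = [
    ("192.0.2.128/26", None, 0, "eth1"),
    ("198.51.100.128/25", None, 0, "eth0"),
    ("0.0.0.0/0", ETH1_GW, 0, "eth1"),
    ("0.0.0.0/0", ETH0_GW, 1, "eth0"),
]
TABLES = {
    "main": MAIN,
    "1": [("0.0.0.0/0", ETH1_GW, 0, "eth1")],  # ip route add 0/0 via ... table 1
    "2": [("0.0.0.0/0", ETH0_GW, 0, "eth0")],  # ip route add 0/0 via ... table 2
}
POLICY_RULES = [(ETH1_IP, "1"), (ETH0_IP, "2")]  # ip rule add from <addr> lookup <table>


def lookup(dst, src, rules):
    """Route a flow src -> dst: matching `from` rules first, then the main table."""
    for name in [t for addr, t in rules if addr == src] + ["main"]:
        hits = [r for r in TABLES[name] if ipa.ip_address(dst) in ipa.ip_network(r[0])]
        if hits:
            # Longest prefix wins; ties go to the lowest metric.
            best = max(hits, key=lambda r: (ipa.ip_network(r[0]).prefixlen, -r[2]))
            return best[1], best[3]
    return None


def rp_filter_accepts(in_iface, pkt_src, pkt_dst, rules, mode=1):
    """mode 0: off; 1: strict (route back must use in_iface); 2: loose (any route)."""
    if mode == 0:
        return True
    # Reverse lookup: how would this host send from pkt_dst back to pkt_src?
    back = lookup(pkt_src, pkt_dst, rules)
    if back is None:
        return False
    return mode == 2 or back[1] == in_iface


if __name__ == "__main__":
    outside = "198.51.100.36"  # constructed host beyond eth0's /25, reaching eth0's address
    for label, rules in (("two defaults only", []), ("with from-rules", POLICY_RULES)):
        print(label, "| strict rp_filter accepts:",
              rp_filter_accepts("eth0", outside, ETH0_IP, rules),
              "| reply leaves via:", lookup(outside, ETH0_IP, rules))
```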




Woody routing question...

2002-08-09 Thread Sean Cardus
Hi All,
I've just set up a Debian Woody alpha machine and am currently having 
problems with routing...  I'm not entirely sure this problem is appropriate 
for this list, but here goes... Apologies for the length of the mail too :)

I've got 2 network cards in my machine - Each card is connected to different 
networks, but both have public IP addresses.

eth0 = IP: aaa.bbb.80.144 Network: aaa.bbb.80.128 Mask: 255.255.255.128
eth1 = IP: xxx.yy.234.131 Network: xxx.yy.234.128 Mask: 255.255.255.192

My current routing table, as shown by running route -n, is as follows:

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
xxx.yy.234.128  0.0.0.0         255.255.255.192 U     0      0   0   eth1
aaa.bbb.80.128  0.0.0.0         255.255.255.128 U     0      0   0   eth0
0.0.0.0         xxx.yy.234.129  0.0.0.0         UG    0      0   0   eth1
0.0.0.0         aaa.bbb.80.130  0.0.0.0         UG    1      0   0   eth0

eth0 is located on a subnet within a larger network - As follows:

Network: aaa.bbb.80.0 Netmask: 255.255.248.0

eth1 is my main Internet connection, it is used for almost all Internet 
bound traffic.

eth0 is a network connected to the Internet via a lower bandwidth 
connection.  The main reason for this interface is to allow hosts on its 
network to connect directly to my machine at a higher speed than their 
external Internet connection allows.  This interface should also communicate 
with Internet hosts if they connect to this iface's IP address.

On to the problem...  Machines within eth0's local subnet can communicate with 
the server without a problem.  Machines outside of the subnet - eg. 
aaa.bbb.81.36 - cannot communicate with this interface's ip address.  
aaa.bbb.81.36, as well as external Internet hosts, can however connect to 
xxx.yy.234.131 without a problem.

I've tried adding routes to eth0's subnet and the larger network as a whole 
- Only result being aaa.bbb.81.36 can now connect to eth0's ip, but no longer 
can get a response from xxx.yy.234.131

Can anyone shed some light on what to do?...  My IP routing skills are a 
little lacking...

Thanks in advance!...
Sean





Re: Woody routing question...

2002-08-09 Thread Marc Haber
On Fri, 09 Aug 2002 10:15:59 +0100, Sean Cardus
[EMAIL PROTECTED] wrote:
> 0.0.0.0         xxx.yy.234.129  0.0.0.0         UG    0      0   0   eth1
> 0.0.0.0         aaa.bbb.80.130  0.0.0.0         UG    1      0   0   eth0

I'd remove one of these two default gateways first.

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber  |Questions are the | Mail address in header
Karlsruhe, Germany  | Beginning of Wisdom  | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29




Re: Woody routing question...

2002-08-09 Thread Marc Haber
On Fri, 9 Aug 2002 10:19:36 -0700, Ted Deppner [EMAIL PROTECTED] wrote:
> On Fri, Aug 09, 2002 at 10:15:59AM +0100, Sean Cardus wrote:
> > eth0 = IP: aaa.bbb.80.144 Network: aaa.bbb.80.128 Mask: 255.255.255.128
> > eth1 = IP: xxx.yy.234.131 Network: xxx.yy.234.128 Mask: 255.255.255.192
>
> If you want to be able to use both IPs from either network (a common
> occurrence even if you didn't plan it), you should probably turn off
> RP_FILTER in the kernel.

Why?

> I'd also suggest you use tcpdump -n -i ethX on each interface (watch eth0
> on tty1, eth1 on tty2 so you can be sure), and make sure packets are
> actually reaching your interfaces.

use tcpdump -e to actually see the MAC addresses where the packets are
sent to.

Greetings
Marc

-- 
-- !! No courtesy copies, please !! -
Marc Haber  |Questions are the | Mail address in header
Karlsruhe, Germany  | Beginning of Wisdom  | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29




Re: Routing Question

2001-02-06 Thread Andrea Glorioso
>>>>> "nr" == Nathan Ridge [EMAIL PROTECTED] writes:

nr> I'm setting a broadband Internet connection on a Debian box, I
nr> have the sat interface installed and working and can see the
nr> icmp packets coming in from a ping on the sat interface using
nr> tcpdump so I'm confident that side of things is working. I am
nr> having a bit of trouble with the dialup.  Let's say our network
nr> is 203.66.77.0, border gateway is 203.66.77.1 and have a Cisco
nr> access server on the 203.66.77.11 and radius server on
nr> 203.66.77.2.  Now if I assign a static ip from a dialup pool
nr> on our network, say 203.66.77.55 I can ping out from the
nr> dialup no problems, but the static needs to be that of the ip
nr> address that is attached to the mac ID of the sat card so when
nr> I change the static to 203.173.176.99, it connects to our
nr> network, authenticates ok but cannot ping any machine except
nr> for the access server 203.66.77.11.  I know I must just be
nr> missing a route somewhere, and I was assuming on the access
nr> server, but when I also set up an NT server with the same setup
nr> it seems to work fine, any ideas what I am doing wrong?

I'm not sure I've the picture completely clear (an ASCII scheme would
help); however, in my past experiences with satellite-based
connections, you have to make sure to disable the rp_filter on the
satellite interface:

echo 0 > /proc/sys/net/ipv4/conf/`your sat interface`/rp_filter

To see if this is necessary, try to:

echo 1 > /proc/sys/net/ipv4/conf/`your sat interface`/log_martians

and check your logs (on stock Debian systems martian packets should
be logged in auth.log, I think).  If you see any martian packets being
blocked, I suggest you try to disable rp_filter on the sat interface.

By the way, what's your satellite provider?

Bye,

Andrea Glorioso
-- 
It is not enough to take steps that will one day lead us to a
goal; each step must itself be a goal, at the same
time as it carries us forward.
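
An added example (not part of Andrea Glorioso's message): a Python check of the two sysctls named above. It assumes a current Linux kernel, where the effective rp_filter for an interface is the larger of conf/all and conf/<iface>, and log_martians is on if either is set, so clearing only the per-interface value may change nothing.

```python
from pathlib import Path


def _read(path):
    """Read one integer sysctl file; treat unreadable or malformed values as 0."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return 0


def audit(conf_root="/proc/sys/net/ipv4/conf"):
    """Map each interface to its effective rp_filter mode and log_martians state."""
    root = Path(conf_root)
    if not root.is_dir():
        return {}
    all_rp = _read(root / "all" / "rp_filter")
    all_log = _read(root / "all" / "log_martians")
    report = {}
    for d in sorted(p for p in root.iterdir() if p.is_dir()):
        if d.name in ("all", "default"):
            continue  # "all" is folded into every interface; "default" is only a template
        report[d.name] = {
            "rp_filter": max(all_rp, _read(d / "rp_filter")),
            "log_martians": bool(all_log or _read(d / "log_martians")),
        }
    return report


def silent_drops(report):
    """Interfaces that filter by reverse path but would not log what they drop."""
    return [i for i, s in report.items() if s["rp_filter"] and not s["log_martians"]]


if __name__ == "__main__":
    rep = audit()
    for iface, s in rep.items():
        print(f"{iface}: rp_filter={s['rp_filter']} log_martians={s['log_martians']}")
    print("dropping without logging:", silent_drops(rep) or "none")
```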




Routing Question

2001-02-05 Thread Nathan Ridge

I'm setting a broadband Internet connection on a Debian box, I have the sat
interface installed and working and can see the icmp packets coming in from
a ping on the sat interface using tcpdump so I'm confident that side of
things is working. I am having a bit of trouble with the dialup.  Let's say
our network is 203.66.77.0, border gateway is 203.66.77.1 and have a Cisco
access server on the 203.66.77.11 and radius server on 203.66.77.2.  Now if
I assign a static ip from a dialup pool on our network, say 203.66.77.55 I
can ping out from the dialup no problems, but the static needs to be that of
the ip address that is attached to the mac ID of the sat card so when I
change the static to 203.173.176.99, it connects to our network,
authenticates ok but cannot ping any machine except for the access server
203.66.77.11.  I know I must just be missing a route somewhere, and I was
assuming on the access server, but when I also set up an NT server with the
same setup it seems to work fine, any ideas what I am doing wrong?

thanks

Nathan 

