Re: routing help
On Tuesday 27 January 2004 11:57, Demian Wandelow wrote:
> On Mon, Jan 26, 2004 at 12:59:03PM +0800, Jason Lim wrote:
>> I believe there is a way to force a refresh or such of the ARP cache. Not
>> sure how... but it can be done somehow. I'd be interested to learn the
>> method under Linux as well, so if you find out, share it with the group
>
> ip route flush cache

No, that flushes the routing cache, not the ARP cache. With the ip command
you'd flush the ARP cache with

    ip neigh flush all

You can also cycle through all ARP entries and delete them with

    arp -d address

Original poster's question (sorry, lost original mail) ...

On Mon, 26 Jan 2004 14:02:21 +1100 Lauchlin wrote:
> If I simply do
>
>     ifconfig eth0:1 203.221.41.12 netmask 255.255.255.224 broadcast 203.221.41.3
>
> I can ping the IP address from the machine that is on the same switch (e.g.
> from 203.221.41.1) but I can not ping or trace to the ip aliased interface.
> I have searched around on google but can't seem to find what I am doing
> wrong!

Is the router at 203.220.47.153 aware of the 203.221.41.0/27 network? If the
router doesn't know about the local 203.221.41.0/27 network it will assume
that the network is not local and try to reach it through the Internet.

--
Fraser Campbell [EMAIL PROTECTED]  http://www.wehave.net/
Georgetown, Ontario, Canada        Debian GNU/Linux

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
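The mechanism the ping-cycling script in this thread relies on is an ARP announcement for the new alias, which can be sent directly. The following is an added example, not code posted in the thread: it adds the alias with ip (the iproute2 replacement for ifconfig eth0:1), sends an unsolicited ARP with iputils arping so neighbours, the upstream router included, learn the address at once, and parses ip neigh output for entries that never resolved. Addresses and interface are the thread's; the sample neighbour table and its MAC addresses are constructed. By default the commands are only printed; run with IP=ip ARPING=arping as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: IP and ARPING
# expand to "echo ...", so the commands are printed rather than executed.
IP="${IP:-echo ip}"
ARPING="${ARPING:-echo arping}"

# announce_alias IFACE ADDR PREFIXLEN LABEL
# Adds ADDR to IFACE as a labelled secondary address, then sends three
# unsolicited (gratuitous) ARP frames so every host on the segment updates
# its cache for ADDR without waiting for traffic sourced from ADDR.
announce_alias() {
    iface=$1 addr=$2 plen=$3 label=$4
    $IP addr add "$addr/$plen" brd + dev "$iface" label "$label"
    $ARPING -U -I "$iface" -c 3 "$addr"
}

# forget_neighbour IFACE ADDR
# Drops a single cached entry, the targeted form of "ip neigh flush all".
forget_neighbour() {
    $IP neigh del "$2" dev "$1"
}

# unresolved_neighbours
# Reads `ip neigh show` text on stdin and prints the addresses whose entry is
# FAILED or INCOMPLETE, i.e. hosts this box tried to reach but never got an
# ARP reply from (the symptom seen from the router side in the thread).
unresolved_neighbours() {
    awk '$NF == "FAILED" || $NF == "INCOMPLETE" { print $1 }'
}

# Constructed sample of `ip neigh show dev eth0` output (MACs are made up).
SAMPLE_NEIGH='203.220.47.153 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
203.221.41.13 dev eth0  FAILED
203.221.41.1 dev eth0 lladdr 00:00:5e:00:53:02 STALE
203.221.41.14 dev eth0  INCOMPLETE'

# Stand-alone run: the two aliases from the thread, then the parser demo.
announce_alias eth0 203.221.41.12 27 eth0:0
announce_alias eth0 203.221.41.13 27 eth0:1
printf '%s\n' "$SAMPLE_NEIGH" | unresolved_neighbours
```

Note that STALE is a normal state (a valid entry awaiting reconfirmation) and is deliberately not reported.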
Re: routing help
On Mon, Jan 26, 2004 at 12:59:03PM +0800, Jason Lim wrote:
> I believe there is a way to force a refresh or such of the ARP cache. Not
> sure how... but it can be done somehow. I'd be interested to learn the
> method under Linux as well, so if you find out, share it with the group :-)

    ip route flush cache

or:

    sysctl -w net.ipv4.route.flush=n

(n = seconds before flush, AFAIK)

--
signature: command not found
Re: routing help
If it works, don't fix it is my theory. May be a better way but I don't know
it. As Jason Lim says in his post, let the list know what happens as I'm sure
others will have the problem.

Only change I'd consider is using the up command (man interfaces) which would
execute your script after the interface was brought up, instead of on boot.
That MIGHT be better. The modification would look like:

    auto eth0 eth1
    iface eth0 inet static
        address 203.221.41.11
        netmask 255.255.255.224
        network 203.221.41.0
        broadcast 203.221.41.31
        up /path/to/your/script

You can also, according to the man page, simply put your script directly into
/etc/interfaces, preceding each command with up, and the commands would happen
in order, ie:

    auto eth0 eth1
    iface eth0 inet static
        address 203.221.41.11
        netmask 255.255.255.224
        network 203.221.41.0
        broadcast 203.221.41.31
        up /sbin/route add -net 203.220.47.152/30 eth0
        up /sbin/route add default gw 203.220.47.153
        up /bin/ping -c1 203.220.238.152
        up /sbin/ifconfig eth0 203.221.41.12 netmask 255.255.255.224 broadcast 203.221.41.31
        . . . etc

Rod

> Hi Rod,
>
> After a bit more playing and a bit more thinking I finally figured it
> out.. I think. What it looks like is that the router I am using as the
> gateway (203.220.47.153) needed to have its ARP table updated or flushed
> or something. I don't have control over it so I can't be sure.
>
> What I now have is a script that runs after boot time that looks like:
>
>     /sbin/route add -net 203.220.47.152/30 eth0
>     /sbin/route add default gw 203.220.47.153
>     /bin/ping -c1 203.220.238.152
>     /sbin/ifconfig eth0 203.221.41.12 netmask 255.255.255.224 broadcast 203.221.41.31
>     /sbin/route add -net 203.220.47.152/30 eth0
>     /sbin/route add default gw 203.220.47.153
>     /bin/ping -c1 203.220.238.152
>     /sbin/ifconfig eth0 203.221.41.13 netmask 255.255.255.224 broadcast 203.221.41.31
>     /sbin/route add -net 203.220.47.152/30 eth0
>     /sbin/route add default gw 203.220.47.153
>     /bin/ping -c1 203.220.238.152
>     /sbin/ifconfig eth0 203.221.41.11 netmask 255.255.255.224 broadcast 203.221.41.31
>     /sbin/ifconfig eth0:0 203.221.41.12 netmask 255.255.255.224 broadcast 203.221.41.31
>     /sbin/ifconfig eth0:1 203.221.41.13 netmask 255.255.255.224 broadcast 203.221.41.31
>     /sbin/route add -net 203.220.47.152/30 eth0
>     /sbin/route add default gw 203.220.47.153
>     /bin/ping -c1 203.220.238.152
>
> It basically cycles through the IP addresses pinging a host on just the
> other side of the router so it flushes the ARP cache. Does this sound
> correct or am I totally off the track here? Anyway it is all working now
> but I guess I'd like to know if what I had to do was correct or not?
>
> Cheers,
> Lauchlin
>
> On 26/01/2004, at 2:31 PM, Rod Rodolico wrote:
>> Sorry to be vague, but there was a command I remember once when I had
>> this problem before. Seems like I had to do a route add in
>> /network/interfaces. Seems like there is some parameter to an interface
>> that allows you to execute a command after the interface is brought up,
>> and I had to do a route add . . . . to get it to work.
>>
>> However, I'm doing a similar thing on my server and the only difference
>> is that my netmask is not 255.255.255.255,
>
> mine is 255.255.255.224. The first line in the route output was a host
> entry that I don't seem to need after all.
>
>> which I think is incorrect on yours. Maybe it is the fact that your
>> netmask is not correct?
>>
>> Following are the first two entries in my /etc/network/interfaces, and
>> it works just fine. If I read your output correctly, your netmask should
>> be a .224 instead of the .0 I use (since you only have two IP's).
>>
>>     auto eth0
>>     iface eth0 inet static
>>         address 66.17.131.182
>>         netmask 255.255.255.0
>>         network 66.17.131.0
>>         broadcast 66.17.131.255
>>         gateway 66.17.131.1
>>
>>     auto eth0:0
>>     iface eth0:0 inet static
>>         address 66.17.131.183
>>         netmask 255.255.255.0
>
>     auto eth0 eth1
>     iface eth0 inet static
>         address 203.221.41.11
>         netmask 255.255.255.224
>         network 203.221.41.0
>         broadcast 203.221.41.31
>
> is what I have.
>
>> Of course, I could be 100% wrong, in which case someone here will
>> correct me.
>>
>> Rod
>>
>>> Hi,
>>>
>>> I have an issue with routing that I just can't figure out. What I have
>>> at the moment is a box set up with an IP and route as follows (some of
>>> the details have
>>>
>>>     route -n
>>>     Kernel IP routing table
>>>     Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>>>     203.221.41.11   0.0.0.0         255.255.255.255 UH    0      0   0   eth0
>>>     203.220.47.152  0.0.0.0         255.255.255.252 U     0      0   0   eth0
>>>     203.221.41.0    0.0.0.0         255.255.255.224 U     0      0   0   eth0
>>>     0.0.0.0         203.220.47.153  0.0.0.0         UG    0      0   0   eth0
>>>
>>>     eth0  Link encap:Ethernet  HWaddr 00:05:1C:0B:48:A8
>>>           inet addr:203.221.41.11  Bcast:203.221.41.31  Mask:255.255.255.224
>>>
>>> As can be seen from above the
Re: routing help
Sorry to be vague, but there was a command I remember once when I had this
problem before. Seems like I had to do a route add in /network/interfaces.
Seems like there is some parameter to an interface that allows you to execute
a command after the interface is brought up, and I had to do a route add . . . .
to get it to work.

However, I'm doing a similar thing on my server and the only difference is
that my netmask is not 255.255.255.255, which I think is incorrect on yours.
Maybe it is the fact that your netmask is not correct?

Following are the first two entries in my /etc/network/interfaces, and it
works just fine. If I read your output correctly, your netmask should be a
.224 instead of the .0 I use (since you only have two IP's).

    auto eth0
    iface eth0 inet static
        address 66.17.131.182
        netmask 255.255.255.0
        network 66.17.131.0
        broadcast 66.17.131.255
        gateway 66.17.131.1

    auto eth0:0
    iface eth0:0 inet static
        address 66.17.131.183
        netmask 255.255.255.0

Of course, I could be 100% wrong, in which case someone here will correct me.

Rod

> Hi,
>
> I have an issue with routing that I just can't figure out. What I have at
> the moment is a box set up with an IP and route as follows (some of the
> details have
>
>     route -n
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>     203.221.41.11   0.0.0.0         255.255.255.255 UH    0      0   0   eth0
>     203.220.47.152  0.0.0.0         255.255.255.252 U     0      0   0   eth0
>     203.221.41.0    0.0.0.0         255.255.255.224 U     0      0   0   eth0
>     0.0.0.0         203.220.47.153  0.0.0.0         UG    0      0   0   eth0
>
>     eth0  Link encap:Ethernet  HWaddr 00:05:1C:0B:48:A8
>           inet addr:203.221.41.11  Bcast:203.221.41.31  Mask:255.255.255.224
>
> As can be seen from above the default route is set up to go to a gateway on
> a static route. What I want to do is add an ip alias to eth0 with an ip
> address of 203.221.41.12 and have it route out through the same gateway.
> If I simply do
>
>     ifconfig eth0:1 203.221.41.12 netmask 255.255.255.224 broadcast 203.221.41.3
>
> I can ping the IP address from the machine that is on the same switch (e.g.
> from 203.221.41.1) but I can not ping or trace to the ip aliased interface.
> I have searched around on google but can't seem to find what I am doing
> wrong!
>
> Thanks,
>
> --
> Lauchlin

--
Media Ethics is an oxymoron, much like Jumbo Shrimp and Microsoft Works.
Not to mention NT Security
Re: routing help
Hi Rod,

After a bit more playing and a bit more thinking I finally figured it out.. I
think. What it looks like is that the router I am using as the gateway
(203.220.47.153) needed to have its ARP table updated or flushed or something.
I don't have control over it so I can't be sure.

What I now have is a script that runs after boot time that looks like:

    /sbin/route add -net 203.220.47.152/30 eth0
    /sbin/route add default gw 203.220.47.153
    /bin/ping -c1 203.220.238.152
    /sbin/ifconfig eth0 203.221.41.12 netmask 255.255.255.224 broadcast 203.221.41.31
    /sbin/route add -net 203.220.47.152/30 eth0
    /sbin/route add default gw 203.220.47.153
    /bin/ping -c1 203.220.238.152
    /sbin/ifconfig eth0 203.221.41.13 netmask 255.255.255.224 broadcast 203.221.41.31
    /sbin/route add -net 203.220.47.152/30 eth0
    /sbin/route add default gw 203.220.47.153
    /bin/ping -c1 203.220.238.152
    /sbin/ifconfig eth0 203.221.41.11 netmask 255.255.255.224 broadcast 203.221.41.31
    /sbin/ifconfig eth0:0 203.221.41.12 netmask 255.255.255.224 broadcast 203.221.41.31
    /sbin/ifconfig eth0:1 203.221.41.13 netmask 255.255.255.224 broadcast 203.221.41.31
    /sbin/route add -net 203.220.47.152/30 eth0
    /sbin/route add default gw 203.220.47.153
    /bin/ping -c1 203.220.238.152

It basically cycles through the IP addresses pinging a host on just the other
side of the router so it flushes the ARP cache. Does this sound correct or am
I totally off the track here? Anyway it is all working now but I guess I'd
like to know if what I had to do was correct or not?

Cheers,
Lauchlin

On 26/01/2004, at 2:31 PM, Rod Rodolico wrote:
> Sorry to be vague, but there was a command I remember once when I had this
> problem before. Seems like I had to do a route add in /network/interfaces.
> Seems like there is some parameter to an interface that allows you to
> execute a command after the interface is brought up, and I had to do a
> route add . . . . to get it to work.
>
> However, I'm doing a similar thing on my server and the only difference is
> that my netmask is not 255.255.255.255,

mine is 255.255.255.224. The first line in the route output was a host entry
that I don't seem to need after all.

> which I think is incorrect on yours. Maybe it is the fact that your netmask
> is not correct?
>
> Following are the first two entries in my /etc/network/interfaces, and it
> works just fine. If I read your output correctly, your netmask should be a
> .224 instead of the .0 I use (since you only have two IP's).
>
>     auto eth0
>     iface eth0 inet static
>         address 66.17.131.182
>         netmask 255.255.255.0
>         network 66.17.131.0
>         broadcast 66.17.131.255
>         gateway 66.17.131.1
>
>     auto eth0:0
>     iface eth0:0 inet static
>         address 66.17.131.183
>         netmask 255.255.255.0

    auto eth0 eth1
    iface eth0 inet static
        address 203.221.41.11
        netmask 255.255.255.224
        network 203.221.41.0
        broadcast 203.221.41.31

is what I have.

> Of course, I could be 100% wrong, in which case someone here will correct
> me.
>
> Rod
>
>> Hi,
>>
>> I have an issue with routing that I just can't figure out. What I have at
>> the moment is a box set up with an IP and route as follows (some of the
>> details have
>>
>>     route -n
>>     Kernel IP routing table
>>     Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>>     203.221.41.11   0.0.0.0         255.255.255.255 UH    0      0   0   eth0
>>     203.220.47.152  0.0.0.0         255.255.255.252 U     0      0   0   eth0
>>     203.221.41.0    0.0.0.0         255.255.255.224 U     0      0   0   eth0
>>     0.0.0.0         203.220.47.153  0.0.0.0         UG    0      0   0   eth0
>>
>>     eth0  Link encap:Ethernet  HWaddr 00:05:1C:0B:48:A8
>>           inet addr:203.221.41.11  Bcast:203.221.41.31  Mask:255.255.255.224
>>
>> As can be seen from above the default route is set up to go to a gateway
>> on a static route. What I want to do is add an ip alias to eth0 with an ip
>> address of 203.221.41.12 and have it route out through the same gateway.
>> If I simply do
>>
>>     ifconfig eth0:1 203.221.41.12 netmask 255.255.255.224 broadcast 203.221.41.3
>>
>> I can ping the IP address from the machine that is on the same switch
>> (e.g. from 203.221.41.1) but I can not ping or trace to the ip aliased
>> interface. I have searched around on google but can't seem to find what I
>> am doing wrong!
>>
>> Thanks,
Re: routing help
> It basically cycles through the IP addresses pinging a host on just the
> other side of the router so it flushes the ARP cache. Does this sound
> correct or am I totally off the track here? Anyway it is all working now
> but I guess I'd like to know if what I had to do was correct or not?

I believe there is a way to force a refresh or such of the ARP cache. Not sure
how... but it can be done somehow. I'd be interested to learn the method under
Linux as well, so if you find out, share it with the group :-)
RE: Routing back via incoming NIC
It is possible, take a peek at:

    http://www.lartc.org/howto/
    http://www.lartc.org/howto/lartc.rpdb.html

Hope this answers your question.

BR,
Boyan Krosnov, CCIE#8701 | http://boyan.ludost.net/
this time speaking for himself.

-----Original Message-----
From: Sanjeev Ghane Gupta [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 20, 2003 10:29 AM
To: [EMAIL PROTECTED]
Subject: Routing back via incoming NIC

Folks,

I have a machine with 2 NICs, both connected to the net. One (A) is used for
low priority traffic, surfing, etc. The other (B) is used for mail, ssh, etc.

What I want is that when a connection is opened to the machine, it should
reply back via the interface the connection came in. Currently, it uses (B),
that being the default gateway.

Is this possible?

--
Sanjeev
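The rpdb chapter linked above solves this with source-address rules: one routing table per uplink, selected by the address a packet is sent from. The following is an added example, not code from the thread or from the LARTC HOWTO: a function that builds such a table and rule for one uplink, plus a check over ip rule output for boot scripts. Interface names, addresses and table numbers are constructed placeholders for the poster's uplinks A and B. By default the ip commands are only printed; run with IP=ip as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: IP expands to
# "echo ip", so the commands are printed rather than executed.
IP="${IP:-echo ip}"

# source_route TABLE IFACE ADDR NET GW
# Fills routing table TABLE with the link route and a default route via GW on
# IFACE, then adds a rule selecting TABLE for packets whose source is ADDR.
# A reply to a connection that arrived at ADDR is sourced from ADDR, so the
# rule sends it back out the NIC it came in on regardless of the main
# table's default gateway. Strict rp_filter stays satisfied: the reverse
# lookup for a packet addressed to ADDR hits the same rule and resolves to
# the arrival interface.
source_route() {
    table=$1 iface=$2 addr=$3 net=$4 gw=$5
    $IP route add "$net" dev "$iface" src "$addr" table "$table"
    $IP route add default via "$gw" dev "$iface" table "$table"
    $IP rule add from "$addr" table "$table" priority "$((1000 + table))"
}

# has_rule ADDR TABLE
# Reads `ip rule show` output on stdin; returns 0 if a rule already sends
# traffic from ADDR to TABLE, so a boot script can skip re-adding it.
# Expected line shape: "1010:   from 192.0.2.10 lookup 10".
has_rule() {
    awk -v a="$1" -v t="$2" \
        '$2 == "from" && $3 == a && $4 == "lookup" && $5 == t { f = 1 }
         END { exit !f }'
}

# Stand-alone run: uplink A (low priority) and uplink B (mail, ssh, and the
# main table's default gateway). Addresses are constructed, RFC 5737 ranges.
source_route 10 eth0 192.0.2.10    192.0.2.0/24    192.0.2.1
source_route 20 eth1 198.51.100.10 198.51.100.0/24 198.51.100.1
```

Locally originated traffic without a bound source address is unaffected and keeps following the main table, so uplink B remains the default for outgoing sessions.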
Re: Routing with Linux
At 20:42 2003-03-05 +0100 Russell Coker wrote:
> On Wed, 5 Mar 2003 18:14, Gregory Wood wrote:
>
> LRP is dead and has been for a long time. Portslave is in Debian, I don't
> think that LRP offers anything else of much use. Just install a small
> Debian system.

It is not dead... Look at https://lists.sourceforge.net/lists/listinfo/leaf-user

Michelle
Re: Routing with Linux
Hello,

At 17:20 2003-03-05 +0100 Burner wrote:
> I've read some iptables and iproute2 howtos, but I really do not know
> where to begin, I don't even know if the hardware will be sufficient.
> P3/800 128Mb RAM and two good NICs.

Hmmm, do you want to route an OC3 with heavy traffic??? I have a client with
a 34 MBit and the router is an old K5 166 with 32 MByte of memory... The
monthly average is around 1.3 MByte/second.

> We don't need any advanced routing like bandwidth balancing etc. I just
> need to block most ports from public access and allow the servers (win) to
> update from the internet.

Can be done with a 486/100 and LRP http://www.linuxrouter.org which is based
on Debian.

> Maybe I should configure the linux router with all the external IP's on
> one NIC, and give the protected servers local IP addresses, then NAT the
> public IP/ports to the servers using iptables. This is a way to do it, but
> is it a good way?

I have done this before, blocked all ports and done port forwarding to the
servers. I have never had problems...

> I would be happy to receive any hints from someone who has done anything
> like this before.
>
> //Burner

Michelle
Re: Routing with Linux
On Wed, 12 Mar 2003 11:13, Michelle Konzack wrote:
> At 20:42 2003-03-05 +0100 Russell Coker wrote:
>> On Wed, 5 Mar 2003 18:14, Gregory Wood wrote:
>>
>> LRP is dead and has been for a long time. Portslave is in Debian, I don't
>> think that LRP offers anything else of much use. Just install a small
>> Debian system.
>
> It is not dead... Look at https://lists.sourceforge.net/lists/listinfo/leaf-user

LEAF is different. The original LRP pages are still online and still years
out of date. LRP is dead.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Routing with Linux
On Wed, 2003-03-12 at 21:09, Michelle Konzack wrote:
[...]
> Can be done with a 486/100 and LRP http://www.linuxrouter.org which is
> based on Debian.

You go to the trouble to point people at the LEAF lists in another post, but
then refer to LRP here... the LRP project has not been touched since mid
2001. The LEAF project continued the work started by LRP, and the "based on
Debian" you are referring to is probably the Bering variant of the LEAF
project available at:

    http://leaf.sourceforge.net/

--
ABO: finger [EMAIL PROTECTED] for more info, including pgp key
Re: Routing with Linux
On Mon, 17 Mar 2003 23:22, Donovan Baarda wrote:
> mid 2001. The LEAF project continued the work started by LRP, and the
> "based on Debian" you are referring to is probably the Bering variant of
> the LEAF project available at;

Another thing that should be mentioned is that Portslave (which was a core
component of LRP) was not in Debian until I took it over (and none of my work
was ever accepted back into LRP because it was dead first).

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Small Debian Installs (was Re: Routing with Linux)
On Thu, 6 Mar 2003, Randy Kramer wrote:
> What's the smallest someone on the list has installed, and what's the
> easiest way to go about doing it?

One floppy. This is the smallest one I know of:

    http://www.zelow.no/floppyfw/

Not a Debian, but based on and built using Debian. Actively maintained and
developed.

Cheers,
Cristian
Re: Routing with Linux
On Wednesday 05 March 2003 02:41 pm, Burner wrote:
> load average is about 5Mbyte/s spikes at 10MByte/s, all traffic is
> webcontent.

That seems to be large volume -- three to seven T1s unless my math is off (my
coffee hasn't kicked in yet). I'd almost expect a firewall per T1, or what
kind of performance can you get out of a Linux box serving as a router??
(Well, it is just within the capability of a single 100 mbps Ethernet card,
but it's a lot of traffic.)

Randy Kramer
Re: Routing with Linux
On Thu, 2003-03-06 at 13:16, Randy Kramer wrote:
> On Wednesday 05 March 2003 02:41 pm, Burner wrote:
>> load average is about 5Mbyte/s spikes at 10MByte/s, all traffic is
>> webcontent.
>
> That seems to be large volume -- three to seven T1s unless my math is off
> (my coffee hasn't kicked in yet). I'd almost expect a firewall per T1, or
> what kind of performance can you get out of a Linux box serving as a
> router?? (Well, it is just within the capability of a single 100 mbps
> Ethernet card, but it's a lot of traffic.)

To give some indication: we run a complete ISP backbone based on Debian boxes
running Zebra for routing. This is all done on fairly standard hardware
(usually Pentium III, 256Mb RAM), which can easily handle the load. Actually,
the greater part of the load is caused by SNMP calls and user interaction.
You can see some public statistics of our network on http://noc.luna.nl.

We also have a router connecting 5 T1 lines. It has been up for over 600 days
now, with a load average of about 0.05, also on very standard hardware.

So I'd say a fairly recent box should be able to handle this amount of
traffic without any problems...

Regards,

Teun Vink
Luna.nl NOC

--
Luna.nl B.V.
Puntegaalstraat 109     Postbus 63000         Tel : (010) 750 2000
3024 EB ROTTERDAM       3002 JA ROTTERDAM     Fax : (010) 750 2002
www.luna.nl             [EMAIL PROTECTED]     Helpdesk: (010) 750 2020
Re: Routing with Linux
Burner wrote:
[-snip-]
> i guess iptables will do the trick with something like this:
>
> iptables -t nat -A POSTROUTING -o eth3 -s 192.168.1.135 -j SNAT --to 1.2.3.135

yup, and you can add a SNAT rule for the returning traffic too :-)

> iproute2 looks way more flexible than iptables though, is this flexibility at the cost of performance, or is it just a new wonderland for network admins? :)

iproute2 (ip) is used for routing, not for setting nat or packet filter rules. You can do everything you used ifconfig and route for, and a lot more. Have a look at the Linux Advanced Routing & Traffic Control HOWTO: http://lartc.org/

> I really do like what i learned about iproute2 so far.

We're using it for 3 years now and with a little help of zebra (http://www.zebra.org/) we were able to replace all cisco routers in our internal network. Oh and it all works a lot better now :-)

> It seems to be worth reading the documentation in any case.

That's a good idea.

> > Without the map-to argument, the traffic would just go out with the default address (likely 1.2.3.129 in the case of my example). I haven't done enough testing with netfilter to know if this problem is still existing in the 2.4 kernel, my experience was from testing kernels up to 2.2.19.

yes it is. So you have to make sure to disable spoofprotect in /etc/network/options as soon as you have to work with async routes.

> I would be happy to receive any hints from someone who has done anything like this before.

Put your boxes in a private IPv4 network. Use iptables SNAT/DNAT and ip aliasing. Put your old public IPs up on your firewall and write a good policy to protect your firewall box. Should be done in less than 30 minutes on an installed Debian woody box. You don't need special routing tables to do that.

> //Burner

greets
Uwe

--
X-Tec GmbH Institute for Computer and Network Security
WWW : http://www.x-tec.de/
IPv6: http://www.ipv6.x-tec.de/
Re: Routing with Linux
Greetings!

On Thu, 06 Mar 2003 14:38:08 +0100 Uwe A. P. Wuerdinger [EMAIL PROTECTED] wrote:
> Depends on the hardware. We got 750 mbits on a single box with a 2 channel intel gigabit card (Intel PRO/1000 MT Dual Port (64bit/66MHZ PCI) in a Fujitsu-Siemens PRIMERGY L200 with 2 Intel PIII (1.40 GHZ) and 2 GB SDRAM.

The important fact is the (64bit/66MHZ PCI) part - as standard PCI ([EMAIL PROTECTED]) will not transfer much more than 1Gbit/s. So two Gbit/s cards on the same Standard PCI bus would only let ~500Mbit/s pass (half-duplex). Even the fast+wide PCI barely is just fast enough for a full Gbit/s line run full-duplex.

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
Telefon (030) 6104-3307
Telefax (030) 6104-3461
[EMAIL PROTECTED]
http://www.discon.de/
Re: Routing with Linux
Volker Tanger wrote:
> Greetings!
>
> On Thu, 06 Mar 2003 14:38:08 +0100 Uwe A. P. Wuerdinger [EMAIL PROTECTED] wrote:
> > Depends on the hardware. We got 750 mbits on a single box with a 2 channel intel gigabit card (Intel PRO/1000 MT Dual Port (64bit/66MHZ PCI) in a Fujitsu-Siemens PRIMERGY L200 with 2 Intel PIII (1.40 GHZ) and 2 GB SDRAM.
>
> The important fact is the (64bit/66MHZ PCI) part - as standard PCI ([EMAIL PROTECTED]) will not transfer much more than 1Gbit/s. So two Gbit/s cards on the same Standard PCI bus would only let ~500Mbit/s pass (half-duplex). Even the fast+wide PCI barely is just fast enough for a full Gbit/s line run full-duplex.
>
> Bye

that's right :-)

> Volker Tanger
> IT-Security Consulting

greets
Uwe

--
X-Tec GmbH Institute for Computer and Network Security
WWW : http://www.x-tec.de/
IPv6: http://www.ipv6.x-tec.de/
Re: Small Debian Installs (was Re: Routing with Linux)
On Thu, Mar 06, 2003 at 07:08:45AM -0500, Randy Kramer wrote:
> What's the smallest someone on the list has installed, and what's the easiest way to go about doing it?

$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda2             129M  111M   11M  91% /
$

That includes 2MB of logs :) The box is an AMD 586-clone with 16MB of mem. It's a VPN endpoint. Here's the _full_ list of installed packages -- note it even includes python and ntp :)

apt base-files base-passwd bash bsdutils carpaltunnel cramfsprogs cron debconf debianutils diff dpkg e2fsprogs ed fileutils findutils grep grub gzip hostname ifupdown initrd-tools iproute iptables isapnptools kernel-image-2.4.18-386 klogd ldso libc6 libpam-modules libpam-runtime libpam0g libreadline4 libssl0.9.6 libstdc++2.10-glibc2.2 login modutils mount ncurses-base ncurses-bin net-tools netkit-ping ntp-simple nvi openvpn passwd perl-base procps python2.2-opti sed shellutils smail ssh sudo sysklogd sysvinit tar textutils util-linux zlib1g

--
:(){ :|:};:
Re: Routing with Linux
On Thu, 2003-03-06 at 07:16, Peter Hicks wrote:
> On Wed, Mar 05, 2003 at 08:42:57PM +0100, Russell Coker wrote:
> > On Wed, 5 Mar 2003 18:14, Gregory Wood wrote:
> > [...]
> > > If the volume is higher or you just want a linux box then: www.linuxrouter.org -- linux router project.
> >
> > LRP is dead and has been for a long time.
>
> I think there is a project offshoot called LEAF http://leaf-project.org/

LEAF is active and evolved from the now stagnant LRP project. It is a collection of various variants and extensions of the original LRP project. The latest Bering variant is based on Debian (Debian trimmed and re-packaged in lrp packages).

> But I agree that installing a small Debian system is an easy way to go.

I recently did this with a 486DX2-66 with 16M RAM and 250M HDD, acting as a router/firewall for two upstream links (ADSL and modem) to a rather convoluted network (shorewall rocks). It works fine with no speed/memory issues, and is rather nice. The biggest problem is dpkg is _sooo sloow_ on a machine that underpowered. It's a funny thing when a distro's package manager is a bigger overhead than the rest of the distro. If I had to do it again, I would probably take another hard look at LEAF-Bering.

--
ABO: finger [EMAIL PROTECTED] for more info, including pgp key
Small Debian Installs (was Re: Routing with Linux)
On Wednesday 05 March 2003 02:42 pm, Russell Coker wrote:
> Just install a small Debian system.

That might be exactly what I want to do (for a different purpose). What's the smallest someone on the list has installed, and what's the easiest way to go about doing it?

I'd like to have a small Linux partition on a dos \ Windows disk to include a bootloader (lilo) and some utilities for partitioning, formatting, and making and restoring disk images. I started working with a Vector root / boot set and have made progress, but I have a lot to learn and many problems remain -- if there is an easier way I'd like to try it.

Randy Kramer
Re: Routing with Linux
Randy Kramer wrote:
> On Wednesday 05 March 2003 02:41 pm, Burner wrote:
> > load average is about 5Mbyte/s spikes at 10MByte/s, all traffic is webcontent.
>
> That seems to be large volume -- three to seven T1s unless my math is off (my coffee hasn't kicked in yet). I'd almost expect a firewall per T1, or what kind of performance can you get out of a Linux box serving as a router?? (Well, it is just within the capability of a single 100 mbps Ethernet card, but it's a lot of traffic.)

Depends on the hardware. We got 750 mbits on a single box with a 2 channel intel gigabit card (Intel PRO/1000 MT Dual Port (64bit/66MHZ PCI) in a Fujitsu-Siemens PRIMERGY L200 with 2 Intel PIII (1.40 GHZ) and 2 GB SDRAM. Oh and the box has very low load and we're sure that it is able to handle nearly 1 GBit FD.

> Randy Kramer

Uwe

--
X-Tec GmbH Institute for Computer and Network Security
WWW : http://www.x-tec.de/
IPv6: http://www.ipv6.x-tec.de/
Re: Routing with Linux
On Thu, Mar 06, 2003 at 04:01:29PM +0100, Volker Tanger wrote:
> Greetings!
>
> On Thu, 06 Mar 2003 14:38:08 +0100 Uwe A. P. Wuerdinger [EMAIL PROTECTED] wrote:
> > Depends on the hardware. We got 750 mbits on a single box with a 2 channel intel gigabit card (Intel PRO/1000 MT Dual Port (64bit/66MHZ PCI) in a Fujitsu-Siemens PRIMERGY L200 with 2 Intel PIII (1.40 GHZ) and 2 GB SDRAM.
>
> The important fact is the (64bit/66MHZ PCI) part - as standard PCI ([EMAIL PROTECTED]) will not transfer much more than 1Gbit/s. So two Gbit/s cards on the same Standard PCI bus would only let ~500Mbit/s pass (half-duplex). Even the fast+wide PCI barely is just fast enough for a full Gbit/s line run full-duplex.

Last time I checked (several months ago), no one made a GigE card fast enough to actually do 1Gb/s; the best card could do about 425 Mb/s. Has this changed, or are you arguing theoreticals?

--
Nathan Norman - Incanus Networking
mailto:[EMAIL PROTECTED]
This disclaimer is privileged information and may not be read by anyone except the intended recipient, whoever that is. If you are not the intended recipient and have read this disclaimer, you are naughty and shan't be allowed any pudding. How can you have any pudding if you don't take your meat?
Re: Routing with Linux
On Wednesday 05 March 2003 11:20, Burner wrote:
> I would like to keep the public IP addresses on the servers if possible.

Your servers can keep their public addresses if you wish, that should make the job of firewalling a little easier (no masquerading to worry about).

Let's say you had a public range 1.2.3.0/24, you might wish to allocate 1.2.3.128/25 (the last half of the class C) to the firewall and machines behind the firewall. Let's say your firewall had the IP 1.2.3.129, you would then have to add a route to your Internet router, something like this:

route add -net 1.2.3.128 netmask 255.255.255.128 gw 1.2.3.129

Since your Internet router is most likely not Linux the above of course won't be syntactically correct.

If you don't want to set up a subnet within your router then you can simply have the firewall respond to arp requests for those IP addresses that are behind it. To respond to arp requests for addresses that are not your own is called proxy arp (I think), you can achieve that with a command like this:

arp -s 1.2.3.135 00:80:80:80:80:80 -i eth3 pub

This assumes a machine with the IP address 1.2.3.130 is in your DMZ, it assumes that your public interface is eth3 with a MAC address of 00:80:80:80:80:80.

> Maybe i should configure the linux router with all the external IP's on one NIC, and give the protected servers local IP addresses. then NAT the public IP/ports to the servers using iptables, this is a way to do it, but is it a good way?

With either a proper subnet or proxy arp you can use public IPs in your DMZ. Private IPs give you a lot more flexibility but at the expense of complexity. FWIW, we almost always use private IPs in the DMZ.

I have had problems with masquerading multiple IPs in that the masquerade doesn't match the inbound IP. If you port forward using masquerading (using ipvs/ipmasqadm/???) then the return traffic must also be masqueraded. I have found that all return traffic is masqueraded to the first IP on your public interface, instead of with the same IP as the inbound traffic was masqueraded from. The only way to ensure that outbound traffic goes back out with the correct IP is with iproute2. A rule such as this does the trick:

ip rule add from 192.168.1.135 lookup main map-to 1.2.3.135

Without the map-to argument, the traffic would just go out with the default address (likely 1.2.3.129 in the case of my example). I haven't done enough testing with netfilter to know if this problem is still existing in the 2.4 kernel, my experience was from testing kernels up to 2.2.19.

> I would be happy to receive any hints from someone who has done anything like this before.
>
> //Burner

--
Fraser Campbell [EMAIL PROTECTED]    http://wehave.net/
Brampton, Ontario, Canada             Linux 2.4.20 AuthenticAMD
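The private-address variant Fraser describes above (DNAT the published IP to the DMZ host, and make sure the host's outbound traffic leaves with that same public IP rather than the interface's first address), written out as a netfilter ruleset. This is an added example, not code from the thread or from any poster: eth3 as the public interface, eth1 as the DMZ interface, and the public/private/port triples in MAP are constructed, reusing the thread's 1.2.3.x and 192.168.1.x numbering. The SNAT rule per host is what replaces the iproute2 map-to trick on a 2.4 kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: a routed DMZ in which each
# protected server keeps a private address and is published under one
# public IP. Every mapping gets a DNAT rule for inbound traffic AND a
# matching SNAT rule for outbound traffic, so replies and server-initiated
# connections leave with the public IP the server is known by, rather than
# with the first address on the public interface.
#
# Assumptions (all constructed for this example): eth3 faces the Internet,
# eth1 faces the DMZ, and the public/private/port triples in MAP are made
# up.  Rules are only printed unless IPT is set, e.g.
#     IPT=iptables sh dmz-nat.sh
# ip_forward must be enabled separately (ip_forward=yes in
# /etc/network/options on woody).  rp_filter (spoofprotect=yes) can stay
# on here: routing is symmetric, the firewall sees both directions.

IPT="${IPT:-echo iptables}"
PUB_IF=eth3
DMZ_IF=eth1

# public-IP  private-IP  TCP ports reachable from outside (constructed)
MAP='
1.2.3.135 192.168.1.135 80,443
1.2.3.136 192.168.1.136 25
'

# One DNAT/SNAT pair per host.  Without the SNAT rule the kernel would
# choose the outgoing interface's primary address as source.
nat_rules() {
    pub="$1"; priv="$2"
    $IPT -t nat -A PREROUTING  -i "$PUB_IF" -d "$pub"  -j DNAT --to-destination "$priv"
    $IPT -t nat -A POSTROUTING -o "$PUB_IF" -s "$priv" -j SNAT --to-source "$pub"
}

# Filter rules for one host: only the published ports may open new
# connections from outside; the host itself may open connections outward
# (e.g. to fetch updates).  Everything else falls through to the DROP policy.
filter_rules() {
    priv="$1"; ports="$2"
    $IPT -A FORWARD -i "$PUB_IF" -o "$DMZ_IF" -d "$priv" -p tcp -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$PUB_IF" -s "$priv" -m state --state NEW -j ACCEPT
}

# Default-deny forwarding, with the stateful allow for established flows.
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Emit the complete ruleset: base rules, then NAT and filter rules per host.
all_rules() {
    base_rules
    echo "$MAP" | while read -r pub priv ports; do
        if [ -n "$pub" ]; then
            nat_rules "$pub" "$priv"
            filter_rules "$priv" "$ports"
        fi
    done
}

all_rules
```

Run without IPT set to review the generated rules; the DNAT/SNAT pair is what keeps the source address consistent for each published IP, and the FORWARD policy is the "good policy" Uwe refers to, restricted to the ports each host actually serves.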
Re: Routing with Linux
On Wed, 5 Mar 2003 18:14, Gregory Wood wrote:
> You didn't mention volume. Also, public address and firewall seems to be a contradiction. If the volume is small, many of the $100 USD firewall boxes will work. There will be some work redirecting IP through the firewall. If the volume is higher or you just want a linux box then: www.linuxrouter.org -- linux router project.

LRP is dead and has been for a long time. Portslave is in Debian, I don't think that LRP offers anything else of much use.

Just install a small Debian system.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Routing with Linux
Thanks for the quick answer :)

On Wednesday 05 March 2003 18:14, Gregory Wood wrote:
> You didn't mention volume. Also, public address and firewall seems to be a contradiction.

load average is about 5Mbyte/s spikes at 10MByte/s, all traffic is webcontent.

> If the volume is small, many of the $100 USD firewall boxes will work. There will be some work redirecting IP through the firewall.

I chose linux for several reasons, partly because i had some bad experiences with cheap firewalls, like random crashes and resets for no apparent reason, this doesn't make me feel safe. Linux has given us little trouble so far, so why not protect the troublesome windows servers with a nice linux box.

> If the volume is higher or you just want a linux box then: www.linuxrouter.org -- linux router project

linuxrouter.org seems useful for this, i'll have a look and hope it'll fit my needs.

> It may be that you can port scan your network and turn off everything but what you really want on.
>
> Best of luck.
>
> -----Original Message-----
> From: Burner [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 05, 2003 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: Routing with Linux
>
> Hi
>
> My boss just asked me to build a Linux firewall to protect our servers, we have about 20 servers, all configured with only the public (internet) IP, and connected through a switch directly to our ISP's router. I've only built firewalls for small lan networks using NAT with iptables/ipchains.
>
> I've read some iptables and iproute2 howtos, but i really do not know where to begin, i don't even know if the hardware will be sufficient. P3/800 128Mb ram and two good NIC's.
>
> We don't need any advanced routing like bandwidth balancing etc. I just need to block most ports from public access and allow the servers (win) to update from the internet. I would like to keep the public IP addresses on the servers if possible.
>
> Maybe i should configure the linux router with all the external IP's on one NIC, and give the protected servers local IP addresses. then NAT the public IP/ports to the servers using iptables, this is a way to do it, but is it a good way?
>
> I would be happy to receive any hints from someone who has done anything like this before.
>
> //Burner
Re: Routing with Linux
Burner, Wed, Mar 05, 2003 at 05:20:37PM +0100:
> Hi
>
> My boss just asked me to build a Linux firewall to protect our servers, we have about 20 servers, all configured with only the public (internet) IP, and connected through a switch directly to our ISP's router. I've only built firewalls for small lan networks using NAT with iptables/ipchains.

A bridging firewall might be a good idea in this situation. A bridge is transparent to the network so you won't have to reconfigure any of the machines behind the firewall. You'll need to patch your kernel to get the desired functionality, patches are available at http://bridge.sf.net. You want bridge-nf-0.0.7-against-2.4.19.diff . Very useful docs are also linked to from the same site. Also, you can configure bridges in /etc/network/interfaces, which makes it really easy to get going.

> I've read some iptables and iproute2 howtos, but i really do not know where to begin, i don't even know if the hardware will be sufficient. P3/800 128Mb ram and two good NIC's.

Might want to increase RAM if you want to run a NIDS like snort.

> We don't need any advanced routing like bandwidth balancing etc. I just need to block most ports from public access and allow the servers (win) to update from the internet. I would like to keep the public IP addresses on the servers if possible.
>
> Maybe i should configure the linux router with all the external IP's on one NIC, and give the protected servers local IP addresses. then NAT the public IP/ports to the servers using iptables, this is a way to do it, but is it a good way?
>
> I would be happy to receive any hints from someone who has done anything like this before.

I run a bridging firewall across two T1's with a PIII 930 MHz/256 MB RAM machine running snort and it works great. The best thing about the bridge is that it makes configuration of machines behind the firewall straightforward.

g
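The transparent-bridge approach described above, as an added example that is not part of the original post and not the poster's own configuration. It assumes a 2.4 kernel carrying the bridge-nf patch (so bridged IP traffic traverses the iptables FORWARD chain) and bridge-utils for brctl; eth0/eth1 as the two bridge ports, br0, the 1.2.3.128/25 server range, the 1.2.3.130 management address and the published port list are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the poster's configuration: a transparent bridging
# firewall.  The two NICs become ports of bridge br0, so the servers keep
# their public addresses and nothing behind the firewall is reconfigured.
# With the bridge-nf patch, IP traffic crossing the bridge still passes
# through the iptables FORWARD chain, so the policy is written purely on
# addresses and ports.  Requires bridge-utils (brctl).
#
# Assumptions (constructed): eth0 faces the ISP router, eth1 faces the
# server switch, the servers live in 1.2.3.128/25, and br0 gets 1.2.3.130
# as a management address.  Commands are only printed unless FW_RUN is
# emptied, e.g.   FW_RUN= sh bridge-fw.sh

FW_RUN="${FW_RUN-echo}"
OUT_IF=eth0
IN_IF=eth1
BR=br0
SERVERS=1.2.3.128/25
PUBLISHED_TCP=80,443

# Build the bridge: member ports carry no address, the bridge itself does.
make_bridge() {
    $FW_RUN brctl addbr "$BR"
    $FW_RUN brctl addif "$BR" "$OUT_IF"
    $FW_RUN brctl addif "$BR" "$IN_IF"
    $FW_RUN ifconfig "$OUT_IF" 0.0.0.0 up
    $FW_RUN ifconfig "$IN_IF" 0.0.0.0 up
    $FW_RUN ifconfig "$BR" 1.2.3.130 netmask 255.255.255.128 up
}

# Policy for bridged traffic: default deny, established flows pass,
# outsiders may only reach the published ports, servers may go out.
# Caveat: without a per-port match the last ACCEPT also admits a frame
# from the ISP side carrying a forged server source address; ebtables on
# the bridge ports is the place to reject that.
bridge_policy() {
    $FW_RUN iptables -P FORWARD DROP
    $FW_RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $FW_RUN iptables -A FORWARD -d "$SERVERS" -p tcp -m multiport --dports "$PUBLISHED_TCP" -m state --state NEW -j ACCEPT
    $FW_RUN iptables -A FORWARD -s "$SERVERS" -m state --state NEW -j ACCEPT
    $FW_RUN iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix bridgefw-drop:
}

make_bridge
bridge_policy
```

Because the bridge forwards at layer 2, no route on the ISP router changes and the servers keep talking to their existing gateway; the firewall box itself is reachable only through br0's management address.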
RE: Routing with Linux
You didn't mention volume. Also, public address and firewall seems to be a contradiction. If the volume is small, many of the $100 USD firewall boxes will work. There will be some work redirecting IP through the firewall. If the volume is higher or you just want a linux box then: www.linuxrouter.org -- linux router project.

It may be that you can port scan your network and turn off everything but what you really want on.

Best of luck.

-----Original Message-----
From: Burner [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 05, 2003 10:21 AM
To: debian-isp@lists.debian.org
Subject: Routing with Linux

Hi

My boss just asked me to build a Linux firewall to protect our servers, we have about 20 servers, all configured with only the public (internet) IP, and connected through a switch directly to our ISP's router. I've only built firewalls for small lan networks using NAT with iptables/ipchains.

I've read some iptables and iproute2 howtos, but i really do not know where to begin, i don't even know if the hardware will be sufficient. P3/800 128Mb ram and two good NIC's.

We don't need any advanced routing like bandwidth balancing etc. I just need to block most ports from public access and allow the servers (win) to update from the internet. I would like to keep the public IP addresses on the servers if possible.

Maybe i should configure the linux router with all the external IP's on one NIC, and give the protected servers local IP addresses. then NAT the public IP/ports to the servers using iptables, this is a way to do it, but is it a good way?

I would be happy to receive any hints from someone who has done anything like this before.

//Burner
Re: Routing with Linux
like Greg(ory) says, knowing the volume is important -- or at least tell us what kind of connection you have to your ISP -- dial up ;-), DSL, ISDN, Cable, T1, T3. If DSL or Cable, do you know what kind of uplink and downlink bandwidth you are allowed (or use)?

Randy Kramer

On Wednesday 05 March 2003 12:14 pm, Gregory Wood wrote:
> You didn't mention volume. Also, public address and firewall seems to be a contradiction. If the volume is small, many of the $100 USD firewall boxes will work. There will be some work redirecting IP through the firewall. If the volume is higher or you just want a linux box then: www.linuxrouter.org -- linux router project.
>
> It may be that you can port scan your network and turn off everything but what you really want on.
>
> Best of luck.
>
> -----Original Message-----
> From: Burner [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 05, 2003 10:21 AM
> To: debian-isp@lists.debian.org
> Subject: Routing with Linux
>
> Hi
>
> My boss just asked me to build a Linux firewall to protect our servers, we have about 20 servers, all configured with only the public (internet) IP, and connected through a switch directly to our ISP's router. I've only built firewalls for small lan networks using NAT with iptables/ipchains.
>
> I've read some iptables and iproute2 howtos, but i really do not know where to begin, i don't even know if the hardware will be sufficient. P3/800 128Mb ram and two good NIC's.
>
> We don't need any advanced routing like bandwidth balancing etc. I just need to block most ports from public access and allow the servers (win) to update from the internet. I would like to keep the public IP addresses on the servers if possible.
>
> Maybe i should configure the linux router with all the external IP's on one NIC, and give the protected servers local IP addresses. then NAT the public IP/ports to the servers using iptables, this is a way to do it, but is it a good way?
>
> I would be happy to receive any hints from someone who has done anything like this before.
>
> //Burner
Re: Routing with Linux
On Wed, Mar 05, 2003 at 08:42:57PM +0100, Russell Coker wrote:
> On Wed, 5 Mar 2003 18:14, Gregory Wood wrote:
> > You didn't mention volume. Also, public address and firewall seems to be a contradiction. If the volume is small, many of the $100 USD firewall boxes will work. There will be some work redirecting IP through the firewall. If the volume is higher or you just want a linux box then: www.linuxrouter.org -- linux router project.
>
> LRP is dead and has been for a long time.

I think there is a project offshoot called LEAF: http://leaf-project.org/

But I agree that installing a small Debian system is an easy way to go.
Re: Routing with Linux
On Wednesday 05 March 2003 19:54, Fraser Campbell wrote:
> On Wednesday 05 March 2003 11:20, Burner wrote:
> > I would like to keep the public IP addresses on the servers if possible.
>
> Your servers can keep their public addresses if you wish; that should make the job of firewalling a little easier (no masquerading to worry about). Let's say you had a public range 1.2.3.0/24; you might wish to allocate 1.2.3.128/25 (the last half of the class C) to the firewall and machines behind the firewall. Let's say your firewall had the IP 1.2.3.129; you would then have to add a route to your Internet router, something like this:
>
>   route add -net 1.2.3.128 netmask 255.255.255.128 gw 1.2.3.129
>
> Since your Internet router is most likely not Linux the above of course won't be syntactically correct. If you don't want to set up a subnet within your router then you can simply have the firewall respond to arp requests for those IP addresses that are behind it. To respond to arp requests for addresses that are not your own is called proxy arp (I think); you can achieve that with a command like this:
>
>   arp -s 1.2.3.135 00:80:80:80:80:80 -i eth3 pub
>
> This assumes a machine with the IP address 1.2.3.130 is in your DMZ; it assumes that your public interface is eth3 with a MAC address of 00:80:80:80:80:80.
>
> > Maybe I should configure the Linux router with all the external IPs on one NIC, give the protected servers local IP addresses, and then NAT the public IP/ports to the servers using iptables. This is a way to do it, but is it a good way?
>
> With either a proper subnet or proxy arp you can use public IPs in your DMZ. Private IPs give you a lot more flexibility but at the expense of complexity. FWIW, we almost always use private IPs in the DMZ.

I see your point here; I think it would be wise to choose the flexible solution. Not that I need it right now, but as the load increases so does the need for flexibility.

> I have had problems with masquerading multiple IPs in that the masquerade doesn't match the inbound IP. If you port forward using masquerading (using ipvs/ipmasqadm/???) then the return traffic must also be masqueraded. I have found that all return traffic is masqueraded to the first IP on your public interface, instead of with the same IP as the inbound traffic was masqueraded from. The only way to ensure that outbound traffic goes back out with the correct IP is with iproute2. A rule such as this does the trick:
>
>   ip rule from 192.168.1.135 lookup main map-to 1.2.3.135

I guess iptables will do the trick with something like this:

  iptables -t nat -A POSTROUTING -o eth3 -s 192.168.1.135 -j SNAT --to 1.2.3.135

iproute2 looks way more flexible than iptables though; is this flexibility at the cost of performance, or is it just a new wonderland for network admins? :) I really do like what I learned about iproute2 so far. It seems to be worth reading the documentation in any case.

> Without the map-to argument, the traffic would just go out with the default address (likely 1.2.3.129 in the case of my example). I haven't done enough testing with netfilter to know if this problem still exists in the 2.4 kernel; my experience was from testing kernels up to 2.2.19.
>
> > I would be happy to receive any hints from someone who has done anything like this before.

//Burner
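An added example, not from the thread: a shell function that prints the iptables rules for the private-DMZ variant Fraser and Burner discuss, with 1:1 DNAT/SNAT per server so each host answers and originates traffic under its own public address, on top of a default-deny FORWARD chain. Interface eth3 and the 1.2.3.x / 192.168.1.x addresses are the thread's hypothetical ones; the port lists are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules for a DMZ where
# each server keeps a public address on the firewall's outside interface
# but lives on a private address behind it.
# Usage: nat_rules OUTSIDE_IF < plan
#   plan lines: "PUBLIC PRIVATE PORTS" (PORTS = comma-separated TCP ports;
#   empty means outbound-only).  Output is printed for review, not executed.

nat_rules() {
    pub_if=${1:?outside interface required}
    # Stateful default-deny forwarding: only listed services are reachable.
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    while read -r pub priv ports; do
        case $pub in ''|'#'*) continue ;; esac
        [ -n "$priv" ] || return 1
        # 1:1 SNAT so the host leaves with its own public address (the
        # per-source mapping the thread reaches for with "ip rule ... map-to").
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
            "$pub_if" "$priv" "$pub"
        # Let the DMZ host open outbound connections (e.g. vendor updates).
        printf 'iptables -A FORWARD -o %s -s %s -j ACCEPT\n' "$pub_if" "$priv"
        oldifs=$IFS; IFS=,
        set -- $ports
        IFS=$oldifs
        for port; do
            case $port in ''|*[!0-9]*) return 1 ;; esac
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then return 1; fi
            # Inbound: rewrite the public destination to the private host ...
            printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
                "$pub_if" "$pub" "$port" "$priv"
            # ... and let only that port through the forwarding filter.
            printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
                "$pub_if" "$priv" "$port"
        done
    done
}

# Constructed sample plan for two DMZ hosts (hypothetical addresses).
sample_plan() {
    printf '%s\n' \
        '# public        private          tcp ports' \
        '1.2.3.135       192.168.1.135    80,443' \
        '1.2.3.136       192.168.1.136    25'
}

# sample_plan | nat_rules eth3
```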
Re: Routing with Linux
Burner, Wed, Mar 05, 2003 at 05:20:37PM +0100:
> Hi
>
> My boss just asked me to build a Linux firewall to protect our servers. We have about 20 servers, all configured with only the public (internet) IP, and connected through a switch directly to our ISP's router. I've only built firewalls for small LAN networks using NAT with iptables/ipchains.

A bridging firewall might be a good idea in this situation. A bridge is transparent to the network so you won't have to reconfigure any of the machines behind the firewall. You'll need to patch your kernel to get the desired functionality; patches are available at http://bridge.sf.net. You want bridge-nf-0.0.7-against-2.4.19.diff. Very useful docs are also linked to from the same site. Also, you can configure bridges in /etc/network/interfaces, which makes it really easy to get going.

> I've read some iptables and iproute2 howtos, but I really do not know where to begin; I don't even know if the hardware will be sufficient: P3/800, 128 MB RAM and two good NICs.

Might want to increase RAM if you want to run a NIDS like snort.

> We don't need any advanced routing like bandwidth balancing etc. I just need to block most ports from public access and allow the servers (Win) to update from the internet. I would like to keep the public IP addresses on the servers if possible. Maybe I should configure the Linux router with all the external IPs on one NIC, give the protected servers local IP addresses, and then NAT the public IP/ports to the servers using iptables. This is a way to do it, but is it a good way? I would be happy to receive any hints from someone who has done anything like this before.

I run a bridging firewall across two T1's with a PIII 930 MHz/256 MB RAM machine running snort and it works great. The best thing about the bridge is that it makes configuration of machines behind the firewall straightforward.

g
Re Routing
Hi peoples,

I am doing something wrong here and can't figure it out (must be a Friday thing).

On eth0 I have 2 class C's. On ppp0 I have another one (our ISDN has gone kaput and this is a temp measure). I have another class C on the ppp0. I need to make the machine visible on the eth0 and also I need the machine to route the class C of the ppp0. I have it so it can do either but not both.

  203.24.120.0/24 and 202.129.104.0/24 on eth0
  203.55.214.0/24 is on the ppp0 interface

Samantha Scafe
Network / System Administrator
AUSSIEWIDE INTERNET
Unlimited Plans anywhere in OZ for $24.95 (Ask for the 20% discount and it is yours)
Phone: 1300-554911 www.aussiewide.com
IT Solutions for Females www.femtech.com.au
Email: [EMAIL PROTECTED]
Re: Re Routing
On Fri, Dec 06, 2002 at 07:48:24PM +1000, Samantha Scafe wrote:
> On eth0 I have 2 class C's. On ppp0 I have another one (our ISDN has gone kaput and this is a temp measure). I have another class C on the ppp0. I need to make the machine visible on the eth0 and also I need the machine to route the class C of the ppp0. I have it so it can do either but not both.
>
>   203.24.120.0/24 and 202.129.104.0/24 on eth0
>   203.55.214.0/24 is on the ppp0 interface

Hi Samantha,

I'm a little confused? What are you trying to do? Have you turned on ip_forward? ie:

  echo 1 > /proc/sys/net/ipv4/ip_forward

/24 for a ppp link? Seems a bit extreme? Or is this a router so that customers can dial into it? Do you have a network plan? ASCII art would be sufficient. What exactly doesn't work... everyone can ping the machine? Have you got the correct routes set on all your machines? Where does your default route point to???

Regards,
Andrew

PS: Classful routing isn't really used anymore today... so it's probably better to refer to a /24 and not a 'class c' network.
Re: Re Routing
On December 6, 2002 04:48 am, the great Samantha Scafe wrote:
> I have it so it can do either but not both.
>
>   203.24.120.0/24 and 202.129.104.0/24 on eth0
>   203.55.214.0/24 is on the ppp0 interface

I think I understand what you want to do. You need to use multiple routing tables enabled by advanced routing (iproute2). See http://lartc.org/ for a decent howto.

In a nutshell I believe your situation will be solved by having routing rules to ensure that locally destined traffic goes through the main routing table and everything else goes through connection specific routing tables. Roughly like this:

  # Set up correct gateway for ppp0 addresses in routing table 50
  ip route add default via 203.55.214.254 table 50
  # Set up correct gateway for eth0 addresses in routing table 51
  ip route add default via 203.24.120.254 table 51
  # Add a rule to ensure that traffic with a local destination stays local
  ip rule add to 203.24.120.0/24 lookup main pri 1000
  ip rule add to 203.55.214.0/24 lookup main pri 1000
  # Everything else from each net uses that net's own table
  ip rule add from 203.24.120.0/24 lookup 51 pri 2000
  ip rule add from 203.55.214.0/24 lookup 50 pri 2000

This would give you routing rules looking something like this (seen with ip rule list):

  0:      from all lookup local
  1000:   from all to 203.24.120.0/24 lookup main
  1000:   from all to 203.55.214.0/24 lookup main
  2000:   from 203.24.120.0/24 lookup 51
  2000:   from 203.55.214.0/24 lookup 50
  32766:  from all lookup main
  32767:  from all lookup 253

Hopefully this becomes clearer once you read the LARTC howto.

Fraser
Re: routing policy
On Monday 25 November 2002 01:02, Donovan Baarda wrote:
> the ISDN stuff is a mess... stuff scattered between /etc/isdn/ and /etc/ppp.

man interfaces:

  The ppp Method
    This method uses pon/poff to configure a PPP interface. See those commands for details.
    provider name
      Use name as the provider (from /etc/ppp/peers).

This fixes a lot, but for ipppd you still have to edit some things manually.

--
We should not be trying to use technical solutions to solve a social problem. [Thomas R. Stephenson (about SPAM - Pegasus list 16.12.1999)]
Re: routing policy
On Fri, Nov 22, 2002 at 07:30:49PM +0100, Marc Haber wrote:
> On Fri, 22 Nov 2002 17:19:47 +0100, mathias daus [EMAIL PROTECTED] wrote:
> > I wonder if there is a Debian policy on how to handle routing at boot time. Is there any solution such as ifupdown? I read something about iproute, but I'm not sure if I like it. Till now I have a self-made script called /etc/init.d/route; it simply adds all routes.
>
> Add your routes in the up and down clause in /etc/network/interfaces.

Does this work for ppp, ippp and other such devices? It would be nice if it did, but I bet it doesn't :-)

At the moment all this stuff is going into /etc/ppp/ip-(up|down).d/. It would be good if these could be made /etc/network/interfaces aware, and for them to work with ifup/ifdown.

The ISDN stuff is a mess... stuff scattered between /etc/isdn/ and /etc/ppp.

--
ABO: finger [EMAIL PROTECTED] for more info, including pgp key
Re: routing policy
On Mon, 25 Nov 2002 11:02:26 +1100, [EMAIL PROTECTED] (Donovan Baarda) wrote:
> On Fri, Nov 22, 2002 at 07:30:49PM +0100, Marc Haber wrote:
> > Add your routes in the up and down clause in /etc/network/interfaces.
>
> Does this work for ppp, ippp and other such devices?

Not yet flawlessly.

> the ISDN stuff is a mess... stuff scattered between /etc/isdn/ and /etc/ppp.

Are there ISPs that do ISDN with Linux? If not, we are offtopic here.

Greetings
Marc

--
!! No courtesy copies, please !!
Marc Haber         | Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29
Re: Routing which depends on source address?
  ip rule add from 192.168.1.11 table 10
  ip route add default via xxx.xxx.xxx.xxx table 10
  ip rule add from 192.168.1.12 table 11
  ip route add default via xxx.xxx.xxx.xxx table 11

Pretty easy really. The ip command is in the iproute2 package.

Markus Garscha wrote:
> hi!
>
> I've the following problem: I have a private network with, let's say, two workstations and one router:
>
>   ws1 : 192.168.1.11
>   ws2 : 192.168.1.12
>   gw  : 192.168.1.1
>
> The gw is running Debian. The goal is to use two different dialups depending on the source address, e.g. use default route over ppp0 device when data comes from 192.168.1.11 and use default route over ppp0 device when data comes from 192.168.1.12. I heard that iptables can do this; examples? Any further suggestions?
>
> cu
> markus
> --
> Markus Garscha     email: [EMAIL PROTECTED]
> Hartmannstr. 129   fon: 09131/626715
> 91058 Erlangen     fax: +49 89 244356966
> pgp-keyid: 0xEE18AF3B

Regards,
Robert Davidson.
http://www.mlug.org.au/
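An added example, not from either reply: a shell function that generates the source-based policy routing commands both answers describe, following Fraser's layout (per-uplink tables, "to our own nets" rules at priority 1000, "from" rules at priority 2000) and refusing the reserved table ids. The plan format and the 203.x.x.x addresses are constructed after the thread's examples.

```shell
#!/bin/sh
# Added example (not from the thread): print iproute2 commands for
# source-based policy routing, one routing table per uplink.
# Usage: policy_routing_cmds < plan
#   plan lines: "SRCNET/LEN GATEWAY TABLE"; output is for review, not executed.

policy_routing_cmds() {
    routes=''; to_rules=''; from_rules=''
    while read -r net gw table; do
        case $net in ''|'#'*) continue ;; esac
        case $net in */*) ;; *) return 1 ;; esac        # insist on prefix notation
        [ -n "$gw" ] || return 1
        case $table in ''|*[!0-9]*) return 1 ;; esac
        # 0 is unspec and 253/254/255 are default/main/local: never take those.
        if [ "$table" -lt 1 ] || [ "$table" -gt 252 ]; then return 1; fi
        routes="$routes
ip route add default via $gw table $table"
        # Traffic to any of our own nets stays in the main table (local delivery) ...
        to_rules="$to_rules
ip rule add to $net lookup main pri 1000"
        # ... everything else sourced from that net uses its uplink's table.
        from_rules="$from_rules
ip rule add from $net lookup $table pri 2000"
    done
    [ -n "$routes" ] || return 1
    # Emit routes first so a table exists before a rule points at it.
    printf '%s\n' "${routes#?}" "${to_rules#?}" "${from_rules#?}"
}

# Constructed sample plan (addresses modelled on the thread's examples).
sample_plan() {
    printf '%s\n' \
        '# source net        gateway          table' \
        '203.55.214.0/24     203.55.214.254   50' \
        '203.24.120.0/24     203.24.120.254   51'
}

# sample_plan | policy_routing_cmds
```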
Re: routing routable IPs over non-routable IPs
On Sat, 02 Jun 2001 17:44:19 -0400, [EMAIL PROTECTED] (Chris Wagner) wrote:
> While we're on this subject, does anyone know what IANA plans to do with the vast number of reserved IP ranges? There are at least 75 reserved class A ranges that I don't know what they're reserved for. People are claiming we're running out of IP addresses but as far as I can see there's more than enough left for decades to come.

They just recently started to assign 217.0.0.0/8 to RIPE which has been previously assigned.

Greetings
Marc

--
!! No courtesy copies, please !!
Marc Haber         | Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29
Re: routing routable IPs over non-routable IPs
While we're on this subject, does anyone know what IANA plans to do with the vast number of reserved IP ranges? There are at least 75 reserved class A ranges that I don't know what they're reserved for. People are claiming we're running out of IP addresses but as far as I can see there's more than enough left for decades to come.

At 09:28 PM 6/1/01 +0200, Marc Haber wrote:
> On Tue, 22 May 2001 08:00:01 +0200, Robert Waldner [EMAIL PROTECTED] wrote:
> > On Tue, 22 May 2001 01:26:56 EDT, Chris Wagner writes:
> > > We should probably clarify "non-routable" by saying "non-publicly routable".
> >
> > Well, we could also say RFC1918, couldn't we ;-?
>
> I prefer to say "site local" which is both almost accurate and terse. This is not official terminology, but there is an RFC that calls 169.254.0.0/16 "link local", so "site local" seems fine.
>
> Greetings
> Marc

---=ALL YOUR BASE ARE BELONG TO US=---
___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___
0100
Re: routing routable IPs over non-routable IPs
On Mon, 21 May 2001 07:27:44 +0200, Robert Waldner [EMAIL PROTECTED] wrote:
> Yes, but you should specify the netmask in 255.x.x.x-notation; route on linux sometimes tends to get classful when facing /-notation...

I'd recommend the ip program from the iproute package which groks prefix notation perfectly.

Greetings
Marc

--
!! No courtesy copies, please !!
Marc Haber         | Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29
Re: routing routable IPs over non-routable IPs
On Tue, 22 May 2001 08:00:01 +0200, Robert Waldner [EMAIL PROTECTED] wrote:
> On Tue, 22 May 2001 01:26:56 EDT, Chris Wagner writes:
> > We should probably clarify "non-routable" by saying "non-publicly routable".
>
> Well, we could also say RFC1918, couldn't we ;-?

I prefer to say "site local" which is both almost accurate and terse. This is not official terminology, but there is an RFC that calls 169.254.0.0/16 "link local", so "site local" seems fine.

Greetings
Marc

--
!! No courtesy copies, please !!
Marc Haber         | Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29
Re: routing routable IPs over non-routable IPs
At 07:27 AM 5/21/01 +0200, Robert Waldner wrote:
> On Mon, 21 May 2001 13:46:14 +1000, Jeremy Lunn writes:
> > I know this isn't Debian specific. But I'm just wondering if it's fine to route routable IP addresses over non-routable IP addresses.
>
> Yes, although many would consider it bad practice (I am an example), because you'll face trouble when you have to debug something, and have non-routable IPs on some path.

We should probably clarify "non-routable" by saying "non-publicly routable". Routers have no concept of restricted IP ranges other than what is programmed into them. As long as you are debugging from a place that knows about your private IPs, there shouldn't be a problem. At GE we cross privates to go from public to public all the time.

---=ALL YOUR BASE ARE BELONG TO US=---
___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___
0100
Re: routing routable IPs over non-routable IPs
On Tue, 22 May 2001 01:26:56 EDT, Chris Wagner writes:
> We should probably clarify "non-routable" by saying "non-publicly routable".

Well, we could also say RFC1918, couldn't we ;-?

> Routers have no concept of restricted IP ranges other than what is programmed into them. As long as you are debugging from a place that knows about your private IPs, there shouldn't be a problem. At GE we cross privates to go from public to public all the time.

Well, there are several issues, none of them really bad, but if you want a clean setup..:

- DNS: you'll have to set up split DNS for your RFC1918 and external IPs
- in Real Life, you sometimes _will_ have to debug from the outside of your network
- in Real Life, someone else _will_ debug from the outside (and quite probably complain about the RFC1918 IPs or simply be fed up)

cheers,
rw

--
/ Ing. Robert Waldner | [EMAIL PROTECTED]        \
\ Xsoft GmbH          | T: +43 1 796 36 36 692  /
Re: routing routable IPs over non-routable IPs
At 08:00 AM 5/22/01 +0200, Robert Waldner wrote:
> On Tue, 22 May 2001 01:26:56 EDT, Chris Wagner writes:
> > We should probably clarify "non-routable" by saying "non-publicly routable".
>
> Well, we could also say RFC1918, couldn't we ;-?

LOL

> - DNS: you'll have to set up split DNS for your RFC1918 and external IPs

I consider that to be good sense from a security standpoint regardless.

> - in Real Life, you sometimes _will_ have to debug from the outside of your network
> - in Real Life, someone else _will_ debug from the outside (and quite probably complain about the RFC1918 IPs or simply be fed up)

Hehe, yeah, I receive complaints from those people from time to time. :D But it's a moot point since the firewalls filter anything useful...

---=ALL YOUR BASE ARE BELONG TO US=---
___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___
0100
Re: routing routable IPs over non-routable IPs
Yes, many people do it with Ciscos all the time; Linux should be no different. However, there are a couple of downsides (speaking from Cisco experience only). It hurts for troubleshooting... you can't trace/ping directly to an interface, only a net...

On Mon, 21 May 2001, Jeremy Lunn wrote:
> I know this isn't Debian specific. But I'm just wondering if it's fine to route routable IP addresses over non-routable IP addresses. For example (in this example assume that 10.0.0.0/8 is a routable range):
>
>   +-------------------------+
>   | 10.1.1.4     (internet) |
>   |                         |
>   |         gateway         |
>   |                         |
>   | 172.16.5.1              |
>   +-------------------------+
>               |
>               |
>   +-------------------------+
>   | 172.16.5.2              |
>   |                         |
>   |        DSLAM/NAS        |
>   |                         |
>   | 10.1.2.0/24 routed to a |
>   | client                  |
>   +-------------------------+
>
> So is it just a matter of setting up something like
>
>   /sbin/route -net 10.1.2.0/24 gw 172.16.5.2
>
> on the gateway? I would assume this would work but I've never tested it. I didn't use a real routable subnet in this example because we haven't been allocated any yet and I wouldn't use someone else's IPs in an example :)
>
> --
> Jeremy Lunn
> Melbourne, Australia

--
John Gonzalez / [EMAIL PROTECTED] / [EMAIL PROTECTED]
Tularosa Communications, Inc. (505) 439-0200 voice / (505) 443-1228 fax
http://www.tularosa.net / ASN 11711 / JG6416
[--[ sys info ]---] 10:00pm up 256 days, 3:29, 5 users, load average: 0.01, 0.08, 0.05
Re: routing routable IPs over non-routable IPs
On Mon, 21 May 2001 13:46:14 +1000, Jeremy Lunn writes:
> I know this isn't Debian specific. But I'm just wondering if it's fine to route routable IP addresses over non-routable IP addresses.

Yes, although many would consider it bad practice (I am an example), because you'll face trouble when you have to debug something, and have non-routable IPs on some path.

> So is it just a matter of setting up something like
>
>   /sbin/route -net 10.1.2.0/24 gw 172.16.5.2
>
> on the gateway?

Yes, but you should specify the netmask in 255.x.x.x-notation; route on linux sometimes tends to get classful when facing /-notation...

cheers,
rw

--
/ Ing. Robert Waldner | [EMAIL PROTECTED]        \
\ Xsoft GmbH          | T: +43 1 796 36 36 692  /
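An added example, not from the thread: shell functions that turn the /LEN form in Jeremy's route line into the explicit dotted-netmask form Robert recommends, and that refuse a "network" with host bits set (which route would reject anyway). The 10.1.2.0/24 and 172.16.5.2 values are the thread's own.

```shell
#!/bin/sh
# Added example (not from the thread): build a classless `route add` line
# with an explicit dotted netmask instead of relying on /LEN parsing.

# prefix_to_netmask LEN -> dotted-quad mask.  Computed octet by octet, so it
# needs no 32-bit shifts and works with any POSIX sh arithmetic width.
prefix_to_netmask() {
    len=$1
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    mask=''
    i=0
    while [ "$i" -lt 4 ]; do
        bits=$(( len - 8 * i ))              # network bits falling in this octet
        if [ "$bits" -gt 8 ]; then bits=8; fi
        if [ "$bits" -lt 0 ]; then bits=0; fi
        octet=$(( 256 - (1 << (8 - bits)) ))
        mask="$mask${mask:+.}$octet"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# in_network_form ADDR MASK -> success iff ADDR has no host bits set under MASK
in_network_form() {
    oldifs=$IFS; IFS=.
    set -- $1 $2                              # 4 address octets, then 4 mask octets
    IFS=$oldifs
    [ $# -eq 8 ] || return 1
    [ $(( $1 & $5 )) -eq "$1" ] && [ $(( $2 & $6 )) -eq "$2" ] &&
        [ $(( $3 & $7 )) -eq "$3" ] && [ $(( $4 & $8 )) -eq "$4" ]
}

# route_add_cmd NET/LEN GATEWAY -> prints the route command (not executed)
route_add_cmd() {
    net=${1%/*}; len=${1#*/}
    [ "$net" != "$1" ] || return 1            # insist on prefix notation
    mask=$(prefix_to_netmask "$len") || return 1
    in_network_form "$net" "$mask" || return 1
    printf 'route add -net %s netmask %s gw %s\n' "$net" "$mask" "$2"
}

# route_add_cmd 10.1.2.0/24 172.16.5.2
```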
Re: Routing problem.
Hello,

For your problem you maybe can solve it with an arp publication on box2? eg:

  ARP -i fxp0 -Ds 213.219.39.198 fxp1 pub

Friedrich Clausen wrote:
> Greetings all,
>
> I will try and make myself as clear as possible, so please excuse my poor ASCII picture, but it seems to help explanations better. I hope this question is appropriate for the list but I don't know where else to ask. First I will give some info:
>
> [ASCII diagram lost in the archive; its labels were: Internet, Router, Box2 (tl0, fxp1, fxp0), Hub -- eth0 Box3, Hub -- eth0 Box1 eth1]
>
> Networks involved:
>   192.168.1.0/24
>   213.219.39.192/29
>   213.219.39.196/29
>   213.219.39.200/28
>
> Router - 213.219.39.193
>
> Box1 - Debian Linux workstation
>   eth0  : 192.168.1.92
>
> Box2 - OpenBSD gateway
>   fxp0  : 192.168.1.50
>   fxp1  : 213.219.39.204
>   alias : 213.219.39.197
>   tl0   : 213.219.39.194
>
> Box3 - Debian Linux Server
>   eth0  : 213.219.39.202
>   eth1  : 213.219.39.198
>
> The problem is I cannot ping 213.219.39.198 from anywhere other than Box2 or Box1. However I can ping 213.219.39.202 from anywhere. At first I thought that it was because eth1 did not have a default route, but I discovered that default routes are assigned per computer, not per interface. I put up a virtual interface (213.219.39.197) on box2 so it can talk to 213.219.39.198 on box1. The weird thing is that if I ping 213.219.39.198 from box3 then it receives the echo request; here is tcpdump -i eth1 icmp on box1:
>
>   14:08:27.201192 192.168.1.92 > 213.219.39.198: icmp: echo request (DF)
>   14:08:28.197807 192.168.1.92 > 213.219.39.198: icmp: echo request (DF)
>
> But it just never replies and I cannot figure out why. However if I ping from box2 or box1 then it works:
>
>   14:10:50.909501 213.219.39.197 > 213.219.39.198: icmp: echo request
>   14:10:50.910048 213.219.39.198 > 213.219.39.197: icmp: echo reply (DF)
>
> It appears that the eth1 interface does not know how to send a reply to the host that pings it, so that is why I tried to assign a default gateway to it, but that just stopped everything from working. So the question is, how can I make eth1 on box1 reachable from everywhere. Thank you very much for your time and I hope I have made my problem clear.
>
> Regards,
> Friedrich.
Re: Routing Question
"nr" == Nathan Ridge [EMAIL PROTECTED] writes:

> I'm setting up a broadband Internet connection on a Debian box. I have the sat interface installed and working and can see the ICMP packets coming in from a ping on the sat interface using tcpdump, so I'm confident that side of things is working. I am having a bit of trouble with the dialup. Let's say our network is 203.66.77.0, the border gateway is 203.66.77.1, and we have a Cisco access server on 203.66.77.11 and a radius server on 203.66.77.2. Now if I assign a static IP from a dialup pool on our network, say 203.66.77.55, I can ping out from the dialup no problems, but the static needs to be that of the IP address that is attached to the MAC ID of the sat card, so when I change the static to 203.173.176.99, it connects to our network, authenticates OK but cannot ping any machine except for the access server 203.66.77.11. I know I must just be missing a route somewhere, and I was assuming on the access server, but when I also set up an NT server with the same setup it seems to work fine. Any ideas what I am doing wrong?

I'm not sure I've got the picture completely clear (an ASCII scheme would help); however, in my past experiences with satellite-based connections, you have to make sure to disable the rp_filter on the satellite interface:

  echo 0 > /proc/sys/net/ipv4/conf/`your sat interface`/rp_filter

To see if this is necessary, try to:

  echo 1 > /proc/sys/net/ipv4/conf/`your sat interface`/log_martians

and check your logs (on stock Debian systems martian packets should be logged in auth.log, I think). If you see any martian packets being blocked, I suggest you try to disable rp_filter on the sat interface.

By the way, what's your satellite provider?

Bye,
Andrea Glorioso

--
It is not enough to take steps that will one day lead to a goal; each step must itself be a goal, at the same time as it carries us forward.
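Two audit helpers as an added example (not from the thread): one summarises the kernel's "martian source" log lines that the log_martians advice above produces, per interface and claimed source, so a reverse-path problem can be told apart from spoofed traffic before rp_filter is relaxed; the other lists rp_filter, log_martians and proxy_arp for every interface from the same /proc tree. Interface names, addresses and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the rp_filter /
# log_martians advice.  Everything below is constructed sample data.

# martian_summary: reads syslog/kernel lines on stdin and prints
# "IF SRC COUNT" for every interface/source pair the kernel logged as
# martian, sorted.  The kernel writes
#   "martian source DST from SRC, on dev IF"
# where the FIRST address is the destination and the SECOND is the source
# address the reverse-path check rejected.
martian_summary() {
    awk '
        /martian source/ {
            src = ""; dev = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "dev")  dev = $(i + 1)
            }
            sub(/,$/, "", src)
            if (src != "" && dev != "") count[dev " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# rp_filter_report PROC_ROOT: prints "IF rp_filter proxy_arp log_martians"
# for each interface under PROC_ROOT/sys/net/ipv4/conf ("?" when a knob is
# absent).  Pass /proc on a live host; a constructed tree works for tests.
rp_filter_report() {
    for d in "$1"/sys/net/ipv4/conf/*/; do
        d=${d%/}
        iface=${d##*/}
        case $iface in all|default) continue ;; esac   # templates, not devices
        [ -r "$d/rp_filter" ] || continue
        printf '%s' "$iface"
        for key in rp_filter proxy_arp log_martians; do
            if [ -r "$d/$key" ]; then
                printf ' %s' "$(cat "$d/$key")"
            else
                printf ' ?'
            fi
        done
        printf '\n'
    done
}

# Constructed sample log (syslog prefix as written to kern.log).
sample_log() {
    printf '%s\n' \
'Mar  5 14:08:27 gw kernel: martian source 203.66.77.55 from 10.9.8.7, on dev sat0' \
'Mar  5 14:08:27 gw kernel:   ll header: 00:11:22:33:44:55:66:77:88:99:aa:bb:08:00' \
'Mar  5 14:08:28 gw kernel: martian source 203.66.77.55 from 10.9.8.7, on dev sat0' \
'Mar  5 14:09:01 gw kernel: martian source 203.66.77.2 from 192.168.1.5, on dev eth0'
}

# sample_log | martian_summary
# rp_filter_report /proc
```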
RE: routing
Alright I've run into another problem or maybe I'm just dumb.

208.3.69.1 is the main router connected to the internet. 208.3.69.2 (eth0) is the device connected via ethernet to the main router on the linux router/bridge. 208.3.69.4 (eth1) goes to the client (208.3.69.3).

The main router is a cisco and its routes look like:

ip route 0.0.0.0 0.0.0.0 Serial0/1
ip route 208.3.69.0 255.255.255.0 Ethernet0/0
ip route 208.3.69.3 255.255.255.255 208.3.69.2

The linux router/bridge has routes of:

Destination   Gateway      Genmask           Flags  Metric  Ref  Use  Iface
208.3.69.3    *            255.255.255.255   UH     0       0    0    eth1
208.3.69.0    *            255.255.255.0     U      0       0    0    eth0
default       208.3.69.1   0.0.0.0           UG     1       0    0    eth0

The client has a gw of 208.3.69.4.

When I try to ping the main router from the client it doesn't work. tcpdump on eth1 shows:

06:33:35.687012 arp who-has 208.3.69.1 tell 208.3.69.3 (repeated)

Nothing shows up on eth0.

When I try to ping 208.3.69.3 from the main router (208.3.69.1) tcpdump on eth0 shows:

06:48:45.166405 208.3.69.1 > 208.3.69.3: icmp: echo request (repeated)

On eth1:

6:49:50.926361 208.3.69.1 > 208.3.69.3: icmp: echo request
06:49:50.929978 arp who-has 208.3.69.1 tell 208.3.69.3
06:49:52.928131 208.3.69.1 > 208.3.69.3: icmp: echo request
06:49:52.931469 arp who-has 208.3.69.1 tell 208.3.69.3

Is it something wrong with my routes? Or do I just suck?

Thanks.

-- 
Kevin - [EMAIL PROTECTED]
RE: routing
You are setting 255.255.255.0 netmasks so the machines are expecting to find the .1, .2 and .3 machines on the local ethernet interfaces. I don't know why you are doing it like that, but what would fix your problem is getting the Linux router machine to do a proxy-arp. You can turn this on by echoing the appropriate incantation to proc. Documentation/proc.txt in your linux source directory should give you the details.

cheers,
BM
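As an added illustration (not code from any poster in this thread), here is a small Python model of the two kernel checks the replies above lean on: the strict reverse-path filter Andrea suggests disabling on the satellite interface, and the proxy ARP BM suggests enabling on the Linux router. Addresses are taken from the posts; the interface names sat0/ppp0 and the /24 assumed for the sat card are my assumptions.

```python
import ipaddress

# Constructed tables: (prefix, gateway-or-None, iface). The first mirrors the
# `route -n` output Kevin posted; the second is an assumed satellite box whose
# downlink is sat0 and whose uplink/default route is the dialup ppp0.
LINUX_ROUTER = [
    ("208.3.69.3/32", None, "eth1"),
    ("208.3.69.0/24", None, "eth0"),
    ("0.0.0.0/0", "208.3.69.1", "eth0"),
]
ROUTER_OWN_ADDRS = {"eth0": {"208.3.69.2"}, "eth1": {"208.3.69.4"}}
SAT_BOX = [
    ("203.173.176.0/24", None, "sat0"),    # assumed /24 around the sat card IP
    ("0.0.0.0/0", "203.66.77.1", "ppp0"),  # border gateway reached via dialup
]

def lookup(table, dst):
    """Longest-prefix match; returns (gateway, iface) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def on_link(local_cidr, target):
    """True if a host configured as local_cidr will ARP for target directly
    instead of sending to its gateway (Kevin's client with a /24 does)."""
    return ipaddress.ip_address(target) in ipaddress.ip_interface(local_cidr).network

def answers_arp(own, table, in_iface, target, proxy_arp):
    """Does the router reply to 'who-has target' heard on in_iface?
    Its own address on that interface is always answered; with proxy_arp it
    also answers for targets it routes out through a *different* interface."""
    if target in own.get(in_iface, set()):
        return True
    if not proxy_arp:
        return False
    route = lookup(table, target)
    return route is not None and route[1] != in_iface

def rp_filter_accepts(table, in_iface, src):
    """Strict reverse-path check: the route back to src must leave via in_iface,
    otherwise the packet is a 'martian' (logged when log_martians is set)."""
    route = lookup(table, src)
    return route is not None and route[1] == in_iface
```

With the satellite table, a reply from any Internet host arriving on sat0 fails the check because the route back to it leaves via ppp0, which is exactly the asymmetric case that needs rp_filter off on that interface.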
Re: Routing
On Tue, 29.08.00 09:48 -0700, Kevin wrote:

> I've got my network on 10.0.0.0/24. The gateway is 10.0.0.1 and the
> bridge/router is on 10.0.0.1. I need to set up a static route in the
> gateway that says anything for 10.1.1.0/24 should use 10.0.0.1 as its
> next hop. From my view I can't do it with normal route as it will only
> take an interface as the destination. Any ideas?

You want this?

route add -net 10.1.1.0 netmask 255.255.255.0 gw 10.0.0.1

bye,
-christian-

-- 
Did You know that MicroSoft was named after Bill Gates' penis ?