RE: [Leaf-user] routing more than 1 hop

2002-03-12 Thread George Metz

Wow. I got a headache trying to follow all of those routes. Truly
complicated stuff. Let's dig in!


  Site 1:  10.10.1.0
  eth0 10.10.1.40/24
  eth1 192.168.1.254/24

  Destination   Mask             Gateway         Dev
  0.0.0.0       0.0.0.0          10.10.1.254     eth0  (to internet)
  10.10.1.0     255.255.255.0    10.10.1.40      eth0  (wired interface)
  10.10.12.0    255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
  10.10.13.0    255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
  192.168.1.0   255.255.255.0    192.168.1.254   eth1  (wireless interface)
  192.168.2.0   255.255.255.0    192.168.1.253   eth1  (wireless to site 2)

As a side note here, you can do some trimming down of routes pretty
thoroughly. For example, the 10.10.12.x and 10.10.13.x can be condensed
into 10.10.12.0 255.255.254.0 with a gateway of 192.168.1.253. Remember,
the router only needs to know how to send to the next hop on the path;
the next hop's job is to determine what to do with it. This is the same
reasoning behind what Matt said regarding using a 0.0.0.0 gateway. With
the subnet you're worried about, there should be some hop in there between
the site's individual router and that destination net that will examine
the destination traffic and send it correctly. Sending stuff straight out
the default gateway should work just fine as long as there's something
between you and the Internet that can catch the traffic and redirect it
(locally).

In the one I pointed out, Site 2 is going to be doing all the work to
determine where the IPs in those two /24s are going to be going. All Site
1 needs to know is how to get it to site two. If whatever has the
10.10.1.254 IP has routes for public IPs that are NOT destined for the
general internet (and any devices it sends to also have those routes)
shoving it out default gateway works.

Now, you stated that the problem seems to be coming from trying to reach
Site 3 from Site 1, yes?

Site 1 sends traffic from - for example - 10.10.1.8 to a host on Site 3 at
10.10.13.20. Assuming 10.10.1.40 is Default Gateway for all hosts on
10.10.1.0/24 except for the 254 host.

10.10.1.8 - 10.10.1.40 - 192.168.1.253 - 10.10.12.253 - 192.168.2.253
- 10.10.13.20.

Response would be:

10.10.13.20 - 10.10.13.254 - 192.168.2.254 - 10.10.12.254 -
192.168.1.254 - 10.10.1.8


Site 3 appears to be the problem, though without knowing for sure what the
firewalling is doing there I can't say that the firewalling or the routing
is actually the issue here. Check to make sure IP Forwarding is turned on
as was suggested, and if it is, try adding a specific route for
10.10.1.0/24 pointing to 192.168.1.254 on Site 3. There's no real reason
why it SHOULD work, but stranger things have happened before. The default
routes you're using in the later sites should do the job, and indeed do up
until Site 3. It's possible that somewhere, somehow something got altered
by accident routing wise, but it SHOULD show up in the routing tables
(something like a 10.10.13.0 255.255.0.0 would REALLY confuse the
routing...) in at least some form.

This is an interesting problem (for me, at any rate, probably very
frustrating to you) so I'll bang my head on it for a bit and see if I come
up with anything interesting.

--
George Metz
Commercial Routing Engineer
[EMAIL PROTECTED]

We know what deterrence was with 'mutually assured destruction' during
the Cold War. But what is deterrence in information warfare? -- Brigadier
General Douglas Richardson, USAF, Commander - Space Warfare Center


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
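
Added example (not part of any message in this thread): a small Python model of the four routing tables Bob Pocius posted on 2002-03-08, replaying the hop-by-hop walk and the 255.255.254.0 aggregation George Metz describes above. Directly attached networks are modelled with no gateway, and the forwarding_off parameter is a constructed what-if, not a diagnosis taken from the thread.

```python
import ipaddress as ip

# Transcribed from the 2002-03-08 tables in this thread:
# router -> (own interface addresses, [(destination, next hop)]).
# Next hop None = directly attached network (modelling choice: the posted
# tables list the router's own address as gateway for those rows).
ROUTERS = {
    "site1": (["10.10.1.40", "192.168.1.254"], [
        ("0.0.0.0/0", "10.10.1.254"), ("10.10.1.0/24", None),
        ("10.10.12.0/24", "192.168.1.253"), ("10.10.13.0/24", "192.168.1.253"),
        ("192.168.1.0/24", None), ("192.168.2.0/24", "192.168.1.253")]),
    "site2a": (["10.10.12.254", "192.168.1.253"], [
        ("0.0.0.0/0", "192.168.1.254"), ("10.10.12.0/24", None),
        ("10.10.13.0/24", "10.10.12.253"), ("192.168.1.0/24", None),
        ("192.168.2.0/24", "10.10.12.253")]),
    "site2b": (["10.10.12.253", "192.168.2.254"], [
        ("0.0.0.0/0", "10.10.12.254"), ("10.10.12.0/24", None),
        ("10.10.13.0/24", "192.168.2.253"), ("192.168.2.0/24", None)]),
    "site3": (["10.10.13.254", "192.168.2.253"], [
        ("0.0.0.0/0", "192.168.2.254"), ("10.10.13.0/24", None),
        ("192.168.2.0/24", None)]),
}
# Which router answers for each next-hop address.
OWNER = {a: name for name, (addrs, _) in ROUTERS.items() for a in addrs}


def lookup(router, dst):
    """Longest-prefix match; returns (matched network, next hop or None)."""
    addr = ip.ip_address(dst)
    hits = [(ip.ip_network(n), gw) for n, gw in ROUTERS[router][1]
            if addr in ip.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)


def trace(first_router, dst, forwarding_off=(), max_hops=8):
    """Walk a host's packet router by router; returns (path, outcome)."""
    path, router = [], first_router
    for _ in range(max_hops):
        path.append(router)
        if dst in ROUTERS[router][0]:
            return path, "delivered to router"
        if router in forwarding_off:  # transit packet, ip_forward=0
            return path, "dropped: ip_forward=0"
        net, gw = lookup(router, dst)
        if gw is None:
            return path, f"delivered on {net}"
        if gw not in OWNER:
            return path, f"left the modelled network via {gw}"
        router = OWNER[gw]
    return path, "routing loop"


def aggregate(router):
    """Per next hop, the fewest prefixes covering exactly the same routes."""
    by_gw = {}
    for net, gw in ROUTERS[router][1]:
        if gw is not None:
            by_gw.setdefault(gw, []).append(ip.ip_network(net))
    return {gw: [str(n) for n in ip.collapse_addresses(nets)]
            for gw, nets in by_gw.items()}


def has_host_bits(dest, mask):
    """True when dest is not the network address for mask (a malformed row)."""
    return ip.ip_interface(f"{dest}/{mask}").network.network_address \
        != ip.ip_address(dest)


if __name__ == "__main__":
    print(trace("site1", "10.10.13.20"))   # forward path
    print(trace("site3", "10.10.1.8"))     # return path
    print(aggregate("site1"))
    print(has_host_bits("10.10.13.0", "255.255.0.0"))
    print(trace("site1", "10.10.13.20", forwarding_off={"site3"}))
```

The return walk succeeds on default routes alone because each default gateway points back toward Site 1, which is the point made above about only needing to know the next hop.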



RE: [Leaf-user] routing more than 1 hop

2002-03-11 Thread Bob Pocius

It's funny how the keys slip sometimes, huh :-)
There's definitely no unsend button :-)

It wasn't until after my third or fourth time reading this
e-mail that I figured out what you were talking about. Oops!


Ok.  Be aware that you're going to want to check your
syslog a lot during this phase to see what's really going
on.  Hopefully, all denied or rejected packets will be
logged and we can get somewhere.

Even without Shorewall?


Yes, it looks complete, and it seems to make sense.
I don't see any lo, localhost routes.  Why not?  Did you
just omit them?

I just didn't bother typing them out here, but they do
exist. They are the same as what you have listed in your routing table.


There's also an occasion or two where I'd think the gateway
would simply be 0.0.0.0, but I'm not convinced that's an
issue.
The routes look logical.  I point that out inline.

Most likely, we're at the point of traceroute and ping
to bang our heads against any rules that are getting
in the way.

From a workstation at Site 1, I can ping the segment at Site
2 including all the interfaces in between, and the 10.10.12.253 interface
(which is the router from Site 2b to Site 3), but I get unreachable messages
for everything beyond.

 I did this because that router is connected via 100Mb fibre to another
 building where the rest of the routing happens. eth0 on Site 1 connects to a
 switch, and 10.10.1.254 (my main gateway router) connects to a different
 port on that same switch.

Ok.  I get that now.  As long as you're not using some really expensive
3COM switch or router that has traffic filtering/routing rules, we should
be in good shape.  Didn't you mention this exact setup worked with a full
blown RH distro?
If that's the case, I'm leaning more toward Shorewall, heh heh.

It's a Nortel Accelar 1150R-B, but there's no filtering on
it. And, yes it does work with a full blown RH distro. Since I haven't used
the ip route tool before, I thought there might be more parameters that I
need to be including when I build my routes. And I took Shorewall out to try
and make things easier on myself, but it doesn't seem to make a difference. 

Because you're not saying to the kernel that 192.168.1.254 is *another router*,
*another gateway* or a thing that does routing, but rather you're just trying
to say, put all that traffic out eth1.  Although I know netstat and routing
in general, I've never set something up this complicated and can't be sure.
I just know how a routing table usually looks, and it does not specify the
external nic ip address for routes like this one.  Here's mine, for example:

Destination     Gateway          Genmask          Flags  Iface
10.1.1.0        0.0.0.0          255.255.255.0    U      eth1
63.194.213.0    0.0.0.0          255.255.255.0    U      eth0
127.0.0.0       0.0.0.0          255.0.0.0        U      lo
0.0.0.0         63.194.213.254   0.0.0.0          UG     eth0

Ok then.  I'll leave it at this point until we find out about
the localhost route (127.0.0.0/8) sort of thing and the 0.0.0.0
gateway issue.

I'll give this a try, but at first glance it seems that it
would direct all outbound traffic to the next hop, but what about traffic
destined for hosts on the 63.194.213.0/24 segment? That's why I got specific
with the gateway definitions. 


Btw, how do you pronounce Pocius?  Poe'-shuss?
Poe'-she-us?

It's Poe'-shuss..and I'm very impressed that you were
able to guess that. No one ever pronounces it right! 


Bob Pocius





RE: [Leaf-user] routing more than 1 hop

2002-03-11 Thread Eric Wolzak

Hello Bob, Matt

You wrote about trouble routing to a second network using a
Bering disk.
As far as I understood your post you can ping from one site to the
next one but not beyond.
Your routing seems to be OK.

Did you check
cat /proc/sys/net/ipv4/ip_forward

If this is set to 0 then the kernel doesn't forward the IP packets, even if
you are able to reach them by route.
You can change this with
echo 1 > /proc/sys/net/ipv4/ip_forward

BTW this is also one of the things Shorewall does ;)
Look in /etc/network/options
here is the line
ip_forward=no
you can change this to ip_forward=yes.



good luck
Eric Wolzak

Bering_
http://leaf.sf.net/devel/ericw
http://leaf.sf.net/devel/jnilo





Re: [Leaf-user] routing more than 1 hop

2002-03-09 Thread Matt Schalit

Bob Pocius wrote:
Sometimes LEAF distros are configured to block traffic destined for
the private address space from going out eth0.  It's designed that
way because private addresses are in general for internal use only.
Rarely, an ISP uses these, and adjustments are made to ipfilter.conf
or wherever your rules are defined.

 That makes good sense, but I stripped Whorewall out to try to simplify
 things for myself.

It's funny how the keys slip sometimes, huh :-)
There's definitely no unsend button :-)


Ok.  Be aware that you're going to want to check your
syslog a lot during this phase to see what's really going
on.  Hopefully, all denied or rejected packets will be
logged and we can get somewhere.




I'm deciding not to comment on the routes at all until
you post the output of   ifconfig -a on all four sites.

 I've included the useful data with each of the routing tables (I hope I
 didn't leave out anything that you were looking for).



   Yes, it looks complete, and it seems to make sense.
I don't see any lo, localhost routes.  Why not?  Did you
just omit them?

   There's also an occasion or two where I'd think the gateway
would simply be 0.0.0.0, but I'm not convinced that's an issue.
The routes look logical.  I point that out inline.

   Most likely, we're at the point of traceroute and ping
to bang our heads against any rules that are getting
in the way.




I will mention that I don't get the concept of having both
10.10.1.254 and 10.10.1.40 assigned to the same eth0, for
instance.

 I did this because that router is connected via 100Mb fibre to another
 building where the rest of the routing happens. eth0 on Site 1 connects to a
 switch, and 10.10.1.254 (my main gateway router) connects to a different
 port on that same switch.


Ok.  I get that now.  As long as you're not using some really expensive
3COM switch or router that has traffic filtering/routing rules, we should
be in good shape.  Didn't you mention this exact setup worked with a full
blown RH distro?

If that's the case, I'm leaning more toward Shorewall, heh heh.


  Site 1:  10.10.1.0 
  eth0 10.10.1.40/24
  eth1 192.168.1.254/24
 
  Destination   Mask             Gateway         Dev
  0.0.0.0       0.0.0.0          10.10.1.254     eth0  (to internet)
  10.10.1.0     255.255.255.0    10.10.1.40      eth0  (wired interface)
  10.10.12.0    255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
  10.10.13.0    255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
  192.168.1.0   255.255.255.0    192.168.1.254   eth1  (wireless interface)
  192.168.2.0   255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
 


Above is a line that I thought would have 0.0.0.0 for the gateway, like this

192.168.1.0   255.255.255.0    0.0.0.0         eth1  (wireless interface)

Because you're not saying to the kernel that 192.168.1.254 is *another router*,
*another gateway* or a thing that does routing, but rather you're just trying
to say, put all that traffic out eth1.  Although I know netstat and routing
in general, I've never set something up this complicated and can't be sure.
I just know how a routing table usually looks, and it does not specify the
external nic ip address for routes like this one.  Here's mine, for example:


Destination     Gateway          Genmask          Flags  Iface
10.1.1.0        0.0.0.0          255.255.255.0    U      eth1
63.194.213.0    0.0.0.0          255.255.255.0    U      eth0
127.0.0.0       0.0.0.0          255.0.0.0        U      lo
0.0.0.0         63.194.213.254   0.0.0.0          UG     eth0


Now it's done on Oxygen.  So it looks a bit different, but still.
To be honest, I think ip route show does a better job of detailing
the low level workings, but it's hard to read.

Ok then.  I'll leave it at this point until we find out about
the localhost route (127.0.0.0/8) sort of thing and the 0.0.0.0
gateway issue.

If that's not it, then try a ping from one end to the other.
Try to decipher if NAT is occurring and getting in the way.
Try to get all packets logged into your syslog.  You can
write the rules yourself for that.

 1)  Set default policies to ACCEPT
 2)  Flush all routes
 3)  Add a rule that logs all traffic in one direction
 for one nic, and watch the log to see if the traffic
 gets through that nic.

Let me know if you need examples of that.

Btw, how do you pronounce Pocius?  Poe'-shuss?  Poe'-she-us?


Regards,
Matthew







  Site 2a:  10.10.12.0 
  eth0 10.10.12.254/24
  eth1 192.168.1.253/24
 
  Destination   Mask             Gateway         Dev
  0.0.0.0       0.0.0.0          192.168.1.254   eth1  (wireless to site 1)
  10.10.12.0    255.255.255.0    10.10.12.254    eth0  (wired interface)
  10.10.13.0    255.255.255.0    10.10.12.253    eth0  (to other local router)
  192.168.1.0   255.255.255.0    192.168.1.253   eth1  (wireless interface)
  192.168.2.0   255.255.255.0    10.10.12.253    eth0  (to other local router)
 
 
  (Site 2a and 2b are connected to the same switch)
 
 
  

RE: [Leaf-user] routing more than 1 hop

2002-03-08 Thread Bob Pocius


 Sometimes LEAF distros are configured to block traffic destined for
 the private address space from going out eth0.  It's designed that
 way because private addresses are in general for internal use only.
 Rarely, an ISP uses these, and adjustments are made to ipfilter.conf
 or wherever your rules are defined.
That makes good sense, but I stripped Whorewall out to try to simplify
things for myself.

 Btw, tabs mess up your tables.  I converted them to spaces.
Thanks!!

 I'm deciding not to comment on the routes at all until
 you post the output of   ifconfig -a on all four sites.
I've included the useful data with each of the routing tables (I hope I
didn't leave out anything that you were looking for).

 I will mention that I don't get the concept of having both
 10.10.1.254 and 10.10.1.40 assigned to the same eth0, for
 instance.
I did this because that router is connected via 100Mb fibre to another
building where the rest of the routing happens. eth0 on Site 1 connects to a
switch, and 10.10.1.254 (my main gateway router) connects to a different
port on that same switch.



 Site 1:  10.10.1.0 
 eth0 10.10.1.40/24
 eth1 192.168.1.254/24

 Destination   Mask             Gateway         Dev
 0.0.0.0       0.0.0.0          10.10.1.254     eth0  (to internet)
 10.10.1.0     255.255.255.0    10.10.1.40      eth0  (wired interface)
 10.10.12.0    255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
 10.10.13.0    255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
 192.168.1.0   255.255.255.0    192.168.1.254   eth1  (wireless interface)
 192.168.2.0   255.255.255.0    192.168.1.253   eth1  (wireless to site 2)



 Site 2a:  10.10.12.0 
 eth0 10.10.12.254/24
 eth1 192.168.1.253/24

 Destination   Mask             Gateway         Dev
 0.0.0.0       0.0.0.0          192.168.1.254   eth1  (wireless to site 1)
 10.10.12.0    255.255.255.0    10.10.12.254    eth0  (wired interface)
 10.10.13.0    255.255.255.0    10.10.12.253    eth0  (to other local router)
 192.168.1.0   255.255.255.0    192.168.1.253   eth1  (wireless interface)
 192.168.2.0   255.255.255.0    10.10.12.253    eth0  (to other local router)


 (Site 2a and 2b are connected to the same switch)


 Site 2b:  10.10.12.0
 eth0 10.10.12.253/24
 eth1 192.168.2.254/24

 Destination   Mask             Gateway         Dev
 0.0.0.0       0.0.0.0          10.10.12.254    eth0  (to other local router)
 10.10.12.0    255.255.255.0    10.10.12.253    eth0  (wired interface)
 10.10.13.0    255.255.255.0    192.168.2.253   eth1  (wireless to site 3)
 192.168.2.0   255.255.255.0    192.168.2.254   eth1  (wireless interface)




 Site 3: 10.10.13.0
 eth0 10.10.13.254/24
 eth1 192.168.2.253/24

 Destination   Mask             Gateway         Dev
 0.0.0.0       0.0.0.0          192.168.2.254   eth1  (wireless to site 2)
 10.10.13.0    255.255.255.0    10.10.13.254    eth0  (wired interface)
 192.168.2.0   255.255.255.0    192.168.2.253   eth1  (wireless interface)
 
 
 Bob Pocius




Re: [Leaf-user] routing more than 1 hop

2002-03-04 Thread Charles Steinkuehler

 I'm using Bering as a platform to help me route between buildings connected
 to my network. In some cases, routing has to hop more than once (up to 3
 times).  Using standard routing commands, I don't seem to be able to fix
 this. Here is what my network looks like. Site 1 is the main segment. Site 2
 connects directly to Site 1. Site 3 connects directly to Site 2. Below are
 the (what I feel are necessary) routes to make things work.

Not a very good picture of what your network looks like.  How about
something more like:

Internet
  |
eth0
Site1
eth1 10.10.1.254
  |
10.10.1.0/24
  |
eth0 10.10.1.253
Site2
eth1 10.10.12.254
  |
10.10.12.0/24
  |
eth0 10.10.12.253
Site 3
eth1 10.10.13.254
  |
10.10.13.0/24

Routing for this network (other than the implicit routes for directly
attached networks):

Site 3:
eth0_DEFAULT_GW=10.10.12.254

Site 2:
eth0_DEFAULT_GW=10.10.1.254
eth1_ROUTES=10.10.13.0/24_via_10.10.12.253

Site 1:
eth0_DEFAULT_GW=internet gateway
eth1_ROUTES=10.10.12.0/24_via 10.10.1.253 10.10.13.0/24_via_10.10.1.253

Provide more details on your network if you're still stuck, and the above
doesn't match what you've actually got setup...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] routing more than 1 hop

2002-03-04 Thread Matt Schalit

Bob Pocius wrote:
 Thanks for the replies guys. On my way home (after I had some time to think
 about what I wrote), I realized that I didn't describe my problem properly.
 As well as being lazy about transcribing my routing tables, I didn't include
 some of the connection info. Sites 1, 2 and 3 are connected by wireless
 cards. 

Laughter is heard in the galleries...

 The links between the routers are defined by 192.168 addresses. I
 have 2 routers setup at Site 2 to keep things simple for myself while I try
 to get things working. I have this setup working currently using Redhat
 boxes, and I defined my routes using the old route command. I'm confused
 because as far as I know my routes are setup the same. I had to use ip route
 to set things up in Bering, so I'm wondering if there's more syntax involved
 in setting up a route to do more than 1 hop (it sounds far fetched, but I
 can't see anything else wrong)?

Sometimes LEAF distros are configured to block traffic destined for
the private address space from going out eth0.  It's designed that
way because private addresses are in general for internal use only.
Rarely, an ISP uses these, and adjustments are made to ipfilter.conf
or wherever your rules are defined.

Btw, tabs mess up your tables.  I converted them to spaces.

I'm deciding not to comment on the routes at all until
you post the output of   ifconfig -a on all four sites.
That info is really needed to understand this.  If you don't
have ifconfig, use ip addr show.

I will mention that I don't get the concept of having both
10.10.1.254 and 10.10.1.40 assigned to the same eth0, for
instance.

Regards,
Matt



 Site 1:  10.10.1.0 
 Destination   Mask             Gateway         Dev
 0.0.0.0       0.0.0.0          10.10.1.254     eth0  (to internet)
 10.10.1.0     255.255.255.0    10.10.1.40      eth0  (wired interface)
 10.10.12.0    255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
 10.10.13.0    255.255.255.0    192.168.1.253   eth1  (wireless to site 2)
 192.168.1.0   255.255.255.0    192.168.1.254   eth1  (wireless interface)
 192.168.2.0   255.255.255.0    192.168.1.254   eth1  (wireless interface)




 Site 2a:  10.10.12.0 
 Destination   Mask             Gateway         Dev
 0.0.0.0       0.0.0.0          192.168.1.254   eth1  (wireless to site 1)
 10.10.12.0    255.255.255.0    10.10.12.254    eth0  (wired interface)
 10.10.13.0    255.255.255.0    10.10.12.253    eth0  (to other local router)
 192.168.1.0   255.255.255.0    192.168.1.253   eth1  (wireless interface)
 192.168.2.0   255.255.255.0    10.10.12.253    eth0  (to other local router)




 Site 2b:  10.10.12.0
 Destination   Mask             Gateway         Dev
 0.0.0.0       0.0.0.0          10.10.12.254    eth0  (to other local router)
 10.10.12.0    255.255.255.0    10.10.12.253    eth0  (wired interface)
 10.10.13.0    255.255.255.0    192.168.2.253   eth1  (wireless to site 3)
 192.168.2.0   255.255.255.0    192.168.2.254   eth1  (wireless interface)




 Site 3: 10.10.13.0
 Destination   Mask             Gateway         Dev
 0.0.0.0       0.0.0.0          192.168.2.254   eth1  (wireless to site 2)
 10.10.13.0    255.255.255.0    10.10.13.254    eth0  (wired interface)
 192.168.2.0   255.255.255.0    192.168.2.253   eth1  (wireless interface)
 
 
 Bob Pocius






Re: [Leaf-user] routing more than 1 hop

2002-03-03 Thread Matt Schalit

Bob Pocius wrote:
 I'm using Bering as a platform to help me route between buildings connected
 to my network. In some cases, routing has to hop more than once (up to 3
 times).  Using standard routing commands, I don't seem to be able to fix
 this. Here is what my network looks like. Site 1 is the main segment. Site 2
 connects directly to Site 1. Site 3 connects directly to Site 2. Below are
 the (what I feel are necessary) routes to make things work.
 
 Site 1:  10.10.1.0
 Destination   Mask             Gateway
 0.0.0.0       0.0.0.0          10.10.1.254
 10.10.12.0    255.255.255.0    192.168.1.253
 10.10.13.0    255.255.255.0    192.168.1.253


Why doesn't data destined for the 10.10.12.0 network
go out a nic that's on the 10.10.12.0 network?  It
looks like you're trying to move that data out a nic
that's not even on the same subnet.


 Site 2:   10.10.12.0
 Destination   Mask             Gateway
 0.0.0.0       0.0.0.0          192.168.1.254
 10.10.12.0    255.255.255.0    10.10.12.254
 10.10.13.0    255.255.255.0    192.168.2.253
 
 Site 3:   10.10.13.0
 Destination   Mask             Gateway
 0.0.0.0       0.0.0.0          192.168.2.254
 10.10.13.0    255.255.255.0    10.10.13.254
 
 I've been using this command to create my tables.
 #ip route add address /masklen via gateway
 
 Any thoughts or suggestions would be appreciated.
 
 Bob


In addition to what I mentioned above, how does the
10.10.12.0 network know how to route packets back to
the 10.10.1.0?  I don't see any route to get that data
back there.

How does the 10.10.13.0 network know how to get data
to the 10.10.12.0 network?  I think that needs a route
also.

Without return routes, the data goes out the default GWs.
Is that where you want them going?

Do you ipchains or iptables?  Feel like posting the ruleset?
It might help if the routes aren't the problems, but I think
they are.

Regards,
Matthew

