On Fri, Aug 30, 2002 at 09:24:25AM +1200, C Falconer wrote:
> Gidday all. I'm going to describe a problem that I was having with my
> work machines, and I'm going to see who comes closest to the correct
> answer to the problem (which took three days to solve)
>
> I have a Ppro 166 doing firewall duties. It has eth0, 192.168.1.1 with
> netmask of 255.255.0.0 for internal, and eth1, 202.0.37.196 /
> 255.255.255.0 for the cablemodem side. On the firewall, ping works fine
> to internet hosts, localhost, and internal hosts. It is running 2.4.19
> with an iptables firewall script.
>
> Internally there is a machine called belt, which is the main linux box.
> It runs bind9, squid, exim, and samba. belt has two nics
> eth0 Link encap:Ethernet HWaddr 00:02:E3:16:7F:FE
> inet addr:192.168.1.2 Bcast:192.168.255.255 Mask:255.255.0.0
> eth1 Link encap:Ethernet HWaddr 00:02:E3:15:D4:CB
> inet addr:192.168.1.12 Bcast:192.168.255.255 Mask:255.255.0.0
>
> eth0 is bound to squid and other IP related stuff, eth1 is used for
> samba and windowsie stuff. Both NICs are plugged into the same 100 Mbit
> switch.
>
> Destination     Gateway         Genmask         Flags Metric Ref  Use Iface
> 192.168.0.0     *               255.255.0.0     U     0      0      0 eth1
> default         192.168.1.1     0.0.0.0         UG    0      0      0 eth0
>
> All internal pinging from belt works fine. What seems to be the
> problem?
I'd hazard to guess it's because you're running two interfaces on the same subnet, and you're binding to one ethernet interface, and the packets are being sent with a source address of 192.168.1.12, and then you're sending them out eth0, but receiving via eth1. You should turn reverse path filtering off, which seems to default to on for some brain-dead reason. Or it's doing some kind of load-balancing and using both interfaces.

If you wanted to use two interfaces, wouldn't it make more sense to make them both into a bridge, and both be virtual interfaces, hooked up to two different switches. Assuming you can do STP on your switch. Or maybe you can just do trunking on your switch, and make one 200 megabit interface out of both interfaces?

The other thing is that the ping problem could partially be rate-limiting icmp-echo/icmp-reply packets. (RedHat seems to default this way nowadays)

Also why are you using 192.168.0.0/16 when it's an area set aside for /24s? It means you're sure to get a clash if you connect your network with another using address space within 192.168.0.0/16.

Ben.
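Ben's reverse-path-filtering explanation, worked through as an added example that is not part of the thread: a small Python model of strict (rp_filter=1) and loose (rp_filter=2) checks applied to belt's posted routing table, showing which packets strict mode drops on a host with two NICs on one subnet. It assumes only the two routes shown above; the sample packets are constructed.

```python
import ipaddress

# belt's routing table as posted in the thread: 192.168.0.0/16 out eth1,
# default via 192.168.1.1 out eth0.  A reverse-path check only needs the
# prefix and the interface, not the gateway address.
ROUTES = [
    ("192.168.0.0/16", "eth1"),
    ("0.0.0.0/0", "eth0"),
]


def lookup_iface(dst, routes=ROUTES):
    """Longest-prefix match; returns the interface a packet to dst would leave by."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def strict_rpf_accepts(src, in_iface, routes=ROUTES):
    """rp_filter=1: accept only if the route back to src leaves via in_iface."""
    return lookup_iface(src, routes) == in_iface


def loose_rpf_accepts(src, routes=ROUTES):
    """rp_filter=2: accept if there is any route back to src at all."""
    return lookup_iface(src, routes) is not None


def rpf_verdicts(packets, routes=ROUTES):
    """Map (src, in_iface) -> (strict_ok, loose_ok) for a list of sample packets."""
    return {(s, i): (strict_rpf_accepts(s, i, routes), loose_rpf_accepts(s, routes))
            for s, i in packets}


if __name__ == "__main__":
    # Constructed samples: an echo reply from an internet host arriving on
    # each NIC, a packet from the firewall's inside address arriving on eth0,
    # and a packet whose source is only covered by the default route.
    samples = [("202.0.37.1", "eth0"), ("202.0.37.1", "eth1"),
               ("192.168.1.1", "eth0"), ("10.9.8.7", "eth1")]
    for (src, iface), (strict, loose) in rpf_verdicts(samples).items():
        print(f"src={src:<12} in={iface}  strict={'pass' if strict else 'DROP'}  "
              f"loose={'pass' if loose else 'DROP'}")
```

Because belt has a default route, loose mode passes every source, so the practical choice on a multi-homed host like this is strict mode (which drops any reply that comes in on the "wrong" NIC) or none.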
