weird routing problem

2002-05-06 Thread martin f krafft
hi debian folk, i am in desperate need of your wisdom, patience, and
help!

i have a network setup as follows:


  212.54.xxx.12   router   192.168.14.1
                                |
                                |
                                |
                192.168.14.31   fw   192.168.31.1
                                           |
                                           |
                                           |
                                         host  192.168.31.2


the only thing doing PAT (masquerading) is the router, the firewall
does *not* NAT!

my problem is as follows:

  when i sit at the 192.168.31.2 machine, and i ping 192.168.14.1,
  then the echo request properly traverses the firewall (its default
  route), and the firewall hands it off its 192.168.14.31 IP to the
  router at 192.168.14.1.

  in order for replies to come back, i have added a static route to
  the router with the following command:

  # route add -net 192.168.31.0 netmask 255.255.255.0 \
   gw 192.168.14.31 metric 1

  which makes the routing table look like this:

  # route -n
  212.54.xxx.1    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
  192.168.14.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
  192.168.31.0    192.168.14.31   255.255.255.0   UG    1      0        0 eth1
  0.0.0.0         212.54.xxx.1    0.0.0.0         UG    0      0        0 eth0

  however, the echo replies never get there. and best of all, here's
  tcpdump's output on the router:

  # tcpdump -ni any
  tcpdump: listening on any
  22:54:17.981373 192.168.31.2 > 192.168.14.1: icmp: echo request (DF)
  22:54:17.982174 192.168.14.1 > 192.168.14.1: icmp: echo reply
  22:54:18.981352 192.168.31.2 > 192.168.14.1: icmp: echo request (DF)
  22:54:18.982102 192.168.14.1 > 192.168.14.1: icmp: echo reply

  *but*: sitting at the router and pinging 192.168.31.2:

  % ping -nc1 192.168.31.2
  PING 192.168.31.2 (192.168.31.2): 56 data bytes
  64 bytes from 192.168.31.2: icmp_seq=0 ttl=128 time=3.6 ms

would you agree with me that there's something wrong?

but in any case, would you like to tell me _what_ is wrong?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
  
two manic depressives named mastick
had marital problems, quite drastic.
her mood swings were mild,
but his were quite wild.
the two were not homoscedastic.




Re: weird routing problem

2002-05-06 Thread martin f krafft
also sprach martin f krafft [EMAIL PROTECTED] [2002.05.06.2302 +0200]:
  212.54.xxx.12   router   192.168.14.1
                                |
                                |
                                |
                192.168.14.31   fw   192.168.31.1
                                           |
                                           |
                                           |
                                         host  192.168.31.2

oh, and before i forget,

192.168.31.2 can ping any of the one-legged hosts in 192.168.14.0/24.
192.168.31.2 can *not* ping any other fw like 192.168.14.31 in
  192.168.14.0/24, even though the fw allows icmp ping requests.
  (the fw's are fw-1's on windoze, so debugging's like impossible)
192.168.14.17 and any other host on 192.168.14.0/24 can not ping
  192.168.14.1 with the static routes in place. if i remove the
  static routes on the router, then everything's fine.

this looks to me like a massive linux routing problem, or i really
screwed up (which is hard to imagine, for i've done these things many
times before).

the router is debian woody, custom 2.4.18 kernel with HTB+IMQ (QoS)
patches.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
  
women love us for our defects.
 if we have enough of them,
 they will forgive us everything,
 even our gigantic intellects.
-- oscar wilde




[SOLVED] Re: weird routing problem

2002-05-06 Thread martin f krafft
the problem is solved, but i don't understand why. the reason for the
weird pings from 192.168.31.2 to 192.168.14.1, which resulted in:

  echo request: 192.168.31.2 -> 192.168.14.1
  echo reply:   192.168.14.1 -> 192.168.14.1

but which weren't a problem the other way:
  
  echo request: 192.168.14.1 -> 192.168.31.2
  echo reply:   192.168.31.2 -> 192.168.14.1

are the following netfilter/iptables mangle rules:

  iptables -t mangle -N mark-embryo
  iptables -t mangle -A mark-embryo -j MARK --set-mark 192168141
  iptables -t mangle -A INPUT -j mark-embryo

which i use for QoS to mark all packets entering the router with the
decimal mark 192168141. this caused the echo replies to be
rewritten/affected somehow, which is something that i can't explain,
and which definitely looks like a bug to me. the MARK netfilter target
doesn't (shouldn't) have any effect on the actual IP information!!!

any thoughts?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
  
this site has moved.
we'd tell you where, but then
we'd have to delete you.




Re: weird routing problem??

2001-05-23 Thread Kevin Ross
   ezekiel:/home/thoover# route -n
   Kernel IP routing table
   Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
   192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
   0.0.0.0         192.168.1.11    0.0.0.0         UG    0      0        0 eth0

There's your problem.  Your gateway should be 192.168.1.10, not
192.168.1.11.

-- Kevin





Re: weird routing problem??

2001-05-23 Thread Iwan Mouwen
  Internet
 |
 | (external NIC)
 |
   ariel 
   |   |
(192.168.1.10) |   | (192.168.247.10) --- (two internal NICs)
   |   |
   |   |___
  ||
  ||
  ||
 wiredSubnet wirelessSubnet
 -   ---
 taz (192.168.1.2)   paltiel (192.168.247.6)
 woody (192.168.1.3)
 ezekiel (192.168.1.4)
 noah (192.168.1.5)
 
ezekiel:/home/thoover# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.11    0.0.0.0         UG    0      0        0 eth0
                          ^^
This should be 10.
With the current setting Ezekiel can indeed connect to Ariel (that's on
the same subnet), but it doesn't know how to reach other networks.


Iwan.
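The route selection Iwan describes, replayed as an added example (not code from the thread): ezekiel's `route -n` text below is constructed from the original post, and the set of known routers, {192.168.1.10}, is taken from the network diagram.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Set

# Constructed from ezekiel's `route -n` in the post: the default gateway is
# bethel (.11), not ariel (.10), the only box that knows about 192.168.247.0/24.
EZEKIEL_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.11    0.0.0.0         UG    0      0        0 eth0
"""

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None when the "G" flag is absent (on-link)
    iface: str

def parse_route_n(text: str) -> List[Route]:
    """Parse `route -n` output into Route entries, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue
        network = ipaddress.IPv4Network(f"{f[0]}/{f[2]}")  # Destination/Genmask
        gateway = ipaddress.IPv4Address(f[1]) if "G" in f[3] else None
        routes.append(Route(network, gateway, f[7]))
    return routes

def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, as the kernel does; metric would only break ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.network.prefixlen)

def next_hop(routes: List[Route], dst: str) -> str:
    """Address the frame is really sent to: the gateway, or dst itself when on-link."""
    route = lookup(routes, dst)
    return str(route.gateway) if route.gateway else dst

def unexpected_gateways(routes: List[Route], known_routers: Set[str]) -> Set[str]:
    """Gateways in the table that are not a router we expect to forward for this host."""
    return {str(r.gateway) for r in routes if r.gateway} - known_routers

if __name__ == "__main__":
    table = parse_route_n(EZEKIEL_ROUTE_N)
    print(next_hop(table, "192.168.1.10"))   # ariel is on-link: reachable whatever the gateway
    print(next_hop(table, "192.168.247.6"))  # paltiel: handed to .11, which is not ariel
    print(unexpected_gateways(table, {"192.168.1.10"}))
```

The same check run against the tables of the other hosts in the thread would flag nothing, which matches who could and could not reach the wireless subnet.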



Re: weird routing problem??

2001-05-23 Thread Tom Hoover
Duh...thanks for pointing out the obvious...I knew that it had to be something
simple!  I now remember changing ezekiel's gateway to bethel (.11) when I
needed to temporarily take ariel down for a hard drive change.  I hadn't used
the laptop since that time, and I evidently forgot to change the gateway back.
I'll bet that I'll find that my son changed the gateway on woody at the same
time, so that he could continue to access the Internet while ariel was down.

Thanks to all!

On Wed, May 23, 2001 at 01:06:38AM -0700, Kevin Ross wrote:
 ezekiel:/home/thoover# route -n
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
 0.0.0.0         192.168.1.11    0.0.0.0         UG    0      0        0 eth0
 
 There's your problem.  Your gateway should be 192.168.1.10, not
 192.168.1.11.

-- 
Tom Hoover N5NTM [EMAIL PROTECTED] - http://www.hisword.net/tom
- checkout HisWord(tm) Palmtop Bible at the above URL -
 --- finger [EMAIL PROTECTED] for PGP key 



weird routing problem??

2001-05-22 Thread Tom Hoover
My network at home is setup as follows:

 Internet
|
| (external NIC)
|
  ariel 
  |   |
   (192.168.1.10) |   | (192.168.247.10) --- (two internal NICs)
  |   |
  |   |___
 ||
 ||
 ||
wiredSubnet wirelessSubnet
-   ---
taz (192.168.1.2)   paltiel (192.168.247.6)
woody (192.168.1.3)
ezekiel (192.168.1.4)
noah (192.168.1.5)


This setup has worked fine for months, properly routing traffic between the
wired and wireless subnets, and also allowing both subnets to access the
Internet using IPMasq.  I hadn't used the laptop for over a month, and when I
fired it up today is when I noticed these unusual problems.

1. paltiel (on the wireless subnet) can still access the Internet just fine,
but it is acting weird when accessing the wiredSubnet.  paltiel can access
taz and noah, but cannot access ezekiel nor woody (neither ssh nor ping works).
The following traceroute to taz is normal:

   paltiel:/home/thoover# traceroute taz  
   traceroute to taz (192.168.1.2), 30 hops max, 38 byte packets
   1  192.168.247.10 (192.168.247.10)  8.991 ms  10.798 ms *
   2  taz (192.168.1.2)  10.672 ms  10.282 ms  10.465 ms

but the following traceroute to ezekiel doesn't work:

   paltiel:/home/thoover# traceroute ezekiel
   traceroute to ezekiel (192.168.1.4), 30 hops max, 38 byte packets
   1  192.168.247.10 (192.168.247.10)  137.452 ms  10.118 ms  24.051 ms
   2  * * *
   3  * * *
   4  * * *
   5  * * *

2. From the wired side, taz and noah can ping paltiel, but neither ezekiel nor
woody can ping paltiel (which I think confirms a routing problem).  For some
reason ariel is able to properly route between paltiel and either taz or noah,
but not between paltiel and either ezekiel or woody.  All machines can connect
to ariel, and ariel can connect to all other machines (including ezekiel and
woody).  I thought it was some kind of weird routing problem, so here's the
routing tables for both paltiel, ariel and ezekiel (which all appear normal to
me):

   paltiel:/home/thoover# route -n
   Kernel IP routing table
   Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
   192.168.247.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
   0.0.0.0         192.168.247.10  0.0.0.0         UG    1      0        0 eth0

   ariel:/home/thoover# route -n
   Kernel IP routing table
   Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
   216.87.138.200  0.0.0.0         255.255.255.248 U     0      0        0 eth0
   192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
   192.168.247.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
   0.0.0.0         216.87.138.201  0.0.0.0         UG    0      0        0 eth0

   ezekiel:/home/thoover# route -n
   Kernel IP routing table
   Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
   192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
   0.0.0.0         192.168.1.11    0.0.0.0         UG    0      0        0 eth0


HELP!!  Does anyone have any idea what I should check next?  The only change
that has been made to any of the systems since they were working normally is a
couple of apt-get update; apt-get upgrades over the past month.  BTW- all
machines are running potato with kernel 2.2.15.

-- 
Tom Hoover N5NTM [EMAIL PROTECTED] - http://www.hisword.net/tom
- checkout HisWord(tm) Palmtop Bible at the above URL -
 --- finger [EMAIL PROTECTED] for PGP key 



weird routing problem

1998-04-13 Thread Hamish Moffatt
Weird routing problem here. I have a network which looks like this:

  pc1 -ethernet- linux1 -ppp- central -ppp- linux2 -ethernet- pc2
                                 |
                                 V
                              internet

That is, there are two separate ethernets, which both have a linux router
with PPP to the central system. They are both halves of a class C;
pc1 and linux1 are on (say) 192.168.1.0/25, and pc2 and linux2 are
on 192.168.1.128/25. Both linux1 and linux2 do masquerading for
hosts that are on the internet and not the private network.

Everybody can reach the internet just fine, and everybody can reach
the central machine just fine. However, pc1 (running Linux)
can ping pc2, but neither pc2 nor linux2 can ping pc1. They can both
ping linux1 though. Traceroute shows that the route gets stuck
after reaching linux1 (on linux1's PPP interface address).

tcpdump shows that pc1 receives the ICMP echo request packets
and sends an ICMP echo reply, but linux1 never sees them going over
the PPP link.

I am completely baffled as to how ping can work in one direction
but not another. (And it's not just ping; pc1 can telnet to linux2,
but linux2 can't telnet to pc1 -- it never connects.)

Here is the IP forwarding/masq setup script from linux1:

# set default policy
ipfwadm -F -p deny

# allow local hosts to talk to yodeller and the dialups direct
# -b is for bidirectional
ipfwadm -F -a a -b -S 192.168.1.0/25 -D yodeller/32
ipfwadm -F -a a -b -S 192.168.1.0/25 -D dialup-1/32
ipfwadm -F -a a -b -S 192.168.1.0/25 -D dialup-2/32

# set up the ip masquerading 
ipfwadm -F -a m -S 192.168.1.0/25 -D 0.0.0.0/0

(yodeller is the central machine, dialup-1 and dialup-2 are the names
for the PPP interfaces on linux1 and linux2).

linux2 has an identical script with 192.168.1.128 instead of .1.0.
This gives:

bash-2.00# ipfwadm -F -l
IP firewall forward rules, default policy: deny
type  prot source   destination  ports
acc   all  localnet/25  yodeller.rising.com.au n/a
acc   all  localnet/25  dialup-1.rising.com.au n/a
acc   all  localnet/25  dialup-2.rising.com.au n/a
acc/m all  localnet/25  anywhere n/a

Routes on linux1 look fine:

bash-2.00# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
yodeller.rising *               255.255.255.255 UH    0      0        2 ppp0
yodeller.rising *               255.255.255.255 UH    1      0       11 sl0
localnet        *               255.255.255.128 U     0      0       58 eth0
127.0.0.0       *               255.0.0.0       U     0      0       32 lo
default         *               0.0.0.0         U     0      0       11 ppp0
default         *               0.0.0.0         U     1      0       16 sl0

(linux1 is running diald, just to confuse the issue.)

Route table on pc1:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.128 U     0      0        2 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    1      0       16 eth0

I just added 

ipfwadm -F -a a -b -S 192.168.1.0/25 -D 192.168.1.128/25

and vice-versa to the machines too and it still doesn't work -- I can
still ping linux2 from pc1, but not vice-versa.

Any ideas? It makes no sense to me!


thanks,
hamish
-- 
Hamish Moffatt, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Latest Debian packages at ftp://ftp.rising.com.au/pub/hamish. PGP#EFA6B9D5
CCs of replies from mailing lists are welcome.   http://hamish.home.ml.org

