Network Routing - Help


Thread: Network Routing

  1. Network Routing

    Apologies if this is not the correct list.

    I have a linux box with kernel 2.6.11.7 which I am trying to configure
    as a router. I have a cable modem connected to a firewall/router
    (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    connected to the firewall/router. Also connected to yoda is another
    network (with computer foo 192.168.1.3). I can access the internet from
    yoda and I can access yoda from foo, but I cannot access the internet
    from foo.

    yoda has the correct interface configuration and routing table

    192.168.2.0 * 255.255.255.0 eth1
    192.168.1.0 * 255.255.255.0 eth0
    default 192.168.2.1 0.0.0.0 eth1

    and I have ip forwarding enabled:

    $ cat /proc/sys/net/ipv4/ip_forward
    1

    From what I have found in the HOWTOs and documentation this is all I
    should have to do.

    I do not need to do any masquerading so I do not see the need for
    netfiltering, is this assumption correct?

    What am I missing?

    Thanks in advance.

    Vivian McPhail

  2. Re: Network Routing

    On Sun, 17 Apr 2005, Vivian McPhail wrote:
    > Apologies if this is not the correct list.
    >
    > I have a linux box with kernel 2.6.11.7 which I am trying to configure
    > as a router. I have a cable modem connected to a firewall/router
    > (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    > connected to the firewall/router. Also connected to yoda is another
    > network (with computer foo 192.168.1.3). I can access the internet from
    > yoda and I can access yoda from foo, but I cannot access the internet
    > from foo.
    >
    > yoda has the correct interface configuration and routing table
    >
    > 192.168.2.0 * 255.255.255.0 eth1
    > 192.168.1.0 * 255.255.255.0 eth0
    > default 192.168.2.1 0.0.0.0 eth1
    >
    > and I have ip forwarding enabled:
    >
    > $ cat /proc/sys/net/ipv4/ip_forward
    > 1
    >
    > From what I have found in the HOWTOs and documentation this is all I
    > should have to do.
    >
    > I do not need to do any masquerading so I do not see the need for
    > netfiltering, is this assumption correct?


    Not necessarily. Your router likely has no knowledge of, or any clue, how
    to route your 192.168.1.0/24 network.

    - If your router is capable of static routing, you could use yoda
    192.168.2.4 on it as a gateway for 192.168.1.0/24 network.

    - Or if your router is capable of setting a 255.255.0.0 netmask, you could
    enable proxy arp on eth1, so it would answer arp for eth0:

    echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

    - Or even if netmask on router is limited to 255.255.255.0 you could set
    eth0 to a portion of eth1 network and enable proxy_arp on eth1. For
    example based on my wireless subnet, you could set eth0 to 192.168.2.241
    netmask 255.255.255.249 broadcast 192.168.2.247 and have useable IPs on
    eth0 .242 - .246. PC(s) on eth0 would use eth0 IP as gateway. With
    proxy_arp enabled for eth1, it would answer arp requests for eth0 net,
    making it one happy LAN.

    - Or if all else fails, use iptables to masquerade your eth0 network as
    your eth1 IP.

  3. Re: Network Routing

    I use IPCOP. It's great.
    http://www.ipcop.org

    "Vivian McPhail" wrote in message
    news:4261bc85$1@clear.net.nz...
    > Apologies if this is not the correct list.
    >
    > I have a linux box with kernel 2.6.11.7 which I am trying to configure as
    > a router. I have a cable modem connected to a firewall/router
    > (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is connected
    > to the firewall/router. Also connected to yoda is another network (with
    > computer foo 192.168.1.3). I can access the internet from yoda and I can
    > access yoda from foo, but I cannot access the internet from foo.
    >
    > yoda has the correct interface configuration and routing table
    >
    > 192.168.2.0 * 255.255.255.0 eth1
    > 192.168.1.0 * 255.255.255.0 eth0
    > default 192.168.2.1 0.0.0.0 eth1
    >
    > and I have ip forwarding enabled:
    >
    > $ cat /proc/sys/net/ipv4/ip_forward
    > 1
    >
    > From what I have found in the HOWTOs and documentation this is all I
    > should have to do.
    >
    > I do not need to do any masquerading so I do not see the need for
    > netfiltering, is this assumption correct?
    >
    > What am I missing?
    >
    > Thanks in advance.
    >
    > Vivian McPhail




  4. Re: Network Routing

    Vivian McPhail wrote:

    > Apologies if this is not the correct list.
    >
    > I have a linux box with kernel 2.6.11.7 which I am trying to configure
    > as a router. I have a cable modem connected to a firewall/router
    > (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    > connected to the firewall/router. Also connected to yoda is another
    > network (with computer foo 192.168.1.3). I can access the internet from
    > yoda and I can access yoda from foo, but I cannot access the internet
    > from foo.




    Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
    would try and put in the same ones that are on yoda.

    Peter F

  5. Re: Network Routing

    Peter F wrote:
    > Vivian McPhail wrote:
    >
    >
    >>Apologies if this is not the correct list.
    >>
    >>I have a linux box with kernel 2.6.11.7 which I am trying to configure
    >>as a router. I have a cable modem connected to a firewall/router
    >>(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    >>connected to the firewall/router. Also connected to yoda is another
    >>network (with computer foo 192.168.1.3). I can access the internet from
    >>yoda and I can access yoda from foo, but I cannot access the internet
    >>from foo.

    >
    >
    >
    >
    > Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
    > would try and put in the same ones that are on yoda.
    >
    > Peter F


    I can't get from one card eth0 to the other eth1. Even when I use
    numbers not names.

  6. Re: Network Routing

    Vivian McPhail wrote:
    > Peter F wrote:
    >
    >> Vivian McPhail wrote:
    >>
    >>
    >>> Apologies if this is not the correct list.
    >>>
    >>> I have a linux box with kernel 2.6.11.7 which I am trying to configure
    >>> as a router. I have a cable modem connected to a firewall/router
    >>> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    >>> connected to the firewall/router. Also connected to yoda is another
    >>> network (with computer foo 192.168.1.3). I can access the internet from
    >>> yoda and I can access yoda from foo, but I cannot access the internet
    >>> from foo.

    >>
    >>
    >>
    >>
    >>
    >> Try checking /etc/resolv.conf on foo. It should have nameserver
    >> entries. I
    >> would try and put in the same ones that are on yoda.

    >
    > I can't get from one card eth0 to the other eth1. Even when I use
    > numbers not names.
    >

    What is foo's default gateway? Also, imagine the route that
    a packet will take to the Internet. foo puts it on the wire.
    If the default gateway is set to yoda, then it is sent to
    yoda. yoda picks it up and forwards it to the firewall. The
    firewall sends it out, presumably NATting it at the same
    time. It travels to the destination on the Internet. When the
    reply is sent from the Internet host it is directed to the
    firewall (which stuck its address in the packet when it
    NATted it). It arrives back at the firewall which deNATs it
    to the correct address. Problem! The firewall doesn't know
    where to send it. The firewall needs a route to foo's
    network via yoda!

    Cheers,

    Cliff

    --

    Barzoomian the Martian - http://barzoomian.blogspot.com

  7. Re: Network Routing

    On Mon, 18 Apr 2005 16:39:46 +1200, Vivian McPhail wrote:

    > Peter F wrote:
    >> Vivian McPhail wrote:
    >>
    >>
    >>>Apologies if this is not the correct list.
    >>>
    >>>I have a linux box with kernel 2.6.11.7 which I am trying to configure
    >>>as a router. I have a cable modem connected to a firewall/router
    >>>(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    >>>connected to the firewall/router. Also connected to yoda is another
    >>>network (with computer foo 192.168.1.3). I can access the internet from
    >>>yoda and I can access yoda from foo, but I cannot access the internet
    >>>from foo.

    >>
    >>
    >>
    >>
    >> Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
    >> would try and put in the same ones that are on yoda.
    >>
    >> Peter F

    >
    > I can't get from one card eth0 to the other eth1. Even when I use
    > numbers not names.


    I think you'll find that your firewall/router device has no knowledge of
    the 192.168.1.0/24 network so it is unable to route any traffic to foo.
    Read David's post for solution.


  8. Re: Network Routing

    Enkidu wrote:
    > Vivian McPhail wrote:
    >
    >> Peter F wrote:
    >>
    >>> Vivian McPhail wrote:
    >>>
    >>>
    >>>> Apologies if this is not the correct list.
    >>>>
    >>>> I have a linux box with kernel 2.6.11.7 which I am trying to configure
    >>>> as a router. I have a cable modem connected to a firewall/router
    >>>> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    >>>> connected to the firewall/router. Also connected to yoda is another
    >>>> network (with computer foo 192.168.1.3). I can access the internet
    >>>> from
    >>>> yoda and I can access yoda from foo, but I cannot access the internet
    >>>> from foo.
    >>>


    > >

    > What is foo's default gateway? Also, imagine the route that a packet
    > will take to the Internet. foo puts it on the wire. If the default
    > gateway is set to yoda, then it is sent to yoda. yoda picks it up and
    > forwards it to the firewall. The firewall sends it out, presumably
    > NATting it at the same time. It travels to the destination on the
    > Internet. When the reply is sent from the Internet host it is directed
    > to the firewall (which stuck its address in the packet when it NATted
    > it). It arrives back at the firewall which deNATs it to the correct
    > address. Problem! The firewall doesn't know where to send it. The
    > firewall needs a route to foo's network via yoda!
    >
    > Cheers,
    >
    > Cliff
    >


    The gateway is yoda, but the problem is that yoda doesn't forward the
    packet from the eth0 interface to the eth1 interface. (I have ip
    forwarding enabled on yoda). So from your scenario, yoda picks up the
    packet, and never sends it to the firewall.

    In confusion,

    Vivian

  9. Re: Network Routing

    Reader wrote:
    > On Mon, 18 Apr 2005 16:39:46 +1200, Vivian McPhail wrote:
    >
    >
    >>Peter F wrote:
    >>
    >>>Vivian McPhail wrote:
    >>>
    >>>
    >>>
    >>>>Apologies if this is not the correct list.
    >>>>
    >>>>I have a linux box with kernel 2.6.11.7 which I am trying to configure
    >>>>as a router. I have a cable modem connected to a firewall/router
    >>>>(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    >>>>connected to the firewall/router. Also connected to yoda is another
    >>>>network (with computer foo 192.168.1.3). I can access the internet from
    >>>>yoda and I can access yoda from foo, but I cannot access the internet
    >>>
    >>>>from foo.
    >>>
    >>>
    >>>
    >>>
    >>>Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
    >>>would try and put in the same ones that are on yoda.
    >>>
    >>>Peter F

    >>
    >>I can't get from one card eth0 to the other eth1. Even when I use
    >>numbers not names.

    >
    >
    > I think you'll find that your firewall/router device has no knowledge of
    > the 192.168.1.0/24 network so it is unable to route any traffic to foo.
    > Read David's post for solution.
    >


    foo 192.168.1.3
    yoda 192.168.1.1 and 192.168.2.4
    firewall 192.168.2.1 and external-ip

    from foo:

    ping yoda - works
    ping firewall - request times out.

    So, while I have to configure the firewall to route incoming traffic for
    the 192.168.1.0/24 network, that is not yet an issue, as packets can't
    get off the 192.168.1.0/24 network through my router.

  10. Re: Network Routing

    On Tue, 19 Apr 2005 15:08:54 +1200, Vivian McPhail
    wrote:

    >foo 192.168.1.3
    >yoda 192.168.1.1 and 192.168.2.4
    >firewall 192.168.2.1 and external-ip


    I notice your firewall isn't on the same Class C as the rest of the
    network. It's probably not important, but you may try it at
    192.168.1.2 and see if it makes a difference.

    --
    Joe Zeff
    The Guy With the Sideburns
    Kill as many as you can; I have a morbid love of excess.
    http://www.lasfs.org http://home.earthlink.net/~sidebrnz

  11. Re: Network Routing

    David Efflandt wrote:
    > On Sun, 17 Apr 2005, Vivian McPhail wrote:
    >
    >>Apologies if this is not the correct list.
    >>
    >>I have a linux box with kernel 2.6.11.7 which I am trying to configure
    >>as a router. I have a cable modem connected to a firewall/router
    >>(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    >>connected to the firewall/router. Also connected to yoda is another
    >>network (with computer foo 192.168.1.3). I can access the internet from
    >>yoda and I can access yoda from foo, but I cannot access the internet
    >>from foo.
    >>
    >>yoda has the correct interface configuration and routing table
    >>
    >>192.168.2.0 * 255.255.255.0 eth1
    >>192.168.1.0 * 255.255.255.0 eth0
    >>default 192.168.2.1 0.0.0.0 eth1
    >>
    >>and I have ip forwarding enabled:
    >>
    >>$ cat /proc/sys/net/ipv4/ip_forward
    >>1
    >>
    >> From what I have found in the HOWTOs and documentation this is all I
    >>should have to do.
    >>
    >>I do not need to do any masquerading so I do not see the need for
    >>netfiltering, is this assumption correct?

    >
    >
    > Not necessarily. Your router likely has no knowledge of, or any clue, how
    > to route your 192.168.1.0/24 network.
    >
    > - If your router is capable of static routing, you could use yoda
    > 192.168.2.4 on it as a gateway for 192.168.1.0/24 network.
    >
    > - Or if your router is capable of setting a 255.255.0.0 netmask, you could
    > enable proxy arp on eth1, so it would answer arp for eth0:
    >
    > echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
    >
    > - Or even if netmask on router is limited to 255.255.255.0 you could set
    > eth0 to a portion of eth1 network and enable proxy_arp on eth1. For
    > example based on my wireless subnet, you could set eth0 to 192.168.2.241
    > netmask 255.255.255.249 broadcast 192.168.2.247 and have useable IPs on
    > eth0 .242 - .246. PC(s) on eth0 would use eth0 IP as gateway. With
    > proxy_arp enabled for eth1, it would answer arp requests for eth0 net,
    > making it one happy LAN.
    >
    > - Or if all else fails, use iptables to masquerade your eth0 network as
    > your eth1 IP.


    First, the firewall has static routing with an entry to use yoda as the
    gateway for the 192.168.1.0/24 network, so packets should theoretically
    be able to be returned.

    However, all else failed and I tried to use iptables to masquerade the
    eth0 network. I had the most liberal forwarding policy possible.
    Unfortunately this did not work.

    It seems that, for some reason, packets are not being forwarded from eth0
    to eth1.

    I can ping yoda from foo. I can ping the firewall from yoda. I cannot
    ping the firewall from foo.

    As I mentioned earlier, I have ip_forward enabled.

    TIA

    Vivian

  12. Re: Network Routing

    Vivian McPhail wrote:
    >>
    >> I think you'll find that your firewall/router device
    >> has no knowledge of the 192.168.1.0/24 network so it
    >> is unable to route any traffic to foo.
    >> Read David's post for solution.

    >
    > foo 192.168.1.3
    > yoda 192.168.1.1 and 192.168.2.4
    > firewall 192.168.2.1 and external-ip
    >
    > from foo:
    >
    > ping yoda - works
    > ping firewall - request times out.
    >
    > So, while I have to configure the firewall to route
    > incoming traffic for the 192.168.1.0/24 network, that
    > is not yet an issue, as packets can't get off the
    > 192.168.1.0/24 network through my router.
    >

    What makes you think that? For a ping to work a packet has
    to get to the destination *and* back to the source.

    If a packet is sent to the firewall from foo, it goes to
    yoda and yoda passes the packet to the firewall. The
    firewall doesn't know where to route the return packet, (it
    only has an IP address) so yoda never gets a packet back to
    send on to foo.

    Cheers,

    Cliff

    --

    Barzoomian the Martian - http://barzoomian.blogspot.com

  13. Re: Network Routing

    Vivian McPhail wrote:
    > Enkidu wrote:
    >
    >> Vivian McPhail wrote:
    >>
    >>> Peter F wrote:
    >>>
    >>>> Vivian McPhail wrote:
    >>>>
    >>>>
    >>>>> Apologies if this is not the correct list.
    >>>>>
    >>>>> I have a linux box with kernel 2.6.11.7 which I am trying to configure
    >>>>> as a router. I have a cable modem connected to a firewall/router
    >>>>> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    >>>>> connected to the firewall/router. Also connected to yoda is another
    >>>>> network (with computer foo 192.168.1.3). I can access the internet
    >>>>> from
    >>>>> yoda and I can access yoda from foo, but I cannot access the internet
    >>>>> from foo.
    >>>>
    >>>>

    >
    >
    >> >

    >> What is foo's default gateway? Also, imagine the route that a packet
    >> will take to the Internet. foo puts it on the wire. If the default
    >> gateway is set to yoda, then it is sent to yoda. yoda picks it up and
    >> forwards it to the firewall. The firewall sends it out, presumably
    >> NATting it at the same time. It travels to the destination on the
    >> Internet. When the reply is sent from the Internet host it is directed
    >> to the firewall (which stuck its address in the packet when it NATted
    >> it). It arrives back at the firewall which deNATs it to the correct
    >> address. Problem! The firewall doesn't know where to send it. The
    >> firewall needs a route to foo's network via yoda!

    >
    > The gateway is yoda, but the problem is that yoda doesn't forward the
    > packet from the eth0 interface to the eth1 interface. (I have ip
    > forwarding enabled on yoda). So from your scenario, yoda picks up the
    > packet, and never sends it to the firewall.
    >

    Although it is common to loosely say "the router sends it to
    the firewall" or similar what actually happens is that the
    router puts the packet on the wire (leaving out a lot). "The
    router has a route to the firewall" means that it knows
    which interface to send on. So, the packet from foo arrives
    at yoda, and yoda *does have a route for it*. It knows that
    to reach the firewall, it has to put it on the right
    interface which it does, and the firewall picks it up. I'm
    convinced this is happening. At this stage the ping has not
    completed because the packet has to make it back to foo for
    the ping to succeed.

    The firewall looks at the packet. It *doesn't have a route
    for it* since it hasn't been told about the internal
    network. So it puts it on *its* default gateway interface,
    probably to the Internet, where it dies.

    The packet never makes it *back* to yoda, and therefore
    never makes it back to foo, therefore the ping fails. But
    the original ping packet DID reach yoda and DID get
    forwarded to the firewall.

    In networking, it is crucial to realise that there needs to
    be a route defined *back* to the source from the
    destination. The packet doesn't magically know the route
    back. A return packet has to be routed the same as the
    original packet.

    Cheers,

    Cliff

    --

    Barzoomian the Martian - http://barzoomian.blogspot.com
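
The return-path argument in posts 6, 12 and 13, together with two of the fixes listed in post 2 (a static route on the firewall, or masquerading on yoda), as an added example that is not part of the thread: a small Python model of the three hosts with longest-prefix routing. The host addresses come from the thread; the firewall's `WAN` default route, the `build`/`deliver`/`ping` helpers and the masquerade model are assumptions made for illustration.

```python
import ipaddress

# Constructed model (not from the thread): addresses are the thread's, the
# "WAN" next hop stands for the firewall's default route to the Internet.
def build(firewall_has_return_route=False):
    """Routes are (prefix, next_hop); next_hop None means directly connected."""
    net = {
        "foo": {"addrs": ["192.168.1.3"],
                "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]},
        "yoda": {"addrs": ["192.168.1.1", "192.168.2.4"],
                 "routes": [("192.168.2.0/24", None), ("192.168.1.0/24", None),
                            ("0.0.0.0/0", "192.168.2.1")]},
        "firewall": {"addrs": ["192.168.2.1"],
                     "routes": [("192.168.2.0/24", None), ("0.0.0.0/0", "WAN")]},
    }
    if firewall_has_return_route:  # static route: 192.168.1.0/24 via yoda
        net["firewall"]["routes"].append(("192.168.1.0/24", "192.168.2.4"))
    return net

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop (None = on-link)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def deliver(net, host, dst):
    """Forward hop by hop from host; return (path, reached_destination)."""
    path = [host]
    for _ in range(8):  # crude TTL
        if dst in net[host]["addrs"]:
            return path, True
        next_hop = lookup(net[host]["routes"], dst) or dst
        host = next((h for h, c in net.items() if next_hop in c["addrs"]), None)
        if host is None:  # left the LAN or nobody owns that address
            return path + ["dropped"], False
        path.append(host)
    return path, False

def ping(net, src_host, src_ip, dst_ip, masq=None):
    """masq=(host, outside_ip) if that host masquerades what it forwards."""
    request, ok = deliver(net, src_host, dst_ip)
    if not ok:
        return {"request": request, "reply": [], "ok": False}
    if masq and masq[0] in request[1:-1]:
        # The target saw masq's outside address; masq maps the reply back.
        leg1, ok1 = deliver(net, request[-1], masq[1])
        leg2, ok2 = deliver(net, masq[0], src_ip) if ok1 else ([], False)
        return {"request": request, "reply": leg1 + leg2[1:], "ok": ok1 and ok2}
    reply, ok = deliver(net, request[-1], src_ip)
    return {"request": request, "reply": reply, "ok": ok}

if __name__ == "__main__":
    cases = [("no return route", build(), None),
             ("static route on firewall", build(True), None),
             ("masquerade on yoda", build(), ("yoda", "192.168.2.4"))]
    for name, net, masq in cases:
        print(name, ping(net, "foo", "192.168.1.3", "192.168.2.1", masq))
```

In the first case the echo request does reach the firewall and only the reply is lost, which from foo looks the same as a request that yoda never forwarded.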

  14. Re: Network Routing

    On Tue, 19 Apr 2005 20:44:40 +1200, Enkidu
    wrote:

    >> So, while I have to configure the firewall to route
    > > incoming traffic for the 192.168.1.0/24 network, that
    > > is not yet an issue, as packets can't get off the
    > > 192.168.1.0/24 network through my router.
    > >

    >What makes you think that? For a ping to work a packet has
    >to get to the destination *and* back to the source.


    What does traceroute show?

    --
    Joe Zeff
    The Guy With the Sideburns
    If you can't play with words, what good are they?
    http://www.lasfs.org http://home.earthlink.net/~sidebrnz

  15. Re: Network Routing

    Vivian McPhail wrote:

    > Apologies if this is not the correct list.
    >
    > I have a linux box with kernel 2.6.11.7 which I am trying to configure
    > as a router. I have a cable modem connected to a firewall/router
    > (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
    > connected to the firewall/router. Also connected to yoda is another
    > network (with computer foo 192.168.1.3). I can access the internet from
    > yoda and I can access yoda from foo, but I cannot access the internet
    > from foo.




    Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
    would try and put in the same ones that are on yoda.

    Peter F
