Routing questions
From: Dennis (dennis_at_somedomain.invalid)
Date: 04/28/04
- Next message: dfield: "dumb wyse question"
- Previous message: Submarine: "Unable to cancel print jobs remotely"
- Next in thread: P Gentry: "Re: Routing questions"
- Reply: P Gentry: "Re: Routing questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 28 Apr 2004 23:20:33 +0200
Hi,
I have the following configuration:
        ----------SWITCH-----------
         VLAN1                VLAN2
          |  |                |  |
          |  +--Linux router---+ |
          |    eth1       eth0   |
          |                     LAN2
          |                   10.0.2.x
          |
          +--- LAN1 10.0.1.x
          |
      Cisco router
          |
      MPLS/Internet
Cisco router: 10.0.1.1
Linux router:
eth1: 10.0.1.254
eth0: 10.0.2.254
default gateway: 10.0.1.1
This will be a rather long message so please hang on :)
The Linux router is only a router. No firewalling
whatsoever. Maybe in the future but right now our
provider will handle this for us.
Here is the output for the following commands:
route:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        *               255.255.255.0   U     0      0        0 eth1
10.0.2.0        *               255.255.255.0   U     0      0        0 eth0
default         10.0.1.1        0.0.0.0         UG    0      0        0 eth1
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:0D:88:6F:6F:5F
inet addr:10.0.2.254 Bcast:10.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:123042 errors:0 dropped:0 overruns:0 frame:0
TX packets:66701 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14387206 (13.7 Mb) TX bytes:8597285 (8.1 Mb)
Interrupt:11 Memory:d9000000-0
eth1 Link encap:Ethernet HWaddr 00:0D:88:6F:6F:65
inet addr:10.0.1.254 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:83208 errors:0 dropped:0 overruns:0 frame:0
TX packets:122354 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10211944 (9.7 Mb) TX bytes:18027774 (17.1 Mb)
Interrupt:12 Memory:d9004000-0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1080 (1.0 Kb) TX bytes:1080 (1.0 Kb)
iptables -vL:
Chain INPUT (policy ACCEPT 19907 packets, 1941K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 197K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 19839 packets, 5373K bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables -vL -t nat:
Chain PREROUTING (policy ACCEPT 10078 packets, 1601K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 1012 packets, 89515 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1163 85823 MASQUERADE  all  --  any    any     anywhere            !10.0.0.0/16
Chain OUTPUT (policy ACCEPT 7 packets, 539 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain CUSTOMPOSTROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain CUSTOMPREROUTING (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain PORTFW (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTPORTFW (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain REDNAT (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain SQUID (0 references)
 pkts bytes target     prot opt in     out     source               destination
firewalling commands:
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -F -t nat
/sbin/iptables -t nat -A POSTROUTING -d ! 10.0.0.0/16 -j MASQUERADE
At first I didn't have the last rule.
Without this rule I was able to ping anything on the 10.0.1.x network
and anything on the 10.0.2.x network.
From the 10.0.1.x network I was able to get on the internet but not
from the 10.0.2.x network.
So I figured I needed the POSTROUTING rule in order to MASQUERADE any
traffic that is going to the internet.
So now everything seemed to work fine, until I started getting some
rather strange things.
For some reason the domain controller on LAN1 sometimes couldn't
find the domain controller on LAN2. And when I started a ping I
would get a "request timed out" at first and then replies.
Or just a lot of timeouts, and then if I wait a few minutes I
would get replies again.
After this I started to check some logs and I found a lot of
these kind of messages:
ll header: ff:ff:ff:ff:ff:ff:00:b0:c2:88:7d:28:08:06
martian source 10.0.1.11 from 10.0.2.254, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:b0:c2:88:7d:28:08:06
martian source 10.0.1.11 from 10.0.2.254, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:b0:c2:88:7d:28:08:06
martian source 10.0.1.11 from 10.0.2.254, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:b0:c2:88:7d:28:08:06
martian source 10.0.1.11 from 10.0.2.254, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:b0:c2:88:7d:28:08:06
I don't know where these packets are coming from since eth0
should only receive 10.0.2.x packets.
Does anyone know what is causing these packets and if there could be
something wrong with my Linux config that causes the "request timed
out" messages?
Thanks,
Dennis
Btw.
I hope my ASCII-Art will make it through in one piece :)
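An added example, not part of Dennis's message or the replies in this thread, that decodes the kernel's martian-source records quoted above. The kernel prints the destination address first, then the source, then the ingress device, and the "ll header" line that follows is the raw 14-byte Ethernet header (destination MAC, source MAC, ethertype; 08:06 is ARP). The interface table is taken from the ifconfig output in the post; the two extra sample lines are constructed to exercise the other branches.

```python
import ipaddress
import re

# Interface table taken from the post's ifconfig output.
IFACES = {"eth0": ipaddress.ip_interface("10.0.2.254/24"),
          "eth1": ipaddress.ip_interface("10.0.1.254/24")}
LOCAL_ADDRS = {i.ip for i in IFACES.values()}
# Kernel record: "martian source <dst> from <src>, on dev <if>" + "ll header: <14-byte Ethernet hdr>".
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)

def parse_ll_header(line):
    """Split the logged Ethernet header into dst MAC, src MAC and ethertype."""
    m = LL_RE.search(line)
    if not m:
        return None
    o = m.group(1).lower().split(":")
    etype = int(o[12] + o[13], 16)
    return {"dst_mac": ":".join(o[:6]), "src_mac": ":".join(o[6:12]),
            "ethertype": {0x0800: "IPv4", 0x0806: "ARP"}.get(etype, hex(etype))}

def classify_martian(line):
    """Name the source-address check that made the kernel log the packet."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    dst, src, dev = m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)
    if src in LOCAL_ADDRS:
        reason = "source is one of this host's own addresses"
    elif dev in IFACES and src not in IFACES[dev].network:
        owner = next((n for n, i in IFACES.items() if src in i.network), None)
        reason = f"source belongs to {owner or 'no attached subnet'}, arrived on {dev}"
    else:
        reason = "source plausible for ingress interface"
    return {"dst": dst, "src": str(src), "dev": dev, "reason": reason}

def analyse(log):
    """Pair each martian line with the ll header line that follows it, if any."""
    lines = log.strip().splitlines() + [""]
    return [dict(rec, frame=parse_ll_header(lines[i + 1]))
            for i, line in enumerate(lines[:-1]) if (rec := classify_martian(line))]

# Constructed sample: the pair quoted in the post, plus two made-up lines without ll header.
SAMPLE_LOG = """\
martian source 10.0.1.11 from 10.0.2.254, on dev eth0
ll header: ff:ff:ff:ff:ff:ff:00:b0:c2:88:7d:28:08:06
martian source 10.0.2.5 from 10.0.1.20, on dev eth0
martian source 10.0.2.5 from 192.168.7.9, on dev eth0
"""
```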