Re: Problems with IP forwarding

From: prg (rdgentry1_at_cablelynx.com)
Date: 02/09/05


Date: 8 Feb 2005 18:18:17 -0800


trevorelbourne@gmail.com wrote:
> You are indeed correct. We own a class C internet address,
> 203.1.78.0-203.1.78.255, and the LAN has been set up so that all our
> machines have an address in this range. I have only been here a month
> or so, so I don't quite understand why it has been set up this way. It
> may change in time.
>
> Even so, I don't see how the choice of LAN IPs could influence the
> problem I am seeing, i.e. my GW not forwarding traffic? Am I missing
> something?

Well, once ip_forward is turned on, the problems always lie in
misconfiguration. Question is, "Where?"

Did not note in previous post that loopback is not entered in GW/beaker
route table. You need a loopback interface entered. It can cause
difficulty with ICMP packets like arp, among others, without it.

Still no joy?

Select one lan machine and work with it till you get connectivity. On
it check/post:
$ /sbin/ifconfig -a
$ /sbin/route -n
Make sure the netmask is correct and that IP address is on the
203.1.78.0 subnet. The other available subnets will not work in the
lan. Configure loopback. Make sure there is a route entry for net
203.1.78.0 and GW/default route set to 203.1.78.3.

On GW/beaker turn off the firewall -- # /etc/init.d/iptables stop
Add loopback interface to route table. Confirm ip_forward=1 is in
effect. On it check/post:
$ /sbin/ifconfig -a
$ /sbin/route -n
Confirm that route table still looks good -- with loopback added.

On FW/bunsen turn off firewall if possible. If you can't turn off the
firewall, make sure your rules are not dropping/rejecting ICMP traffic
or dropping pings or anything else that might interfere -- can't be
more specific since I don't know your rule setup/policies. It's always
easiest and _much_ less error prone just to turn it off if you can. On
it check/post:
$ /sbin/ifconfig -a
$ /sbin/route -n
Confirm loopback configured and is present in route table. Make sure
that route table net entries exist for _both_ 203.1.78.64 and
203.1.78.0. This assumes that it will have a default route/GW on the
ISP interface. You may need to add an explicit GW entry for 203.1.78.0
on the GW/beaker interface.

Once the configs look OK -- i.e., no obvious mistakes, etc. -- it's time
to systematically ping from one end to the other. From your chosen lan
host:

$ ping 127.0.0.1
$ ping hos.tIP.add.res <- host's IP
$ ping 203.1.78.3 <- GW's lan nic (default route)
$ ping 203.1.78.65 <- GW's FW nic
$ ping 203.1.78.?? <- FW's GW nic
$ ping 203.1.78.?? <- FW's ISP nic
$ ping 203.1.78.?? <- FW's default route

You can also try traceroute as it uses UDP packets -- in case something
is dropping the pings.

No joy?

Same procedure starting from FW end working toward the lan host using
the GW/beaker nic's address.
$ ping 127.0.0.1
$ ping hos.tIP.add.res <- FW host's IP
$ ping 203.1.78.65 <- GW's FW nic
$ ping 203.1.78.3 <- GW's lan nic
$ ping 203.1.78.?? <- lan host's nic

And last but not least, work from both nics' IP addresses on GW/beaker
to the FW's ISP nic IP and the lan host's IP. Use $ ping
-I[dev/address] target.

All I can think to do for now. I always, very boringly, follow the
same routine when locating a connectivity/networking problem. I always
know what I'm expecting and successes as well as failures are valuable
clues. If still no joy, I might try a few "hunches" but I would plan
on getting the sniffer out real soon.

good luck,
prg
email above disabled
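
Added example (not part of prg's post): a small shell helper for the routine described above, checking `route -n` output for a required net and default gateway, then probing hops in order and reporting the last hop that answered and the first that did not. The function names, the script name walk.sh and the sample route table (including its genmask) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the checks above.

# Command used to test one hop; override PROBE to dry-run without a network.
PROBE=${PROBE:-"ping -c 1 -W 2"}

# Constructed `route -n` output for a LAN host (genmask is an assumption;
# the post does not state it).
sample_routes() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.1.78.0      0.0.0.0         255.255.255.192 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.1.78.3      0.0.0.0         UG    0      0        0 eth0
EOF
}

# has_route NET  (reads `route -n` text on stdin): succeed if NET is listed.
has_route() {
    awk -v net="$1" '$1 == net { found = 1 } END { exit !found }'
}

# default_gw  (reads `route -n` text on stdin): print the default gateway.
default_gw() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# walk_hops HOP...: probe hops in order, stop at the first one that fails.
# The fault lies between last_ok and first_fail.
walk_hops() {
    last_ok=none
    for hop in "$@"; do
        if $PROBE "$hop" >/dev/null 2>&1; then
            last_ok=$hop
        else
            echo "last_ok=$last_ok first_fail=$hop"
            return 1
        fi
    done
    echo "last_ok=$last_ok first_fail=none"
}

# Usage (hypothetical script name): sh walk.sh 127.0.0.1 203.1.78.3 203.1.78.65
if [ "$#" -gt 0 ]; then
    echo "default gw: $(/sbin/route -n | default_gw)"
    walk_hops "$@"
fi
```

Run it from the LAN host first, then from the FW end with the hop order reversed, as the post describes.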


