Hey Rob, I said "normally", this means: "not the only way to do it"! You are of course right, it depends on how you handle your gateway definitions AND how you set up your routes. Supernetting and subnetting are totally ok, but I doubt that every firewall script will handle this correctly. Regards, Philipp Rusch, Robert wrote:
Hello Philipp,
I'm sorry but I think you're wrong. You're right about the network classes, but you can of course route a network with a /12 network to a /19 network... and so on. I route 5 /19 networks with 3 /16 networks in every direction over one router, as long as they are not in one subnet.... For routing rules it is possible to route 192.168.0.0/16 to 10.62.56.0/24. All hosts have to use a default route to "the network card" of their router. If the router has 192.168.0.1 on eth1 and 10.62.56.1 on eth2, then the default route on the 10.* net is 10.62.56.1 and on 192.168.* it is 192.168.0.1... If you have IP forwarding enabled, it will work. But have a look at the other routing rules on the router and on the workstations.
CU Robert
-----Original Message-----
From: Philipp Rusch [mailto:philipp.rusch@rusch-edv.de]
Sent: Tuesday, 6 April 2004 22:28
To: suse-security@suse.com
Subject: Re: [suse-security] Multiple Internal Networks not Routing
Jason, OK, we are one step further!
To clarify: (this has been defined like that, there is no obvious technical reason for that, ok there are some reasons, but that would lead us too far)
there are classes of IP-networks:
A-class : mask /8
B-class : mask /16
C-class : mask /24
with some special addresses reserved for "private use", which means these are "unrouteable" addresses in terms of internet routes; that's the reason for NAT, for instance.
OK,
10.a.b.c "normally" has to have a /8 mask (type A class); you can divide this huge network of 16*16*16 hosts into smaller nets using a /16 or a /24 mask, for instance.
172.16.m.n "normally" has to have a /16 mask (type B class), but the same concept of breaking it down into parts applies as above; you are free to do so.
192.168.x.y "normally" has to have a /24 mask (type C class), which implies that you choose the "x" and then this part of the network address is fixed for your setup.
The advantage of having a 10.a.b.c/8 network instead of a 192.168.x.y/24 is that you can have more hosts belonging to the *same* network without the need to route.
In your case, if you are still free to choose your network addresses and don't have more than 254 hosts, I would strongly recommend that you go for something like 192.168.1.x/24 on eth1 and 192.168.2.y/24 on eth2, or if you have more hosts, go for 172.16.1.x/16 on eth1 if the majority of your hosts is there and take 192.168.2.x/24 for eth2.
Next question: what are the routing entries of your Windows PCs? They have to know about the other net as well!
Post a route print example output of both networks back here.
Regards, Philipp
Jason Dobbs wrote:
Ok, here is the tracert data:
From a Windows PC (192.168.65.228) to a Windows PC (10.62.56.8)
1 <1 ms <1 ms <1 ms 192.168.66.252
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
/var/log/messages
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24065 ]
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1246 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1531 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24321 ]
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1247 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1532 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24577 ]
Apr 6 04:22:48 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1534 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24833
Apr 6 04:22:52 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1577 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25089
Apr 6 04:22:56 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1579 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25345
Apr 6 04:23:01 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1581 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25601
Apr 6 04:23:05 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1589 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25857
Apr 6 04:23:10 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1591 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26113
Apr 6 04:23:14 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1593 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26369
Apr 6 04:23:19 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1597 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26625
Apr 6 04:23:23 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1599 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26881
Apr 6 04:23:28 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1601 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27137
Apr 6 04:23:32 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27393
Apr 6 04:23:37 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1607 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27649
Apr 6 04:23:41 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=5 ID=1609 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27905
192.168.66.252 is the gateway for the 192.168.0.0/16 network. 10.62.56.252 is the gateway for the 10.62.56.0/24 network.
As far as your note on /16 and /24 ... maybe I have them backwards! I thought 192.168.0.0 was /16 and 10.62.56.0 was /24!!!!!! <-- Please clarify this!
Thank You, Jason Dobbs . IT Manager Westin Casuarina Casino Las Vegas
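As an added example (not part of the thread), a small parser for the SuSE-FW kernel log lines Jason posted. It separates the ICMP "time exceeded" messages the firewall itself generated (whose bracketed part quotes the original probe) from the probes it accepted and forwarded from eth1 to eth2, so you can read off what the firewall actually did with the traceroute. The three sample lines are copied from the log above.

```python
import re
from typing import Dict, List, Optional

# Kernel log lines excerpted from the thread above (SuSEfirewall2 LOG targets).
SAMPLE_LOG = """\
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24065 ]
Apr 6 04:22:48 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1534 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24833
Apr 6 04:23:01 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1581 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25601
"""

_MSG = re.compile(r"kernel: SuSE-FW-(?P<rule>[A-Z-]+) (?P<body>.*)$")


def _fields(text: str) -> Dict[str, str]:
    """'IN= OUT=eth1 SRC=...' -> dict; an empty value such as IN= stays ''."""
    return dict(re.findall(r"(\w+)=(\S*)", text))


def parse_line(line: str) -> Optional[Dict]:
    """Split one SuSE-FW line into the rule name, the outer header fields and,
    for ICMP errors, the quoted original header from [ ... ] under 'quoted'."""
    m = _MSG.search(line)
    if not m:
        return None
    body, quoted = m.group("body"), None
    if "[" in body:
        # The quoted packet reuses the same key names (SRC, DST, TTL ...), so
        # parse it separately instead of letting it overwrite the outer header.
        body, inner = body.split("[", 1)
        quoted = _fields(inner.rstrip(" ]"))
    rec = {"rule": m.group("rule"), **_fields(body)}
    if quoted is not None:
        rec["quoted"] = quoted
    return rec


def forwarded(log: str, src: str, dst: str) -> List[Dict]:
    """Accepted packets src->dst that really crossed the box (IN and OUT set)."""
    recs = (parse_line(l) for l in log.splitlines())
    return [r for r in recs if r and r["rule"] == "ACCEPT-CLASS"
            and r["SRC"] == src and r["DST"] == dst and r["IN"] and r["OUT"]]


def ttl_exceeded_senders(log: str, src: str, dst: str) -> List[str]:
    """Routers that answered a src->dst probe with ICMP time exceeded (type 11)."""
    hops = []
    for r in (parse_line(l) for l in log.splitlines()):
        if (r and r.get("TYPE") == "11" and "quoted" in r
                and r["quoted"]["SRC"] == src and r["quoted"]["DST"] == dst):
            hops.append(r["SRC"])
    return hops
```

On the sample, the only time-exceeded sender is 192.168.66.252 (the firewall's own eth1 address, matching hop 1 of the tracert), while the TTL=1 and TTL=2 probes show up as forwarded eth1 -> eth2, so the outbound leg of the forwarding path is working.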
Philipp Rusch wrote:
Hello Jason, OK, I see ... what about my note about /16 and /24 masks? Do you *have* to do it like that?
When you leave both FW_MASQ_NETS="" (empty) and FW_FORWARD="" (empty) and do a traceroute from a host on eth1 to a host on eth2 or vice versa, what do you see in the firewall logs in /var/logs/messages?
Let's get this to work, Philipp
Jason Dobbs wrote:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
<public ip>     0.0.0.0         255.255.255.128 U     0      0        0 eth0
10.62.56.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         <public gw>     0.0.0.0         UG    0      0        0 eth0
IP forwarding is turned on in YaST!
Thank You, Jason Dobbs . IT Manager Westin Casuarina Casino Las Vegas p. 702.836.5939 f. 270.913.7462 mailto: jdobbs@casuarinacasino.com
Philipp Rusch wrote:
Hi Jason, what is your routing table looking like? Post route -nv back here. Are you routing at all? (set ip_forward=yes in YaST)
other comments inline ...
Jason Dobbs wrote:
--SNIP ---
FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail server ip>/32 10.62.56.0/24,<mail server ip>/32"
----------------------------------^ this ----------------------------------and this ^ is redundant, 192.168.65.224/27 is completely contained in the 192.168.0.0/16 network, which means all 192.168."something" nets ... you know that normally a 192.168.x.y net is a /24-type network and a 10.x.y.z has a /16 type mask??
--SNIP--
FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
192.168.0.0/16,10.62.56.0/24,udp,1:65535 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
What are you trying to do here? If routing just doesn't work, then forwarding doesn't help that much ...
I think something different is causing your troubles than missing entries here; it seems you did too much work, what you are trying to do is normally quite simple :-)
Regards from Germany, Philipp
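As an added example (not from the thread or from SuSEfirewall2 itself), a checker for the two variables Philipp commented on: it flags FW_MASQ_NETS entries whose source net is contained in another entry, and tests whether a given flow, such as the ICMP traceroute probe from 192.168.65.228 to 10.62.56.8, matches any FW_FORWARD rule. It assumes the entry syntax visible above (source_net[,dest_net] and source_net,dest_net,proto[,ports]); the redacted "<mail server ip>" is replaced by the documentation address 192.0.2.10.

```python
import ipaddress
from typing import List, Optional, Tuple

# Values copied from the thread; 192.0.2.10 (constructed) stands in for the
# "<mail server ip>" the poster redacted.
FW_MASQ_NETS = ("192.168.65.224/27 10.62.56.0/24 "
                "192.168.0.0/16,192.0.2.10/32 10.62.56.0/24,192.0.2.10/32")
FW_FORWARD = ("192.168.0.0/16,10.62.56.0/24,tcp,1:65535 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 "
              "192.168.0.0/16,10.62.56.0/24,udp,1:65535 10.62.56.0/24,192.168.0.0/16,udp,1:65535 "
              "192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp")


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def _masq_entries(value: str) -> List[Tuple[str, ipaddress.IPv4Network, Optional[str]]]:
    """FW_MASQ_NETS entry: 'source_net[,dest_net]'; dest_net limits where it applies."""
    out = []
    for raw in value.split():
        parts = raw.split(",")
        out.append((raw, _net(parts[0]), parts[1] if len(parts) > 1 else None))
    return out


def covered_entries(value: str) -> List[Tuple[str, str]]:
    """Entries fully subsumed by another one: source inside the other's source and
    the other's destination scope at least as wide (unrestricted, or identical)."""
    entries = _masq_entries(value)
    return [(raw, o_raw) for raw, src, dst in entries for o_raw, o_src, o_dst in entries
            if raw != o_raw and src.subnet_of(o_src) and o_dst in (None, dst)]


def overlapping_sources(value: str) -> List[Tuple[str, str]]:
    """Source nets strictly contained in another entry's source net, regardless of
    destination scope; the overlap Philipp points at in FW_MASQ_NETS above."""
    entries = _masq_entries(value)
    return [(raw, o_raw) for raw, src, _ in entries for o_raw, o_src, _ in entries
            if src != o_src and src.subnet_of(o_src)]


def forward_allows(value: str, src_ip: str, dst_ip: str, proto: str) -> bool:
    """True if some FW_FORWARD rule 'src_net,dst_net,proto[,ports]' covers the flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for raw in value.split():
        parts = raw.split(",")
        if len(parts) >= 3 and s in _net(parts[0]) and d in _net(parts[1]) and parts[2] == proto:
            return True
    return False
```

Run against the thread's values, the ICMP probe is permitted in both directions, which agrees with the SuSE-FW-ACCEPT-CLASS entries Jason later posted.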