Re: [opensuse-networking] Re: Return packet issues ....
On Dienstag 06 Mai 2008, LDB wrote:
> All: I am having a routing issue on a server with 2 interfaces that are SUPPOSEDLY on 2 different networks: one being the DMZ, the other being the internal network. So the internal interface (eth0) is also the interface with the default route (eth0). Now, the other gateways are configured within the /etc/sysconfig/network/ifcfg-eth-*, respectively.
>
> On my DMZ interface (eth1), I cannot route back through my firewall to get HTTPS traffic returned to the requestor (as indicated below) until I change the default route to the DMZ interface (eth1). Apparently the interface does not know how to route back through the eth1 interface to return the HTTPS traffic. But when I am traversing the network internally via SSH or HTTP everything seemingly routes fine with both eth0 and/or eth1 - in other words I do not have return traffic problems.
>
> The problem above is resolved once I make the DMZ interface (eth1) the default route, but that causes other problems that I am not prepared, or more embarrassed, to discuss.

And somewhere there the real problem is hidden; your network setup looks like it has a design flaw :)

> How can this be resolved without making the DMZ interface my default route?

From the information you give, I guess setting up simple source policy routing will do the trick.

ip rule add from <dmz-ip> lookup 10000
ip route add default via <default-gw> dev <dmz-iface> table 10000
ip route flush cache

This makes sure that packets with source IP <dmz-ip> are routed on the <dmz-iface> to <default-gw>.

regards,
Paul

--
To unsubscribe, e-mail: opensuse-networking+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-networking+help@xxxxxxxxxxxx

I apologize but I am having email problems, but my results from the above are as follows:

agos:~ # ip rule add from 192.168.100.0/24 lookup 0
agos:~ # ip route add default via 192.168.100.254 dev eth1 table 0
RTNETLINK answers: File exists
agos:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 eth1
192.168.187.0   *               255.255.240.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         DFR             0.0.0.0         UG    0      0        0 eth0

And yes ... the NETWORK is messed up, but this is what I have inherited for now and I have to live with for this year ONLY. :)
On Freitag 09 Mai 2008, LDB wrote:
> I apologize but I am having email problems, but my results from the above are as follows:
>
> agos:~ # ip rule add from 192.168.100.0/24 lookup 0

You can't use lookup table 0, it's reserved (IMHO for ALL). The ip rule command will automatically use the next (until now not used) table by default. So

ip rule list
32765:  from 192.168.100.0/24 lookup 1
32766:  from all lookup main
32767:  from all lookup default

will show it has used lookup table 1.

You can also give a name, if a number is nothing that you like :)

# remove the old rule
ip rule del from 192.168.100.0/24 lookup 1
# create a name associated to a number
echo 200 DMZ >> /etc/iproute2/rt_tables
ip rule add from 192.168.100.0/24 lookup DMZ

> agos:~ # ip route add default via 192.168.100.254 dev eth1 table 0
> RTNETLINK answers: File exists

Yes, table 0 is an alias for ALL and you already have a default route there. When you have used the name as described above you can now do a

ip route add default via 192.168.100.254 dev eth1 table DMZ
ip route flush cache

You can check what routing tables you have with:

ip route list              # this per default will show table "main"
ip route list table main
ip route list table DMZ
ip route list table all

If you like to learn more about this, have a look at http://lartc.org/howto/

regards,
Paul
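As an added example (my own, not code from the thread or from Paul), here is the same source policy routing recipe as an idempotent script with the thread's values as defaults; the table-id range check, the rt_tables duplicate check and the DRY_RUN mode are assumptions of this example, not something the thread describes.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent version of the
# source policy routing recipe above. Defaults are the thread's values
# (DMZ 192.168.100.0/24 on eth1, gateway 192.168.100.254, table DMZ=200).
# With DRY_RUN=1 (the default) the ip commands are only printed, so the
# result can be reviewed before it is applied to a live box.
set -eu

DMZ_NET="${DMZ_NET:-192.168.100.0/24}"
DMZ_GW="${DMZ_GW:-192.168.100.254}"
DMZ_IF="${DMZ_IF:-eth1}"
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-DMZ}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Ids 1..252 are the classic range for local tables. 0 means "all tables"
# (hence the "File exists" error above); 253, 254, 255 are default/main/local.
check_table_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 252 ]
}

# Register the name->id mapping once; re-running never duplicates the line.
ensure_table_name() {
    grep -qs "^${TABLE_ID}[[:space:]][[:space:]]*${TABLE_NAME}\$" "$RT_TABLES" && return 0
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo '$TABLE_ID $TABLE_NAME' >> $RT_TABLES"
    else
        echo "$TABLE_ID $TABLE_NAME" >> "$RT_TABLES"
    fi
}

# Remove any old rule before adding, use 'replace' for the route so a
# stale default in the table cannot linger, then flush the route cache.
setup_policy_routing() {
    check_table_id "$TABLE_ID" || { echo "bad table id: $TABLE_ID" >&2; return 1; }
    ensure_table_name
    run ip rule del from "$DMZ_NET" lookup "$TABLE_NAME" 2>/dev/null || true
    run ip rule add from "$DMZ_NET" lookup "$TABLE_NAME"
    run ip route replace default via "$DMZ_GW" dev "$DMZ_IF" table "$TABLE_NAME"
    run ip route flush cache
}

setup_policy_routing
```

Set DRY_RUN=0 and run it as root to apply; ip rule list and ip route list table DMZ then show the result, as in the checks above.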
Paul Zirnik wrote:
> [...]
Paul:

Thank you for your help ...

It still does not work properly. The "route" command hangs and traffic to and from the server is "slow" after the source routing additions. E.g., SSHing to the server takes about 1 to 2 minutes now, HTTP takes even longer.

I am pretty sure it is not the commands. It is our network. :)

I inherited something that needs to be resolved in a serious way.

Here are the results ...

agos:~ # ip rule list
0:      from all lookup local
32765:  from 192.168.100.0/24 lookup DMZ
32766:  from all lookup main
32767:  from all lookup default

agos:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:19:BB:2A:22:23
          inet addr:192.168.191.51  Bcast:192.168.191.255  Mask:255.255.240.0
          inet6 addr: fe80::219:bbff:fe2b:2340/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8113407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3701187 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:995847190 (949.7 Mb)  TX bytes:5025583161 (4792.7 Mb)
          Interrupt:185 Memory:f8000000-f8012100

eth1      Link encap:Ethernet  HWaddr 00:19:BB:2A:24:20
          inet addr:192.168.100.67  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::219:bbff:fe2b:2350/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1662500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:479760 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1302574476 (1242.2 Mb)  TX bytes:214835241 (204.8 Mb)
          Interrupt:114 Memory:fa000000-fa012100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:28242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28242 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:146324676 (139.5 Mb)  TX bytes:146324676 (139.5 Mb)

agos:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 eth1
192.168.x.0     *               255.255.240.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         myr.in.poop.    0.0.0.0         UG    0      0        0 eth0

agos:~ # ip route add default via 192.168.100.254 dev eth1 table DMZ
agos:~ # ip route flush cache
agos:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
agos:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.x.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.x.y     0.0.0.0         UG    0      0        0 eth0
agos:~ # ip route list table DMZ
default via 192.168.100.254 dev eth1

LDB
LDB wrote:
> [...]
And after further investigation, apparently in SSHing to DMZ servers, it is having trouble with DNS lookups:

ldb@agos:~> ssh wherewe
ssh: wherewe: Temporary failure in name resolution

but ...

ldb@agos:~> host wherewe
wherewe.dmzserver.org has address 192.168.100.89

comes back just fine ...
On Sonntag 11 Mai 2008, LDB wrote:
> And after further investigation, apparently in SSHing to DMZ servers, it is having trouble with DNS lookups:
>
> ldb@agos:~> ssh wherewe
> ssh: wherewe: Temporary failure in name resolution
>
> but ...
>
> ldb@agos:~> host wherewe
> wherewe.dmzserver.org has address 192.168.100.89
>
> comes back just fine ...

On which network is your DNS server located?

cat /etc/resolv.conf
cat /etc/nsswitch.conf

Maybe it does not allow queries from 192.168.100.x? Try

# -b sets the source address the query is sent from
dig -b <eth0-ip> wherewe.dmzserver.org @<dns-server>
dig -b <eth1-ip> wherewe.dmzserver.org @<dns-server>

any differences?

regards,
Paul