Hello Philipp,
I'm sorry, but I think you're wrong.
You're right about the network classes, but you can of course
route a network with a /12 network to a /19 network, and so on.
I route 5 /19 networks with 3 /16 networks in every direction over one router.
As long as they are not in one subnet...
For routing rules it is possible to route 192.168.0.0/16 to 10.62.56.0/24.
All hosts have to use a default route to "the network card" of their router.
If the router has 192.168.0.1 on eth1 and 10.62.56.1 on eth2, then the default route
on the 10.* net is 10.62.56.1 and on 192.168.* it is 192.168.0.1...
If you have IP forwarding enabled, it will work.
But have a look at the other routing rules on the router and on the workstations.
CU
Robert
-----Original Message-----
From: Philipp Rusch [mailto:philipp.rusch@rusch-edv.de]
Sent: Tuesday, 6 April 2004 22:28
To: suse-security(a)suse.com
Subject: Re: [suse-security] Multiple Internal Networks not Routing
Jason,
OK, we are one step further!
To clarify: (this has been defined like that,
there is no obvious technical reason for that,
ok there are some reasons, but that would lead us too far)
there are classes of IP-networks:
A-class : mask /8
B-class : mask /16
C-class : mask /24
with some special addresses reserved for "private use",
which means these are "unroutable" addresses in terms of
internet routes; that's the reason for NAT, for instance.
OK,
10.a.b.c "normally" has to have a /8 mask (type A class)
you can divide this huge network of 16*16*16 hosts in smaller
nets using a /16 or a /24 mask for instance.
172.16.m.n "normally" has to have a /16 mask (type B class)
but the same concept of breaking it down into parts applies
as above, you are free to do so.
192.168.x.y "normally" has to have a /24 mask (type C class)
which implies that you choose the "x" and then this part of
the network address is fixed for your setup.
The advantage of having a 10.a.b.c/8 network instead of a
192.168.x.y/24 is that you can have more hosts belonging to
the *same* network without the need to route.
In your case, if you are still free to choose your network
addresses and don't have more than 254 hosts, I would strongly
recommend that you go for something like 192.168.1.x/24 on eth1
and 192.168.2.y/24 on eth2 or if you have more hosts, go for
172.16.1.x/16 on eth1 if there is the majority of your hosts
and take 192.168.2.x/24 for eth2.
Next question: what are the routing entries of your Windows PCs?
They have to know about the other net as well!
Post a route print example output of both networks back here.
Regards, Philipp
Jason Dobbs schrieb:
> Ok here is the tracert data:
>
> From a windows PC (192.168.65.228) to a windows PC (10.62.56.8)
> -----------------------------------------------------------------
> 1 <1 ms <1 ms <1 ms 192.168.66.252
> 2 * * * Request timed out.
> 3 * * * Request timed out.
> 4 * * * Request timed out.
> 5 * * * Request timed out.
>
> /var/log/messages
> -----------------------------------------------------------------
> Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN=
> OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00
> PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228
> DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=24065 ]
> Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN=
> OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00
> PREC=0xC0 TTL=64 ID=1246 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228
> DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1531 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=24321 ]
> Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN=
> OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00
> PREC=0xC0 TTL=64 ID=1247 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228
> DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1532 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=24577 ]
> Apr 6 04:22:48 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=1 ID=1534 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24833
> Apr 6 04:22:52 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=1 ID=1577 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25089
> Apr 6 04:22:56 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=1 ID=1579 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25345
> Apr 6 04:23:01 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=2 ID=1581 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25601
> Apr 6 04:23:05 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=2 ID=1589 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25857
> Apr 6 04:23:10 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=2 ID=1591 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26113
> Apr 6 04:23:14 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=3 ID=1593 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26369
> Apr 6 04:23:19 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=3 ID=1597 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26625
> Apr 6 04:23:23 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=3 ID=1599 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26881
> Apr 6 04:23:28 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=4 ID=1601 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27137
> Apr 6 04:23:32 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=4 ID=1605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27393
> Apr 6 04:23:37 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=4 ID=1607 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27649
> Apr 6 04:23:41 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=5 ID=1609 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27905
>
>
> 192.168.66.252 is the gateway for the 192.168.0.0/16 network.
> 10.62.56.252 is the gateway for the 10.62.56.0/24 network.
>
> as far as your note on /16 and /24 ... maybe I have them backwards! I
> thought 192.168.0.0 was /16 and 10.62.56.0 was /24!!!!!! <-- Please
> clarify this!
>
> Thank You,
> Jason Dobbs . IT Manager
> Westin Casuarina Casino Las Vegas
>
> Philipp Rusch wrote:
>
>> Hello Jason,
>> OK, I see ...
>> what about my note about /16 and /24 masks ?
>> do you *have* to do it like that ?
>>
>> When you leave both FW_MASQ_NETS="" (empty)
>> and FW_FORWARD="" (empty)
>> and do a traceroute from a host on eth1 to a host on eth2
>> or vice versa, what do you see in the firewall logs in
>> /var/logs/messages ?
>>
>> Lets get this to work, Philipp
>>
>> Jason Dobbs schrieb:
>>
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> <public ip>     0.0.0.0         255.255.255.128 U     0      0        0 eth0
>>> 10.62.56.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
>>> 192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
>>> 0.0.0.0         <public gw>     0.0.0.0         UG    0      0        0 eth0
>>>
>>> ip forwarding is turned on in yast!
>>>
>>> Thank You,
>>> Jason Dobbs . IT Manager
>>> Westin Casuarina Casino Las Vegas
>>> p. 702.836.5939 f. 270.913.7462
>>> mailto: jdobbs(a)casuarinacasino.com
>>>
>>> Philipp Rusch wrote:
>>>
>>>> Hi Jason, what is your routing table looking like?
>>>> post route -nv back here
>>>> are you routing at all ? (set ip_forward=yes in YAST)
>>>>
>>>> other comments inline ...
>>>>
>>>> Jason Dobbs schrieb:
>>>>
>>>>> --SNIP ---
>>>>
>>>>> FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail
>>>>> server ip>/32 10.62.56.0/24,<mail server ip>/32"
>>>>
>>>> ----------------------------------^ this
>>>> ----------------------------------and this ^ is redundant,
>>>> 192.168.65.224/27 is completely contained
>>>> in the 192.168.0.0/16 network, which means all 192.168."something"
>>>> nets ...
>>>> you know that normally 192.168.x.y net is a /24-type network and a
>>>> 10.x.y.z has a /16 type mask ??
>>>>
>>>> --SNIP--
>>>>
>>>>> FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535
>>>>> 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
>>>>> 192.168.0.0/16,10.62.56.0/24,udp,1:65535
>>>>> 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
>>>>> 192.168.0.0/16,10.62.56.0/24,icmp
>>>>> 10.62.56.0/24,192.168.0.0/16,icmp"
>>>>> FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800
>>>>> 0/0,192.168.65.227,tcp,5900 \
>>>>> 0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
>>>>
>>>> what are you trying to do here ?
>>>> If routing just doesn't work then forwarding doesn't help that much
>>>> ...
>>>>
>>>> I think something different is causing your troubles than missing
>>>> entries here;
>>>> it seems you did too much work, it is normally quite simple, what
>>>> you try to do :-)
>>>>
>>>> Regards from Germany, Philipp
>>>>
>>>>
>>>
>>>
>>
>>
>
>
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help(a)suse.com
Security-related bug reports go to security(a)suse.de, not here
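The firewall log Jason quoted shows echo requests accepted eth1 -> eth2 but never an echo reply coming back, which is why both replies point at the hosts' default routes rather than at FW_FORWARD. As an added example that is not from anyone in this thread, the Python below parses SuSE-FW kernel log lines of that format, flags forwarded echo requests that got no reply on the reverse path, and does a longest-prefix lookup against the router's posted table; the sample log lines are constructed from the excerpt above.

```python
import re
import ipaddress
from collections import Counter
# Constructed sample modelled on the /var/log/messages excerpt in the thread: the
# router answers the TTL=1 probe itself, then forwards echo requests eth1 -> eth2.
SAMPLE_LOG = """\
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24065 ]
Apr 6 04:23:01 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1581 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25601
Apr 6 04:23:05 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1589 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25857
"""
LINE_RE = re.compile(r"kernel: (?P<tag>SuSE-FW-[A-Z-]+) (?P<rest>.*)")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_line(line):
    """One SuSE-FW log line -> {tag, KEY: value..., inner: {...}}, or None.
    The [...] part of a TYPE=11 (TTL exceeded) line is the header of the
    packet that expired; it is kept separately under 'inner'."""
    m = LINE_RE.search(line)
    if not m:
        return None
    outer, _, inner = m.group("rest").partition("[")
    rec = {"tag": m.group("tag")}
    rec.update(KV_RE.findall(outer))   # ID= appears twice; the ICMP id wins
    rec["inner"] = dict(KV_RE.findall(inner)) if inner else {}
    return rec

def icmp_flows(log_text):
    """Count accepted ICMP packets per (in_iface, out_iface, icmp_type)."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["tag"] == "SuSE-FW-ACCEPT-CLASS" and rec.get("PROTO") == "ICMP":
            flows[(rec["IN"], rec["OUT"], rec["TYPE"])] += 1
    return flows

def missing_replies(flows):
    """(a, b) pairs where echo requests (type 8) went a -> b but no echo reply
    (type 0) was accepted b -> a: the thread's symptom, a broken return route."""
    return sorted((a, b) for (a, b, t), n in flows.items()
                  if t == "8" and flows.get((b, a, "0"), 0) == 0)

ROUTER_TABLE = {"10.62.56.0/24": "eth2", "192.168.0.0/16": "eth1"}  # as posted (route -n)

def out_iface(dst, table=ROUTER_TABLE):
    """Longest-prefix match over the table, as the kernel does; None = no route."""
    ip = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(n) for n in table if ip in ipaddress.ip_network(n)]
    best = max(hits, key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best else None
```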