Re: AW: AW: [suse-security] Multiple Internal Networks not Routing
Robert,

Yeah, the GW is correct for both networks and I can ping both GWs. I can even ping the far side of the box (i.e. on 192.168.65.228 I can ping its GW of 192.168.66.252 and the 10.62.56.x GW of 10.62.56.252). I however can't ping any other 10.62.56.x address. The same goes for any traffic from the 10.62.56.x network to the 192.168.x.x network.

192.168.65.228 Route Print Dump
------------------------------------------------------
Active Routes:
Network Destination        Netmask          Gateway         Interface        Metric
0.0.0.0                    0.0.0.0          192.168.66.252  192.168.65.228   20
10.62.56.0                 255.255.255.0    192.168.66.252  192.168.65.228   1
127.0.0.0                  255.0.0.0        127.0.0.1       127.0.0.1        1
192.168.0.0                255.255.0.0      192.168.65.228  192.168.65.228   20
192.168.65.228             255.255.255.255  127.0.0.1       127.0.0.1        20
192.168.65.255             255.255.255.255  192.168.65.228  192.168.65.228   20
224.0.0.0                  240.0.0.0        192.168.65.228  192.168.65.228   20
255.255.255.255            255.255.255.255  192.168.65.228  192.168.65.228   1
Default Gateway:           192.168.66.252
===========================================================================
Persistent Routes:
None

***NOTE*** ---- I added the 10.62.56.0 route hoping to produce results. This however did not work either and has been removed.

Thank You,
Jason Dobbs
IT Manager
Westin Casuarina Casino Las Vegas

Rasp, Robert wrote:
Jason,
Routing on the router looks good, I think... Is the default gateway set correctly on the workstations? Can you ping this IP???
Can I have the routing table from your router and the IPs of the network cards? Can I have a routing table from one client on each network (Windows --> route print)?
CU Robert
-----Original Message-----
From: Jason Dobbs [mailto:jdobbs@casuarinacasino.com]
Sent: Tuesday, 6 April 2004 22:37
To: suse-security@suse.com
Subject: Re: AW: [suse-security] Multiple Internal Networks not Routing
Robert,
ETH1 Dump
------------------------------------------
tcpdump: listening on eth1
05:33:19.653787 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707194 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207866 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708547 192.168.65.228 > 10.62.56.8: icmp: echo request

4 packets received by filter
0 packets dropped by kernel

ETH2 Dump
-------------------------------------------
tcpdump -pni eth2 icmp
tcpdump: listening on eth2
05:33:19.654447 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707232 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207911 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708586 192.168.65.228 > 10.62.56.8: icmp: echo request

4 packets received by filter
0 packets dropped by kernel
192.168.65.228 trying to ping 10.62.56.8
---------------------------------------------------
Pinging 10.62.56.8 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.62.56.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

IP-Forwarding
----------------------------------------
cat /proc/sys/net/ipv4/ip_forward <enter>
1

Thank You,
Jason Dobbs
IT Manager
Westin Casuarina Casino Las Vegas
Rasp, Robert wrote:
Hello,
I had this problem myself... I hate routing sometimes ;-) Is IP forwarding enabled (cat /proc/sys/net/ipv4/ip_forward)? Try this: open two shells and start "tcpdump -pni eth1 icmp" in one shell and "tcpdump -pni eth2 icmp" in the other. Try the ping again and watch the results...
CU Robert
-----Original Message-----
From: Jason Dobbs [mailto:jdobbs@casuarinacasino.com]
Sent: Tuesday, 6 April 2004 21:49
To: Rasp, Robert
Subject: Re: *****list-suse***** AW: [suse-security] Multiple Internal Networks not Routing
Robert,
I took the firewall script down and tried a ping from 192.168.65.228 to 10.62.56.8 and got the same results: request timed out.

Thank You,
Jason Dobbs
IT Manager
Westin Casuarina Casino Las Vegas
Rasp, Robert wrote:
Hello,
If I had this problem, I'd try it without the firewall first.... Then you can be sure your routing is OK. It may be better to stay offline while the firewall script isn't running :-)
CU Robert
-----Original Message-----
From: Jason Dobbs [mailto:jdobbs@casuarinacasino.com]
Sent: Tuesday, 6 April 2004 17:18
To: suse-security@suse.com
Subject: [suse-security] Multiple Internal Networks not Routing
Hi,
Hoping someone can point out my mistake here! I have SuSE 9.0 running with 3 NICs (eth0=internet, eth1=192.168.0.0/16, and eth2=10.62.56.0/24). Everything with the internet is working great. The problem is routing traffic between eth1 and eth2. I've set both networks as trusted, set FW_FORWARD, and enabled FW_ALLOW_CLASS_ROUTING. Nothing has seemed to work. Posted below is also a copy of my /etc/sysconfig/SuSEfirewall2. I'd like to allow all traffic between these 2 networks.
Any ideas?
-------------------------------------------------------------------
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 eth2"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail server ip>/32 10.62.56.0/24,<mail server ip>/32"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="http https ssh"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.0.0/16 10.62.56.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
 192.168.0.0/16,10.62.56.0/24,udp,1:65535 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
 192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
 0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"     # Jason Dobbs
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"   # Jason Dobbs
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
-----------------------------------------------------------------------------------
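The two captures Jason posted above already say where the packets stop: the four echo requests arrive on eth1, the same four leave on eth2, and no echo reply is seen on either side. The Python below is an added example, not code from this thread or from SuSE; it turns Robert's two-shell tcpdump procedure into a repeatable check. It parses the "tcpdump -pni ethX icmp" lines, counts requests and replies per interface, and names the first step at which the exchange breaks. Jason's captures are embedded as the sample input; the ETH1_HEALTHY and ETH2_HEALTHY texts are constructed to show what a working exchange looks like for comparison. The interface names, function names and verdict codes are this example's own choices.

```python
"""Classify where an ICMP echo stops on a Linux router with two inside
interfaces, from the output of "tcpdump -pni <iface> icmp" on each of them.
Added example, not from the suse-security thread: Jason's captures are the
sample input, the *_HEALTHY captures are constructed, names are our own."""
import re
from dataclasses import dataclass

# Old tcpdump format as in the thread ("... A > B: icmp: echo request") and the
# newer one ("... IP A > B: ICMP echo request, id 1, seq 1, length 64").
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"(?:icmp:|ICMP)\s+echo\s+(?P<kind>request|reply)",
    re.IGNORECASE,
)

@dataclass
class EchoPacket:
    ts: str
    src: str
    dst: str
    kind: str  # "request" or "reply"

def parse_capture(text):
    """Echo packets in one capture; "listening on" and counter lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(EchoPacket(m["ts"], m["src"], m["dst"], m["kind"].lower()))
    return packets

def count_echo(text, src, dst):
    """Number of requests src->dst and replies dst->src in one capture."""
    counts = {"requests": 0, "replies": 0}
    for p in parse_capture(text):
        if p.kind == "request" and (p.src, p.dst) == (src, dst):
            counts["requests"] += 1
        elif p.kind == "reply" and (p.src, p.dst) == (dst, src):
            counts["replies"] += 1
    return counts

def diagnose(captures, src, dst, inbound, outbound):
    """Where does a ping src->dst stop? Packets must appear in order: request on
    inbound, request on outbound, reply on outbound, reply on inbound; the first
    missing step is the verdict. captures maps interface name -> tcpdump text."""
    counts = {iface: count_echo(text, src, dst) for iface, text in captures.items()}
    inb, outb = counts[inbound], counts[outbound]
    if inb["requests"] == 0:
        verdict = ("not_reaching_router",
                   f"no request from {src} on {inbound}: check the client's gateway/route")
    elif outb["requests"] == 0:
        verdict = ("not_forwarded",
                   f"requests on {inbound} but not on {outbound}: check ip_forward and the FORWARD chain")
    elif outb["replies"] == 0:
        verdict = ("no_reply_from_target",
                   f"requests leave on {outbound} but {dst} never answers: target down, "
                   f"host firewall, or no route back to {src}")
    elif inb["replies"] == 0:
        verdict = ("reply_not_forwarded",
                   f"replies on {outbound} are not sent out {inbound}: check the reverse FORWARD rule and rp_filter")
    else:
        verdict = ("ok", "request and reply seen on both interfaces: path through the router works")
    return {"counts": counts, "code": verdict[0], "message": verdict[1]}

# Jason's captures as posted: four echo requests on each side, no reply.
ETH1_CAPTURE = """\
tcpdump: listening on eth1
05:33:19.653787 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707194 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207866 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708547 192.168.65.228 > 10.62.56.8: icmp: echo request
4 packets received by filter
0 packets dropped by kernel
"""
ETH2_CAPTURE = """\
tcpdump: listening on eth2
05:33:19.654447 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707232 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207911 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708586 192.168.65.228 > 10.62.56.8: icmp: echo request
4 packets received by filter
0 packets dropped by kernel
"""
# Constructed: the same two captures when the path works end to end.
ETH1_HEALTHY = """\
05:40:01.000050 192.168.65.228 > 10.62.56.8: icmp: echo request
05:40:01.000350 10.62.56.8 > 192.168.65.228: icmp: echo reply
"""
ETH2_HEALTHY = """\
05:40:01.000100 192.168.65.228 > 10.62.56.8: icmp: echo request
05:40:01.000300 10.62.56.8 > 192.168.65.228: icmp: echo reply
"""

if __name__ == "__main__":
    for label, caps in (("as posted", {"eth1": ETH1_CAPTURE, "eth2": ETH2_CAPTURE}),
                        ("constructed healthy", {"eth1": ETH1_HEALTHY, "eth2": ETH2_HEALTHY})):
        r = diagnose(caps, "192.168.65.228", "10.62.56.8", "eth1", "eth2")
        print(f"{label}: {r['code']} - {r['message']}")
```

Run against the posted captures the verdict is "no_reply_from_target": the router is doing its part (forwarding is on, the FORWARD rule passes the request), so the next thing to look at is the 10.62.56.8 host itself and its route back to 192.168.0.0/16, which is exactly the direction the rest of the thread takes.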
Jason,

Robert's suggestion to stop the firewall and see whether routing is working at all is the way to go. I sometimes have to think it over at customer sites when setting up complex IP networks: you always have to remember that IP is not "one-way traffic": the packets MUST know the way back, so setting up a route on one side is okay, but the *other side* has to know the way back as well!!! Maybe it's only a routing problem you have.

HTH, Philipp

Jason Dobbs wrote:
[quoted earlier messages omitted here; they are identical to the thread above]
PLS: Don't post to the list AND cc: me, that's two messages reaching me.

OK, back to work: knowing one gateway should be enough for every client in your setup. The gateway knows the other nets, so it does the routing for all correctly. What has happened to your setup "that worked before", then?

Something in your routing must be broken.

Philipp

Philipp Rusch wrote:
[quoted earlier messages omitted here; they are identical to the thread above]
Philipp,

Sorry, I think I was replying to Robert and not the list. As far as working before: nothing has changed. I'm using the backed-up config files which worked fine before the RAID went south. The only thing is a fresh version of SuSE, but I didn't do anything differently than I did before. I've even gone back and reloaded just to make sure. I never added extra route statements to SuSE or the Windows clients on either network.

Thank You,
Jason Dobbs
IT Manager
Westin Casuarina Casino Las Vegas

Philipp Rusch wrote:
[quoted earlier messages omitted here; they are identical to the thread above]
On Wed, 7 Apr 2004, Philipp Rusch wrote:
Jason, Robert's suggestion to stop the firewall and see if routing at all is working correctly is the way to go.
Don't "stop", use "test" and watch the logs.

--
BINGO: change the basis of competition --- Engelbert Gruber -------+
SSG Fintl,Gruber,Lassnig / A6170 Zirl Innweg 5b / Tel. ++43-5238-93535 ---+
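Philipp's point, that a route on one side is only half the job and the other side must know the way back, can be checked mechanically rather than by eye. The Python below is an added example, not code from this thread: it parses the "Active Routes" section of a Windows route print dump, performs the longest-prefix lookup with lowest-metric tie-break that the stack itself applies, and resolves the next hop for a destination. It is run against Jason's 192.168.65.228 table as posted (both with the 10.62.56.0 route and with it removed, as he later did) and against a constructed table for the 10.62.56.8 side, since the thread never shows that host's routes. The ROUTE_PRINT_NO_WAY_BACK sample and the function names are this example's own assumptions.

```python
"""Resolve the next hop a Windows client would use from its "route print"
output, then check the return direction the same way. Added example, not from
the suse-security thread: ROUTE_PRINT_CLIENT is Jason's posted table,
ROUTE_PRINT_NO_WAY_BACK is constructed, function names are our own."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int

def parse_route_print(text):
    """Rows of the "Active Routes" table: destination, netmask, gateway, interface, metric.
    Header lines, "Default Gateway:" and anything else with a different shape are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            routes.append(Route(
                ipaddress.IPv4Network((parts[0], parts[1]), strict=False),
                ipaddress.IPv4Address(parts[2]),
                ipaddress.IPv4Address(parts[3]),
                int(parts[4])))
        except ValueError:
            continue  # five tokens but not a route row
    return routes

def lookup(routes, destination):
    """Longest-prefix match, lowest metric on a tie; None when nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return {
        "network": str(best.network),
        "gateway": str(best.gateway),
        "interface": str(best.interface),
        "metric": best.metric,
        # route print shows the interface's own address as gateway for on-link nets
        "on_link": best.gateway == best.interface,
    }

def check_both_ways(src_routes, dst_routes, src, dst):
    """The path is usable only if src can reach dst AND dst can reach src."""
    forward = lookup(src_routes, dst)
    back = lookup(dst_routes, src)
    return {"forward": forward, "return": back,
            "usable": forward is not None and back is not None}

def without_added_route(routes):
    """Jason's table after he removed the 10.62.56.0 route he had tried."""
    return [r for r in routes if str(r.network) != "10.62.56.0/24"]

# Jason's route print for 192.168.65.228 as posted.
ROUTE_PRINT_CLIENT = """\
Active Routes:
Network Destination        Netmask          Gateway         Interface        Metric
0.0.0.0                    0.0.0.0          192.168.66.252  192.168.65.228   20
10.62.56.0                 255.255.255.0    192.168.66.252  192.168.65.228   1
127.0.0.0                  255.0.0.0        127.0.0.1       127.0.0.1        1
192.168.0.0                255.255.0.0      192.168.65.228  192.168.65.228   20
192.168.65.228             255.255.255.255  127.0.0.1       127.0.0.1        20
192.168.65.255             255.255.255.255  192.168.65.228  192.168.65.228   20
224.0.0.0                  240.0.0.0        192.168.65.228  192.168.65.228   20
255.255.255.255            255.255.255.255  192.168.65.228  192.168.65.228   1
Default Gateway:           192.168.66.252
"""
# Constructed: a 10.62.56.8 host that knows only its own subnet and has no default gateway.
ROUTE_PRINT_NO_WAY_BACK = """\
Active Routes:
Network Destination        Netmask          Gateway         Interface        Metric
10.62.56.0                 255.255.255.0    10.62.56.8      10.62.56.8       20
127.0.0.0                  255.0.0.0        127.0.0.1       127.0.0.1        1
"""

if __name__ == "__main__":
    client = parse_route_print(ROUTE_PRINT_CLIENT)
    print("with the 10.62.56.0 route:", lookup(client, "10.62.56.8"))
    print("without it (default GW):  ", lookup(without_added_route(client), "10.62.56.8"))
    print("both ways:", check_both_ways(client, parse_route_print(ROUTE_PRINT_NO_WAY_BACK),
                                        "192.168.65.228", "10.62.56.8"))
```

On Jason's table both variants resolve 10.62.56.8 to the gateway 192.168.66.252, so the extra route he added changed nothing, which matches what he saw. The constructed 10.62.56.8 table has no route back to 192.168.65.228 at all, and check_both_ways reports the path unusable even though the forward lookup succeeds; that is the asymmetry Philipp describes, and the same lookup run on the real 10.62.56.8 host's table is the check the thread was still missing.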
participants (3): engelbert.gruber@ssg.co.at, Jason Dobbs, Philipp Rusch