
Re: Fw: Re: routing question - why one way? <- working



On Thu, 01 Sep 2005 23:03:44 +1000
"Rod.. Whitworth" <listen_(_at_)_witworx_(_dot_)_com> wrote:

> On Thu, 1 Sep 2005 08:11:28 -0400, Bill wrote:
> >
> >Date: Thu, 1 Sep 2005 08:09:24 -0400
> >From: Bill <Bill_(_at_)_explosivo_(_dot_)_com>
> >To: "Rod.. Whitworth" <listen_(_at_)_witworx_(_dot_)_com>
> >Subject: Re: routing question - why one way?
> >
> >
> >On Thu, 01 Sep 2005 16:36:13 +1000
> >"Rod.. Whitworth" <listen_(_at_)_witworx_(_dot_)_com> wrote:
> >
> >> On Thu, 1 Sep 2005 01:01:08 -0400, Bill wrote:
> >> 
> >> >OBSD 3.7 - new install
> >> >
> >> >I am building a router.  And I am having a routing problem.  I am not
> >> >doing any packet filtering, NAT or anything... it's all strictly private
> >> >address space nets. I also most definitely have ip forwarding set in
> >> >sysctl
> >> >
> >> >Right now I have the router installed with two active interfaces...
> >> >
> >> >Segment A (192.168.0.4) interface on the router 
> >> >Segment B (10.3.0.1) interface on the router
> >> >
> >> >Now I have a machine on each segment also:
> >> >
> >> >192.168.0.2 (Segment A)
> >> >10.3.50.1 (Segment B)
> >> >
> >> >Segment B has the default gateway set to 192.168.0.2
> >> >(192.168.0.2 then passes out to the internet )
> >> >
> >> >From 10.3.50.1 my default gateway is the 10.3.0.1 (router nic).  I
> >> >can ping any of the other interface cards on the router (there are a
> >> >few) including the 192.168.0.4 interface on the router.  But I cannot
> >> >ping the 192.168.0.2 machine.
> >> >
> >> >* WAIT * I know what you are going to say... but I DO have the ip
> >> >forwarding set
> >> >
> >> ># sysctl -a | grep forward 
> >> >net.inet.ip.forwarding=1
> >> >
> >> >I checked many times since.
> >> >
> >> >Now, if I go to the 192.168.0.2 machine, I added a route so it knows
> >> >where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no
> >> >problem.  I can also ping all the other NICs on the router.  So the
> >> >router is forwarding packets.  
> >> >
> >> >So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping
> >> >responses from 10.3.50.1 should be able to be returned from the
> >> >192.168.0.2 box back no problem.
> >> >
> >> >I am not sure where the pings are being lost... if the machine on
> >> >segment A knows how to reach segment B and can ping it... doesn't that
> >> >mean the segment B machine essentially can get pings back if it sends
> >> >them to Segment A?  Segment A is its default route.
> >> >
> >> >Confused...
> >> >
> >> >Any help would be greatly appreciated
> >> >
> >> >All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux
> >
> >---
> >> >
> >> >Bill Chmura
> >> >Director of Internet Technology
> >> >Explosivo ITG
> >> >Wolcott, CT
> >> >
> >> >p: 860.621.8693
> >> >e: bill_(_at_)_Explosivo_(_dot_)_com
> >> >w. http://www.explosivo.com
> >> >
> >> >
> >> I'm sure that you know what you mean but what you have stated about the
> >> networks and host is ambiguous.
> >> 
> >> Let's see if I guess correctly in phrasing it a little differently. If
> >> not you have a better chance to correct the impression.
> >> 
> >> There are 2 private networks:
> >> 192.168.0.0/24
> >> 10.3.0.0/8   <- maybe you use a /24 but /8 is the "natural" for a 10.
> >> network
> >> 
> >> You have 3 hosts:
> >> A router with 2 NICs, 192.168.0.4 and 10.3.0.1
> >> One with a NIC = 192.168.0.2 (connected to the router on its
> >> 192.168.0.4 NIC) It also has another NIC that connects to the internet
> >> (somehow)
> >> One with a NIC = 10.3.50.1 (connected to the router NIC 10.3.0.1)
> >> 
> >> So far so good?
> >> 
> >> Well really you have 2 routers there. The one you called a router plus
> >> the 192.168.0.2 host.
> >> The latter will need to have forwarding on as well as the one you
> >> called Router in your post.
> >> 
> >> Your first router will need to have its default gateway set to
> >> 192.168.0.2 for traffic from the 10. network to get to the 'net.
> >> 
> >> Looking at netstat -rnf inet on your Openbsd boxes might be
> >> enlightening and should be posted as a part of your question.
> >>  The Linux box only needs netstat -rn as it defaults to the inet
> >> family.
> >> 
> >> Forget the term segments. It is confusing where you have no
> >> segmentation.
> >> Make sure ALL machines on your 10. network have a netmask of 255.0.0.0
> >> for "purity" because you need at least 255.255.192.0 (math done in head
> >> at end of day - please check!) to get that third octet (50) covered.
> >> 
> >> Let's see where that gets you.....
> >> From the land "down under": Australia.
> >> Do we look <umop apisdn> from up over?
> >> 
> >> Do NOT CC me - I am subscribed to the list.
> >> Replies to the sender address will fail except from the list-server.
> >> 
> >
> >Hi Rod,
> >
> >Your rephrasing of my layout is accurate.  Routing on the 192.168.0.2
> >box is fine (the rest of the network on the 192.168.0.0/24 segment can
> >get through there fine).
> >
> >Here is the netstat for the inner router...  As you can see I have the
> >default set (I think) to use the 192.168.0.2
> >
> >Internet:
> >Destination        Gateway            Flags     Refs     Use    Mtu  Interface
> >default            192.168.0.2        UGS          9    1516      -  em0
> >10.2/16            link#2             UC           0       0      -  em1
> >10.3/16            link#3             UC           0       0      -  em2
> >10.4/16            link#4             UC           1       0      -  em3
> >10.4.50.1          link#4             UHLc         2      30      -  em3
> >10.5/16            link#5             UC           0       0      -  em4
> >10.6/16            link#7             UC           0       0      -  em6
> >10.7/16            link#8             UC           0       0      -  em7
> >127/8              127.0.0.1          UGRS         0       0  33224  lo0
> >127.0.0.1          127.0.0.1          UH           2    3574  33224  lo0
> >192.168.0/24       link#1             UC           2       0      -  em0
> >192.168.0.2        0:60:97:5b:72:45   UHLc         1     388      -  em0
> >192.168.0.198      0:b:cd:7:8f:45     UHLc         1    1934      -  em0
> >224/4              127.0.0.1          URS          0       0  33224  lo0
> >
> >
> >It's got to be something simple as I can ping from the 192.168.0.2 box
> >through the inner router to the box on the 10.3.0.0/16 segment, but
> >cannot ping the reverse of that (from 10.3.0.0/16 to 192.168.0.2)
> >
> >Thanks for any insight and patience as I try to express this problem
> >-- 
> >
> >Bill Chmura
> >Director of Internet Technology
> >Explosivo ITG
> >Wolcott, CT
> >
> >p: 860.621.8693
> >e: bill_(_at_)_Explosivo_(_dot_)_com
> >w. http://www.explosivo.com
> >
> >
> 
> Aaaarrrrgh!
> 
> You are trying to turn us into mad inquisitors!
> Why, oh why is getting the real guts such a task?
> 
> Finally (I fervently hope!) we have a network plan that represents
> reality.
> It is way too complex for someone who cannot work this out alone (due
> to lots of interfaces that may be misconfigured).
> How about removing all those NICs not involved in the original question
> and making sure that both interfaces on the remaining 10.?/16 
> concerned have the same netmask, /16, and that both are addressed
> within that network.
> STOP calling them segments! They are networks. YOU subnetted them out
> of a class A to form your own /16 networks. Call them subnets if you
> like - they ain't segments! OK?
> 
> Now do we know what the netmask is for the 10.3.50.1 box? (Or is it now
> 10.4. ? Stand still for a moment - you will have us as confused as you
> are soon.)
> 
> One small step at a time, please. Tell us EXACTLY what is involved.
> Call your hosts (routers or whatever) by some simple name and stick
> with it. Alpha, beta, or Red, Orange or whatever and then tell us what
> the NIC IPs are on that host (with netmask) and which host/NIC pairs
> are joined by a cable.
> 
> With your complexity I hope you are just using a simple crossover cable
> where a switch isn't needed or you'll have even more problems most
> likely when the poor darling (simple unmanaged switch) tries to sort out
> all the traffic.
> 
> I'm off to bed now after 16 hours at the grinder. If you do your stuff
> and respond as I'd like you will probably either (a) find out that you
> have it working or (b) your message will be clear enough that you'll
> get an answer straight off.
> 
> Good luck! and I'll see that traffic tomorrow morning, so be good, eh?
> 
> From the land "down under": Australia.
> Do we look <umop apisdn> from up over?
> 
> Do NOT CC me - I am subscribed to the list.
> Replies to the sender address will fail except from the list-server.
> 

Hi Rod,

I apologize for the terminology problem and the confusion...  I am
(obviously) having trouble finding a good way to communicate this
issue...

The good news is that it started working.  The bad news is I am not
sure why.   I made a change to the outer firewall in PF that defined
the new temporary 10.0.0.0 network as internal.

This is going to drive me batty.  Stark raving mad.  

PS. I am using crossovers :)

Thank you to anyone that waded through my inept descriptions... I have
restarted everything and it still works...  I've learned a few things
about how to phrase network questions and some good advice from Rod on
how to better label things.

Rod, as far as connecting to it, right now I am using crossovers, but when
I move it over - most of the connections from the box will connect into
Cisco Catalyst 3600 switches (they were there and have fiber connectors
on them so we need them till next budget season). 

Thanks to all again
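The two points the thread keeps circling (the reply needs a route back from the 192.168.0.2 host, and the netmask on the 10. network has to cover the third octet) can be checked on paper with a longest-prefix-match lookup over the route tables. The script below is an added example, not code from the thread or from OpenBSD: it reuses the inner router's posted netstat table (trimmed to destination, gateway, flags and interface), and constructs hypothetical tables for the 192.168.0.2 host before and after a static route for the 10.x network is added, since the thread never posts that host's table. The interface names `ext0`/`int0`, the upstream gateway 203.0.113.1 and the `10/8` route are assumptions.

```python
import ipaddress

# Constructed sample: the inner router's route table as posted in the thread,
# trimmed to the columns the lookup needs (destination, gateway, flags, interface).
ROUTER_TABLE = """
default        192.168.0.2        UGS   em0
10.2/16        link#2             UC    em1
10.3/16        link#3             UC    em2
10.4/16        link#4             UC    em3
10.4.50.1      link#4             UHLc  em3
127/8          127.0.0.1          UGRS  lo0
192.168.0/24   link#1             UC    em0
192.168.0.2    0:60:97:5b:72:45   UHLc  em0
"""

# Hypothetical tables for the 192.168.0.2 host (the thread never posts them):
# before and after the static route Bill says he added for the 10.x network.
# 203.0.113.1 is a documentation-range placeholder for its upstream gateway.
HOST_BEFORE = """
default        203.0.113.1   UGS   ext0
192.168.0/24   link#1        UC    int0
"""
HOST_AFTER = HOST_BEFORE + """
10/8           192.168.0.4   UGS   int0
"""


def expand(dest):
    """Turn netstat's shorthand destination ('10.3/16', '127/8', 'default',
    or a bare host address) into an ip_network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # '10.3' -> '10.3.0.0'
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_table(text):
    """Parse the four-column table text into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        dest, gw, flags, iface = line.split()
        routes.append((expand(dest), gw, flags, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def next_hop(routes, dst):
    """Return (gateway or 'on-link', interface), or None if there is no route at all.
    The 'G' flag means 'hand the packet to the gateway'; without it the destination
    is delivered directly on the interface."""
    route = lookup(routes, dst)
    if route is None:
        return None
    _, gw, flags, iface = route
    return (gw if "G" in flags else "on-link", iface)


def reply_reaches_router(host_routes, router_addr, dst):
    """True when the host's chosen next hop for dst is the inner router, i.e. the
    reply goes back the way the request came instead of out the default gateway."""
    hop = next_hop(host_routes, dst)
    return hop is not None and hop[0] == router_addr


def shares_link(a, b, prefixlen):
    """True when a and b fall in the same network under prefixlen, so they can talk
    without a router. Used to see which netmask puts 10.3.50.1 and 10.3.0.1 together."""
    net_a = ipaddress.ip_interface(f"{a}/{prefixlen}").network
    net_b = ipaddress.ip_interface(f"{b}/{prefixlen}").network
    return net_a == net_b


if __name__ == "__main__":
    router = parse_table(ROUTER_TABLE)
    print("router -> 192.168.0.2:", next_hop(router, "192.168.0.2"))
    print("router -> 10.3.50.1:  ", next_hop(router, "10.3.50.1"))
    for name, text in (("before", HOST_BEFORE), ("after", HOST_AFTER)):
        host = parse_table(text)
        print(f"192.168.0.2 reply to 10.3.50.1 ({name}):", next_hop(host, "10.3.50.1"),
              "reaches router:", reply_reaches_router(host, "192.168.0.4", "10.3.50.1"))
    for plen in (24, 19, 18, 16):
        print(f"10.3.50.1 and 10.3.0.1 share a /{plen}:",
              shares_link("10.3.50.1", "10.3.0.1", plen))
```

Run as-is, the script shows the router forwarding both directions fine, while the reply from the hypothetical "before" host table leaves via the default gateway on `ext0` (a private destination that an upstream will drop), and only the "after" table hands it back to 192.168.0.4. The netmask loop shows that /24 and /19 do not put 10.3.50.1 on the same link as 10.3.0.1, while /18 (255.255.192.0) and /16 do.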