Forwarding between interfaces?

 
 
lamerfreak
      10-15-2004, 04:27 AM
G'day all.

Hoping someone has a quick fix or direction at least for me on this.

Have a Windows box behind my slackware router/firewall/etc. Router has
two interfaces. /25 private class on each, IP forwarding enabled. I
can reach hosts on either network/interface from the linux box. Not
from the Windows box.

When I ping from Windows to a host on the other subnet, times out, but
I see replies getting back to that interface from the other host. So
something seems broken in the middle.

Interfaces:

eth0 Link encap:Ethernet HWaddr 00:0D:88:4D:5E:B5
     inet addr:192.168.100.131 Bcast:192.168.100.255 Mask:255.255.255.128

eth1 Link encap:Ethernet HWaddr 00:50:BA:6D:60:ED
     inet addr:192.168.100.1 Bcast:192.168.100.127 Mask:255.255.255.128

So, listening on eth0 as I ping 192.168.100.132, say, I see the
request, and the reply hit eth0. Listening at the same time to eth1,
I see the request go out, and that's it.

Routing table (formatted some to fit):

Destination     Gateway   Genmask         Flags Metric Ref Use Iface
205.200.28.30   0.0.0.0   255.255.255.255 UH    0      0   0   ppp0
192.168.100.0   0.0.0.0   255.255.255.128 U     0      0   0   eth1
192.168.100.128 0.0.0.0   255.255.255.128 U     0      0   0   eth0
127.0.0.0       0.0.0.0   255.0.0.0       U     0      0   0   lo
0.0.0.0         <public>  0.0.0.0         UG    0      0   0   ppp0

Not including iptables output - I messed with it, turned it off and no
change. I don't think it's affecting anything.

Looked at kernel options - there are some for IP advanced routing that
I wonder about, but... unsure what specifically would affect it, and
don't want to re-compile and change kernels needlessly.

Any ideas? (apologies if I violated anything - first post to this NG,
read through the current stuff first to check if this was answered.)
 
David Efflandt
      10-16-2004, 09:21 AM
On Thu, 14 Oct 2004, lamerfreak <(E-Mail Removed)> wrote:
> G'day all.
>
> Hoping someone has a quick fix or direction at least for me on this.
>
> Have a Windows box behind my slackware router/firewall/etc. Router has
> two interfaces. /25 private class on each, IP forwarding enabled. I
> can reach hosts on either network/interface from the linux box. Not
> from the Windows box.
>
> When I ping from Windows to a host on the other subnet, times out, but
> I see replies getting back to that interface from the other host. So
> something seems broken in the middle.
>
> Interfaces:
>
> eth0 Link encap:Ethernet HWaddr 00:0D:88:4D:5E:B5
> inet addr:192.168.100.131 Bcast:192.168.100.255
> Mask:255.255.255.128
>
> eth1 Link encap:Ethernet HWaddr 00:50:BA:6D:60:ED
> inet addr:192.168.100.1 Bcast:192.168.100.127
> Mask:255.255.255.128
>
> So, listening on eth0 as I ping 192.168.100.132, say, I see the
> request, and the reply hit eth0. Listening at the same time to eth1,
> I see the request go out, and that's it.
>
> Routing table (formatted some to fit):
>
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 205.200.28.30 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> 192.168.100.0 0.0.0.0 255.255.255.128 U 0 0 0 eth1
> 192.168.100.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 <public> 0.0.0.0 UG 0 0 0 ppp0
>
> Not including iptables output - I messed with it, turned it off and no
> change. I don't think it's affecting anything.
>
> Looked at kernel options - there are some for IP advanced routing that
> I wonder about, but... unsure what specifically would affect it, and
> don't want to re-compile and change kernels needlessly.


I used to do something similar when on dialup with 2 NICs and 3 PCs. Do
the other PCs have or understand the 255.255.255.128 netmask? If not
using hubs/switches on eth0/eth1, do they have crossover cables (instead of
patch cables)?

My first thought was that you may need to insert a forward rule to allow
those interfaces to communicate with each other without masquerade, which
I had to do before SuSEfirewall2 had a simple variable to allow like
interfaces to communicate. But you say it still fails with iptables
disabled.

Assuming you have ip_forward enabled (cat /proc/sys/net/ipv4/ip_forward
should return 1), as an experiment, try enabling proxy_arp on those
interfaces:

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

That should allow PCs on either side to communicate somewhat as one
network even if they have or assume 255.255.255.0 netmask (but do NOT
change the Linux router netmasks). However, Win peer2peer file/printer
sharing may not work between the networks without WINS (which samba could
do).
 
 
lamerfreak
      10-16-2004, 02:53 PM
On Sat, 16 Oct 2004 09:21:00 +0000 (UTC), (E-Mail Removed) (David
Efflandt) wrote:

>On Thu, 14 Oct 2004, lamerfreak <(E-Mail Removed)> wrote:
>> G'day all.
>>
>> Hoping someone has a quick fix or direction at least for me on this.
>>
>> Have a Windows box behind my slackware router/firewall/etc. Router has
>> two interfaces. /25 private class on each, IP forwarding enabled. I
>> can reach hosts on either network/interface from the linux box. Not
>> from the Windows box.
>>
>> When I ping from Windows to a host on the other subnet, times out, but
>> I see replies getting back to that interface from the other host. So
>> something seems broken in the middle.
>>
>> Interfaces:
>>
>> eth0 Link encap:Ethernet HWaddr 00:0D:88:4D:5E:B5
>> inet addr:192.168.100.131 Bcast:192.168.100.255
>> Mask:255.255.255.128
>>
>> eth1 Link encap:Ethernet HWaddr 00:50:BA:6D:60:ED
>> inet addr:192.168.100.1 Bcast:192.168.100.127
>> Mask:255.255.255.128
>>
>> So, listening on eth0 as I ping 192.168.100.132, say, I see the
>> request, and the reply hit eth0. Listening at the same time to eth1,
>> I see the request go out, and that's it.
>>
>> Routing table (formatted some to fit):
>>
>> Destination Gateway Genmask Flags Metric Ref Use Iface
>> 205.200.28.30 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
>> 192.168.100.0 0.0.0.0 255.255.255.128 U 0 0 0 eth1
>> 192.168.100.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
>> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
>> 0.0.0.0 <public> 0.0.0.0 UG 0 0 0 ppp0
>>
>> Not including iptables output - I messed with it, turned it off and no
>> change. I don't think it's affecting anything.
>>
>> Looked at kernel options - there are some for IP advanced routing that
>> I wonder about, but... unsure what specifically would affect it, and
>> don't want to re-compile and change kernels needlessly.

>
>I used to do something similar when on dialup with 2 NICs and 3 PCs. Do
>the other PCs have or understand the 255.255.255.128 netmask? If not
>using hubs/switches on eth0/eth1, do they have crossover cables (instead of
>patch cables)?
>
>My first thought was that you may need to insert a forward rule to allow
>those interfaces to communicate with each other without masquerade, which
>I had to do before SuSEfirewall2 had a simple variable to allow like
>interfaces to communicate. But you say it still fails with iptables
>disabled.
>
>Assuming you have ip_forward enabled (cat /proc/sys/net/ipv4/ip_forward
>should return 1), as an experiment, try enabling proxy_arp on those
>interfaces:
>
>echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
>
>That should allow PCs on either side to communicate somewhat as one
>network even if they have or assume 255.255.255.0 netmask (but do NOT
>change the Linux router netmasks). However, Win peer2peer file/printer
>sharing may not work between the networks without WINS (which samba could
>do).


Thanks for the reply, but it seems like I figured it out in a flash of
the blindingly obvious at about 1AM last night.

Looking over output from tcpdump while pinging from the linux router,
I notice... well, of course it's getting replies, it's coming *from*
the same subnet as the other PCs. My Windows box isn't, as it's not
NAT'd, therefore it's sending an ICMP echo request from its IP, on
another subnet...

Problem being, the switch/router that handles the rest doesn't have a
rule about where to send packets from the other /25 subnet.

Add rule for first /25 > eth0 of the linux box, in the switch, and it
works.

Sorry for wasting time...

Though I will have to look at proxy_arp for something else, I think.
Make it a little more cohesive.
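
The diagnosis in the last post, modelled as an added example (not code from the thread): a longest-prefix-match trace of the echo request and its reply through each device's routing table, before and after the return route is added. The router addresses and /25 masks come from the first post; the Windows address (.2), the upstream device's address (.129), its table and the node names are assumptions.

```python
import ipaddress as ip

def lookup(routes, dst):
    """Longest-prefix match over {cidr: gateway}; gateway None means on-link."""
    dst = ip.ip_address(dst)
    hits = [(ip.ip_network(c), gw) for c, gw in routes.items()
            if dst in ip.ip_network(c)]
    if not hits:
        return "no-route"
    return max(hits, key=lambda h: h[0].prefixlen)[1] or "on-link"

def trace(tables, owner, node, dst):
    """Follow next hops from node toward dst and return the hops taken."""
    path = [node]
    while owner.get(dst) != node:
        hop = lookup(tables[node], dst)
        if hop == "no-route":
            return path + ["DROP: no route at " + node]
        nxt = owner.get(dst if hop == "on-link" else hop)
        if nxt is None or nxt in path:
            return path + ["DROP: unreachable from " + node]
        path.append(nxt)
        node = nxt
    return path

# Constructed topology. Router addresses and /25 masks are from the post;
# the Windows (.2) and upstream (.129) addresses are assumptions.
OWNER = {"192.168.100.2": "windows", "192.168.100.1": "linux",
         "192.168.100.131": "linux", "192.168.100.132": "host132",
         "192.168.100.129": "upstream"}
TABLES = {
    "windows": {"192.168.100.0/25": None, "0.0.0.0/0": "192.168.100.1"},
    "linux": {"192.168.100.0/25": None, "192.168.100.128/25": None},
    "host132": {"192.168.100.128/25": None, "0.0.0.0/0": "192.168.100.129"},
    "upstream": {"192.168.100.128/25": None},   # no return route yet
}

def with_return_route(tables):
    """Copy of tables with the thread's fix applied on the upstream device."""
    fixed = {name: dict(routes) for name, routes in tables.items()}
    fixed["upstream"]["192.168.100.0/25"] = "192.168.100.131"
    return fixed

if __name__ == "__main__":
    print("request:", trace(TABLES, OWNER, "windows", "192.168.100.132"))
    print("reply  :", trace(TABLES, OWNER, "host132", "192.168.100.2"))
    print("fixed  :", trace(with_return_route(TABLES), OWNER, "host132", "192.168.100.2"))
```

Tracing a reply to 192.168.100.131 instead shows why pings from the Linux router itself always worked: that source address is on-link for the far hosts, so the reply never touches the upstream device's table.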
 