netmasks and subnets

 
 
Luke

 
      01-27-2004, 04:26 PM
Right now, I have a machine with two interface cards, and one network
it's serving.

I'd like to have the two nics span different portions of the network.

One nic would span 10.10.1.3-9
The other would span 10.10.1.100-254

Using debian, how would I set this up?

In /etc/network/interfaces I've tried eth1 with a static ip, 10.10.1.1,
netmask 255.255.255.0, and eth2 with 10.10.1.2, with netmask
255.255.255.247, hoping the more restrictive netmask would get matched
first. I notice this would still include 10.10.1.1, so would I need to
pick different static ips for my nics? It would seem that I would...

Using this config, I can't get everything routable... default routes pop
up, and using netstat -r, I see two routes (over each of the two
interfaces) for 10.10.1.0, using the same netmask.

So I guess what I'm checking is:
Can I have a 4 IP subnet using 10.10.1.1-2 as my two nics' ips?
If so, how? Seems unlikely if I want 10.10.1.3-8 as a subnet and
don't want to define multiple routes for it, since anything I pick
except 255.255.255.254 will include 10.10.1.1, right?

If I change the IPs of my nics, can I get something like this to work on
the same subnet?

Theoretically, I understand how to do this from a
networking perspective, but when assigning the netmasks in
/etc/network/interfaces, they didn't correspond to the netstat -r
netmasks... so I need to figure out why that is.

Thanks.

--
Luke StClair
(E-Mail Removed)
PGP key: http://www.students.uiuc.edu/~clairst
 
Oliver O'Boyle

 
      01-27-2004, 05:48 PM


"Luke" <(E-Mail Removed)> wrote in message
news:d8jie1-(E-Mail Removed)...
> Right now, I have a machine with two interface cards, and one
> network its serving.
>
> I'd like to have the two nics span different portions of the
> network.
>
> One nic would span 10.10.1.3-9
> The other would span 10.10.1.100-254


you need to give these interfaces the proper netmask.

eth1 network address should be:
10.10.1.0 netmask 255.255.255.240 (this will give you usable
addresses from .1 to .14 - .0 is the network address and .15 is the
subnet broadcast address, or directed broadcast address, so don't use
them). you can give eth1 a static IP of anything within the usable
address range with the .240 netmask (/28 in CIDR speak).

eth2 network address should be:
10.10.1.128.0 netmask 255.255.255.128 (this will give you usable
addresses from .129 to .254 - .128 is the network address and .255 is
the directed broadcast address for the subnet so don't use them). you
can give eth2 a static IP of anything within the usable address range
and attach the .128 netmask (/25 in CIDR speak).

NOTE: you can not have a range from .100 to .254 if you plan on
sharing the bottom part of your class c network. the only way you can
have .100 to .254 available to you is if you use a mask of
255.255.255.0 (/24). by doing this though, you include all addresses in
10.10.1.0. usable addresses for a /24 network would be .1 to .254. so,
either take my recommendation and use VLSM (look it up), or use 2
different class c (/24) subnets: e.g. 10.10.1.0 and 10.10.2.0.

hope that helps
Oliver O'Boyle

> Luke StClair
> (E-Mail Removed)
> PGP key: http://www.students.uiuc.edu/~clairst




 
Oliver O'Boyle

 
      01-27-2004, 05:57 PM


> eth2 network address should be:
> 10.10.1.128.0 <----- SHOULD READ 10.10.1.128 --- SORRY!


> netmask 255.255.255.128 (this will give you usable
> address from .129 to .254 - .128 is the network address and .255 is
> the directed broadcast address for the subnet so don't use them).
> you can give eth2 a static IP of anything within the usable address
> range and attach the .128 netmask (/25 in CIDR speak).
> \
> NOTE: you can not have a range from .100 to .254 if you plan on
> sharing the bottom part of your class c network. the only way you
> can have .100 to .254 available to you is if you use a mask of
> 255.255.255.0 (/24). by doing this though, you include all address
> in 10.10.1.0. usable address for a /24 network would be .1 to .254.
> so, either take my recommendation and use VLSM (look it up), or use
> 2
> different class c (/24) subnets: e.g. 10.10.1.0 and 10.10.2.0.
>
> hope that helps
> Oliver O'Boyle
>
> > Luke StClair
> > (E-Mail Removed)
> > PGP key: http://www.students.uiuc.edu/~clairst





 
Luke

 
      01-28-2004, 01:17 AM
On 2004-01-27, Oliver O'Boyle <(E-Mail Removed)> wrote:
> eth1 network address should be:
> 10.10.1.0 netmask 255.255.255.240 (this will give you usable
> addresses from .1 to .14 - .0 is the network address and .15 is the
> subnet broadcast address, or directed broadcast address, so don't use
> them). you can give eth1 a static IP of anything within the usable
> address range with the .240 netmask (/28 in CIDR speak).
>
> eth2 network address should be:
> 10.10.1.128.0 netmask 255.255.255.128 (this will give you usable
> address from .129 to .254 - .128 is the network address and .255 is
> the directed broadcast address for the subnet so don't use them). you
> can give eth2 a static IP of anything within the usable address range
> and attach the .128 netmask (/25 in CIDR speak).
> \
> NOTE: you can not have a range from .100 to .254 if you plan on
> sharing the bottom part of your class c network. the only way you can
> have .100 to .254 available to you is if you use a mask of
> 255.255.255.0 (/24). by doing this though, you include all address in
> 10.10.1.0. usable address for a /24 network would be .1 to .254. so,
> either take my recommendation and use VLSM (look it up), or use 2
> different class c (/24) subnets: e.g. 10.10.1.0 and 10.10.2.0.
>


That was very helpful... I had assumed that that was the case.

Now, however, I'm trying to figure something out. I've set up one
network to use 192.168.1.1-6, another to use 65-126

But I can't even ping between the two networks. (I can ping outside my
network, and from my router to any machine, but not from one network to
the other).

On my router:
the networks are:

iface eth1 inet static
address 192.168.1.65
netmask 255.255.255.192

iface eth2 inet static
address 192.168.1.1
netmask 255.255.255.248

netstat -r yields:
Destination     Gateway      Genmask          Flags  MSS  Window  irtt  Iface
external_ip     *            255.255.255.255  UH     0    0       0     ppp0
192.168.1.0     *            255.255.255.248  U      0    0       0     eth2
192.168.1.64    *            255.255.255.192  U      0    0       0     eth1
default         ext_ip                        UG     0    0       0     ppp0


On my machine with ip 192.168.1.3:
192.168.1.0     *            255.255.255.248  U      0    0       0     eth0
default         192.168.1.1  0.0.0.0          UG     0    0       0     eth0

with eth0 defined at address 192.168.1.3, netmask 255.255.255.248

So it looks to me like I have things set up correctly. Obviously,
something is still wrong though.

Do I need default gateways for eth1 and eth2? Doesn't seem like I
should... there is a default in the routing table, and the situation
that doesn't work is already defined by the routing table...

Any ideas? Need any more info?

--
Luke StClair
(E-Mail Removed)
PGP key: http://www.students.uiuc.edu/~clairst
 
Oliver O'Boyle

 
      01-28-2004, 07:39 AM


> That was very helpful... I had assumed that that was the case.
>
> Now, however, I'm trying to figure something out. I've set up one
> network to use 192.168.1.1-6, another to use 65-126


regardless of the actual addresses you plan on using, you should get
into the habit of describing your desired range by stating ALL usable
addresses in the range, or, by using a format similar to
192.168.1.0/29, or 192.168.1.64/26 respectively. otherwise it just
gets confusing. In other words, make sure you understand the ranges
defined by each mask.

>
> But I can't even ping between the two networks. (I can ping outside
> my network, and from my router to any machine, but not from one
> network to the other).
>


if i understand what you are saying correctly, you mean:

a) you are currently logged on to the router and pinging each subnet
that is locally connected to the router (i assume you are using a
linux box as a router).
b) if you log on to a machine in subnet 192.168.1.0/29, you can't
ping a machine in subnet 192.168.1.64/26, or vice versa.

c) if this is the case, I'm not exactly sure what you mean when you
say that you can ping "outside your network". are you connected to
another network (like the internet), or is this a closed network? I
assume you are talking about the internet.


> On my router:
> the networks are:
>
> iface eth1 inet static
> address 192.168.1.65
> netmask 255.255.255.192
>


ok, this looks fine. for the record, the network number here is
192.168.1.64/26

> iface eth2 inet static
> address 192.168.1.1
> netmask 255.255.255.248
>


this also looks ok. the network number here is 192.168.1.0/29.

the rest below is a little confusing. maybe i'm just really drunk,
which is entirely possible at this time of the night, but i'm missing
something. can you draw me a simple ASCII drawing of what your
network looks like. make sure you identify each computer, each
interface on the router, and their appropriate addresses and masks.

thanks...



> netstat -r yields:
> Destination     Gateway      Genmask          Flags  MSS  Window  irtt  Iface
> external_ip     *            255.255.255.255  UH     0    0       0     ppp0
> 192.168.1.0     *            255.255.255.248  U      0    0       0     eth2
> 192.168.1.64    *            255.255.255.192  U      0    0       0     eth1
> default         ext_ip                        UG     0    0       0     ppp0
>
>


however, just from what i can discern, it looks like you are not
trying to connect your machine .1.3 over ethernet. instead, it looks
like you are trying to dial in over a modem or something. can you
clarify?

> On my machine with ip 192.168.1.3:
> 192.168.1.0     *            255.255.255.248  U      0    0       0     eth0
> default         192.168.1.1  0.0.0.0          UG     0    0       0     eth0
>
> with eth0 defined at address 192.168.1.3, netmask 255.255.255.248
>
> So it looks to me like I have things set up correctly. Obviously,
> something is still wrong though.
>
> Do I need default gateways for eth1 and eth2? Doesn't seem like i
> should... there is a default in the routing table, and the
> situation that doesn't work is already defined by the routing
> table...
>
> Any ideas? Need any more info?
>


rather than going crazy over this (or trying to drink more alcohol at
this time), make sure that your ETHERNET network looks like this:

client(192.168.1.3/29)----->(192.168.1.1/29)router(192.168.1.65/26)<-----(192.168.1.66?/26)client

if you are using ppp (as a dial in for example) it should still look
the same for the most part.

make sure that your router has routing enabled...

good luck. i'm going away for a few days so i may not be able to
reply.

Oliver

> --
> Luke StClair
> (E-Mail Removed)
> PGP key: http://www.students.uiuc.edu/~clairst




 
Luke

 
      01-28-2004, 06:56 PM
On 2004-01-28, Oliver O'Boyle <(E-Mail Removed)> wrote:
>> Now, however, I'm trying to figure something out. I've set up one
>> network to use 192.168.1.1-6, another to use 65-126

>
> regardless of the actual addresses you plan on using, you should get
> into the habit of describing your desired range by stating ALL usable
> addresses in the range, or, by using a format similar to



Uh, isn't that range all the usable addresses? 1-6 and 65-126?
I do understand CIDR notation, I just want to put things in the most
error-prone form, to make sure I'm not missing something that you would
catch.

>>
>> But I can't even ping between the two networks. (I can ping outside
>> my network, and from my router to any machine, but not from one
>> network to the other).
>>

>
> a) you are currently logged on to the router and pinging each subnet
> that is locally connected to the router (i assume you are using a
> linux box as a router).
> b) if you log on to a machine in subnet 192.168.1.0/29, you can't
> ping a machine in subnet 192.168.1.64/26, or vice versa.


Yes

>
> c) if this is the case, I'm not exactly sure what you mean when you
> say that you can ping "outside your network". are you connected to
> another network (like the internet), or is this a closed network? I
> assume you are talking about the internet.


Sure. The internet.

>
>
>> On my router:
>> the networks are:
>>
>> iface eth1 inet static
>> address 192.168.1.65
>> netmask 255.255.255.192
>>


>> iface eth2 inet static
>> address 192.168.1.1
>> netmask 255.255.255.248
>>

>
>
> the rest below is a little confusing. maybe i'm just really drunk,
> which is entirely possible at this time of the night, but i'm missing
> something. can you draw me a simple ASCII drawing of what your
> network looks like. make sure you identify each computer, each
> interface on the router, and their appropriate addresses and masks.
>


Your representation below is correct.

>> netstat -r yields:

> like you are trying to dial in over a modem or something. can you
> clarify?


No, pppoe.

> rather than going crazy over this (or trying to drink more alcohol at
> this time), make sure that your ETHERNET network looks like this:


It does.

>
> client(192.168.1.3/29)----->(192.168.1.1/29)router(192.168.1.65/26)<-----(192.168.1.66?/26)client
>
> make sure that your router has routing enabled...


It does. All the computers on each subnet can get to the internet just
fine, and you saw the routing tables for the router in the previous
post. Is there more to having routing enabled here?

>
> good luck. i'm going away for a few days so i may not be able to
> reply.


Thanks...

--
Luke StClair
(E-Mail Removed)
PGP key: http://www.students.uiuc.edu/~clairst
 
Oliver O'Boyle

 
      01-28-2004, 08:53 PM


> Uh, isn't that range all the usable addresses? 1-6 and 65-126?
> I do understand CIDR notation, i just want to put things in the
> most error-prone form, to make sure I'm not missing something that
> you would catch.


yes, sorry, i had a brain lapse

> > c) if this is the case, I'm not exactly sure what you mean when
> > you say that you can ping "outside your network". are you
> > connected to another network (like the internet), or is this a
> > closed network? I assume you are talking about the internet.

>
> Sure. The internet.


> Your representation below is correct.
>


> > like you are trying to dial in over a modem or something. can you
> > clarify?

>
> No, pppoe.
>


client(192.168.1.3/29)----->(192.168.1.1/29)router(192.168.1.65/26)<-----(192.168.1.66?/26)client
                                              |
                                              |PPPoE
                                     (216.199.222.111)made up
                                             ISP
                                     (0.0.0.0) Internet

so the whole network looks like this then? with the link to the ISP
PPPoE (probably xDSL?)

What ethernet interface is the PPPoE using?

> > make sure that you router has routing enabled...

>
> It does. All the computers on each subnet can get to the internet
> just fine, and you saw the routing tables for the router in the
> previous post. Is there more to having routing enabled here?
>


shouldn't be. check the file /etc/sysconfig/network and make sure the
line 'FORWARD_IPV4=yes' is there just to make extra sure.

The forwarding of packets does not always happen as expected if your
machine is running as a firewall. firewalls are not routers. they
filter ip packets and redirect them through the filter code, they
don't route packets. therefore they don't usually require that
routing is enabled. Is your linux box configured as a firewall? If
so, certainly check the network file above and also, make sure that
your two inside networks aren't filtered somehow.

Oliver

> >
> > good luck. i'm going away for a few days so i may not be able to
> > reply.

>
> Thanks...
>
> --
> Luke StClair
> (E-Mail Removed)
> PGP key: http://www.students.uiuc.edu/~clairst




 
Luke

 
      01-28-2004, 09:47 PM
On 2004-01-28, Oliver O'Boyle <(E-Mail Removed)> wrote:
>> No, pppoe.
>>

>
> client(192.168.1.3/29)----->(192.168.1.1/29)router(192.168.1.65/26)<-----(192.168.1.66?/26)client
>                                               |
>                                               |PPPoE
>                                      (216.199.222.111)made up
>                                              ISP
>                                      (0.0.0.0) Internet
>
> so the whole network looks like this then? with the link to the ISP
> PPPoE (probably xDSL?)


Yep.

>
> What ethernet interface is the PPPoE using?
>


ppp0, as shown in the netstat -r from before
Just pretend it's an ethernet device.

> shouldn't be. check the file /etc/sysconfig/network and make sure the
> line 'FORWARD_IPV4=yes' is there just to make extra sure.


/proc/sys/net/ipv4/ip_forward is 1

>
> The forwarding of packets does not always happen as expected if your
> machine is running as a firewall. firewalls are not routers. they
> filter ip packets and redirect them through the filter code, they
> don't route packets. therefore they don't usually require that
> routing is enabled. Is your linux box configured as a firewall? If
> so, certainly check the network file above and also, make sure that
> your two inside networks aren't filtered somehow.


Filtering is not the problem. I've double-checked iptables rules.

--
Luke StClair
(E-Mail Removed)
PGP key: http://www.students.uiuc.edu/~clairst
 
Oliver O'Boyle

 
      01-28-2004, 10:48 PM


> ppp0, as shown in the netstat -r from before
> Just pretend it's an ethernet device.


ppp is a layer 2 protocol, and PPPoE is the same protocol over
ethernet in a point-to-point config, in your case, to your ISP. i'm
just curious to know which ethernet interface you are using to do
this. it just gives me a better picture of your network. i don't like
pretending anything because that's where we make mistakes.

>
> > shouldn't be. check the file /etc/sysconfig/network and make sure
> > the line 'FORWARD_IPV4=yes' is there just to make extra sure.

>
> /proc/sys/net/ipv4/ip_forward is 1
>


this is not the same thing. /proc/sys/net/ipv4/ip_forward is 1
applies to your firewall forwarding which, as i explained in the
previous email, is not routing. do you have a file called
/etc/sysconfig/network ? If so, is there a line in it called
'FORWARD_IPV4=yes'?


> >
> > The forwarding of packets does not always happen as expected if
> > your machine is running as a firewall. firewalls are not routers.
> > they filter ip packets and redirect them through the filter code,
> > they don't route packets. therefore they don't usually require
> > that routing is enabled. Is your linux box configured as a
> > firewall? If so, certainly check the network file above and also,
> > make sure that your two inside networks aren't filtered somehow.

>
> Filtering is not the problem. I've double-checked iptables rules.
>


ok. read the rest of it.

"The forwarding of packets does not always happen as expected if your
machine is running as a firewall. firewalls are not routers. they
filter ip packets and redirect them through the filter code, they
don't route packets. therefore they don't usually require that
routing is enabled."



> --
> Luke StClair
> (E-Mail Removed)
> PGP key: http://www.students.uiuc.edu/~clairst




 
Luke

 
      01-28-2004, 11:37 PM
On 2004-01-28, Oliver O'Boyle <(E-Mail Removed)> wrote:
>>
>> /proc/sys/net/ipv4/ip_forward is 1
>>

>
> this is not the same thing. /proc/sys/net/ipv4/ip_forward is 1
> applies to your firewall forwarding which, as i explained in the
> previous email, is not routing. do you have a file called
> /etc/sysconfig/network ? If so, is there a line in it called
> 'FORWARD_IPV4=yes'?


Whoo hoo! Fix!

So why is this not the same thing? I'll be googling it, but just out of
curiosity...


--
Luke StClair
(E-Mail Removed)
PGP key: http://www.students.uiuc.edu/~clairst
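
Added example, not part of any post in this thread: Python's standard ipaddress module reproduces the subnet arithmetic discussed above (the /28 and /25 ranges, why 255.255.255.247 is not a usable netmask, why 10.10.1.100-254 is not a single subnet) and the router's route selection for the 192.168.1.0/29 and 192.168.1.64/26 layout. The function names are illustrative, and the default route's genmask, which the posted table does not show, is assumed to be 0.0.0.0.

```python
import ipaddress

def parse_mask(mask):
    """Prefix length of a dotted netmask, or None if its 1-bits are not contiguous."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # A valid mask is all ones followed by all zeros, so inverted + 1 is a power of two.
    if inverted & (inverted + 1):
        return None
    return 32 - inverted.bit_length()

def describe(address, mask):
    """Network, broadcast and usable host range for an interface address and mask."""
    prefix = parse_mask(mask)
    if prefix is None:
        raise ValueError(f"{mask} is not a contiguous netmask")
    net = ipaddress.ip_interface(f"{address}/{prefix}").network
    hosts = list(net.hosts())
    return {"network": str(net), "broadcast": str(net.broadcast_address),
            "first": str(hosts[0]), "last": str(hosts[-1])}

def cidr_blocks(first, last):
    """CIDR blocks needed to cover the range first..last exactly."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]

def lookup(routes, destination):
    """Longest-prefix match: interface of the most specific route, or None."""
    dest = ipaddress.IPv4Address(destination)
    matches = [(net, iface) for net, iface in routes if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

# Router table as posted in the thread. The ppp0 host route is omitted, and the
# default route's genmask is an assumption (0.0.0.0), not a value from the post.
ROUTER_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/29"), "eth2"),
    (ipaddress.ip_network("192.168.1.64/26"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0"),
]

if __name__ == "__main__":
    # The mask from the first post: bit 3 is cleared in the middle of the host bits.
    print("255.255.255.247 ->", parse_mask("255.255.255.247"))
    # The two subnets suggested in the first reply.
    for addr, mask in [("10.10.1.1", "255.255.255.240"),
                       ("10.10.1.129", "255.255.255.128")]:
        print(describe(addr, mask))
    # The range asked for originally does not fit one mask.
    print(cidr_blocks("10.10.1.100", "10.10.1.254"))
    # Route selection on the router; 198.51.100.7 is a constructed outside address.
    for dest in ("192.168.1.3", "192.168.1.66", "198.51.100.7"):
        print(dest, "->", lookup(ROUTER_ROUTES, dest))
```
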
 