routing - newbie-question

 
 
Wolf Grossi
      04-15-2004, 05:04 PM
Hi folks,

This is certainly a beginners problem - and I cannot solve it:
the System is a linux 2.4.18, magro1.magro 200.0.0.140
I have permission to login to server SERV1 ip 200.1.1.1
There is a subnet behind SERV1 87.0.0.0
I want to access SUBSERV 87.0.0.40

isp-gateway and both servers have an entry in /etc/hosts
eth0 is the local device, eth1 the external.

on my machine i have the following routing:
Destination     Gateway         Genmask         Flags Met Ref Use Iface
isp-gateway     *               255.255.255.255 UH    0   0   0   eth1
192.168.0.0     *               255.255.255.0   U     0   0   0   eth0
default         isp-gateway     0.0.0.0         UG    0   0   0   eth1

now I add the desired routes:
route add -host SERV1 eth1
route add -net 87.0.0.0 netmask 255.255.255.0 gw SERV1

resulting in
Destination     Gateway         Genmask         Flags Met Ref Use Iface
SERV1           *               255.255.255.255 UH    0   0   0   eth1
isp-gateway     *               255.255.255.255 UH    0   0   0   eth1
192.168.0.0     *               255.255.255.0   U     0   0   0   eth0
87.0.0.0        SERV1           255.255.255.0   UG    0   0   0   eth1
default         isp-gateway     0.0.0.0         UG    0   0   0   eth1

this makes SERV1 unavailable:
traceroute SERV1
traceroute to SERV1 (200.1.1.1), 30 hops max, 40 byte packets
1 magro1.magro (200.0.0.140) 1699 ms !H 2999 ms


What am I doing wrong?

Thanks for reading and hints
Wolf





 
Ralf Herrmann
      04-15-2004, 09:33 PM
Hi,

I'm not really familiar with all those routing issues, but maybe I can help.

> I have permission to login to server SERV1 ip 200.1.1.1
> There is a subnet behind SERV1 87.0.0.0
> I want to access SUBSERV 87.0.0.40


Two basic things:

1. There are IP address ranges, which might be used within private networks.
E.g. 192.168.0.0/16. This is used for machines within a LAN.
When these machines communicate with the internet, these IPs are never seen
there because they have to use a gateway to do so.

This gateway has a normal IP-address, which makes it unique in the whole
internet (e.g. this IP is only used by this host, while the private IPs
like 192.168.10.9 may be used in any LAN all over the world)

2. To get access to a machine with a normal/public IP-address, you only need
to use the routing capability of your ISP.

This is done by using his default gateway.

If you want to access a machine on a private network,
you have to connect to the gateway of this network
and from this machine you can reach the local one.

You can only access services on the private machine in a direct
manner, if the network's gateway forwards your service request
(e.g. FTP on port 21) to that host.
From your side of things, you would use the public IP of the gateway
instead of the local IP of the destination host.


Well doesn't look like a private subnet behind SERV1.
You should be able to access 87.0.0.40 directly.
Try pinging the host with your normal route config.
If this fails, you may never succeed anyway;-)

If you connect to some other PC when using 87.0.0.40 than the one
you expected, the machine you are trying to reach is really in a
private LAN (behind the gateway SERV1) and you can only access
it directly from SERV1 but not from your site.

Well I'm really confused about the IP 87.0.0.40, because this IP
doesn't belong to a range usable in private networks.
If it's a public machine instead, it should simply be reachable
via your default route (ISP-Gateway).

In this case you don't need to add anything to your route config.

> on my machine i have the following routing:
> Destination     Gateway         Genmask         Flags Met Ref Use Iface
> isp-gateway     *               255.255.255.255 UH    0   0   0   eth1
> 192.168.0.0     *               255.255.255.0   U     0   0   0   eth0
> default         isp-gateway     0.0.0.0         UG    0   0   0   eth1


This is all you need. See comments below.....

> route add -host SERV1 eth1


This is not necessary or may even cause problems.
As SERV1 has a public IP, any request to this host
is routed to your ISP's gateway. It has the route capability
to do this by itself.

You would need this, if SERV1 is someway directly connected to your eth1
interface and if it's not reachable by your own network config (e.g. it
is on another subnet).

> route add -net 87.0.0.0 netmask 255.255.255.0 gw SERV1


Well, see comment above. Most likely you cannot use SERV1
as a gateway to 87.0.0.40.
In fact, SERV1 provides internet access to all local hosts
connected to its LAN. And not vice versa.
But if these hosts (like 87.0.0.40) are public machines as well
as SERV1 you can reach them directly through your ISP-Gateway.

I hope I didn't confuse you too much.

Basically I think you don't need any other route entry.
If you don't get things to work as you want this way, it might
be impossible or at least far more difficult than adding some
route lines.

HTH

Ralf



 
David Efflandt
      04-16-2004, 04:47 AM
On Thu, 15 Apr 2004 19:04:15 +0200, Wolf Grossi <ng-(E-Mail Removed)> wrote:
> Hi folks,
>
> This is certainly a beginners problem - and I cannot solve it:
> the System is a linux 2.4.18, magro1.magro 200.0.0.140
> I have permission to login to server SERV1 ip 200.1.1.1
> There is a subnet behind SERV1 87.0.0.0
> I want to access SUBSERV 87.0.0.40
>
> isp-gateway and both servers have an entry in /etc/hosts
> eth0 is the local device, eth1 the external.
>
> on my machine i have the following routing:
> Destination     Gateway         Genmask         Flags Met Ref Use Iface
> isp-gateway     *               255.255.255.255 UH    0   0   0   eth1
> 192.168.0.0     *               255.255.255.0   U     0   0   0   eth0
> default         isp-gateway     0.0.0.0         UG    0   0   0   eth1
>
> now I add the desired routes:
> route add -host SERV1 eth1
> route add -net 87.0.0.0 netmask 255.255.255.0 gw SERV1
>
> resulting in
> Destination     Gateway         Genmask         Flags Met Ref Use Iface
> SERV1           *               255.255.255.255 UH    0   0   0   eth1
> isp-gateway     *               255.255.255.255 UH    0   0   0   eth1
> 192.168.0.0     *               255.255.255.0   U     0   0   0   eth0
> 87.0.0.0        SERV1           255.255.255.0   UG    0   0   0   eth1
> default         isp-gateway     0.0.0.0         UG    0   0   0   eth1
>
> this makes SERV1 unavailable:


A gateway has to be a directly connected remote IP (one that shows up in
'/sbin/arp -a' after you have used it). You are telling Linux that SERV1
is locally connected to eth1. If it is not, then that is the reason it
becomes unreachable and pointless to use as a gateway.

If for some reason public IP 87.0.0.40 is not reachable through normal
internet routing and only from SERV1, either admin of SERV1 would have to
forward in the port(s) you need, or you would have to tunnel to SERV1. One
possibility is ssh using TCP port forwarding (which can be done without
root access to SERV1), or with a VPN (which root would have to configure
on destination).

For example I have used ssh to connect to our company mail server (without
root access) and forward ports to enable me to connect to things on
private LAN (intranet web server, HP3000 computer, JetDirect at our
office, etc.)

--
David Efflandt - All spam ignored http://www.de-srv.com/
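
Added example, not part of David Efflandt's post or of the thread: a small Python model of the route lookup, showing why the two added routes make SERV1 unreachable. The isp-gateway address 200.0.0.1 and the eth1 segment prefix 200.0.0.0/24 are assumptions, since the thread does not state them.

```python
import ipaddress

# Constructed model of the thread's setup. SERV1 = 200.1.1.1 and the
# 87.0.0.0/24 and 192.168.0.0/24 networks are from the thread; the
# isp-gateway address and the eth1 segment prefix are assumptions.
ISP_GW = "200.0.0.1"                      # assumed, not given in the thread
SERV1 = "200.1.1.1"
SEGMENTS = {"eth0": "192.168.0.0/24",     # what is physically on each wire
            "eth1": "200.0.0.0/24"}       # assumed prefix around 200.0.0.140

# (destination, gateway or None for an on-link route, interface)
BEFORE = [
    (ISP_GW + "/32", None, "eth1"),
    ("192.168.0.0/24", None, "eth0"),
    ("0.0.0.0/0", ISP_GW, "eth1"),
]
AFTER = BEFORE + [
    (SERV1 + "/32", None, "eth1"),        # route add -host SERV1 eth1
    ("87.0.0.0/24", SERV1, "eth1"),       # route add -net 87.0.0.0 ... gw SERV1
]

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw, dev) for net, gw, dev in table
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def arp_target(table, dst):
    """Return (interface, address the host must resolve via ARP) for dst."""
    route = lookup(table, dst)
    if route is None:
        return None
    _, gw, dev = route
    return (dev, gw if gw else dst)       # on-link routes ARP for dst itself

def deliverable(table, dst):
    """True only if the ARP target really sits on that interface's segment."""
    hop = arp_target(table, dst)
    if hop is None:
        return False
    dev, target = hop
    return ipaddress.ip_address(target) in ipaddress.ip_network(SEGMENTS[dev])

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        for dst in (SERV1, "87.0.0.40"):
            print(name, dst, arp_target(table, dst), deliverable(table, dst))
```

With the original table, traffic to SERV1 is handed to the isp-gateway; after the host route is added, the machine tries to resolve 200.1.1.1 directly on eth1, which matches the `!H` reported by traceroute from the local host.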
 
Wolf Grossi
      04-16-2004, 07:22 AM
Thanks a lot for your explanation!

[snip]
>
> Well doesn't look like a private subnet behind SERV1.
> You should be able to access 87.0.0.40 directly.
> Try pinging the host with your normal route config.
> If this fails, you may never succeed anyway;-)

Unfortunately, the subnet behind SERV1 is actually using the public
87.0.0.0 numbers (historical reasons...)

>
> If you connect to some other PC when using 87.0.0.40 than the one
> you expected, the machine you are trying to reach is really in a
> private LAN (behind the gateway SERV1) and you can only access
> it directly from SERV1 but not from your site.

OK.

>
> Well I'm really confused about the IP 87.0.0.40, because this IP
> doesn't belong to a range usable in private networks.

Well, it's behind SERV1...

> If it's a public machine instead, it should simply be reachable
> via your default route (ISP-Gateway).
>
> In this case you don't need to add anything to your route config.

Yes, if ... :-)

[snip]

>
>
> Well, see comment above. Most likely you cannot use SERV1
> as a gateway to 87.0.0.40.
> In fact, SERV1 provides internet access to all local hosts
> connected to its LAN. And not vice versa.
> But if these hosts (like 87.0.0.40) are public machines as well
> as SERV1 you can reach them directly through your ISP-Gateway.
>
> I hope I didn't confuse you too much.

Well, no... :-)

As I understand, an access path to SUBSERV1 *cannot* be established by
plain routing.

Thanks for your time
Wolf
 
Wolf Grossi
      04-16-2004, 07:27 AM

Thank you very much for your explanation, it is clear now that I cannot
solve the task with routing.
Wolf

> On Thu, 15 Apr 2004 19:04:15 +0200, Wolf Grossi <ng-(E-Mail Removed)> wrote:
>
>>Hi folks,
>>
>>This is certainly a beginners problem - and I cannot solve it:
>>the System is a linux 2.4.18, magro1.magro 200.0.0.140
>>I have permission to login to server SERV1 ip 200.1.1.1
>>There is a subnet behind SERV1 87.0.0.0
>>I want to access SUBSERV 87.0.0.40
>>
>>isp-gateway and both servers have an entry in /etc/hosts
>>eth0 is the local device, eth1 the external.
>>
>>on my machine i have the following routing:
>>Destination     Gateway         Genmask         Flags Met Ref Use Iface
>>isp-gateway     *               255.255.255.255 UH    0   0   0   eth1
>>192.168.0.0     *               255.255.255.0   U     0   0   0   eth0
>>default         isp-gateway     0.0.0.0         UG    0   0   0   eth1
>>
>>now I add the desired routes:
>>route add -host SERV1 eth1
>>route add -net 87.0.0.0 netmask 255.255.255.0 gw SERV1
>>
>>resulting in
>>Destination     Gateway         Genmask         Flags Met Ref Use Iface
>>SERV1           *               255.255.255.255 UH    0   0   0   eth1
>>isp-gateway     *               255.255.255.255 UH    0   0   0   eth1
>>192.168.0.0     *               255.255.255.0   U     0   0   0   eth0
>>87.0.0.0        SERV1           255.255.255.0   UG    0   0   0   eth1
>>default         isp-gateway     0.0.0.0         UG    0   0   0   eth1
>>
>>this makes SERV1 unavailable:

>
>
> A gateway has to be a directly connected remote IP (one that shows up in
> '/sbin/arp -a' after you have used it). You are telling Linux that SERV1
> is locally connected to eth1. If it is not, then that is the reason it
> becomes unreachable and pointless to use as a gateway.
>
> If for some reason public IP 87.0.0.40 is not reachable through normal
> internet routing and only from SERV1, either admin of SERV1 would have to
> forward in the port(s) you need, or you would have to tunnel to SERV1. One
> possibility is ssh using TCP port forwarding (which can be done without
> root access to SERV1), or with a VPN (which root would have to configure
> on destination).
>
> For example I have used ssh to connect to our company mail server (without
> root access) and forward ports to enable me to connect to things on
> private LAN (intranet web server, HP3000 computer, JetDirect at our
> office, etc.)
>

 