simple routing on dual homed Fedora 6

 
 
tilopa

 
      11-10-2006, 08:10 PM
I have a dual homed Fedora 6 box that is behind our firewall on the
LAN. I am just trying to use it to segment 2 broadcast domains, 1st
domain is 172.16.1.0 255.255.255.0 2nd domain is 10.1.10.0
255.255.255.0. eth0 has a 172 address and eth1 has a 10 address. In
/etc/sysconfig/network I have GATEWAY=172.x.x.x (which is the gateway
to the internet for our LAN) and GATEWATDEV=eth0. In
/etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 I have listed
IP, mask, etc. for 127.x.x.x and 10.x.x.x respectively.

I can ping out to the internet just fine. But any devices behind the
eth1 (10.1.10.0 network) fail. When I try to do a ping -I eth1 "to the
ip of eth0" it fails with "network unreachable". Same if I ping from
eth0 to eth1.
What am I missing here? I would not think I would need anything else in
the route table.

 
 
 
 
 
Bill Marcum

 
      11-11-2006, 05:15 PM
On 10 Nov 2006 13:10:27 -0800, tilopa
<(E-Mail Removed)> wrote:
> I have a dual homed Fedora 6 box that is behind our firewall on the
> LAN. I am just trying to use it to segment 2 broadcast domains, 1st
> domain is 172.16.1.0 255.255.255.0 2nd domain is 10.1.10.0
> 255.255.255.0. eth0 has a 172 address and eth1 has a 10 address. In
> /etc/sysconfig/network I have GATEWAY=172.x.x.x (which is the gateway
> to the internet for our LAN) and GATEWATDEV=eth0. In
> /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 I have listed
> IP, mask, etc. for 127.x.x.x and 10.x.x.x respectively.
>
> I can ping out to the internet just fine. But any devices behind the
> eth1 (10.1.10.0 network) fail. When I try to do a ping -I eth1 "to the
> ip of eth0" it fails with "network unreachable". Same if I ping from
> eth0 to eth1.
> What am I missing here? I would not think I would need anything else in
> the route table.
>

echo 1 >/proc/sys/net/ipv4/ip_forward


--
"Pay no attention to the man behind the curtain."
-- Karl, as he stepped behind the computer to reboot it, during a FAT
 
 
Moe Trin

 
      11-12-2006, 01:35 AM
On 10 Nov 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, tilopa wrote:

>I can ping out to the internet just fine. But any devices behind the
>eth1 (10.1.10.0 network) fail. When I try to do a ping -I eth1 "to the
>ip of eth0" it fails with "network unreachable". Same if I ping from
>eth0 to eth1.
>What am I missing here? I would not think I would need anything else in
>the route table.


Couple of things to look at:

1. Does the routing table on the dual home box look right?
2. Cat /proc/sys/net/ipv4/ip_forward Is it a '1' (controlled by a
variable "FORWARD_IPV4" in /etc/sysconfig/network)
3. Do the other systems know to use the dual home box as a router?

This sounds more like '2' is the problem, but people often forget that
all systems have to know how to send packets to all others, because they
really can't follow the bread-crumbs back to the system that is calling.

Old guy
 
 
tilopa

 
      11-13-2006, 04:15 PM
> Couple of things to look at:
>
> 1. Does the routing table on the dual home box look right?
> 2. Cat /proc/sys/net/ipv4/ip_forward Is it a '1' (controlled by a
> variable "FORWARD_IPV4" in /etc/sysconfig/network)
> 3. Do the other systems know to use the dual home box as a router?
>
> This sounds more like '2' is the problem, but people often forget that
> all systems have to know how to send packets to all others, because they
> really can't follow the bread-crumbs back to the system that is calling.
>
> Old guy


Thanks for the reply to both of you.

When I cat /proc/sys/net/ipv4/ip_forward I get a 1.
In /etc/sysconfig/network I have:
FORWARD_IPV4=yes

The routing tables look fine. I uninstalled the iptables rpm, but I am
wondering if there is anything leftover from it that is blocking
traffic.

 
 
Clifford Kite

 
      11-13-2006, 08:18 PM
tilopa <(E-Mail Removed)> wrote:
> I have a dual homed Fedora 6 box that is behind our firewall on the
> LAN. I am just trying to use it to segment 2 broadcast domains, 1st
> domain is 172.16.1.0 255.255.255.0 2nd domain is 10.1.10.0
> 255.255.255.0. eth0 has a 172 address and eth1 has a 10 address. In
> /etc/sysconfig/network I have GATEWAY=172.x.x.x (which is the gateway
> to the internet for our LAN) and GATEWATDEV=eth0. In
> /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 I have listed
> IP, mask, etc. for 127.x.x.x and 10.x.x.x respectively.


> I can ping out to the internet just fine. But any devices behind the
> eth1 (10.1.10.0 network) fail. When I try to do a ping -I eth1 "to the
> ip of eth0" it fails with "network unreachable". Same if I ping from
> eth0 to eth1.
> What am I missing here? I would not think I would need anything else in
> the route table.


It sounds like a ping to the IP address of one interface is generated
from within the Fedora box but with the source address of the other
interface. If so then, since the interfaces are on different subnets,
the ARPs will fail. Check for "who-has" with tcpdump.

--
Clifford Kite
/* Better is the enemy of good enough. */
 
 
tilopa

 
      11-14-2006, 03:58 PM
> It sounds like a ping to the IP address of one interface is generated
> from within the Fedora box but with the source address of the other
> interface. If so then, since the interfaces are on different subnets,
> the ARPs will fail. Check for "who-has" with tcpdump.
>
> --
> Clifford Kite
> /* Better is the enemy of good enough. */


Clifford,
I did a tcpdump and looked at the who-has. Not exactly sure what I am
looking for, it shows arp requests and "tell", but it is a little
confusing because it will arp request for example ip 172.16.1.18 and
the tell will come from 172.16.1.68 which is not a gateway or
anything just another port on the switch. So... can you tell me what I
should be looking for here.
Thanks.

Just to be more clear about the whole scenario I'd like to break it
down with a little more detail.

I have a Fedora 6 box with 2 ethernet cards.
Eth0 = 172.16.1.1
Eth1 = 10.1.10.1

Connected to Eth0 I have a switch that has another computer with IP of
172.16.1.14 (actually I have several computers on that switch, but this
is the 1 I'm testing with). Also on that same switch I have connected
the inside interface of a Pix firewall with IP of 172.16.1.2.
(I know the Pix will be looked at as the suspicious piece in all this
but I have configured it wide open, and I can ping through it to the
internet).
Connected to Eth1 I have a switch with 2 systems connected with IP's of
10.1.10.12 and 14.

My routing table is such that my default gw is the pix 172.16.1.2
everything else in the routing table is by default.

When I try and ping from the 10.1.10.12 box to the either Eth0 or Eth1
interfaces it works. When I try and ping to the 172.16.1.14 box it
fails.
When I ping from the 172.16.1.14 box to either Eth0 or Eth1 interfaces
it works. When I ping to the 10.1.10.12 box it fails.
On the Fedora box itself I am successful in pinging out to the internet
and to either the 10.1.10.12 or 172.16.1.14 boxes.
HELP!!!

 
 
Clifford Kite

 
      11-15-2006, 03:28 PM
tilopa <(E-Mail Removed)> wrote:

> Just to be more clear about the whole scenario I'd like to break it
> down with a little more detail.


> I have a Fedora 6 box with 2 ethernet cards.
> Eth0 = 172.16.1.1
> Eth1 = 10.1.10.1


> Connected to Eth0 I have a switch that has another computer with IP of
> 172.16.1.14 (actually I have several computers on that switch, but this
> is the 1 I'm testing with). Also on that same switch I have connected
> the inside interface of a Pix firewall with IP of 172.16.1.2.
> (I know the Pix will be looked at as the suspicious piece in all this
> but I have configured it wide open, and I can ping through it to the
> internet).
> Connected to Eth1 I have a switch with 2 systems connected with IP's of
> 10.1.10.12 and 14.


> My routing table is such that my default gw is the pix 172.16.1.2
> everything else in the routing table is by default.


Okay, this is my take on your setup from the above description:

SW0-Box0(Eth0:172.16.1.2, FW) <-> Cloud
||__Box1(Eth0:172.16.1.1, 10.1.10.1:Eth1)-SW1-Box3(Eth0:10.1.10.12)
|___Box2(Eth0:172.16.1.14)                |__Box4(Eth0:10.1.10.14)

> When I try and ping from the 10.1.10.12 box to the either Eth0 or Eth1
> interfaces it works. When I try and ping to the 172.16.1.14 box it
> fails.


Try adding these network gateway routes on Box1:

route add -net 172.16.1.0/24 gw 172.16.1.1
route add -net 10.1.10.0/24 gw 10.1.10.1

(The networks are based on your first post)

You also may or may not need to configure proxy-arp with

arp -Ds 172.16.1.1 eth0 pub
arp -Ds 10.1.10.1 eth1 pub

on Box1. Man arp, man 7 arp - search the pages for proxy.

Experimenting without a setup similar to yours was inconclusive.
Hence, no guarantee this will work.

> When I ping from the 172.16.1.14 box to either Eth0 or Eth1 interfaces
> it works. When I ping to the 10.1.10.12 box it fails.
> On the Fedora box itself I am successful in pinging out to the internet
> and to either the 10.1.10.12 or 172.16.1.14 boxes.
> HELP!!!


HTH
--
Clifford Kite
/* In my book, the first poster to resort to personal abuse in a Usenet
debate loses by default. - Rod Smith */
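
Added example, not part of any post in the thread: a small model of the topology above that applies the checks raised in the replies (ip_forward on the dual-homed box, and whether the other systems have a route back through it) by following the echo request and the echo reply hop by hop. The interface addresses come from the thread; the routing tables assumed for Box2, Box3 and the PIX, the `upstream` placeholder and all function names are constructed for illustration.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: gateway IP, "on-link", or None when no route matches."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def deliver(hosts, src, dst, max_hops=8):
    """Follow one packet from host `src` to IP `dst`; return (delivered, path)."""
    owner = {ip: name for name, h in hosts.items() for ip in h["addrs"]}
    node, path = src, [src]
    for _ in range(max_hops):
        if dst in hosts[node]["addrs"]:
            return True, path
        if node != src and not hosts[node]["forward"]:
            return False, path              # ip_forward is 0: transit packet dropped
        hop = next_hop(hosts[node]["routes"], dst)
        target = dst if hop == "on-link" else hop
        if target not in owner:
            return False, path              # no route, or next hop leaves the model
        node = owner[target]
        path.append(node)
    return False, path

def ping(hosts, src, dst_ip):
    """Echo request out, echo reply back; both directions must be routable."""
    ok, out = deliver(hosts, src, dst_ip)
    if not ok:
        return False, out, []
    ok, back = deliver(hosts, out[-1], hosts[src]["addrs"][0])
    return ok, out, back

def topology(box2_static_route=False, box1_forward=True):
    """Addresses from the thread; Box2/Box3/PIX routing tables are assumptions."""
    lan, dmz = ("172.16.1.0/24", "on-link"), ("10.1.10.0/24", "on-link")
    box2 = [lan, ("0.0.0.0/0", "172.16.1.2")]           # assumed: default via the PIX
    if box2_static_route:
        box2.append(("10.1.10.0/24", "172.16.1.1"))     # return route via Box1
    return {
        "box1": {"addrs": ["172.16.1.1", "10.1.10.1"], "forward": box1_forward,
                 "routes": [lan, dmz, ("0.0.0.0/0", "172.16.1.2")]},
        "pix": {"addrs": ["172.16.1.2"], "forward": True,
                "routes": [lan, ("0.0.0.0/0", "upstream")]},  # "upstream": placeholder
        "box2": {"addrs": ["172.16.1.14"], "forward": False, "routes": box2},
        "box3": {"addrs": ["10.1.10.12"], "forward": False,
                 "routes": [dmz, ("0.0.0.0/0", "10.1.10.1")]},  # assumed gateway
    }
```

Under these assumed tables, `ping(topology(), "box3", "172.16.1.14")` shows the request arriving through Box1 while the reply leaves Box2 toward the PIX and never comes back; passing `box2_static_route=True` gives Box2 a route to 10.1.10.0/24 through 172.16.1.1 and the round trip completes.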

 