Thread: Routing mystery/misunderstanding

  1. #1

    Routing mystery/misunderstanding

    The mystery:
    Two physically separate network interfaces, lan1 (192.168.1.1, given by DHCP/4G router) and lan2 (192.168.nn.nnn static).
    Network set up by YaST, using the wicked service, no IPv4 (or IPv6) routing enabled, so no traffic between subnets 192.168.1.x and 192.168.nn.x should be possible, right?
    Yet, a Windows 7 host which has only one (enabled) interface, connected to lan2 with a static IP 192.168.nn.17, connects to the internet via 192.168.nn.153 (Leap 15.3), which is defined as the default gateway in the Win7 network setup. So what happens here seems to be that 192.168.nn.153 creates a route to the internet on a different subnet for 192.168.nn.17 (which is definitely what I do not want).

    How come the Win7 can connect to the internet router on another subnet than its own? Have I misunderstood something here?

  2. #2

    Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    192.168.nn.nnn static
    Obfuscating private addresses just makes it harder for anyone to answer and so less likely someone will bother at all.
    no IPv4 (or IPv6) routing enabled
    How do you know it? Show full commands and their output you used to verify it.
    How come the Win7 can connect to internet router on an other subnet than its' own?
    Show full log of
    Code:
    ip a
    ip r
    cat /proc/sys/net/ipv4/ip_forward
    grep . /proc/sys/net/ipv4/conf/*/forwarding
    on Linux and
    Code:
    ipconfig /all
    on Windows.

  3. #3

    Re: Routing mystery/misunderstanding

    Obfuscating? = not revealing or something similar, I guess (English is not my native language).
    I couldn't see that they were relevant here; I understood they can be anything.

    "no IPv4 (or IPv6) routing enabled"
    Actually, I don't really know, I just set them that way using Yast and thought that was enough. I don't know the commands to verify it.

    But:
    Code:
    staticlx153:~ # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: eth0_LAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:e0:76:5a:d9:f1 brd ff:ff:ff:ff:ff:ff
        altname enp3s0
        inet 192.168.38.153/24 brd 192.168.38.255 scope global eth0_LAN
           valid_lft forever preferred_lft forever
    3: eth1_WW: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 8c:89:a5:e3:9d:be brd ff:ff:ff:ff:ff:ff
        altname enp4s0
        inet 192.168.1.3/24 brd 192.168.1.255 scope global eth1_WW
           valid_lft forever preferred_lft forever
    and:
    Code:
    staticlx153:~ # ip r
    default via 192.168.1.1 dev eth1_WW proto dhcp 
    192.168.1.0/24 dev eth1_WW proto kernel scope link src 192.168.1.3 
    192.168.38.0/24 dev eth0_LAN proto kernel scope link src 192.168.38.153
    more:
    Code:
    staticlx153:~ # cat /proc/sys/net/ipv4/ip_forward
    1
    Is that really all I should get? Trying to guess what that means - does that mean that forwarding is enabled despite not setting it enabled with Yast?

    anyway, still more:
    Code:
    staticlx153:~ # grep . /proc/sys/net/ipv4/conf/*/forwarding
    /proc/sys/net/ipv4/conf/all/forwarding:1
    /proc/sys/net/ipv4/conf/default/forwarding:1
    /proc/sys/net/ipv4/conf/eth0_LAN/forwarding:1
    /proc/sys/net/ipv4/conf/eth1_WW/forwarding:0
    /proc/sys/net/ipv4/conf/lo/forwarding:1
    
    
    More guessing: looks like eth0_LAN (the "local" subnet .38.x) has forwarding enabled but eth1_WW (the "internet" subnet .1.x by DHCP) has not(?)
    Using Yast (Network settings > Routing), I don't see a way to set different settings per interface. Is manual editing a config file (which file would that be is unclear to me at this time) necessary here?

    In the Win7:
    Code:
    C:\Users\a>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : WORK
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter LAN:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       Physical Address. . . . . . . . . : D0-50-99-48-B8-27
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.38.17(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.38.153
       DNS Servers . . . . . . . . . . . : 192.168.38.153
       Primary WINS Server . . . . . . . : 192.168.38.153
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{D8B3D442-7AB6-4B55-B0C7-747B91CC57C5}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    The usefulness of the above is uncertain. At the time (fresh after Win7 startup) the machine seems to have connected to the internal network, not routed to the internet subnet.
    When, how or why it happened earlier is a mystery.
    Before writing here I did some desperate fiddling (I don't exactly remember what) but didn't find any obvious settings to change.

  4. #4

    Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    Obfuscating? = not revealing or something similar, I guess (english in not my native language).
    I couldn't see they were relevant here, I understood they can be anything.
    https://en.wikipedia.org/wiki/Obfuscation_(software)

    At least you did not specify if nn=1 or not. No, not posting reality will not help anybody to understand better, and without more effort, what you try to explain.
    Henk van Velden

  5. #5

    Re: Routing mystery/misunderstanding

    True, I didn't. The significance of 1 or not didn't occur to me. But otherwise, they make no difference (except for 0 and 255), right?

  6. #6

    Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    True, I didn't. The significance of 1 or not didn't occur to me. But otherwise, they make no difference (except for 0 and 255), right?
    I only want to show you that leaving out information while YOU think it is irrelevant may nevertheless be relevant to your potential helpers. One of the reasons to ask for help is that others may detect things you did not see (simply because it is very human to be blind to obvious details when trying to debug something). So do not hide details, but as long as they are not real passwords, etc. show them!

    What you did will at best give you a friendly remark not to do that (as did @arvidjaar). At worst people will simply stop reading your post at that point and go for another, more rewarding thread (or just for a beer).
    Henk van Velden

  7. #7

    Re: Routing mystery/misunderstanding

    Yes, I get your point.

  8. #8

    Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    Code:
    2: eth0_LAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:e0:76:5a:d9:f1 brd ff:ff:ff:ff:ff:ff
        altname enp3s0
        inet 192.168.38.153/24 brd 192.168.38.255 scope global eth0_LAN
           valid_lft forever preferred_lft forever
    3: eth1_WW: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 8c:89:a5:e3:9d:be brd ff:ff:ff:ff:ff:ff
        altname enp4s0
        inet 192.168.1.3/24 brd 192.168.1.255 scope global eth1_WW
           valid_lft forever preferred_lft forever
    So you have two interfaces in two different networks.
    Code:
    staticlx153:~ # cat /proc/sys/net/ipv4/ip_forward
    1
    Is that really all I should get?
    Yes
    does that mean that forwarding is enabled despite not setting it enabled with Yast?
    Correct. All that YaST does is drop a file in /etc/sysctl.d. If YaST says "routing not enabled" it just means the corresponding sysctl file is not present; but any program can change the sysctl later and anyone can drop another file in /etc/sysctl.d that overrides YaST's settings.
    Code:
    /proc/sys/net/ipv4/conf/eth0_LAN/forwarding:1
    /proc/sys/net/ipv4/conf/eth1_WW/forwarding:0
    
    So packets coming from your LAN where your Windows server is located will be forwarded.

    Do you use firewalld? Is it active?
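
The asymmetry arvidjaar points out (eth0_LAN forwarding:1, eth1_WW forwarding:0) comes from the kernel checking the forwarding flag of the interface a packet arrives on, not a single global switch. The following is an added example, not code from the thread or from openSUSE: a small Python model of that routing decision, fed with the routing table and per-interface flags exactly as posted for staticlx153. It deliberately ignores firewalld/nftables rules, NAT and rp_filter, so it says what the routing layer alone would do with the Win7 host's traffic, not whether replies actually got back.

```python
"""Simplified model of the Linux IPv4 routing/forwarding decision.

Added example for the thread above; not kernel code. Input data (routes,
forwarding flags, local addresses) are copied from the `ip r`, `grep ...
forwarding` and `ip a` output posted for staticlx153.
"""
import ipaddress

# Routing table as `ip r` printed it: (prefix, next-hop or None if on-link, device)
ROUTES = [
    ("0.0.0.0/0",       "192.168.1.1", "eth1_WW"),
    ("192.168.1.0/24",  None,          "eth1_WW"),
    ("192.168.38.0/24", None,          "eth0_LAN"),
]

# /proc/sys/net/ipv4/conf/<if>/forwarding as posted
FORWARDING_AS_POSTED = {"eth0_LAN": 1, "eth1_WW": 0, "lo": 1}

# Addresses configured on the box itself (from `ip a`)
LOCAL_ADDRS = {"192.168.38.153", "192.168.1.3", "127.0.0.1"}


def lookup(dst):
    """Longest-prefix match over ROUTES. Returns (gateway, device) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def route_input(in_dev, dst, forwarding=FORWARDING_AS_POSTED):
    """Decide what happens to a packet for dst that arrived on in_dev.

    Returns ("local",), ("forward", gateway, out_dev) or ("drop", reason).
    The kernel consults the forwarding flag of the *ingress* device
    (IN_DEV_FORWARD(in_dev) in net/ipv4/route.c), which is why
    eth0_LAN=1 / eth1_WW=0 behaves differently per direction.
    """
    if dst in LOCAL_ADDRS:
        return ("local",)
    if not forwarding.get(in_dev, 0):
        return ("drop", "forwarding disabled on ingress interface " + in_dev)
    found = lookup(dst)
    if found is None:
        return ("drop", "no route to " + dst)
    gw, out_dev = found
    return ("forward", gw, out_dev)


if __name__ == "__main__":
    win7 = "192.168.38.17"
    print("Win7 -> 8.8.8.8, in on eth0_LAN      :", route_input("eth0_LAN", "8.8.8.8"))
    print("8.8.8.8 -> Win7, in on eth1_WW       :", route_input("eth1_WW", win7))
    print("Win7 -> 192.168.38.153 (the box)     :", route_input("eth0_LAN", "192.168.38.153"))
    # What 70-yast.conf (ip_forward = 0) intends: every interface at 0
    all_off = {"eth0_LAN": 0, "eth1_WW": 0, "lo": 0}
    print("Win7 -> 8.8.8.8 with forwarding off  :", route_input("eth0_LAN", "8.8.8.8", all_off))
```

With the flags as posted, a packet from 192.168.38.17 to the internet entering on eth0_LAN is forwarded to 192.168.1.1 via eth1_WW, which is exactly the route the original poster did not want; the same packet with every interface at 0 is not forwarded. Whether anything comes back across eth1_WW (forwarding:0) additionally depends on the firewalld zones and masquerading, which the thread has not shown yet, so the authoritative check remains the `/proc/sys/net/ipv4/conf/*/forwarding` values on the box, not what YaST displays.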

  9. #9

    Re: Routing mystery/misunderstanding

    dcurtisfra:
    Thanks for pointing information sources, had a look at those. I need to have a closer look...

    arvidjaar:
    Yes, two, thinking that way I will have no problems keeping them separate.

    About /etc/sysctl.d:
    The directory contains a file "70-yast.conf", with content:
    Code:
    net.ipv4.ip_forward = 0
    net.ipv6.conf.all.forwarding = 0
    net.ipv6.conf.all.disable_ipv6 = 1
    which looks to me like what I wanted to get (no forwarding, no IPv6).
    But that's it, nothing else, no 50-*.conf files as I've seen before.
    Is it that the directory /etc/sysctl.d/ is not used anymore but YaST is not aware of that and happily writes there, thinking someone will read them?

    The Security and Hardening Guide dcurtisfra mentions says in "25.2 Masquerading basics":
    "However, the router must be configured before it can forward such packets. For security reasons, this is not enabled in a default installation. To enable it, add the line net.ipv4.ip_forward = 1 in the file /etc/sysctl.conf. Alternatively do this via YaST, for example by calling yast routing ip-forwarding on."
    I think I tried to do the opposite of this using Yast, failing.
    The file /etc/sysctl.conf reads:
    Code:
    ####
    #
    # /etc/sysctl.conf is meant for local sysctl settings
    #
    # sysctl reads settings from the following locations:
    #   /boot/sysctl.conf-<kernelversion>
    #   /lib/sysctl.d/*.conf
    #   /usr/lib/sysctl.d/*.conf
    #   /usr/local/lib/sysctl.d/*.conf
    #   /etc/sysctl.d/*.conf
    #   /run/sysctl.d/*.conf
    #   /etc/sysctl.conf
    #
    # To disable or override a distribution provided file just place a
    # file with the same name in /etc/sysctl.d/
    #
    # See sysctl.conf(5), sysctl.d(5) and sysctl(8) for more information
    #
    ####
    i.e. empty from the system's point of view. But as it mentions "/etc/sysctl.d/*.conf", one might think that the file "70-yast.conf" would be read(?).
    Should I add a line net.ipv4.ip_forward = 0 in the file /etc/sysctl.conf?


    About firewalld
    Yast2 - services manager says:
    Code:
    * firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
         Active: active (running) since Fri 2021-09-17 04:38:40 EEST; 5h 51min ago
           Docs: man:firewalld(1)
       Main PID: 1154 (firewalld)
          Tasks: 2 (limit: 4915)
         CGroup: /system.slice/firewalld.service
                 `-1154 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
    From the above I guess it is active (if Yast is to be trusted).
    So far, I have configured firewall with Yast. The Security and Hardening Guide, in 25.4 firewalld mentions firewall-config. I installed it and had a glimpse, need to dig it further to get some idea of it.
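
The header pasted from /etc/sysctl.conf lists where settings are read from but not how they combine, which is the crux of "YaST wrote ip_forward = 0, yet the kernel says 1". The following is an added example, not code from the thread or from openSUSE: a Python model of the layering rules from sysctl.d(5) (every *.conf fragment is applied in lexicographic order of its filename, whatever directory it lives in, and a file of the same name in a later directory of the pasted search order shadows the earlier one), with /etc/sysctl.conf applied after the fragments as the header says, and anything written at runtime (`sysctl -w`, a daemon, a network manager) on top of all of that. Only 70-yast.conf is real; the other file contents and paths are constructed for illustration.

```python
"""Model of how sysctl settings layer at boot and afterwards.

Added example for the thread above; not sysctl itself. The search order
follows the /etc/sysctl.conf header the original poster pasted; the
"lexicographic order of filename" rule is from sysctl.d(5).
"""
import os

SEARCH_ORDER = [            # from the pasted header, /boot file left out
    "/lib/sysctl.d",
    "/usr/lib/sysctl.d",
    "/usr/local/lib/sysctl.d",
    "/etc/sysctl.d",
    "/run/sysctl.d",
]
LOCAL_CONF = "/etc/sysctl.conf"   # applied after all fragments per the header

# Real content of /etc/sysctl.d/70-yast.conf as posted in the thread
YAST_CONF = """\
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1
"""

# Constructed scenarios (the 90-local.conf and 50-default.conf files are
# hypothetical, used only to show the precedence rules)
FILES_AS_POSTED = {"/etc/sysctl.d/70-yast.conf": YAST_CONF}
FILES_WITH_LATER_FRAGMENT = dict(FILES_AS_POSTED)
FILES_WITH_LATER_FRAGMENT["/etc/sysctl.d/90-local.conf"] = "net.ipv4.ip_forward = 1\n"
FILES_WITH_SAME_NAME = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 2\n",
    "/etc/sysctl.d/50-default.conf":     "net.ipv4.conf.all.rp_filter = 1\n",
}


def parse_sysctl(text):
    """Parse 'key = value' lines; '#'/';' start comments, '/' in keys means '.'."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip().replace("/", ".")] = value.strip()
    return out


def effective_sysctl(files, runtime_writes=()):
    """Return ({key: value}, {key: origin}) for a given set of files.

    files:          {absolute path: contents}
    runtime_writes: [(key, value), ...] applied after boot, e.g. sysctl -w
    """
    # 1. a fragment with the same basename in a later directory shadows the earlier one
    chosen = {}
    for directory in SEARCH_ORDER:
        for path in files:
            if os.path.dirname(path) == directory and path.endswith(".conf"):
                chosen[os.path.basename(path)] = path
    # 2. surviving fragments apply in lexicographic filename order: 90-* beats 70-*
    settings, origin = {}, {}
    for name in sorted(chosen):
        for key, value in parse_sysctl(files[chosen[name]]).items():
            settings[key], origin[key] = value, chosen[name]
    # 3. /etc/sysctl.conf after the fragments
    if LOCAL_CONF in files:
        for key, value in parse_sysctl(files[LOCAL_CONF]).items():
            settings[key], origin[key] = value, LOCAL_CONF
    # 4. runtime writes overwrite /proc/sys regardless of any file
    for key, value in runtime_writes:
        settings[key], origin[key] = value, "runtime write"
    return settings, origin


def where_from(files, key, runtime_writes=()):
    """Convenience: (value, origin) for one key, or (None, None) if unset."""
    settings, origin = effective_sysctl(files, runtime_writes)
    return settings.get(key), origin.get(key)


if __name__ == "__main__":
    key = "net.ipv4.ip_forward"
    print("only 70-yast.conf        :", where_from(FILES_AS_POSTED, key))
    print("plus 90-local.conf       :", where_from(FILES_WITH_LATER_FRAGMENT, key))
    print("plus a runtime sysctl -w :", where_from(FILES_AS_POSTED, key, [(key, "1")]))
    print("same name, /etc vs /usr  :", where_from(FILES_WITH_SAME_NAME, "net.ipv4.conf.all.rp_filter"))
```

The model shows why the file YaST wrote proves nothing about the running kernel: a later-sorting fragment, /etc/sysctl.conf, or a plain runtime write all win over 70-yast.conf, and YaST only reports on its own file. The value that matters is the one in /proc/sys (`sysctl net.ipv4.ip_forward` and the per-interface `conf/*/forwarding` files already listed earlier in the thread), and if it differs from the files, something wrote it after boot.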

  10. #10

    Re: Routing mystery/misunderstanding

    Quote Originally Posted by JM View Post
    Yast2 - services manager says:
    Code:
    * firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
         Active: active (running) since Fri 2021-09-17 04:38:40 EEST; 5h 51min ago
           Docs: man:firewalld(1)
       Main PID: 1154 (firewalld)
          Tasks: 2 (limit: 4915)
         CGroup: /system.slice/firewalld.service
                 `-1154 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
    From the above I guess it is active (if Yast is to be trusted).
    Well, YaST only copied the output of
    Code:
    systemctl status firewalld.service
    Thus it is innocent, whatever you see.
    Henk van Velden
