advanced routing

hi all,

i have a machine with two network cards each one with different gateways that routes with several lans.

eth0 goes perfectly from my machine to any lan through its gateway and vice versa from any lan to my machine.

my problem is with eth1. i configure the gateway with “route” command and then, i can do a ping,traceroute from my machine to any lan but if i do a ping from lan to my machine ping fails.

when i turn off eth0, eth1 is fine.

i configure it with ifup command and firewall is disabled but could be some conflict to use ifup/network manager?

my question: I need something more like a firewall or is it simply a problem of the routing table?

sorry for my english, i hope you understand

Welcome to these forums sunevil.

At least you should provide some technical information like which version of openSUSE, output of

ifconfig -a

and

route -n

and maybe more that you think is important to give people at the other side of the globe an idea about what you are doing.

And, while you are new here, and the feature is rather hidden, I ask you to post computer text between CODE tags per: Posting in Code Tags - A Guide

Thank you,

i use suse 11.

my actual configuration is that. (now only with eth0)

eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:10.50.80.35  Bcast:10.50.80.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:147989 errors:0 dropped:388 overruns:0 frame:0
          TX packets:149448 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14531319 (13.8 Mb)  TX bytes:20875180 (19.9 Mb)
          Interrupt:90 Memory:c8000000-c8012100
eth1      Link encap:Ethernet  HWaddr 11:11:11:11:11:11
          inet addr:10.50.81.35  Bcast:10.50.81.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14425 errors:0 dropped:4031 overruns:0 frame:0
          TX packets:7193 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2091635 (1.9 Mb)  TX bytes:2235864 (2.1 Mb)
          Interrupt:177 Memory:ce000000-ce012100
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:25858602 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25858602 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4222451069 (4026.8 Mb)  TX bytes:4222451069 (4026.8 Mb)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.50.80.0      *               255.255.255.0   U     0      0        0 eth0
10.50.81.0      *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0          U     0      0        0 lo
default         10.50.80.1      0.0.0.0          UG    0      0       0 eth0

i think if i run


route add -net 79.51.20.0 netmask 255.255.255.0 gw 10.50.81.1 dev eth1

i should be able to ping from/to my machine to/from subnet 79.xx.xx.xx

i use suse 11.

That is a bit vague. To begin with we are here on the openSUSE forums. Supported versions are at this moment in time openSUSE 11.3 and openSUSE 11.4
When you forgot what you installed, please post the output of

cat /etc/SuSE-release

Also your computer output looks strange. As an example I give below the output of netstat on my system:

henk@boven:~> netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        *               255.255.255.0   U         0 0          0 eth0
link-local      *               255.255.0.0     U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         adsl.henm.xs4al 0.0.0.0         UG        0 0          0 eth0
henk@boven:~>

Your output seems not to be the result of a copy/paste, thus giving the impression that you meddled with it. As you see I not only give the output of the command, but also the command itself and even the prompt. Thus everybody can clearly see what I did and where I was (working directory) and if I was root or not. Can all be additional info and all with one sweep of the mouse without the need to explain much.

Then, your output shows that all packets with destination 10.50.81/24 should go through eth1. Do you have any connection problems with systems in that LAN?

Then you suggest:

route add -net 79.51.20.0 netmask 255.255.255.0 gw 10.50.81.1 dev eth1

I do not know why. You never said anything about a 79.51.20/24 network that is connected through router 10.50.81.1. When you forgot to mention this in your first post and your problem is in the connection with that LAN, then your original problem description is missing a most essential part IMHO.

When you want connection to 75.51.20/24 through 10.50.81.1, then you must of course configure that. When you used YaST to configure your network, then use YaST again to add that route. Doing this manually, as you suggest, is not very useful, because you have to repeat that manually after every boot.

I hope I do understand your problem correctly. If not, please try to explain it more precisely. Preferably not with “stories”, but with computer commands and their output (e.g. saying “when I do traceroute” is NOT useful, showing it IS).

sorry, my output are not the result of a copy/paste because i have output on “.txt” and then i write the post to copy/paste here, so i try to start the post another once.

my scenario is this:

i have one machine suse (version 10.2, sorry another once) with two eth that separate two LANs. i need multiple LANs can be connected to the machine through eth0 or eth1

if i connect to suse on ip 10.50.80.35 (eth0), i need to always return the connection for eth0 and if i connect to 10.50.81.35 (eth1), i need to always return the connection for eth1.

suse’s current setup is:


SUSE:~ #ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:10.50.80.35  Bcast:10.50.80.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:147989 errors:0 dropped:388 overruns:0 frame:0
          TX packets:149448 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14531319 (13.8 Mb)  TX bytes:20875180 (19.9 Mb)
          Interrupt:90 Memory:c8000000-c8012100
eth1      Link encap:Ethernet  HWaddr 11:11:11:11:11:11
          inet addr:10.50.81.35  Bcast:10.50.81.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14425 errors:0 dropped:4031 overruns:0 frame:0
          TX packets:7193 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2091635 (1.9 Mb)  TX bytes:2235864 (2.1 Mb)
          Interrupt:177 Memory:ce000000-ce012100
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:25858602 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25858602 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4222451069 (4026.8 Mb)  TX bytes:4222451069 (4026.8 Mb)


SUSE:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.50.80.0      *               255.255.255.0   U     0      0        0 eth0
10.50.81.0      *               255.255.255.0   U     0      0        0 eth1
69.51.20.0      10.50.81.1      255.255.255.0   UG    0      0        0 eth1
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         10.50.80.1      0.0.0.0         UG    0      0        0 eth0

with this configuration “i think” that i can connect to 10.50.80.35 because there is a route (69.51.20.0 10.50.81.1 255.255.255.0 UG 0 0 0 eth1) that allows it but i have not a route that allows me to connect to 10.50.81.35 so i can't connect.


[69.51.20.100]# ping 10.50.80.35
PING 10.50.80.35 (10.50.80.35) 56(84) bytes of data.
^C
--- 10.50.80.35 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 7999ms

[69.51.20.100]# ping 10.50.81.35
PING 10.50.81.35 (10.50.81.35) 56(84) bytes of data.
64 bytes from 10.50.81.35: icmp_req=1 ttl=60 time=7.97 ms
64 bytes from 10.50.81.35: icmp_req=2 ttl=60 time=0.984 ms
64 bytes from 10.50.81.35: icmp_req=3 ttl=60 time=0.635 ms
64 bytes from 10.50.81.35: icmp_req=4 ttl=60 time=1.48 ms
64 bytes from 10.50.81.35: icmp_req=5 ttl=60 time=0.719 ms
64 bytes from 10.50.81.35: icmp_req=6 ttl=60 time=1.49 ms
64 bytes from 10.50.81.35: icmp_req=7 ttl=60 time=3.17 ms
^C
--- 10.50.81.35 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6006ms
rtt min/avg/max/mdev = 0.635/2.351/7.978/2.430 ms
[root@pcms123 xamonsym]#

I think a solution is create a new route (route add -net 69.51.20.0 netmask 255.255.255.0 gw 10.50.80.1 dev eth0) to connect it but, if tomorrow i have more subnets i think there will be another solution to do that i need. maybe a firewall?

I hope I explained correctly now

Skimming your original post,

You need

  • routing table route so Hosts “in the LAN” know that your Host’s IP address is on the other side of a non-default gateway.
  • If you ping by name instead of IP address, then you’ll also need some kind of Name Resolution, eg DNS, Hosts, special broadcasts config

Note that if you configure multiple pathways between networks you should also configure a different cost for each pathway/route so to ensure packets are routed consistently.

HTH,
Tony

We are concerned here with the configuration of the system that has two NICs with two addresses ending in 35. I will call this sys35, because it is too difficult to use terms like “the one system” and “the other system”
Now you have the configuration of sys35: the IP config of the two NICs and the routing.

Then you start to talk about connecting TO sys35 from some other system you did not mention before and of which we know nothing except its IP address 69.51.20.100. But it seems that it is able to connect to sys35 on the route you defined for going the other way. Thus I guess the routing in 69.51.20.100 also says that sys35 is reachable through the same router that is known as 10.50.81.1 from sys35’s side. That is as expected. BTW did you try to ping from sys35 to 69.51.20.100?

Now it seems that you are worried by the fact that 69.51.20.100 can not reach sys35 on 10.50.80.35. That is quite possible. The idea I have until now from your lay-out is that 10.50.81/24 and 69.51.20/24 are connected (through the router that has amongst other addresses 10.50.81.1) and nothing about a connection between 10.50.80/24 and 69.51.20/24.
When there is also a possibility to go from 69.51.20/24 to 10.50.80/24, that must be configured in the routing table of 69.51.20.100 (of which we know nothing). But I guess you will have problems with the return packets.

How about making some sort of drawing of your network layout so we can understand how these LANs are connected to each other?

Thanks again for trying to help me and … understand me

Then you start to talk about connecting TO sys35 from some other system you did not mention before and of which we know nothing except its IP address

ok, this is only an example to try to explain my problem, these ips are only machine (xp,windows7,linux…) with a normal configuration/setup.

BTW did you try to ping from sys35 to 69.51.20.100?

first and sorry, i dont know what “BTW” means. ping (ping -I eth0 and ping -I eth1 ) and traceroute (traceroute 69.51.20.100 goes through eth1 and traceroute to 10.50.80.xx goes through eth0) are possible from sys35 to 69.51.20.100.
i have not an output now but this i have tried it

Now it seems that you are worried by the fact that 69.51.20.100 can not reach sys35 on 10.50.80.35.

i know if i add a new route, i can connect to 10.50.80.35 but my question is…
if in the future there are more subnets i dont want to add manually new routes, so " i think" i can do it “automaticly”, maybe with a firewall that all traffic with origin on “X (69.51.20.100 or 79.51.20.11 if exist in the future)” and destination 10.50.80.35 (through eth0) always return packets for eth0 and all traffic with origin on “X (69.51.20.100 or 79.51.20.11 if exist in the future)” and destination 10.50.81.35 (through eth1) always return packets for eth1.

My idea is that everything that goes through an interface is returned by the same, because if I want to disconnect one of them.

How about making some sort of drawing of your network layout so we can understand how these LANs are connected to each other?

it´s a bit difficult but there are several LAN (each one with their routers that has no settings that could interfere with the connection, or so I hope ) and sys35 is on one different LAN.
example:


69.51.20.100: traceroute 10.50.81.35
traceroute to 10.50.81.35 (10.50.81.35), 30 hops max, 60 byte packets
 1  69.51.20.2 (69.51.20.2)  3.103 ms  3.346 ms  3.485 ms
 2  172.16.38.90 (172.16.38.90)  3.036 ms  3.261 ms  3.346 ms
 3  172.17.1.54 (172.17.1.54)  2.457 ms  2.719 ms  3.024 ms
 4  172.17.1.33 (172.17.1.33)  2.489 ms  2.780 ms  3.073 ms
 5  10.50.81.35 (10.50.81.35)  15.394 ms  13.110 ms  13.047 ms

Sys35 has two different services on each interface and it´s because i want/need that everything that goes through an interface is returned by the same.

Well, BTW means “By the way”. An English expression when you want to change the subject a little bit. Not really important.

What I read is that you are a bit confused by how networking functions. And I am a bit confused about your way of thinking. Talking face to face is a bit of a problem here, but I will try.

Firewalls have nothing to do with this in my opinion.

Packets from A to B follow the routes that are set up from A through a NIC, to a router, to a router, … to a router, to a NIC, to B. That means that all those systems and routers should have a route which explains which one is the following to send the packets to.

Packets from B to A should follow the same way, but in the other direction and thus arrive at A on the same interface as the other packets left. But again, all those, system B and the in between routers should have correct routes set up that tell where packets for that NIC of A should go to. That is not something you can configure in A. That must be configured in B (and all the in between routers).

When there is a new LAN added to the whole picture in the future, the network manager should adapt configurations. That can be easy, e.g. when that LAN can be reached through the default gateway of many systems, those systems are OK. But else you have to add a new route statement. Again even then it can be easy. If you have already a LAN 10.20.30/24 and a new LAN 10.20.40/24 is added having the same router from your own LAN, you could route the complete 10.20/16 to it (of course only when there are no other 10.20/16 networks in another direction). But as it is very difficult to predict the future, even if you are the network manager yourself, that is all a bit difficult to do in advance.
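Added example, not part of the original thread: a small Python model of the per-hop route lookup described above, run against the `route` output sys35's owner posted. It assumes plain destination-based lookup in a single table, as that output shows; the host 10.50.81.7 is a constructed address, and the function names are this example's own.

```python
import ipaddress

# Routing table of sys35 as posted in the thread (`route` output, header removed).
SYS35_ROUTES = """\
10.50.80.0      *               255.255.255.0   U     0      0        0 eth0
10.50.81.0      *               255.255.255.0   U     0      0        0 eth1
69.51.20.0      10.50.81.1      255.255.255.0   UG    0      0        0 eth1
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         10.50.80.1      0.0.0.0         UG    0      0        0 eth0
"""

# Names that `route` prints instead of numeric network addresses.
ALIASES = {"default": "0.0.0.0", "loopback": "127.0.0.0", "link-local": "169.254.0.0"}


def parse_routes(text):
    """Turn `route` output lines into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip headers and blank lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        net = ipaddress.ip_network(f"{ALIASES.get(dest, dest)}/{mask}")
        routes.append((net, None if gw == "*" else gw, int(metric), iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-break; returns (iface, gateway).

    Only the destination address is consulted, so the egress for a reply is the
    same whichever local address (10.50.80.35 or 10.50.81.35) was contacted.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None  # no route at all: the packet cannot be sent
    _net, gw, _metric, iface = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface, gw


if __name__ == "__main__":
    table = parse_routes(SYS35_ROUTES)
    # 69.51.20.100 and 79.51.20.11 come from the thread; 10.50.81.7 is constructed.
    for peer in ("69.51.20.100", "79.51.20.11", "10.50.81.7"):
        print(f"{peer:>14} -> {lookup(table, peer)}")
```

Replies to 69.51.20.100 leave through eth1 via 10.50.81.1, while a host in a subnet without its own entry, such as 79.51.20.11, falls through to the default route on eth0.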

if i understand you, in my current scenario


69.51.20.100: traceroute 10.50.81.35
traceroute to 10.50.81.35 (10.50.81.35), 30 hops max, 60 byte packets
 1  69.51.20.2 (69.51.20.2)  3.103 ms  3.346 ms  3.485 ms
 2  172.16.38.90 (172.16.38.90)  3.036 ms  3.261 ms  3.346 ms
 3  172.17.1.54 (172.17.1.54)  2.457 ms  2.719 ms  3.024 ms
 4  172.17.1.33 (172.17.1.33)  2.489 ms  2.780 ms  3.073 ms
 5  10.50.81.35 (10.50.81.35)  15.394 ms  13.110 ms  13.047 ms

i can connect from A to sys35 because i have defined a route on sys35 and the routers between A and sys35 are configured correctly:

but


69.51.20.100: traceroute 10.50.80.35
traceroute to 10.50.80.35 (10.50.80.35), 30 hops max, 60 byte packets
 1  69.51.20.2 (69.51.20.2)  2.999 ms  3.244 ms  3.428 ms
 2  172.16.38.90 (172.16.38.90)  2.923 ms  3.067 ms  3.278 ms
 3  172.17.1.54 (172.17.1.54)  1.353 ms  1.632 ms  1.821 ms
 4  172.17.1.33 (172.17.1.33)  1.187 ms  1.491 ms  3.280 ms
 5  * * *
 6  * * *
 
30  * * *

or i add a new route on sys35 or 172.17.1.33 is misconfigured and thus fail to connect to sys35

or i add a new route on sys35 or 172.17.1.33 is misconfigured and thus fail to connect to sys35

sorry… i want to say add a route on A or 172.17.1.33 is misconfigured and thus fail to connect to sys35

i can connect from A to sys35 because i have defined a route on sys35 and the routers between A and sys35 are configured correctly:

NO. You can connect from A to sys35 because you have defined a route on **A** and the routers between A and sys35 are configured correctly:

When I want to travel from Amsterdam to Voorburg, I start looking for signposts to The Hague in Amsterdam and when I reach The Hague, I search for sign posts to Voorburg. This works from start to **destination.** Sign posts in Voorburg to Amsterdam have no influence on my trip. Thus when you ping/traceroute from 69.51.20.100 to sys35 (10.50.81.35) your routing in 69.51.20.100 should be OK. It has nothing to do with the routing in sys35.

I do not know how to explain this again and again in a different way. It is so logical.

sorry, in this case I have explained wrong. I understand you well and the idea i had of the configuration on my machine is wrong. I think that the potential problem is in the settings of the routers between A and B who are those that show the way to go and back.

thanks for all the attention and forgive my way of explaining.

Thank you man.

You are welcome. Wishing you success in finding the cause of your problem.

Don’t want to beat a dead horse,
But this statement caught my eye. I’m not sure if you’re suggesting two NICs with the same IP address or two NICs with different NetworkIDs but with the same HostID.

If the latter, that’s possible, ie xxx.yyy.zzz.35 is different than aaa.bbb.ccc.35 as long as “xxx.yyy.zzz” is different than “aaa.bbb.ccc”
But if the former, then you’re assigning the same IP address to two different NICs which IMO isn’t possible unless you’re doing something special like clustering… Even if you assign the same IP address to multiple NICs and to human beings the two NICs might be similarly addressed, machines will know the difference because machines ID at the packet level and lower by MAC address, not IP address.

For that reason, <unless you’re doing something special like clustering> you can’t assign multiple NICs the same IP address… ever AFAIK.

If that is already understood, no response is needed…

Tony