Routing between VLANs

I apologize if this is a bit over-explained, I’m very familiar with Cisco environments but new to Linux.

I’m attempting to set up a test bed network that currently contains three subnets and three future subnets trunked through a Cisco 2950 up to a SLES server. I have connectivity to my three active VLANs, i.e. I can ping the VLAN adapter address from clients. I’ve used YaST to enable IP Forwarding and ip route shows:

192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.254
10.99.0.0/16 dev vlan3 proto kernel scope link src 10.99.1.2
10.198.0.0/16 dev vlan14 proto kernel scope link src 10.198.1.2
10.16.0.0/16 dev vlan12 proto kernel scope link src 10.16.1.2
10.98.0.0/16 dev vlan4 proto kernel scope link src 10.98.1.2
10.199.0.0/16 dev vlan13 proto kernel scope link src 10.199.1.2
10.6.0.0/16 dev vlan2 proto kernel scope link src 10.6.1.2
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link

These are all internal networks.
.99, .98, and .6 are online.
.199, .198, and .16 are for a future network (the NIC is connected to a trunk port on a Cisco 2950 with the VLANs set up).
192.168.0.0 is just an address on the physical NIC; it’s not used.

All these VLANs ride eth1. Whenever I try to ping across networks with a client I can ping one of the VLAN interfaces (i.e. I can ping 10.99.1.2 from the 10.98.0.0/16 network), but pinging any clients on another subnet returns “destination protocol unreachable”. I would appreciate any help I can get to resolve this. (I’ve seen the “how to turn Linux into a router” articles and I can’t grok an answer from them.)

Hello,

I see this is your first post here, thus: Welcome.

As you have tried to post some computer text here (a router table), you will have noticed that on your terminal it was far more readable. To get the same effect here, please use the (a bit hidden) function of wrapping in CODE tags: http://forums.opensuse.org/english/information-new-users/advanced-how-faq-read-only/451526-posting-code-tags-guide.html

For the ip route command it’s kinda still the way that looks:

192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254 
10.99.0.0/16 dev vlan3  proto kernel  scope link  src 10.99.1.2 
10.198.0.0/16 dev vlan14  proto kernel  scope link  src 10.198.1.2 
10.16.0.0/16 dev vlan12  proto kernel  scope link  src 10.16.1.2 
10.98.0.0/16 dev vlan4  proto kernel  scope link  src 10.98.1.2 
10.199.0.0/16 dev vlan13  proto kernel  scope link  src 10.199.1.2 
10.6.0.0/16 dev vlan2  proto kernel  scope link  src 10.6.1.2 
169.254.0.0/16 dev eth1  scope link 
127.0.0.0/8 dev lo  scope link 

Still working with my server to try and understand why I can’t ping through it.

Sorry, the

/sbin/route -n

does make neat columns. Never mind. We always like to see computer copied/pasted text between CODE tags, preferably complete with the command one gives and the prompt before it. It tells a lot without the poster having to tell much.

I only tried to welcome you and introduce you to an important, but not easy to find habit here.

Hope that someone with real knowledge about your problems shows up soon. But be aware that we are around the globe and some need sleep now and then :wink:

When I get back to the lab tomorrow I’ll paste the results from that command. I’ve started toying with quagga, the zebra daemon seems to give a cisco-like interface… but I still can’t shake the feeling that everything should be working at this point and it’s driving me bonkers. Protocol unreachable should only apply to a layer above network… could VLAN tagging interfere with SLES forwarding ICMP traffic? I can do a tcpdump tomorrow if that would help…

Which IP is the interface of the router that routes traffic between networks? Or do You want your Linux machine to be the router?

Best regards,
Greg

First, here’s the route -n:

rssCETserver1:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.99.0.0       0.0.0.0         255.255.0.0     U     0      0        0 vlan3
10.198.0.0      0.0.0.0         255.255.0.0     U     0      0        0 vlan14
10.16.0.0       0.0.0.0         255.255.0.0     U     0      0        0 vlan12
10.98.0.0       0.0.0.0         255.255.0.0     U     0      0        0 vlan4
10.199.0.0      0.0.0.0         255.255.0.0     U     0      0        0 vlan13
10.6.0.0        0.0.0.0         255.255.0.0     U     0      0        0 vlan2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

I have two Cisco 2950s set up using VLANs and trunking to my server. I got my hands on an old 2612, but it’s got a token ring IOS on it (REALLY old 2612), so I’m attempting to use the SLES server to act as the router on a stick instead. All VLANs are coming in on eth1, but I need the traffic between the 10.99, .98, and .6 networks to get routed. I could set up a purpose-built server as I’ve seen suggested, but I’m out of lab space and I don’t know if I can get another machine. For the test bed it would be a lot easier if I could just get this server to act as a router.

Here’s a tcpdump from the server’s perspective; you can see the protocol unreachable responses to the ping requests:

rssCETserver1:~ # tcpdump -i eth1 vlan 4 -v
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:30:45.007378 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 163) 10.98.1.50.31200 > 225.6.29.63.31200: UDP, length 135
10:30:45.536385 01:00:0c:cc:cc:cd (oui Unknown) > 00:0f:8f:98:e2:8b (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
10:30:46.190401 IP (tos 0x0, ttl 1, id 9973, offset 0, flags [none], proto UDP (17), length 161) 10.98.1.70.31200 > 225.6.29.63.31200: UDP, length 133
10:30:46.990166 IP (tos 0x0, ttl 128, id 37207, offset 0, flags [none], proto ICMP (1), length 60) 10.98.1.30 > 10.99.1.1: ICMP echo request, id 512, seq 38912, length 40
10:30:46.990259 IP (tos 0xc0, ttl 64, id 366, offset 0, flags [none], proto ICMP (1), length 88) rssCETserver1.cet.ibm.com > 10.98.1.30: ICMP 10.99.1.1 protocol 1 unreachable, length 68
        IP (tos 0x0, ttl 127, id 37207, offset 0, flags [none], proto ICMP (1), length 60) 10.98.1.30 > 10.99.1.1: ICMP echo request, id 512, seq 38912, length 40
10:30:47.540577 01:00:0c:cc:cc:cd (oui Unknown) > 00:0f:8f:98:e2:8b (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
10:30:47.907704 IP (tos 0x0, ttl 1, id 10893, offset 0, flags [none], proto UDP (17), length 167) 10.98.1.31.31200 > 225.6.29.63.31200: UDP, length 139
10:30:47.979833 IP (tos 0x0, ttl 128, id 37208, offset 0, flags [none], proto ICMP (1), length 60) 10.98.1.30 > 10.99.1.1: ICMP echo request, id 512, seq 39168, length 40
10:30:47.979901 IP (tos 0xc0, ttl 64, id 367, offset 0, flags [none], proto ICMP (1), length 88) rssCETserver1.cet.ibm.com > 10.98.1.30: ICMP 10.99.1.1 protocol 1 unreachable, length 68
        IP (tos 0x0, ttl 127, id 37208, offset 0, flags [none], proto ICMP (1), length 60) 10.98.1.30 > 10.99.1.1: ICMP echo request, id 512, seq 39168, length 40
10:30:48.377415 IP (tos 0x0, ttl 2, id 35385, offset 0, flags [none], proto UDP (17), length 165) 10.98.1.40.31200 > 225.6.29.63.31200: UDP, length 137
10:30:48.839440 IP (tos 0x0, ttl 1, id 37211, offset 0, flags [none], proto UDP (17), length 163) 10.98.1.30.31200 > 225.6.29.63.31200: UDP, length 135
10:30:48.979935 IP (tos 0x0, ttl 128, id 37212, offset 0, flags [none], proto ICMP (1), length 60) 10.98.1.30 > 10.99.1.1: ICMP echo request, id 512, seq 39424, length 40
10:30:48.979989 IP (tos 0xc0, ttl 64, id 368, offset 0, flags [none], proto ICMP (1), length 88) rssCETserver1.cet.ibm.com > 10.98.1.30: ICMP 10.99.1.1 protocol 1 unreachable, length 68
        IP (tos 0x0, ttl 127, id 37212, offset 0, flags [none], proto ICMP (1), length 60) 10.98.1.30 > 10.99.1.1: ICMP echo request, id 512, seq 39424, length 40
10:30:49.544794 01:00:0c:cc:cc:cd (oui Unknown) > 00:0f:8f:98:e2:8b (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 50
10:30:49.980059 IP (tos 0x0, ttl 128, id 37213, offset 0, flags [none], proto ICMP (1), length 60) 10.98.1.30 > 10.99.1.1: ICMP echo request, id 512, seq 39680, length 40
10:30:49.980119 IP (tos 0xc0, ttl 64, id 369, offset 0, flags [none], proto ICMP (1), length 88) rssCETserver1.cet.ibm.com > 10.98.1.30: ICMP 10.99.1.1 protocol 1 unreachable, length 68
        IP (tos 0x0, ttl 127, id 37213, offset 0, flags [none], proto ICMP (1), length 60) 10.98.1.30 > 10.99.1.1: ICMP echo request, id 512, seq 39680, length 40
10:30:50.007350 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 163) 10.98.1.50.31200 > 225.6.29.63.31200: UDP, length 135
^C
17 packets captured
17 packets received by filter
0 packets dropped by kernel
rssCETserver1:~ #

See if You’ve got routing enabled.

Use YaST -> System -> /etc/sysconfig Editor and search for ip_forward.
SUSE Paste

Alternatively use this :
How to enable IP Forwarding in Linux | MDLog:/sysadmin

Best regards,
Greg

I got called out of town, will try this on Monday. I didn’t notice a flat out sysconfig editor in YaST! Thanks in advance, I’ll let you know what happens when I get back!

From YaST I show IP routing enabled; this is what I get from the alternative method, with some pings showing the connections are up:

rssCETserver1:/ # sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
rssCETserver1:/ # cat /proc/sys/net/ipv4/ip_forward
1
rssCETserver1:/ # ping 10.99.1.1
PING 10.99.1.1 (10.99.1.1) 56(84) bytes of data.
64 bytes from 10.99.1.1: icmp_seq=1 ttl=128 time=0.365 ms
^C
--- 10.99.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.365/0.365/0.365/0.000 ms
rssCETserver1:/ # ping 10.98.1.1
PING 10.98.1.1 (10.98.1.1) 56(84) bytes of data.
64 bytes from 10.98.1.1: icmp_seq=1 ttl=128 time=0.262 ms
^C
--- 10.98.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.262/0.262/0.262/0.000 ms
rssCETserver1:/ #

And trying to ping through as a gateway:

C:\Users\IBM_ADMIN>ping 10.98.1.1

Pinging 10.98.1.1 with 32 bytes of data:
Reply from 10.99.1.2: Destination protocol unreachable.
Reply from 10.99.1.2: Destination protocol unreachable.
Reply from 10.99.1.2: Destination protocol unreachable.
Reply from 10.99.1.2: Destination protocol unreachable.

Ping statistics for 10.98.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

And what about the FW_ROUTE sysctl value?
Do You have logging of dropped packets enabled on the firewall? If not, turn it on with YaST and check the logs for problems.

Best regards,
Greg

FW_ROUTE shows enabled, but the firewall log shows my dropped packets:

Mar 15 17:09:16 rssCETserver1 kernel: [116723.867319] SFW2-FWDint-DROP-DEFLT IN=vlan4 OUT=vlan3 SRC=10.98.1.30 DST=10.99.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=21707 PROTO=UDP SPT=123 DPT=123 LEN=56

So… this is a firewall issue?

I think the problem was FW_FORWARD in the sysconfig utility; I had to state what is allowed by going to:
Network -> Firewall -> SuSEfirewall2 -> FW_FORWARD

and setting “10.99.0.0/16,10.98.0.0/16 10.98.0.0/16,10.99.0.0/16”

I’ll need to put in the .6 network as well, but it’s funny that none of the articles I’ve found to date mention explicitly permitting the networks to be routed.
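As an added example (not code from this thread or from SuSEfirewall2 itself), a small Python triage helper that parses an SFW2 forward-drop kernel log line like the one quoted above and checks whether a given FW_FORWARD value would cover that flow. It assumes FW_FORWARD entries have the form src_net,dst_net[,proto[,dport]] with 0/0 meaning any network, and the log line it runs on is a constructed copy of the one in the thread.

```python
import ipaddress
import re

# Constructed sample, modelled on the SFW2 drop line quoted earlier in the thread.
SAMPLE_LOG = (
    "Mar 15 17:09:16 rssCETserver1 kernel: [116723.867319] SFW2-FWDint-DROP-DEFLT "
    "IN=vlan4 OUT=vlan3 SRC=10.98.1.30 DST=10.99.1.1 LEN=76 TOS=0x00 PREC=0x00 "
    "TTL=127 ID=21707 PROTO=UDP SPT=123 DPT=123 LEN=56"
)

# The FW_FORWARD value the poster ended up with: one "source,destination" pair
# per direction, separated by spaces.
FW_FORWARD_FROM_THREAD = "10.99.0.0/16,10.98.0.0/16 10.98.0.0/16,10.99.0.0/16"

PREFIX_RE = re.compile(r"SFW2-(\w+)-(\w+)-(\w+)")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_sfw2_line(line):
    """Split an SFW2 kernel log line into its chain/action/reason prefix and
    the netfilter KEY=VALUE fields. Returns None for non-SFW2 lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group(1), "action": m.group(2), "reason": m.group(3)}
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec.setdefault(key, val)  # LEN= appears twice; keep the IP-header one
    return rec


def _net(text):
    """SuSEfirewall2 writes "any network" as 0/0; ipaddress needs 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "0/0" else text, strict=False)


def parse_fw_forward(value):
    """Parse FW_FORWARD entries of the form src_net,dst_net[,proto[,dport]]
    (assumed format). Returns (src_net, dst_net, proto or None, dport or None)."""
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        if len(parts) < 2:
            raise ValueError("FW_FORWARD entry needs at least src,dst: %r" % entry)
        proto = parts[2].lower() if len(parts) > 2 and parts[2] else None
        dport = parts[3] if len(parts) > 3 and parts[3] else None
        rules.append((_net(parts[0]), _net(parts[1]), proto, dport))
    return rules


def forward_allowed(rec, rules):
    """Would any FW_FORWARD entry cover the logged packet? Entries are
    directional, which is why the thread lists both src,dst orderings."""
    src = ipaddress.ip_address(rec["SRC"])
    dst = ipaddress.ip_address(rec["DST"])
    proto = rec.get("PROTO", "").lower()
    dport = rec.get("DPT")
    for r_src, r_dst, r_proto, r_dport in rules:
        if src not in r_src or dst not in r_dst:
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return True
    return False


def explain(line, fw_forward):
    """One-line triage verdict for an SFW2 forward-drop log entry."""
    rec = parse_sfw2_line(line)
    if rec is None or not rec["chain"].startswith("FWD"):
        return "not a forwarding drop"
    covered = forward_allowed(rec, parse_fw_forward(fw_forward))
    return "%s %s->%s %s->%s: %s" % (
        rec["action"], rec["IN"], rec["OUT"], rec["SRC"], rec["DST"],
        "covered by FW_FORWARD" if covered else "no FW_FORWARD entry covers this",
    )
```

Feeding it the thread’s empty FW_FORWARD reproduces the drop, and the one-direction case shows why both src,dst orderings were needed.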

Yep, looks like a firewall issue to me :slight_smile: Personally I find SuSEfirewall2 a bit awkward and not really well documented. Also look at /etc/sysconfig/SuSEfirewall2:

# Which are the interfaces that point to the internet/untrusted
# networks?
#
# Enter all untrusted network devices here
#
# Format: space separated list of interface or configuration names
#
# The special keyword "any" means that packets arriving on interfaces not
# explicitly configured as int, ext or dmz will be considered external. Note:
# this setting only works for packets destined for the local machine. If you
# want forwarding or masquerading you still have to add the external interfaces
# individually. "any" can be mixed with other interface names.
#
# Examples: "ippp0 ippp1", "any dsl0"
#
# Note: alias interfaces (like eth0:1) are ignored
#
FW_DEV_EXT="any eth0 wlan0"

## Type:        string
#
# 3.)
# Which are the interfaces that point to the internal network?
#
# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_INT=""

An easier way around the issue would be to put all the interfaces in the FW_DEV_INT zone. I think You can also do that with YaST. Anyway now You know what You need to do.

Best regards,
Greg

Another very useful command for debugging such problems is :

iptables -n -v -L

Have fun experimenting.

Best regards,
Greg

Funny enough, the VLANs were already in the FW_DEV_INT entries, so they should have been working >:| Still getting some strange results; I have to troubleshoot more.

I’m following this hoping to also find an answer to what looks like the same issue on OpenSUSE 12.2 x64 and 12.3 x64. I would like internal LANs 192.168.90.0/24 and 192.168.1.0/24 routed so machines on both sides can “see”, ping, ssh, http, etc. each other. I spent this week reading and trying the HOWTO from the Linux Advanced Routing & Traffic Control HOWTO with no success. It’s time to ask for HELP. Here is a picture of my setup:


                    Internet     Internet
                       |            |
              +--------+--------+   |
              |                 |   |
              |    Wireless     |   |
              |     Router      |   |
              |                 |   |
              +--------+--------+   |
          (gw 10.0.0.1)|            |
                       |            |
     Another network   |            |
    don't worry about  |            |
        for now        |            | Internet
                       |            | 50.132.114.176/23
               (wlan0) |   +========+========+
           10.0.0.3/24 |   |  Server/Router  |
                        +---+     [pluto]     |
                           |  OpenSUSE 12.2  |
                           |                 |
                           +==+===========+==+
              192.168.90.3/24 |           | 192.168.1.3/24
                              |           |
 - - - --+--------------------+           +-----------+--------------------+-- - - -
         |                                            |                    |
 +-------+---------+                         +--------+--------+  +--------+---------+
 |  Machine A      |                         |  Machine B      |  |  Machine C       |
 |  [neptune]      |                         |    [lab]        |  |    [oem]         |
 | 192.168.90.7/24 |                         | 192.168.1.5/24  |  | 192.168.1.254/24 |
 | gw 192.168.90.3 |                         | gw 192.168.1.3  |  | gw 192.168.1.3   |
 +-----------------+                         +-----------------+  +------------------+

Tests

The server pluto can see and talk to any IP device through any of the interfaces. All server services work with all devices on all networks: ssh, samba, http, ping, etc. What doesn’t work is that I can’t make the server route traffic between subnets. This is somewhat baffling to me, since all subnets can access the internet through the Linux server!?!


pluto:~ # ping -c 1 192.168.90.7
PING 192.168.90.7 (192.168.90.7) 56(84) bytes of data.
64 bytes from 192.168.90.7: icmp_seq=1 ttl=64 time=0.203 ms

pluto:~ # ping -c 1 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=1.48 ms

neptune[craig:users] /local/craig% ping -c 1 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
From 192.168.90.3 icmp_seq=1 Destination Protocol Unreachable

neptune[craig:users] /local/craig% ping -c 1 ns1.microsoft.com
PING ns1.microsoft.com (67.215.65.132) 56(84) bytes of data.
64 bytes from hit-nxdomain.opendns.com (67.215.65.132): icmp_seq=1 ttl=56 time=37.6 ms


[lab] (MS Windows machine)
C:\Documents and Settings\craig>ping 192.168.1.5
Pinging 192.168.90.7 with 32 bytes of data:
Reply from 192.168.1.3: Destination protocol unreachable.

C:\Documents and Settings\craig>ping -n 1 ns1.microsoft.com
Pinging ns1.microsoft.com [67.215.65.132] with 32 bytes of data:
Reply from 67.215.65.132: bytes=32 time=36ms TTL=56

Pluto (Server/Router) Config


pluto:~ # ip rule
0:      from all lookup local 
32764:  from 192.168.1.0/24 to 192.168.90.0/24 lookup 90 
32765:  from 192.168.90.0/24 to 192.168.1.0/24 lookup 1 
32766:  from all lookup main 
32767:  from all lookup default 

pluto:~ # ip route
default via 50.132.114.1 dev eth0 
10.0.0.0/24 dev wlan0  scope link 
50.132.114.0/23 dev eth0  proto kernel  scope link  src 50.132.114.176 
127.0.0.0/8 dev lo  scope link 
169.254.0.0/16 dev eth0  scope link 
192.168.1.0/24 dev eth2  scope link 
192.168.90.0/24 dev eth1  proto kernel  scope link  src 192.168.90.3 

pluto:~ # ip route show table 1
default via 192.168.1.3 dev eth2 

pluto:~ # ip route show table 90
default via 192.168.90.3 dev eth1 

pluto:~ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0d:88:24:2c:0b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eth2
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 54:04:a6:0b:bf:ba brd ff:ff:ff:ff:ff:ff
    inet 50.132.114.176/23 brd 255.255.255.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 68:05:ca:01:38:b6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.90.3/24 brd 192.168.90.255 scope global eth1
5: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether f8:d1:11:14:3f:bb brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/24 brd 10.0.0.255 scope global wlan0

pluto:~ # sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

/etc/sysconfig/SuSEfirewall2

Since the issue was raised in this thread, here is my sysconfig, which shows FW_ROUTE="yes":


pluto:/etc/sysconfig # grep -v "#" SuSEfirewall2
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 eth2 wlan0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=" 13 15005:20000 2222 23 25 2525 25565 3074 3128 3130 3389 3478 4444 5060:5099 51894 6881 8881 993"
FW_SERVICES_EXT_UDP="10000:20000 25565 2727 3074 3128 3130 3313 3389 3478 434 4444 4569 5036 5060:5099 51894 6881 88 8881 993"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl bind cyrus-imapd postfix sshd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ="sshd"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="dhcp-server sshd"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ="0/0,192.168.90.175,tcp,23
0/0,192.168.90.16,tcp,3074
0/0,192.168.90.16,udp,3074
0/0,192.168.90.16,udp,88
0/0,192.168.90.91,tcp,51413
0/0,192.168.90.93,tcp,47537"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=""
FW_STOP_KEEP_ROUTING_STATE=""
FW_ALLOW_PING_FW=""
FW_ALLOW_PING_DMZ=""
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=''
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT=""

How do I add subnet routing to this OpenSUSE 12.2 x64 and OpenSUSE 12.3 x64 setup?

I should add, I’ve recently (within the last couple days) run “zypper up” and rebooted the system. I saw elsewhere that 12.2 released routing code with issues which were later fixed with updates. I’m fairly confident my server is running reasonably up to date 12.2 code.

Apparently iptables by default exists on all interfaces (even ones declared as “Internal”) and by default DROPs traffic. I’m sure there is wisdom here I don’t yet understand, and it’s frustrating that this “minor” point isn’t described at least as a “Note” in the documentation along with the ip route command (I’ll try to change this after further verification). To get around this iptables feature I issued these commands (as root) to allow traffic in both directions:

# iptables -I FORWARD 1 -s 192.168.90.0/24 -i eth1 -d 192.168.1.0/24 -j ACCEPT
# iptables -I FORWARD 1 -s 192.168.1.0/24 -i eth2 -d 192.168.90.0/24 -j ACCEPT

The results:

neptune[craig:users] /local/craig% ping -c 3 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=127 time=0.458 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=127 time=0.270 ms
64 bytes from 192.168.1.5: icmp_seq=3 ttl=127 time=0.275 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.270/0.334/0.458/0.088 ms

neptune[craig:users] /local/craig% /usr/sbin/traceroute 192.168.1.5
traceroute to 192.168.1.5 (192.168.1.5), 30 hops max, 40 byte packets using UDP
 1  pluto.mydomain.com (192.168.90.3)  0.170 ms   0.087 ms   0.097 ms
 2  192.168.1.5 (192.168.1.5)  0.301 ms   0.169 ms   0.184 ms

C:\Documents and Settings\craig>**ping -n 2 neptune**

Pinging neptune.mydomain.com [192.168.90.7] with 32 bytes of data:

Reply from 192.168.90.7: bytes=32 time<1ms TTL=63
Reply from 192.168.90.7: bytes=32 time<1ms TTL=63

Ping statistics for 192.168.90.7:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\craig>tracert neptune

Tracing route to neptune.mydomain.com [192.168.90.7]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.3
  2    <1 ms    <1 ms    <1 ms  neptune.mydomain.com [192.168.90.7]

Trace complete.

There is probably more cleanup to do after this. For instance, I notice 192.168.90.1 is accessible from the 192.168.90.0/24 network but isn’t accessible from the 192.168.1.0/24 network. The same is true in reverse: 192.168.1.254 is accessible from the 192.168.1.0/24 network but isn’t accessible from the 192.168.90.0/24 network.

Other IPs not so close to the 0 and 255 boundaries, like my SIPURA boxes with IPs 192.168.90.15, 192.168.90.13, 192.168.90.17, will ping and are configurable with a browser from either network. My WD-TV Live shows up in both networks, and I don’t know why (maybe UPnP)?

I suspect there is more, like do I want broadcast (255) traffic routed between subnets for easier browsing at the expense of higher traffic and lower security. For now, the server is able to issue DHCP and service DNS requests for both subnets, and with the right IP, ssh, http, Samba shares, Remote Desktop and other traffic is routed as desired between the two networks.

This is only step 1 for me, as I’m now off to look at traffic shaping to see if I can maintain peace and harmony at the dinner table over the QoS issues caused by torrent traffic and how that set of applications thoroughly trashes my VoIP g711u (Asterisk) phone traffic. :stuck_out_tongue:
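As an added example (not code from this thread), a Python model of how the FORWARD chain decides on a packet once the two ACCEPT rules above are in place: it parses constructed `iptables -n -v -L FORWARD` output, applies first-match semantics on terminal targets, and falls back to the chain policy. It is a simplified model that ignores non-terminal targets such as LOG and jumps into user chains, so it checks the two flat rules the post inserted, not a full SuSEfirewall2 ruleset.

```python
import ipaddress

# Constructed sample in the layout of `iptables -n -v -L FORWARD`, showing the
# two ACCEPT rules the post above inserted at the head of the chain with -I FORWARD 1.
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   756 ACCEPT     all  --  eth2   *       192.168.1.0/24       192.168.90.0/24
   12  1008 ACCEPT     all  --  eth1   *       192.168.90.0/24      192.168.1.0/24
"""

TERMINAL = ("ACCEPT", "DROP", "REJECT")


def parse_forward_chain(text):
    """Return (policy, rules) from the output of `iptables -n -v -L FORWARD`.
    Only the first nine columns are read; extra match text is ignored."""
    lines = text.splitlines()
    policy = lines[0].split("(policy ")[1].split()[0]
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." line and the column header
        cols = line.split()
        if len(cols) < 9:
            continue
        _pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = cols[:9]
        rules.append({
            "target": target,
            # newer iptables prints "0" where older builds print "all"
            "prot": "all" if prot in ("all", "0") else prot,
            "in": in_if, "out": out_if,
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
        })
    return policy, rules


def _iface_ok(rule_if, actual_if):
    return rule_if == "*" or rule_if == actual_if


def forward_verdict(policy, rules, src_ip, dst_ip, in_if, out_if, proto="all"):
    """First matching terminal rule decides; otherwise the chain policy applies.
    Non-terminal targets (LOG, jumps into user chains) are skipped here."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if not _iface_ok(r["in"], in_if) or not _iface_ok(r["out"], out_if):
            continue
        if r["prot"] != "all" and r["prot"] != proto:
            continue
        if r["target"] in TERMINAL:
            return r["target"]
    return policy


def check_pair(text, a_ip, a_if, b_ip, b_if):
    """Verdicts for both directions between two hosts on either side of the router."""
    policy, rules = parse_forward_chain(text)
    return (forward_verdict(policy, rules, a_ip, b_ip, a_if, b_if),
            forward_verdict(policy, rules, b_ip, a_ip, b_if, a_if))
```

The -i qualifier in the inserted rules matters: a packet carrying a 192.168.90.x source but arriving on eth2 matches neither rule and falls through to the DROP policy.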