
Re: aliasing/routing trouble



Thanks for the suggestions so far.  Here are some answers to suggestions, and more info in general.

The system works fine with both nics, masquerading and portforwarding from one nic (eth1) to the other (eth0).  The only thing that doesn't work is trying to get an aliased address on eth0, so I can create some logical networks.  Modifying lilo.conf to pass i/o and irq parameters to the kernel I believe is unnecessary, as the modules (3c59x for both) are being loaded and both nics work fine.

I've substituted the ip address of eth1 for a fake one, which is why it looks like: 123.456.789.32.  This is actually a public ip.  Below, I've replaced it with xxx.xxx... to avoid confusion.  Sorry about that.

Here's the physical layout:
                
internet --- Firewall ------  Switches --- laptop 10.0.0.20/192.168.1.5
         eth1    eth0/eth0:1     \------- 192.168.1.6

I will try the iproute package.  I have not been able to find an Ip-route howto on linuxdoc.org, nor in the howto debian package.  I did find one on the internet in general, however this was no help.  The author was talking about several aliases on the same network ie:
eth0 = 172.0.0.1
eth0:1 = 172.0.0.2
eth0:2 = 172.0.0.3
If I try this, aliases on the same network, it works fine on this system.  The only other documentation I could find was 'alias.txt' in the documentation that comes with the kernel.  It has some route commands to add, however they don't give much help.  At the bottom I've included their transcript.

While I may have to configure forwarding for the new alias, I'm working underneath this level.  I can't ping through the alias.  If the system can't talk through the alias, forwarding won't work anyway.  Once I can ping from this system to all three networks, then comes proper forwarding and ipchains rules.


Ifconfig before aliasing (works as it should, forward/masq/portfw):  

# ifconfig eth0:1 down
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:72:FB:E4  
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27740 errors:0 dropped:0 overruns:1 frame:0
          TX packets:11408 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:9 Base address:0xf800 

eth1      Link encap:Ethernet  HWaddr 00:50:04:13:33:89  
          inet addr:xxx.xxx.xxx.33  Bcast:xxx.xxx.xxx.35  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10165 errors:5 dropped:0 overruns:0 frame:9
          TX packets:9494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:10 Base address:0xf880 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:936 errors:0 dropped:0 overruns:0 frame:0
          TX packets:936 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.32  0.0.0.0         255.255.255.252 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xxx.xxx.xxx.34  0.0.0.0         UG    0      0        0 eth1


# route add -host 192.168.1.1 dev eth0:1
# route add -net 192.168.1.0 dev eth0:1       #says to do this in alias.txt
SIOCADDRT: Invalid argument
# route add 192.168.1.0 dev eth0:1
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
xxx.xxx.xxx.32  0.0.0.0         255.255.255.252 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xxx.xxx.xxx.34  0.0.0.0         UG    0      0        0 eth1

# ping 192.168.1.6
PING 192.168.1.6 (192.168.1.6): 56 data bytes
ping: sendto: Operation not permitted
ping: wrote 192.168.1.6 64 chars, ret=-1
ping: sendto: Operation not permitted
ping: wrote 192.168.1.6 64 chars, ret=-1

--- 192.168.1.6 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
# 

Notice that after explicitly saying route on dev eth0:1, the routing table shows only eth0.  I don't think it matters at this level.



Thanks again.
Cory


On Tue, Jan 23, 2001 at 10:04:49AM -0600, Vince Mulhollon wrote:
> 
> Kernel found the cards, see the ifconfig, that's not the problem.
> 
> I must say the ifconfig for eth1 is very... interesting.
> 
> Take a closer look at the routing.
> 
> I think 192.168.1.0 needs to route out eth0:1 not eth0
> 
> Would be interesting to see the actual /sbin/route command you execute to
> route 192.168.1.0
> 
> Try a config without ip aliasing, which in the (distant) past was a pretty
> nasty hack, or even plug in yet another ethernet card for the 192 network.
> IP alias can be an excellent way to shoot oneself in their foot in hard to
> debug ways.
> 
>
> "Shawn Kelley" <spinnkidd@hotmail.com>
> 01/23/2001 09:48 AM
> To:      coryp@petersen-arne.com, debian-firewall@lists.debian.org, eug-lug@efn.org
> cc:      (bcc: Vince Mulhollon/Brookfield/Norlight)
> Subject: Re: aliasing/routing trouble
>
> Greetings Cory,
> 
> 
> Did you append lilo.conf to recognize the 2 NIC's??
> 
> 
> #you will need to add a line similar to this to /etc/lilo.conf & then run 'lilo'
> 
> 
> append="ether=IRQ, I/O,eth0 ether=IRQ,I/O,eth1"
> 
> 
> Regards,
> 
> 
> Shawn Kelley
> 
> 
> >From: Cory Petkovsek
> >To: debian-firewall@lists.debian.org, euglug
> >Subject: aliasing/routing trouble
> >Date: Mon, 22 Jan 2001 16:57:53 -0800
> >
> >Hello all,
> >
> >I'm having trouble getting ip aliasing to work. I have tried a few different kernels, 2.2.18-1 and 2.2.17pre6-1.
> >
> >On my firewall, I have two nics, eth0 - private lan, eth1 - internet. I want to set up two private networks on eth0. Once it's set up the way I think it should be, I can ping the outside world, I can ping my private lan #1, but I cannot ping lan #2. Ping reports 'operation not permitted'.
> >
> >On my laptop (running 2.4) this works just fine. I add in the alias, don't even mess with the routing table, and can ping either lan.
> >
> >The two private lans are on the same physical network.
> >
> >Anyone have any suggestions or help for me?
> >
> >Thanks!
> >Cory
> >
> >
> >Starting with a configured masquerading eth0/eth1 system, I type the following:
> >
> ># ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
> ># ifconfig
> >
> >eth0 Link encap:Ethernet HWaddr 00:01:02:72:FB:E4
> > inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:4770 errors:0 dropped:0 overruns:1 frame:0
> > TX packets:1899 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:100
> > Interrupt:9 Base address:0xf800
> >
> >eth0:1 Link encap:Ethernet HWaddr 00:01:02:72:FB:E4
> > inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > Interrupt:9 Base address:0xf800
> >
> >eth1 Link encap:Ethernet HWaddr 00:50:04:13:33:89
> > inet addr:xxx.xxx.xxx.33 Bcast:xxx.xxx.xxx.35 Mask:255.255.255.252
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:211 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:230 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:100
> > Interrupt:10 Base address:0xf880
> >
> >lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > UP LOOPBACK RUNNING MTU:3924 Metric:1
> > RX packets:56 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> >
> ># route -n
> >Kernel IP routing table
> >Destination Gateway Genmask Flags Metric Ref Use Iface
> >xxx.xxx.xxx.32 0.0.0.0 255.255.255.252 U 0 0 0 eth1
> >10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> >192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> >0.0.0.0 xxx.xxx.xxx.34 0.0.0.0 UG 0 0 0 eth1
> >
> ># ping google.com -c 1
> >PING google.com (64.208.32.100): 56 data bytes
> >64 bytes from 64.208.32.100: icmp_seq=0 ttl=50 time=39.2 ms
> >
> ># ping 10.0.0.5 -c 1
> >PING 10.0.0.5 (10.0.0.5): 56 data bytes
> >64 bytes from 10.0.0.5: icmp_seq=0 ttl=128 time=0.9 ms
> >
> ># ping 192.168.1.6
> >PING 192.168.1.6 (192.168.1.6): 56 data bytes
> >ping: sendto: Operation not permitted
> >ping: wrote 192.168.1.6 64 chars, ret=-1
> >ping: sendto: Operation not permitted
> >ping: wrote 192.168.1.6 64 chars, ret=-1
> >ping: sendto: Operation not permitted
> >ping: wrote 192.168.1.6 64 chars, ret=-1
> >
> >--- 192.168.1.6 ping statistics ---
> >3 packets transmitted, 0 packets received, 100% packet loss
> >#
> >
> >------- On my laptop:
> ># ifconfig
> >eth0 Link encap:Ethernet HWaddr 00:D0:59:18:02:C2
> > inet addr:10.0.0.20 Bcast:10.255.255.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MTU:1500 Metric:1
> > RX packets:1944522 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:1874197 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:91 txqueuelen:100
> > Interrupt:5
> >
> >eth0:1 Link encap:Ethernet HWaddr 00:D0:59:18:02:C2
> > inet addr:192.168.1.5 Bcast:192.168.1.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MTU:1500 Metric:1
> > Interrupt:5
> >
> >lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > UP LOOPBACK RUNNING MTU:16192 Metric:1
> > RX packets:6266 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:6266 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> >
> ># ping 192.168.1.6
> >PING 192.168.1.6 (192.168.1.6): 56 data bytes
> >64 bytes from 192.168.1.6: icmp_seq=0 ttl=255 time=1.7 ms
> >64 bytes from 192.168.1.6: icmp_seq=1 ttl=255 time=0.1 ms
> >64 bytes from 192.168.1.6: icmp_seq=2 ttl=255 time=0.1 ms
> >
> >--- 192.168.1.6 ping statistics ---
> >3 packets transmitted, 3 packets received, 0% packet loss
> >round-trip min/avg/max = 0.1/0.6/1.7 ms
> >
> ># ping 192.168.1.1
> >PING 192.168.1.1 (192.168.1.1): 56 data bytes
> >
> >--- 192.168.1.1 ping statistics ---
> >5 packets transmitted, 0 packets received, 100% packet loss
> >
> ># ping 10.0.0.1
> >PING 10.0.0.1 (10.0.0.1): 56 data bytes
> >64 bytes from 10.0.0.1: icmp_seq=0 ttl=255 time=0.4 ms
> >64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.3 ms
> >64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.3 ms
> >64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=0.3 ms
> >
> >--- 10.0.0.1 ping statistics ---
> >4 packets transmitted, 4 packets received, 0% packet loss
> >round-trip min/avg/max = 0.3/0.3/0.4 ms
> >
> >
> >
> >--
> >To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> >with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> >
> 
> 
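
Added example, not part of the original message: a longest-prefix-match lookup over the second `route -n` table above, showing which entry 192.168.1.6 selects and flagging the host route that `route add 192.168.1.0 dev eth0:1` (without `-net`) created for the network address. The masked public prefix is replaced by the constructed stand-in 203.0.113.32/30, and all function names are hypothetical.

```python
import ipaddress

# Second `route -n` table from the message. The public prefix is masked as
# xxx.xxx.xxx on the page; 203.0.113.32/30 is a constructed stand-in.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
203.0.113.32    0.0.0.0         255.255.255.252 U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         203.0.113.34    0.0.0.0         UG    0      0        0 eth1
"""

def parse_routes(text):
    """Turn `route -n` output into route dicts, skipping the header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        except ValueError:  # the column-title row is not an address
            continue
        routes.append({"net": net, "gw": fields[1],
                       "flags": fields[3], "iface": fields[7]})
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)

def network_address_host_routes(routes):
    """Host (/32) routes whose target is the network address of a wider route."""
    wider = {r["net"].network_address for r in routes if 0 < r["net"].prefixlen < 32}
    return [r for r in routes
            if r["net"].prefixlen == 32 and r["net"].network_address in wider]

ROUTES = parse_routes(ROUTE_N)

if __name__ == "__main__":
    for dst in ("192.168.1.6", "192.168.1.1", "10.0.0.5"):
        r = lookup(ROUTES, dst)
        print(f"{dst:<12} -> {r['net']} dev {r['iface']} flags {r['flags']}")
    for r in network_address_host_routes(ROUTES):
        print(f"host route to a network address: {r['net']} dev {r['iface']}")
```

The lookup for 192.168.1.6 returns the connected 192.168.1.0/24 entry on eth0; a destination with no matching route would fail with "Network is unreachable" rather than the "Operation not permitted" that ping reports here.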


