
Network routing on multi-homed system



I'm not subscribed to the list, so please make sure my actual e-mail address is on copy if you reply.

This is a slightly complicated network routing issue so please bear with me while I try to organize all the relevant info.

So, I'm setting up a secondary DNS server to act as a slave of my existing primary. The primary has two NICs each on different subnets which are VLAN'd and firewalled from each other. One is our external/DMZ, the other is our internal network. My problem is that I keep getting time-outs trying to transfer the external zones across the external NICs. Looking at packet traces what I see happening is that the request packet comes out of the DMZ NIC on ns1 (the slave (don't ask)) with the DMZ IP as the source and the DMZ IP of ns2 (master) as the destination. I see the packet come in on ns2, which generates a response packet coming from the DMZ IP on the DMZ NIC with ns1's DMZ IP as the destination, *BUT* the destination MAC is that of the DMZ gateway, not the DMZ NIC on ns1. For some reason ns2 wants to route the return packet to the gateway instead of directly to ns1 even though it's on the same subnet.

Now, with a prose outline of the problem out of the way, here it is in detail (I've redacted/substituted the 172.1.1 prefix for our actual public IP range in all relevant snippets, etc.)

Internal network: 10.1.10.0/24
ns1 Internal IP (MAC): 10.1.10.105 (00:50:56:8b:70:de)
ns2 Internal IP (MAC): 10.1.10.5 (00:50:56:85:26:6e)
Internal gateway IP (MAC): 10.1.10.254 (00:10:db:ff:10:01)

DMZ network: 172.1.1.32/27
ns1 DMZ IP (MAC): 172.1.1.40 (00:50:56:8b:64:4c)
ns2 DMZ IP (MAC): 172.1.1.41 (00:50:56:85:0b:72)
DMZ gateway IP (MAC): 172.1.1.62 (00:10:db:ff:10:02)

The basic network flow looks like this from ns1's perspective (forgive me if the formatting gets messed up, I'm unfortunately writing this in Lotus Notes...):

UDP DNS query: ns2 172.1.1.40 (00:50:56:8b:64:4c) -> ns1 172.1.1.41 (00:50:56:85:0b:72)
ARP query:     ns2             00:50:56:8b:64:4c  -> ns1             00:50:56:85:0b:72
ARP reply:     ns2             00:50:56:8b:64:4c  <- ns1             00:50:56:85:0b:72
TCP DNS query: ns2 172.1.1.40 (00:50:56:8b:64:4c) -> ns1 172.1.1.41 (00:50:56:85:0b:72)

Etc, etc... Odd that I get ARP replies from ns2 but not TCP or UDP replies. However, from the perspective of ns2 I see:

UDP DNS query: ns2 172.1.1.40 (00:50:56:8b:64:4c) -> ns1 172.1.1.41 (00:50:56:85:0b:72)
UDP DNS reply: ns2 172.1.1.40 (00:10:db:ff:10:02) <- ns1 172.1.1.41 (00:50:56:85:0b:72)
ARP query:     ns2             00:50:56:8b:64:4c  -> ns1             00:50:56:85:0b:72
ARP reply:     ns2             00:50:56:8b:64:4c  <- ns1             00:50:56:85:0b:72
TCP DNS query: ns2 172.1.1.40 (00:50:56:8b:64:4c) -> ns1 172.1.1.41 (00:50:56:85:0b:72)
TCP DNS reply: ns2 172.1.1.40 (00:10:db:ff:10:02) <- ns1 172.1.1.41 (00:50:56:85:0b:72)

Here is what I have in the /etc/network/interfaces for each host:

ns1:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 10.1.10.105
netmask 255.255.255.0
gateway 10.1.10.254

# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 10.1.10.105

# routing
post-up ip route add 10.1.10.254/32 dev eth0 src 10.1.10.105 table internal
post-up ip route add default via 10.1.10.254 table internal
post-up ip rule add from 10.1.10.105 table internal
post-down ip rule del from 10.1.10.105 table internal


allow-hotplug eth1
iface eth1 inet static
address 172.1.1.40
netmask 255.255.255.224

# routing
post-up ip route add 172.1.1.62/32 dev eth1 src 172.1.1.40 table external
post-up ip route add default via 172.1.1.62 table external
post-up ip rule add from 172.1.1.40 table external
post-down ip rule del from 172.1.1.40 table external


ns2:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 10.1.10.5
netmask 255.255.255.0
gateway 10.1.10.254

# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 10.1.10.5

# routing
post-up ip route add 10.1.10.254/32 dev eth0 src 10.1.10.5 table internal
post-up ip route add default via 10.1.10.254 table internal
post-up ip rule add from 10.1.10.5 table internal
post-down ip rule del from 10.1.10.5 table internal


allow-hotplug eth1
iface eth1 inet static
address 172.1.1.41
netmask 255.255.255.224

# routing
post-up ip route add 172.1.1.62/32 dev eth1 src 172.1.1.41 table external
post-up ip route add default via 172.1.1.62 table external
post-up ip rule add from 172.1.1.41 table external
post-down ip rule del from 172.1.1.41 table external


--
Isaac Freeman - Systems Administrator
IBM SmartCloud Managed Backup
isaac@us.ibm.com
919-254-0245

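The behaviour in the trace follows directly from the policy-routing setup in the two interfaces files, and the following Python program reproduces it. This is an added example, not code from the original post: it models the Linux lookup order (the `ip rule` entries in priority order, then longest-prefix match inside the selected table) and reports which table answered and which address the host will ARP for. The tables are what ns2 ends up with from its stanza above: ifupdown installs the connected routes and the default into `main`, while the `post-up` lines put only a /32 host route to the gateway plus a default route into `internal` and `external`. Because `ip rule add from <addr> table <t>` lands above `main`, every packet sourced from 172.1.1.41 is resolved in `external`, where the only route that matches 172.1.1.40 is the default via 172.1.1.62, so the reply is framed to the gateway MAC even though the destination is on the same /27. Adding the connected subnet to each per-source table (here done by `add_connected_routes=True`; in the config that is `post-up ip route add 172.1.1.32/27 dev eth1 src 172.1.1.41 table external`, and likewise `10.1.10.0/24` for `internal`) makes the same lookup return the destination itself as next hop. Addresses follow the host table near the top of the post (ns1 .40, ns2 .41); the kernel's `local` table and ICMP redirects are deliberately left out of the model.

```python
"""Model of the Linux policy-routing lookup for the ns2 configuration in the post.

Added example (not part of the original post). It reproduces only what is
needed to explain the trace: source-selected ip rules, per-table longest-prefix
match, and the next-hop address the kernel will resolve with ARP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

N = ipaddress.IPv4Network
A = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None: directly connected


@dataclass
class Rule:
    table: str
    src: Optional[ipaddress.IPv4Address] = None  # None: matches any source


def lookup_table(routes, dst):
    """Longest-prefix match inside one table; returns the Route or None."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(src, dst, rules, tables):
    """Walk the rules in priority order and return (table, dev, nexthop) for the
    first table that holds a matching route.  nexthop is what the kernel ARPs
    for: the gateway of a `via` route, or the destination of a connected route."""
    src, dst = A(src), A(dst)
    for rule in rules:
        if rule.src is not None and rule.src != src:
            continue
        r = lookup_table(tables[rule.table], dst)
        if r is not None:
            return rule.table, r.dev, str(r.via if r.via is not None else dst)
    raise LookupError("no route to %s" % dst)


def ns2_config(add_connected_routes=False):
    """Rules and tables ns2 has after its /etc/network/interfaces from the post.
    add_connected_routes=True adds the connected-subnet routes that the posted
    post-up lines omit (the proposed fix)."""
    tables = {
        # Installed by ifupdown for the two static stanzas.
        "main": [
            Route(N("10.1.10.0/24"), "eth0"),
            Route(N("172.1.1.32/27"), "eth1"),
            Route(N("0.0.0.0/0"), "eth0", A("10.1.10.254")),
        ],
        # Exactly the post-up lines: gateway /32 plus default via the gateway.
        "internal": [
            Route(N("10.1.10.254/32"), "eth0"),
            Route(N("0.0.0.0/0"), "eth0", A("10.1.10.254")),
        ],
        "external": [
            Route(N("172.1.1.62/32"), "eth1"),
            Route(N("0.0.0.0/0"), "eth1", A("172.1.1.62")),
        ],
    }
    if add_connected_routes:
        tables["internal"].insert(0, Route(N("10.1.10.0/24"), "eth0"))
        tables["external"].insert(0, Route(N("172.1.1.32/27"), "eth1"))
    # `ip rule add from X table T` is inserted above main (prio 32766), so the
    # source-selected tables are consulted first; main is the fallback.
    rules = [Rule("internal", A("10.1.10.5")), Rule("external", A("172.1.1.41")), Rule("main")]
    return rules, tables


def reply_path(src, dst, add_connected_routes=False):
    """(table, dev, nexthop) chosen on ns2 for a packet src -> dst."""
    rules, tables = ns2_config(add_connected_routes)
    return route(src, dst, rules, tables)


if __name__ == "__main__":
    for fixed in (False, True):
        label = "with connected routes" if fixed else "as posted"
        print(label, reply_path("172.1.1.41", "172.1.1.40", fixed))
```

Running it prints the gateway (172.1.1.62) as next hop for the as-posted tables and 172.1.1.40 once the /27 is present in `external`; the same thing happens on the internal side for 10.1.10.5 -> 10.1.10.105, and ns1's tables have the identical shape, so its own queries are subject to the same lookup. With the connected route in place the /32 host route to the gateway becomes redundant. Whether a reply handed to the gateway MAC ever reaches the peer depends on what the firewall does with DMZ-to-DMZ traffic arriving on its own interface (forward it, drop it, or answer with an ICMP redirect), which is the practical reason the posted trace shows the replies leaving ns2 but never arriving at ns1.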