mr_realtime asked:

Can't Connect to Anyone on My Subnet!

I am using ADSL to connect to the internet.  I recently installed a network in a business and set them up with SDSL from the same ISP (same subnet as me, too).  

Here is the problem: I can't connect to the company network from my machine -- even though I can connect anywhere else.  A little troubleshooting has shown that I cannot connect to anyone on my subnet, except the internet gateway.

I've tried deleting and rebuilding routes, deleting and reinstalling TCP/IP...  What am I missing here?

Here are some tidbits -->

netstat -r:

  destination         router          netmask   refcnt   use  flags  snmp intrf
                                                                     metric
        default   209.221.206.1         0.0.0.0    2      497  UG       0  lan0
  209.221.206.0 209.221.206.142   255.255.255.0    0        0  U        0  lan0
  209.221.206.1 209.221.206.142 255.255.255.255    1        0  UH       0  lan0
209.221.206.126 209.221.206.142 255.255.255.255    0        3  UH       0  lan0
209.221.206.136 209.221.206.142 255.255.255.255    0        2  UH       0  lan0

The last two entries above are for two other machines on my subnet that I pinged before running netstat.

ifconfig lan0:
  lan0: flags=bc63<UP,BROADCAST,NOTRAILERS,RUNNING,BRIDGE,SNAP>
           inet 209.221.206.142 netmask xffffff00 broadcast 209.221.206.255


resolve2:

  domain qnet.com
  nameserver 204.107.78.3
  nameserver 204.107.78.2

Otta

I hope that your file is named 'RESOLV2' (omit the 'E').

Show the output from IFCONFIG and NETSTAT on the "other" computer.
Perhaps, it is receiving your IP-packets, but it is unable to send its responses to your computer??

ASKER

Yes -- it's RESOLV2 in the ETC directory.

It would be nontrivial to IFCONFIG and NETSTAT the other machine.  It's located miles away and it's a router.  The machine behind the router, however, allows me FTP logins from other locations, so I know it's working...

Try this
1. if inetver output is > 5.3xxx
route delete 209.221.206.0 209.221.206.142  

route add -net 209.221.206 209.221.206.142 netmask 255.255.255.0

2. else
route delete 209.221.206.0 209.221.206.142  

route add 209.221.206.0 209.221.206.142 0

Manju

Manju,

Ok, here goes...

========================
[D:\]inetver
Inet Version: 4.00e

[D:\]route delete 209.221.206.0 209.221.206.142
Deleting route to network 209.221.206.0 (no netmask specified, default used)

[D:\]route add 209.221.206.0 209.221.206.142 0
Adding network 209.221.206.0, router 209.221.206.142 (no netmask specified, default used)

[D:\]netstat -r

  destination         router          netmask   refcnt   use  flags  snmp intrf
                                                                     metric
        default   209.221.206.1         0.0.0.0    2     1284  UG       0  lan0
  209.221.206.0 209.221.206.142   255.255.255.0    0        0  U        0  lan0
  209.221.206.1 209.221.206.142 255.255.255.255    1        0  UH       0  lan0
209.221.206.136 209.221.206.142 255.255.255.255    0        4  UH       0  lan0

========================

Nope, pings to my subnet still hang in the void.  I also note that it seems to ignore the netmask when adding the route back.

Hi
Can you try this?
  route add subnet 209.221.206.0 209.221.206.142 1 netmask 255.255.255.0

Ok...

============================
[D:\]route delete 209.221.206.0 209.221.206.142
Deleting route to network 209.221.206.0 (no netmask specified, default used)

[D:\]route add subnet 209.221.206.0 209.221.206.142 1 netmask 255.255.255.0
Adding network 209.221.206.0, router 209.221.206.142 netmask 255.255.255.0.
===========================

Hhhmm... it took that ok, but the resulting netmask doesn't look the same...

===========================
[D:\]netstat -r

  destination         router          netmask   refcnt   use  flags  snmp intrf
                                                                     metric
        default   209.221.206.1         0.0.0.0    2     4609  UG       0  lan0
  209.221.206.0 209.221.206.142   255.255.255.0    1        0  UG       0  lan0
209.221.206.136 209.221.206.142 255.255.255.255    0        4  UH       0  lan0
209.221.206.142 209.221.206.142 255.255.255.255    1        0  UH       0  lan0
=========================

The result is a dead stack.  I ran ...mptn\bin\setup.cmd to restore "normal" (no connections to my own subnet) operation.

setup.cmd:

route -fh
arp -f
ifconfig lan0 209.221.206.142 netmask 255.255.255.0
REM ifconfig lan1
REM ifconfig lan2
REM ifconfig lan3
REM ifconfig lan4
REM ifconfig lan5
REM ifconfig lan6
REM ifconfig lan7
REM ifconfig sl0  
route add default 209.221.206.1 1
route add net 209.221.206 209.221.206.1 1 netmask 255.255.255.0
ipgate off

Can you try this, if you don't mind?


Delete the following entry

209.221.206.142 209.221.206.142 255.255.255.255    1        0  UH       0  lan0

Add
route add subnet 209.221.206.0 209.221.206.142 0 netmask 255.255.255.0

No, I don't mind.  

I got an error when I first tried it; it said the route already existed.  Since a flush would not remove the route, I deleted it manually.  After adding it back in with your string, I was back where I started...

Can the computers in that company's network connect "anywhere",
i.e., to 'WWW.EXPERTS-EXCHANGE.COM' or 'WWW.IBM.COM' ?

Otta,

Yes, there is a router/firewall there, but all computers on their local net can surf freely.  I do it all the time.  Also, we are running an FTP server and I've been able to access it from everywhere... except my house.

Mr. Realtime

From your computer, please try
  '\tcpip\bin\tracerte aaa.bbb.ccc.ddd',
where 'aaa.bbb.ccc.ddd' is the IP-address of that FTP-server.

Ooops, I thought I had already posted that.  Here it is:

[D:\]tracerte aic-gw.dsl.qnet.com
 0  * * *
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

[D:\]


It occurs to me that I don't know for sure if anyone else on the subnet can connect.  Maybe it's a router configuration error?

How about showing a 'tracerte' to a site which you *can* access?
---
I get:
---
traceroute to aic-gw.dsl.qnet.com (209.221.206.136), 30 hops max, 38 bytes
 0  * * *
  ...
11  194.ATM9-0-0.GW1.LAX2.ALTER.NET (146.188.248.77)  55 ms  55 ms  55 ms
12  softaware-gw.customer.ALTER.NET (157.130.225.30)  62 ms  47 ms  54 ms
13  h3-0.MDR.softaware.com (206.83.165.221)  55 ms  63 ms  62 ms
14  209.85.129.162 (209.85.129.162)  63 ms  63 ms  62 ms
15  209.85.129.54 (209.85.129.54)  62 ms  55 ms  63 ms
16  aic-gw.dsl.qnet.com (209.221.206.136)  102 ms  86 ms  86 ms

Can you try 'ping' or 'tracerte' to some of the above "intermediate" IP-addresses?



Those addresses would not normally be "intermediate" to me, since I'm trying to get to an address on my own subnet.  Even if it did go "out" first, I would think it might bounce around my ISP and back into my subnet.  Anyway, here are some of the ones from your tracerte:

[D:\]tracerte softaware-gw.customer.ALTER.NET
 0  qnet-gw (209.221.206.1)  31 ms  54 ms  40 ms
 1  qnet-gw (209.221.206.1)  31 ms  32 ms  39 ms
 2  209.85.129.53 (209.85.129.53)  70 ms  39 ms  39 ms
 3  209.85.129.161 (209.85.129.161)  47 ms  39 ms  55 ms
 4  h4-0-0.IPG.softaware.com (206.83.165.222)  39 ms *  39 ms

[D:\]tracerte 146.188.248.77
 0  qnet-gw (209.221.206.1)  63 ms  47 ms  39 ms
 1  qnet-gw (209.221.206.1)  47 ms  39 ms  39 ms
 2  209.85.129.53 (209.85.129.53)  47 ms  39 ms  55 ms
 3  209.85.129.161 (209.85.129.161)  47 ms  93 ms  39 ms
 4  h4-0-0.IPG.softaware.com (206.83.165.222)  47 ms  47 ms  54 ms
 5  Serial1-1-1.GW1.LAX2.ALTER.NET (157.130.225.29)  47 ms *  39 ms

[D:\]tracerte 209.85.129.54
 0  qnet-gw (209.221.206.1)  70 ms *  62 ms

[D:\]tracerte 209.85.129.162
 0  qnet-gw (209.221.206.1)  39 ms  86 ms  55 ms
 1  qnet-gw (209.221.206.1)  39 ms  31 ms  47 ms
 2  209.85.129.53 (209.85.129.53)  55 ms *  47 ms

I guess it's interesting to note that they never actually get to the address being traced.  Hmm...  

[D:\]tracerte www.ibm.net
 0  qnet-gw (209.221.206.1)  32 ms  31 ms  32 ms
 1  qnet-gw (209.221.206.1)  31 ms  39 ms  39 ms
 2  atm9-0-064.CR-1.LsanCA.savvis.net (209.144.96.25)  54 ms  71 ms  54 ms
 3  sl-gw8-ana-11-0-T3.sprintlink.net (144.228.170.17)  94 ms  62 ms  55 ms
 4  sl-bb11-ana-2-3.sprintlink.net (144.232.1.45)  46 ms  47 ms  54 ms
 5  sl-bb4-ana-4-0-0.sprintlink.net (144.232.1.30)  63 ms  63 ms  54 ms
 6  lang1sr1-11-0.ca.us.ibm.net (165.87.157.98)  55 ms  47 ms  46 ms
 7  lang1br2--.ca.us.ibm.net (165.87.32.139)  47 ms  39 ms  47 ms
 8  scha1br2-8-0-5.il.us.ibm.net (165.87.230.190)  101 ms  117 ms  94 ms
 9  165.87.34.229 (165.87.34.229)  101 ms  94 ms  109 ms
10  www.ibm.net (204.146.17.5)  101 ms  102 ms  93 ms

Well, that one did.  Damn, I gasterflabbed.

Have you tried to look at arp and see if you are sending out an arp request when you try to connect to this server?  One thing I am wondering about is your subnet mask.  Most ISPs give out a mask like 255.255.255.248 for 5 IPs on a DSL connection.  I think that this is your problem.  Your router 209.221.206.1 is between you and the computer you are trying to reach.  Even with the IP address looking like they are on the same network, they are really on a completely different subnet.  Each DSL line is supposed to be set up as a separate network.  Therefore to reach a computer on a different network, you should not send an arp request for the hardware address of the IP.  Your IP stack should simply hit the router and forget about it.  The reason that you can hit external sites like Yahoo is that your IP stack is not confused and knows that they are on a different subnet and it must hit the router to see them.  If you don't have anything from your ISP about your subnet laying around try 255.255.255.252 and see what happens.

lweinmunson,

>Have you tried to look at arp and see if you are
>sending out an arp request when you try to connect
>to this server?  

This excerpt from a trace seems to indicate an affirmative to your question:

-------------------------- #:14 --------------------------
 Delta Time:  1.000sec   Packet Length: 42 bytes (2A hex)
 DIX:   Dest: FF:FF:FF:FF:FF:FF   Source: 00:80:AD:B4:D9:6D
-------------------------- ARP --------------------------
 ARP:  Hardware Type:1     (Ethernet 10Mb)
 ARP:  Protocol Type:0800 (IP Address)
 ARP:  Hardware Len:6
 ARP:  Protocol Len:4
 ARP:  Operation:1  (ARP Request)
 ARP:  Sender HW address: 0080ADB4D96D
 ARP:  Sender PA: 209.221.206.142.
 ARP:  Target HW address: 000000000000
 ARP:  Target PA: 209.221.206.136.
 Finished


>One thing I am wondering about is your subnet mask.  
>Most ISPs give out a mask like 255.255.255.248 for 5
>IPs on a DSL connection.  I think that this is your problem.  

My ISP did give me 255.255.255.0 for a subnet mask, however, I think you are on to something.

>Your router 209.221.206.1 is between you and the
>computer you are trying to reach.  Even with the
>IP address looking like they are on the same network,
>they are really on a completely different subnet.  Each
>DSL line is supposed to be set up as a separate network.  
>Therefore to reach a computer on a different network, you
>should not send an arp request for the hardware address
>of the IP.  Your IP stack should simply hit the router and
>forget about it.  The reason that you can hit external
>sites like Yahoo is that your IP stack is not confused and
>knows that they are on a different subnet and it must hit
>the router to see them.  If you don't have anything from
>your ISP about your subnet laying around try 255.255.255.252
>and see what happens

I tried flushing the route table and re-running setup.cmd with a subnet mask of 255.255.255.252, but it still didn't work.

[D:\mptn\bin]ifconfig lan0 209.221.206.142 netmask 255.255.255.252

[D:\mptn\bin]route add default 209.221.206.1 1
Adding network default, router 209.221.206.1 netmask 0.0.0.0.
ERROR: SIOCADDRT: Network is unreachable

[D:\mptn\bin]route add net 209.221.206 209.221.206.1 1 netmask 255.255.255.0
Adding network 209.221.206, router 209.221.206.1 netmask 255.255.255.0.
ERROR: SIOCADDRT: Network is unreachable

This resulted in:

[D:\mptn\bin]netstat -r

  destination         router          netmask   refcnt   use  flags  snmp intrf
                                                                     metric
      127.0.0.1       127.0.0.1 255.255.255.255    0        0  UH       0  lo
209.221.206.140 209.221.206.142 255.255.255.252    0        0  U        0  lan0

Not only am I disconnected from my subnet, but from everything else as well.  Of course, I probably screwed up the routes...  So I tried it this way:

[D:\mptn\bin]ifconfig lan0 209.221.206.142 netmask 255.255.255.0

[D:\mptn\bin]route add default 209.221.206.1 1
Adding network default, router 209.221.206.1 netmask 0.0.0.0.

[D:\mptn\bin]route add net 209.221.206 209.221.206.1 1 netmask 255.255.255.252
Adding network 209.221.206, router 209.221.206.1 netmask 255.255.255.252.

This looks better and results in my being connected to the outside world, but not to the machine which looks like it's on my subnet.

BTW, after the last round of Q & A,  I squawked this to my ISP, showing that other of their DSL customers have the same problem.  They seem to think their router is the problem.  They opened a problem report with Cisco.  What do you think?

Mr. Realtime

Sounds like they have no clue as to how to set up a subnet to me.  If they are going to give out a mask of 255.255.255.0 then they should not segment off the rest of that network.  I just noticed that your router is .1 so you must use the 255.255.255.0 mask to see that.  What they should have done is set it up so that you have a .252 mask and a router of 141.  This would have reduced the number of available addresses on the network (you waste 3 for each customer, 1 for the router and 2 for the subnetting) but would have let everyone connect to everyone else.  In a case like yours where you are trying to connect to a business on the same net (Does the business have the symmetric DSL service so that they can run a small webserver?) it causes more problems than it is worth and depending on the service agreement may open them up for liability (What do you mean my customers can't access this website?)  They can probably do a work around on the router by simply not segmenting the network.  That way you will be able to connect but you lose the security of having a private connection.  I don't think there is anything you can do on your end of this.  They will either fix it so that it's one big subnet or they won't and you will never be able to access anyone with a 209.221.206.000 address.  Good luck. :)

lweinmunson,

>Sounds like they have no clue as to how to set up a
>subnet to me.

Well, neither do I, so your insight is helpful.

>If they are going to give out a mask of 255.255.255.0
>then they should not segment off the rest of that network.  
>I just noticed that your router is .1 so you must use the
>255.255.255.0 mask to see that.  What they should have
>done is set it up so that you have a .252 mask and a
>router of 141.  This would have reduced the number of
>available addresses on the network (you waste 3 for
>each customer, 1 for the router and 2 for the subnetting)
>but would have let everyone connect to everyone else.

>In a case like yours where you are trying to connect
>to a business on the same net the symmetric DSL service
>it causes more problems than it is worth and depending
>on the service agreement may open them up for liability
>(What do you mean my customers can't access this website?)

Which part may be more trouble than it's worth?

>They can probably do a work around on the router by
>simply not segmenting the network.  That way you will
>be able to connect but you lose the security of having
>a private connection.  

Definitely not my preference.

>I don't think there is anything you can do on your end
>of this.  They will either fix it so that it's one big
>subnet or they won't and you will never be able to
>access anyone with a 209.221.206.000 address.  

Can't they also segment three ways using a mask of 255.255.255.252 like you suggested?  They would probably have to change everyone's IP address... I guess that's what you meant by "more trouble than it's worth"?


The only problem they would have with the .252 subnetting is that they would then have to alias the router as a different IP for each little subnet.

.252 net is 1 1 1 1 1 1 0 0 binary mask.  Since the last two bits can not both be 0 or 1 you really have two IP addresses available, 01 and 10.  One for the router and one for the computer.  Since they gave you 142 for an IP you would use 141 as a router.  Notice that we just used 4 IP addresses for your one PC.  I think that is the reason why they set it up this way in the first place.  If they do not have enough class C networks then they are probably trying to sneak around it by not subnetting the network.  Now that they have set it up this way they would have to give every customer a new IP range, router and netmask to change.  The easiest thing to do would probably be to reconfigure the network switch so that it will pass IP traffic without going through the router.  On a 5500 or 7500 series switch that would be easy enough to do since they are designed for this type of use.  I would assume that they probably have something different in the telco office though.  I don't really know about how the DSL service comes to them.  If it pops back out on their side as separate ethernet lines that they plug into a switch then it would be no problem to reconfigure that to let you see other users on the network.  You would receive a slight increase in traffic (probably very slight since most users are going external to a web site) from arp requests.  With the switch set up to filter all NetBIOS, IPX, Apple Talk and whatever else people try to throw out there, you would probably not lose much in the way of security or speed.  
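
Added example, not part of the original thread and not any poster's code: a Python model of the on-link test discussed in the posts above, run on the thread's own addresses. The function names `next_hop` and `slash30_layout` are hypothetical; the block shows why the 255.255.255.0 mask makes the stack ARP for 209.221.206.136, why a .252 mask with router .1 ends in "Network is unreachable", and how a .252 subnet spends four addresses.

```python
import ipaddress


def next_hop(host_ip, netmask, dest_ip, gateway_ip):
    """Model the on-link test an IP stack applies before sending a packet.

    Returns ("arp", ip) when the destination falls inside the interface's
    subnet, ("gateway", ip) when the packet is handed to the router, and
    ("unreachable", None) when the router itself is outside that subnet.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    dest = ipaddress.ip_address(dest_ip)
    gateway = ipaddress.ip_address(gateway_ip)
    if dest in iface.network:
        # Same subnet according to the mask: ARP for the destination itself.
        return ("arp", str(dest))
    if gateway not in iface.network:
        # The router is not on-link, so a route through it cannot be used.
        return ("unreachable", None)
    return ("gateway", str(gateway))


def slash30_layout(host_ip):
    """Break the 255.255.255.252 subnet containing host_ip into its 4 addresses."""
    net = ipaddress.ip_interface(f"{host_ip}/255.255.255.252").network
    return {
        "network": str(net.network_address),
        "usable": [str(h) for h in net.hosts()],
        "broadcast": str(net.broadcast_address),
    }


if __name__ == "__main__":
    # Addresses taken from the thread; 209.221.206.141 is the router
    # address proposed in the reply above, not a configured device.
    HOST, PEER = "209.221.206.142", "209.221.206.136"
    cases = [
        ("255.255.255.0", "209.221.206.1"),      # mask handed out by the ISP
        ("255.255.255.252", "209.221.206.1"),    # the .252 experiment
        ("255.255.255.252", "209.221.206.141"),  # routed design from the reply
    ]
    for mask, gw in cases:
        print(mask, gw, next_hop(HOST, mask, PEER, gw))
    print(slash30_layout(HOST))
```

With the 255.255.255.0 mask the only path to the peer is a broadcast ARP, so whether it is ever answered depends on what the ISP's equipment forwards between customer lines, not on the host's route table.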

lweinmunson,

I have been in an iterative email loop with my ISP.  Here is the tail end.  Please let me know what you think.  

Oh, submit your reply as an answer and I'll give you the points.

============================================

...these people don't understand that we're not having a "routing" problem, we're having a "bridge" problem.  If we were trying to "route" your traffic what everyone wrote you would be correct.  Since we are not routing, their information is pointless.

Why bridge and not route?  Mostly to save IP address space.  If we were to route each single IP address space customer, then yes, you would have been provided a .252 subnet mask, and every single IP address customer would actually consume 4 IP addresses, one "network address", a router address, your address, and broadcast address.  This is very wasteful, since IP addresses are not only limited, but aren't free.

In theory, setting up the Cisco to bridge is supposed to be less complicated and therefore more reliable.  It's also the way Cisco and GTE recommend for GTE's DSL service, since GTE does not provide their customers with DSL routers, they provide the customers with DSL bridges.

============================================
ASKER CERTIFIED SOLUTION
lweinmunson

This question was awarded, but never cleared due to the JSP-500 errors of that time.  It was "stuck" against userID -1 versus the intended expert whom you awarded.  This corrects that and the expert will now receive these points, all verified.
Moondancer
Moderator @ Experts Exchange