barthalamu
asked on
red hat 7.3 router - clients not seeing the internet
I am not sure why computers on my local network cannot see the internet. I have taken a block of 16 IP's (internet IP's) that my ISP has given me and I have submasked it smaller. This is what my network looks like:
Given to me by my ISP: 64.xxx.xxx.146 - 159 usable IP's (netmask 255.255.255.240)
My configuration on my linux router:
eth0:
IP 64.xxx.xxx.146
netmask 255.255.255.240
eth1:
IP 64.xxx.xxx.154
netmask 255.255.255.248
default gateway:
64.xxx.xxx.145
One of my internal clients looks like this:
IP 64.xxx.xxx.155
netmask 64.xxx.xxx.248
default gateway 64.xxx.xxx.154
The linux router can get on the internet just fine. My internal client cannot get on the internet though. It can however ping both IP addresses on the linux router.(so I know that it is ip_forwarding) I am not sure why my router will not route traffic through to the internet for my clients though. Thanks for any help you can give me.
netstat -r :
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
64.xxx.xxx.152 * 255.255.255.248 U 40 0 0 eth1
64.xxx.xxx.144 * 255.255.255.240 U 40 0 0 eth0
127.0.0.0 * 255.0.0.0 U 40 0 0 lo
default 64.xxx.xxx.145 0.0.0.0 UG 40 0 0 eth0
default * 0.0.0.0 U 40 0 0 eth0
P.S. It is not a firewall problem.
Given to me by my ISP: 64.xxx.xxx.146 - 159 usable IP's (netmask 255.255.255.240)
My configuration on my linux router:
eth0:
IP 64.xxx.xxx.146
netmask 255.255.255.240
eth1:
IP 64.xxx.xxx.154
netmask 255.255.255.248
default gateway:
64.xxx.xxx.145
One of my internal clients looks like this:
IP 64.xxx.xxx.155
netmask 64.xxx.xxx.248
default gateway 64.xxx.xxx.154
The linux router can get on the internet just fine. My internal client cannot get on the internet though. It can however ping both IP addresses on the linux router.(so I know that it is ip_forwarding) I am not sure why my router will not route traffic through to the internet for my clients though. Thanks for any help you can give me.
netstat -r :
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
64.xxx.xxx.152 * 255.255.255.248 U 40 0 0 eth1
64.xxx.xxx.144 * 255.255.255.240 U 40 0 0 eth0
127.0.0.0 * 255.0.0.0 U 40 0 0 lo
default 64.xxx.xxx.145 0.0.0.0 UG 40 0 0 eth0
default * 0.0.0.0 U 40 0 0 eth0
P.S. It is not a firewall problem.
ASKER
The reason I am trying to subnet those IP's is because I want all internet traffic to go through my linux router. Is there a better way to do this? I don't want to use NAT because I want to have real IP's so I can get to the computers in my LAN from the internet. I know I can do port mapping with NAT to achieve this, but I would rather not.
I guess what I want is for my linux box to function as a router (and firewall), to my internal network. I want all traffic that goes to and from the internet on my LAN to pass through my linux router and firewall. I want my internal network to have real IP addresses, yet also be protected by a firewall. Again, is there a better way to do this??
Thanks for the help.
I guess what I want is for my linux box to function as a router (and firewall), to my internal network. I want all traffic that goes to and from the internet on my LAN to pass through my linux router and firewall. I want my internal network to have real IP addresses, yet also be protected by a firewall. Again, is there a better way to do this??
Thanks for the help.
You can't do subnetting this way. Period. The problem here is that, for the linux router, the IP 64.xx.xx.xx.156 is in *both* networks.
It both complies the network mask/range of the eth0 interface (which is 64.xxx.xxx.146 - 159) and the range for the eth1 interface (which is 64.xxx.xxx.153-158). What will the kernel do here (he has two routes for the same IP address):
- incoming packets will *not* be forwarded back in (since the IP is in the router's range it will assume that someone else will anser it, not hime)
- outgoing packets (from the router) will be sent to either eth1 or eth0
- forwarded packets (from behind) will be sent from eth1 to the default gateway.
You have a mess in your hands if you want to do subnetting like this.
You have two options:
1.- use the linux machine as a *bridge* instead of a router. It will have no IP address and you can configure all the network behind the router with the network/mask/default gateway given by the ISP. You can read information on how to setup a Bridge looking the documents at the TLDP: http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html. I believe you have to patch the kernel if you are using 2.2 (the bridge code is there in 2.4)
2.- use static NAT in the router with arp proxying. You can have the router do static NAT for the internal machines using the IP address range given by the ISP. Setup a private (RFC1918) network behind the router and have the machines route through the Linux router. Add NAT rules in the router so that each machines gets an IP address in the range.
In both cases you can add security to the network by introducing filtering rules. Static NAT has the advantage that you can specify static NAT for outgoing connections from the internal network and not from incoming (or only for selected ports).
It both complies the network mask/range of the eth0 interface (which is 64.xxx.xxx.146 - 159) and the range for the eth1 interface (which is 64.xxx.xxx.153-158). What will the kernel do here (he has two routes for the same IP address):
- incoming packets will *not* be forwarded back in (since the IP is in the router's range it will assume that someone else will anser it, not hime)
- outgoing packets (from the router) will be sent to either eth1 or eth0
- forwarded packets (from behind) will be sent from eth1 to the default gateway.
You have a mess in your hands if you want to do subnetting like this.
You have two options:
1.- use the linux machine as a *bridge* instead of a router. It will have no IP address and you can configure all the network behind the router with the network/mask/default gateway given by the ISP. You can read information on how to setup a Bridge looking the documents at the TLDP: http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html. I believe you have to patch the kernel if you are using 2.2 (the bridge code is there in 2.4)
2.- use static NAT in the router with arp proxying. You can have the router do static NAT for the internal machines using the IP address range given by the ISP. Setup a private (RFC1918) network behind the router and have the machines route through the Linux router. Add NAT rules in the router so that each machines gets an IP address in the range.
In both cases you can add security to the network by introducing filtering rules. Static NAT has the advantage that you can specify static NAT for outgoing connections from the internal network and not from incoming (or only for selected ports).
javifs is right.
What you want to do is what the bridge+firewall document answers, but you need to patch the kernel in order for the bridge, who doesn't know about ip protocol (is only layer two = no ip's) to be able to look into the packets and see the ip protocol and then be able to apply firewall rules.
this is not very easy. it's because of this you will find a lot of static nat in the internet. it has it's advantages and disadvantages, but for clarity reasons, better use the static nat approach, as we suggest.
What you want to do is what the bridge+firewall document answers, but you need to patch the kernel in order for the bridge, who doesn't know about ip protocol (is only layer two = no ip's) to be able to look into the packets and see the ip protocol and then be able to apply firewall rules.
this is not very easy. it's because of this you will find a lot of static nat in the internet. it has it's advantages and disadvantages, but for clarity reasons, better use the static nat approach, as we suggest.
ASKER
If I were to make the netmask on eth0 more restrictive, say 255.255.255.248, could this setup now work? Now the IP 64.xx.xx.xx.156 is not in both networks. Thanks for the help.
well, you should give it a try.
test it and if this is not what you want, you always have our recommendation which we posted.
test it and if this is not what you want, you always have our recommendation which we posted.
If you want to avoid patching the kernel, there is a third option, which is fairly close to what the original poster was trying to do.
On the firewall's internal interface, add a network route as normal.
On the firewall's external interface, add a host route to the gateway.
On the internal machines, set the default route to point to the firewall.
Eg. Assuming eth0 is the external interface and the firewall has address 64.xxx.xxx.146
ifconfig eth0 64.xxx.xxx.146 netmask 255.255.255.255 up
ifconfig eth1 64.xxx.xxx.146 netmask 255.255.255.240 up
route add -host 64.xxx.xxx.145 dev eth0
route add default gw 64.xxx.xxx.145
Like option (2), this needs proxy arp to be turned on, but no NAT is required.
On the firewall's internal interface, add a network route as normal.
On the firewall's external interface, add a host route to the gateway.
On the internal machines, set the default route to point to the firewall.
Eg. Assuming eth0 is the external interface and the firewall has address 64.xxx.xxx.146
ifconfig eth0 64.xxx.xxx.146 netmask 255.255.255.255 up
ifconfig eth1 64.xxx.xxx.146 netmask 255.255.255.240 up
route add -host 64.xxx.xxx.145 dev eth0
route add default gw 64.xxx.xxx.145
Like option (2), this needs proxy arp to be turned on, but no NAT is required.
> If I were to make the netmask on eth0 more restrictive, say 255.255.255.248, could this setup now work?
there seems to be an additional router (maybe a DSL router) before your linux box, right? then you should narrow the netmask of this network. if there are only these two devices you can take the subnet
64.xxx.xxx.148/30 broadcast 64.xxx.xxx.151
and configure the router interface to 64.xxx.xxx.149 and eth0 to 64.xxx.xxx.150. you can then configure your internal net to 64.xxx.xxx.152/29 broadcast 64.xxx.xxx.159 including eth1 of the linux box. now you'll have to add a route for the internal net to you DSL router:
Destination Gateway Genmask Flags MSS Window irtt Iface
64.xxx.xxx.148 64.xxx.xxx.150 255.255.255.248 UG 40 0 0 eth1
the default gateway of the linux box should be the DSL router and that of your internal clients eth1 of the linux machine.
this should be all, pretty clean network configuration, no NAT or ARP quirks needed.
ISP
|
| 64.xxx.xxx.144/30 (assumed)
|
DSL router
| .149
| 64.xxx.xxx.148/30
| .150
linux router
| .153
| 64.xxx.xxx.152/29
| .154 - .158
LAN
--asem
there seems to be an additional router (maybe a DSL router) before your linux box, right? then you should narrow the netmask of this network. if there are only these two devices you can take the subnet
64.xxx.xxx.148/30 broadcast 64.xxx.xxx.151
and configure the router interface to 64.xxx.xxx.149 and eth0 to 64.xxx.xxx.150. you can then configure your internal net to 64.xxx.xxx.152/29 broadcast 64.xxx.xxx.159 including eth1 of the linux box. now you'll have to add a route for the internal net to you DSL router:
Destination Gateway Genmask Flags MSS Window irtt Iface
64.xxx.xxx.148 64.xxx.xxx.150 255.255.255.248 UG 40 0 0 eth1
the default gateway of the linux box should be the DSL router and that of your internal clients eth1 of the linux machine.
this should be all, pretty clean network configuration, no NAT or ARP quirks needed.
ISP
|
| 64.xxx.xxx.144/30 (assumed)
|
DSL router
| .149
| 64.xxx.xxx.148/30
| .150
linux router
| .153
| 64.xxx.xxx.152/29
| .154 - .158
LAN
--asem
ASKER
Thank you everyone for the help!
pjb1008:
How would I turn proxy ARP on? What does this do? Are there any undesirable effects of doing this? (security, speed, etc.??)
Asem:
I have tried doing this, but I am not sure how to change the routing table in my router. (to tell it that the inside of my network is going to be 64.xxx.xxx.148/30, right?) As soon as I change the netmask of eth0 (external) on the linux box, it does not seem to work. I assume this is because I have not told my hardware router about the change. Please excuse my ignorance, but I don't know how to do that. I am able to telnet into the Efficient Networks 5851 router though. (just don't know what to do) Could you help with the commands, or just tell me what we are trying to accomplish.
If it helps, when I do an 'eth list' command, I get lots of info including:
ETHERNET INFORMATION FOR <ETHERNET/0>
ipaddress/subnet mask: 64.xxx.xxx.145/255.255.255
This IP address is the 'gateway' that the DSL people told me to use. This is not what I am looking for, is it???
Thanks for the help.
pjb1008:
How would I turn proxy ARP on? What does this do? Are there any undesirable effects of doing this? (security, speed, etc.??)
Asem:
I have tried doing this, but I am not sure how to change the routing table in my router. (to tell it that the inside of my network is going to be 64.xxx.xxx.148/30, right?) As soon as I change the netmask of eth0 (external) on the linux box, it does not seem to work. I assume this is because I have not told my hardware router about the change. Please excuse my ignorance, but I don't know how to do that. I am able to telnet into the Efficient Networks 5851 router though. (just don't know what to do) Could you help with the commands, or just tell me what we are trying to accomplish.
If it helps, when I do an 'eth list' command, I get lots of info including:
ETHERNET INFORMATION FOR <ETHERNET/0>
ipaddress/subnet mask: 64.xxx.xxx.145/255.255.255
This IP address is the 'gateway' that the DSL people told me to use. This is not what I am looking for, is it???
Thanks for the help.
according to the documentation you can add routes on your router's command line with:
eth ip addroute <ipaddr> <ipnetmask> <gateway> <hops> [<port#>]
in your case this would be as follows:
eth ip addroute 64.xxx.xxx.148 255.255.255.248 64.xxx.xxx.150 1
save
reboot
delete routes with
eth ip delRoute <ipaddr> <ipnetmask> [<interface>]
btw. the router documentation i mentioned can be found at ftp://ftp.efficient.com/pub/outgoing/documentation/5800/5851/5800doc.zip
if you don't have it already on paper.
--asem
eth ip addroute <ipaddr> <ipnetmask> <gateway> <hops> [<port#>]
in your case this would be as follows:
eth ip addroute 64.xxx.xxx.148 255.255.255.248 64.xxx.xxx.150 1
save
reboot
delete routes with
eth ip delRoute <ipaddr> <ipnetmask> [<interface>]
btw. the router documentation i mentioned can be found at ftp://ftp.efficient.com/pub/outgoing/documentation/5800/5851/5800doc.zip
if you don't have it already on paper.
--asem
ASKER
Asem:
Is that all I need to do to the router? Don't I have to tell the router that my network is smaller than it knows about right now? Or am I doing this by adding this route? Thanks.
Is that all I need to do to the router? Don't I have to tell the router that my network is smaller than it knows about right now? Or am I doing this by adding this route? Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you all for your help.
Asem:
Thanks so much. This is the networking scheme I had in mind. My major flaws were not having the netmask of the internal side of my DSL router correct and also not having a static route in the DSL router back into my internal LAN. Once these were fixed, by LAN computers were able to "see" the internet. Thanks!!!
Asem:
Thanks so much. This is the networking scheme I had in mind. My major flaws were not having the netmask of the internal side of my DSL router correct and also not having a static route in the DSL router back into my internal LAN. Once these were fixed, by LAN computers were able to "see" the internet. Thanks!!!
hew, i just realized i promised you the commandline to set the router's interface IPs. i don't know if you need it anymore, but here it is:
eth ip addr <ipaddr> <netmask> [<interface>]
so in your case it is
eth ip addr 64.xxx.xxx.149 255.255.255.252
save
reboot
and thanx for the points!
--asem
eth ip addr <ipaddr> <netmask> [<interface>]
so in your case it is
eth ip addr 64.xxx.xxx.149 255.255.255.252
save
reboot
and thanx for the points!
--asem
of course it is not a firewall problem.
why you want to subnet your 16 ip's?
if you want to have internal ips the same as the external ip for the firewall, then you should have the firewall running as a bridge, or better as a bridge-firewall.
as this is difficult to obtain at the best, I advise you to do as follows:
get all the 14 usable ip's (the first is for refering all the subnet and the last ip is the broadcast one) to the eth1 as it seems to be.
then, put all your other computers in the internal network with private addresses
finally, put destination nat and source nat in your fireall, so everytime somebody wants to enter to the ip 64.xxx.xxx.155, the destination nat rule will resent te packages to your internal host, and when the host answers or begins a connection, you rewrite the source address as if that would have been from the 64.xxx.xxx.155 ip.
that way, you have all the functionality you spected, without all the headcaches for the bridging.
-------------
if you want to subnet anyway, then subnet all the networks, not only the eth0 one, but also the eth1, and brdige or route (iproute2) between them.