Red Hat 7.3 router - clients not seeing the internet

barthalamu (Author) asked:
I am not sure why computers on my local network cannot see the internet.  I have taken a block of 16 IPs (internet IPs) that my ISP has given me and I have subnetted it smaller.  This is what my network looks like:

Given to me by my ISP:  64.xxx.xxx.146 - 159 usable IPs (netmask 255.255.255.240)

My configuration on my linux router:

eth0:
  IP 64.xxx.xxx.146
  netmask 255.255.255.240

eth1:
  IP 64.xxx.xxx.154
  netmask 255.255.255.248

default gateway:
  64.xxx.xxx.145


One of my internal clients looks like this:
  IP 64.xxx.xxx.155
  netmask 64.xxx.xxx.248
  default gateway 64.xxx.xxx.154

The Linux router can get on the internet just fine.  My internal client cannot get on the internet though.  It can however ping both IP addresses on the Linux router (so I know that it is ip_forwarding).  I am not sure why my router will not route traffic through to the internet for my clients though.  Thanks for any help you can give me.


netstat -r :
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
64.xxx.xxx.152   *               255.255.255.248 U        40 0          0 eth1
64.xxx.xxx.144   *               255.255.255.240 U        40 0          0 eth0
127.0.0.0       *               255.0.0.0       U        40 0          0 lo
default         64.xxx.xxx.145  0.0.0.0         UG       40 0          0 eth0
default         *               0.0.0.0         U        40 0          0 eth0


P.S.  It is not a firewall problem.
Gabriel Orozco, Solution Architect

Commented:
Ok.
Of course it is not a firewall problem.

Why do you want to subnet your 16 IPs?
If you want to have internal IPs the same as the external IP for the firewall, then you should have the firewall running as a bridge, or better as a bridge-firewall.

As this is difficult to obtain at the best, I advise you to do as follows:

Get all the 14 usable IPs (the first is for referring to the whole subnet and the last IP is the broadcast one) to the eth1, as it seems to be.

Then, put all your other computers in the internal network with private addresses.

Finally, put destination NAT and source NAT in your firewall, so every time somebody wants to enter to the IP 64.xxx.xxx.155, the destination NAT rule will resend the packets to your internal host, and when the host answers or begins a connection, you rewrite the source address as if that would have been from the 64.xxx.xxx.155 IP.

That way, you have all the functionality you expected, without all the headaches for the bridging.

-------------
If you want to subnet anyway, then subnet all the networks, not only the eth0 one, but also the eth1, and bridge or route (iproute2) between them.

Author

Commented:
The reason I am trying to subnet those IPs is because I want all internet traffic to go through my Linux router.  Is there a better way to do this?  I don't want to use NAT because I want to have real IPs so I can get to the computers in my LAN from the internet.  I know I can do port mapping with NAT to achieve this, but I would rather not.

I guess what I want is for my Linux box to function as a router (and firewall), to my internal network.  I want all traffic that goes to and from the internet on my LAN to pass through my Linux router and firewall.   I want my internal network to have real IP addresses, yet also be protected by a firewall.  Again, is there a better way to do this?

Thanks for the help.

Commented:
You can't do subnetting this way. Period. The problem here is that, for the Linux router, the IP 64.xxx.xxx.156 is in *both* networks.

It both complies with the network mask/range of the eth0 interface (which is 64.xxx.xxx.146 - 159) and the range for the eth1 interface (which is 64.xxx.xxx.153-158). What will the kernel do here (it has two routes for the same IP address)?

- incoming packets will *not* be forwarded back in (since the IP is in the router's range it will assume that someone else will answer it, not him)

- outgoing packets (from the router) will be sent to either eth1 or eth0

- forwarded packets (from behind) will be sent from eth1 to the default gateway.

You have a mess in your hands if you want to do subnetting like this.

You have two options:

1.- use the Linux machine as a *bridge* instead of a router. It will have no IP address and you can configure all the network behind the router with the network/mask/default gateway given by the ISP. You can read information on how to set up a bridge looking at the documents at the TLDP: http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html. I believe you have to patch the kernel if you are using 2.2 (the bridge code is there in 2.4).

2.- use static NAT in the router with ARP proxying. You can have the router do static NAT for the internal machines using the IP address range given by the ISP. Set up a private (RFC1918) network behind the router and have the machines route through the Linux router. Add NAT rules in the router so that each machine gets an IP address in the range.

In both cases you can add security to the network by introducing filtering rules. Static NAT has the advantage that you can specify static NAT for outgoing connections from the internal network and not for incoming (or only for selected ports).


Gabriel Orozco, Solution Architect

Commented:
javifs is right.

What you want to do is what the bridge+firewall document answers, but you need to patch the kernel in order for the bridge, which doesn't know about the IP protocol (it is only layer two = no IPs), to be able to look into the packets and see the IP protocol and then be able to apply firewall rules.

This is not very easy. It's because of this you will find a lot of static NAT on the internet. It has its advantages and disadvantages, but for clarity reasons, better use the static NAT approach, as we suggest.

Author

Commented:
If I were to make the netmask on eth0 more restrictive, say 255.255.255.248, could this setup now work?  Now the IP 64.xxx.xxx.156 is not in both networks.  Thanks for the help.
Gabriel Orozco, Solution Architect

Commented:
Well, you should give it a try.
Test it and if this is not what you want, you always have our recommendation which we posted.

Commented:
If you want to avoid patching the kernel, there is a third option, which is fairly close to what the original poster was trying to do.

On the firewall's internal interface, add a network route as normal.
On the firewall's external interface, add a host route to the gateway.
On the internal machines, set the default route to point to the firewall.

E.g. assuming eth0 is the external interface and the firewall has address 64.xxx.xxx.146:

ifconfig eth0 64.xxx.xxx.146 netmask 255.255.255.255 up
ifconfig eth1 64.xxx.xxx.146 netmask 255.255.255.240 up
route add -host 64.xxx.xxx.145 dev eth0
route add default gw 64.xxx.xxx.145

Like option (2), this needs proxy ARP to be turned on, but no NAT is required.

Commented:
> If I were to make the netmask on eth0 more restrictive, say 255.255.255.248, could this setup now work?

There seems to be an additional router (maybe a DSL router) before your Linux box, right? Then you should narrow the netmask of this network. If there are only these two devices you can take the subnet

64.xxx.xxx.148/30 broadcast 64.xxx.xxx.151

and configure the router interface to 64.xxx.xxx.149 and eth0 to 64.xxx.xxx.150. You can then configure your internal net to 64.xxx.xxx.152/29 broadcast 64.xxx.xxx.159 including eth1 of the Linux box. Now you'll have to add a route for the internal net to your DSL router:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
64.xxx.xxx.148  64.xxx.xxx.150  255.255.255.248 UG      40   0          0 eth1

The default gateway of the Linux box should be the DSL router and that of your internal clients eth1 of the Linux machine.

This should be all, pretty clean network configuration, no NAT or ARP quirks needed.

ISP
   |
   |      64.xxx.xxx.144/30 (assumed)
   |
DSL router
   |  .149
   |      64.xxx.xxx.148/30
   |  .150
linux router
   |  .153
   |      64.xxx.xxx.152/29
   |  .154 - .158
LAN

--asem

Author

Commented:
Thank you everyone for the help!


pjb1008:

How would I turn proxy ARP on?  What does this do?  Are there any undesirable effects of doing this? (security, speed, etc.??)

Asem:

I have tried doing this, but I am not sure how to change the routing table in my router (to tell it that the inside of my network is going to be 64.xxx.xxx.148/30, right?).  As soon as I change the netmask of eth0 (external) on the Linux box, it does not seem to work.  I assume this is because I have not told my hardware router about the change.  Please excuse my ignorance, but I don't know how to do that.  I am able to telnet into the Efficient Networks 5851 router though (just don't know what to do).  Could you help with the commands, or just tell me what we are trying to accomplish?

If it helps, when I do an 'eth list' command, I get lots of info including:

ETHERNET INFORMATION FOR <ETHERNET/0>

ipaddress/subnet mask:               64.xxx.xxx.145/255.255.255.240



This IP address is the 'gateway' that the DSL people told me to use.  This is not what I am looking for, is it?

Thanks for the help.

Commented:
According to the documentation you can add routes on your router's command line with:

eth ip addroute <ipaddr> <ipnetmask> <gateway> <hops> [<port#>]

In your case this would be as follows:

eth ip addroute 64.xxx.xxx.148 255.255.255.248 64.xxx.xxx.150         1
save
reboot

Delete routes with:

eth ip delRoute <ipaddr> <ipnetmask> [<interface>]

BTW, the router documentation I mentioned can be found at ftp://ftp.efficient.com/pub/outgoing/documentation/5800/5851/5800doc.zip
if you don't have it already on paper.

--asem

Author

Commented:
Asem:

Is that all I need to do to the router?  Don't I have to tell the router that my network is smaller than it knows about right now?  Or am I doing this by adding this route?  Thanks.
Commented:
Sorry, I made a mistake. The right network address is 64.xxx.xxx.152 instead of 64.xxx.xxx.148, as shown in my network plan above.

And, of course, you have to configure your router's ethernet interface to IP 64.xxx.xxx.149, netmask /30 or 255.255.255.252, which is the same in another notation (there are 30 bits set to '1' in the binary notation of the netmask), and broadcast 64.xxx.xxx.151. This can be done through the web interface of the DSL router. When I'm at work again on Monday, where I have the documentation, I can tell you the command-line version too.

But then, yes, that should be enough. The size of your internal network is determined by the route's netmask of 255.255.255.248, which means there are 8 addresses in the internal net (of which 5 are available to internal servers). Any packet with a destination address of one of these 8 is routed to the Linux router/firewall, which knows them as members of its internal network.

--asem
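To make the thread's two technical points concrete, here is an added example (written for this page, not code posted by javifs, asem or anyone else in the thread). It parses the poster's `netstat -r` table and shows why javifs objects to the original layout (64.xxx.xxx.156 is covered by directly connected routes on both eth0 and eth1, and the table carries two default routes), then validates asem's plan (a /30 for the DSL-router link and a /29 for the LAN, both carved out of the ISP's /28) and reproduces asem's own correction that .148 is not a valid network address for a 255.255.255.248 route while .152 is. The ISP's masked prefix 64.xxx.xxx is replaced with the placeholder 64.0.2 throughout; that and the sample table are constructed input, not real addresses.

```python
"""Routing-table overlap check and addressing-plan validation.

Added example for this thread, not code posted by anyone in it.  The
`netstat -r` text is the poster's table with the masked ISP prefix
64.xxx.xxx replaced by the placeholder 64.0.2 (constructed input).
"""
import ipaddress

# Constructed: the poster's `netstat -r` output, 64.xxx.xxx -> 64.0.2.
NETSTAT_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
64.0.2.152      *               255.255.255.248 U        40 0          0 eth1
64.0.2.144      *               255.255.255.240 U        40 0          0 eth0
127.0.0.0       *               255.0.0.0       U        40 0          0 lo
default         64.0.2.145      0.0.0.0         UG       40 0          0 eth0
default         *               0.0.0.0         U        40 0          0 eth0
"""


def parse_netstat(text):
    """Parse `netstat -r` output into (network, gateway or None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        dest, gw, mask, iface = f[0], f[1], f[2], f[-1]
        if dest == "default":
            dest = "0.0.0.0"
        # strict=False so one odd line does not abort the whole parse.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "*" else ipaddress.ip_address(gw), iface))
    return routes


def interfaces_claiming(routes, host):
    """Interfaces with a directly connected (non-default) route covering host.

    More than one entry means the router sees the address on two links at
    once, which is javifs's objection to the /28 + /29 layout.
    """
    ip = ipaddress.ip_address(host)
    return sorted({iface for net, gw, iface in routes
                   if net.prefixlen > 0 and gw is None and ip in net})


def default_routes(routes):
    """All 0.0.0.0/0 entries; a sane table has exactly one."""
    return [r for r in routes if r[0].prefixlen == 0]


def is_network_address(addr, mask):
    """True when addr/mask has no host bits set, i.e. names a subnet.

    A static route such as `eth ip addroute <net> <mask> <gw>` needs the real
    network address: .148/255.255.255.248 has host bits set, .152 does not.
    """
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def check_plan(isp_block, subnets, hosts):
    """Validate an addressing plan; return a list of problems (empty = OK).

    isp_block: block delegated by the ISP, e.g. "64.0.2.144/28"
    subnets:   {name: "net/prefix"} carved out of that block
    hosts:     {name: "address"}; each must fall in exactly one subnet and
               must not be that subnet's network or broadcast address
    """
    block = ipaddress.ip_network(isp_block)
    nets = {n: ipaddress.ip_network(s) for n, s in subnets.items()}
    problems = []
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(block):
            problems.append(f"{a} {nets[a]} is outside the ISP block {block}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    for hname, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        homes = [n for n, net in nets.items() if ip in net]
        if len(homes) != 1:
            problems.append(f"{hname} {ip} is in {len(homes)} subnets: {homes}")
            continue
        net = nets[homes[0]]
        if ip in (net.network_address, net.broadcast_address):
            problems.append(f"{hname} {ip} is the network/broadcast address of {net}")
    return problems


# asem's layout: a /30 for the DSL-router link, a /29 for the LAN.
ASEM_PLAN = dict(
    isp_block="64.0.2.144/28",
    subnets={"link": "64.0.2.148/30", "lan": "64.0.2.152/29"},
    hosts={"dsl_router": "64.0.2.149", "eth0": "64.0.2.150",
           "eth1": "64.0.2.153", "client": "64.0.2.155"},
)

# The poster's layout: eth0 keeps the whole /28, eth1 takes a /29 inside it.
ORIGINAL_PLAN = dict(
    isp_block="64.0.2.144/28",
    subnets={"eth0": "64.0.2.144/28", "eth1": "64.0.2.152/29"},
    hosts={"eth0": "64.0.2.146", "eth1": "64.0.2.154", "client": "64.0.2.155"},
)

if __name__ == "__main__":
    routes = parse_netstat(NETSTAT_OUTPUT)
    print("interfaces claiming .156:", interfaces_claiming(routes, "64.0.2.156"))
    print("default routes:", len(default_routes(routes)))
    print(".148/29 is a network address:", is_network_address("64.0.2.148", "255.255.255.248"))
    print("asem's plan:", check_plan(**ASEM_PLAN) or "OK")
    print("original plan:", check_plan(**ORIGINAL_PLAN))
```

Run against the poster's table, `interfaces_claiming` returns both eth0 and eth1 for .156 and `default_routes` finds two entries; asem's plan comes back clean, while the original plan reports the /28 overlapping the /29 and the eth1 and client addresses living in two subnets at once. The same checks are worth running on any plan before touching the DSL router, since a misaligned network address in `eth ip addroute` (the .148 slip above) fails silently rather than loudly.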

Author

Commented:
Thank you all for your help.

Asem:
Thanks so much.  This is the networking scheme I had in mind.  My major flaws were not having the netmask of the internal side of my DSL router correct and also not having a static route in the DSL router back into my internal LAN.  Once these were fixed, my LAN computers were able to "see" the internet.  Thanks!!!

Commented:
Phew, I just realized I promised you the command line to set the router's interface IPs. I don't know if you need it anymore, but here it is:

eth ip addr <ipaddr> <netmask> [<interface>]

So in your case it is:

eth ip addr 64.xxx.xxx.149 255.255.255.252
save
reboot

And thanks for the points!

--asem
