Solved

Laptop on subnet 2 cannot see the server on subnet 1

Posted on 2007-09-30
Last Modified: 2013-12-06
All IP addresses are statically assigned.  Server1 on subnet 1 can see the laptop client, but this client cannot see server 1.  Routing between the two subnets is via server2, which is directly connected to the laptop client via NIC2.  The client can ping both NICs on server2 (one in each subnet) but can't get past the server2 gateway.  Server1 = RHES v4, server2 = Fedora 2.6, and the laptop client is on an older version of Ubuntu (Debian).  The PIX firewall allows all icmp packets thru its inside and outside interfaces: the inside interface is on a private IP address on subnet1 and its outside interface is a routable IP address assigned by the ISP.    
The laptop (192.168.1.130):
$ ip route show      
192.168.1.0/25 via 192.168.1.129 (129 = NIC2 on server2; NIC1 on server2 is on subnet 1 and the laptop can reach NIC1 but not the rest of subnet 1)
192.168.1.128/25 dev eth0 proto kernel scope link src 192.168.1.130
default via 192.168.1.129 dev eth0
Server2's routing table:
# ip route show
192.168.1.0/25 dev eth0  proto kernel  scope link  src 192.168.1.105
192.168.1.128/25 dev eth1  proto kernel  scope link  src 192.168.1.129
169.254.0.0/16 dev eth1  scope link
default via 192.168.1.3 dev eth0
The laptop is on a 10 Mbps connection (it's old and I want to make it a DRBL client) but the servers are on 100 Mbps.  I need to understand the routing issue before proceeding with DRBL (and DHCP). How to fix this?
Question by:sara_bellum
12 Comments
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 19987370
you need to enable ip forwarding on your fedora box:

echo 1 > /proc/sys/net/ipv4/ip_forward

but for doing it right on both redhat or fedora:
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/
Author Comment

by:sara_bellum
ID: 19987501
Thanks very much!   I get icmp replies from the laptop client now, which is great.  I made the change permanent, so I don't have to re-enable ip forwarding each time I reboot the Fedora server.  But I did see this, not sure if the error shows up because I'm using a cross-over cable connection on eth1 to the laptop NIC:
server2 # service network restart
Shutting down interface default:                           [  OK  ]
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Disabling IPv4 packet forwarding:  net.ipv4.ip_forward = 0
                                                           [  OK  ]
SIOCGIFFLAGS: No such device
Bringing up loopback interface:                            [  OK  ]
Bringing up interface default:  
Determining IP information for eth1... failed.
                                                           [FAILED]
Bringing up interface eth0:                                [  OK  ]
Bringing up interface eth1:                                [  OK  ]
Both eth1 and the laptop NIC were replying to icmp requests before I restarted the network service, so it's strange.  Finally (and more importantly) I need to get the laptop to resolve, but DNS fails.  Adding clients to my LAN was no problem in the past - all I needed to configure were the client /etc/hosts and /etc/resolv.conf files and/or Windows equivalent and all was well.  But in the past, clients from subnet2 connected through a wireless router.  Now that server2 is routing between the two subnets via ip forwarding, there may be some other setting in DNS I have to change, but I don't know what that is.  Let me know if I need to open another question to get this answer, thanks.
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 1500 total points
ID: 19987639
well, for the first question you need to go to your control panel and edit what you are starting on the networking side. you should see something about that weird message "Disabling IPv4 packet forwarding"

however, looking at some googling I see this:
http://www.mail-archive.com/cooker@linux-mandrake.com/msg126802.html
as you see, you can edit your /etc/sysconfig/network by hand and add
FORWARD_IPV4=yes
the "determining IP information" I would not pay much attention if that information is being provided in a later step. you see that since your eth1 is responsive and working. so if you want to get rid of that message you would need to troubleshoot your script. maybe we can see that in another thread.

for your second question, your laptop has to have the server2 ip as its default gateway. if you can do a traceroute to the ip of your internal dns, then the dns should respond unless there is a firewall in the middle filtering port tcp/53 and/or udp/53
Author Comment

by:sara_bellum
ID: 19996729
I did a traceroute to server1.my.domain.com's internal IP
Author Comment

by:sara_bellum
ID: 19996750
Sorry, no idea how that actually transmitted...I'll try again:
I did a traceroute to server1.my.domain.com's internal IP from the laptop and there are 2 hops: the gateway (server2) and the DNS server (server1)
This laptop and another one similarly configured (the first is Linux and the 2nd one is XP) only get icmp replies from the internal IP of server1, but not from www.mydomain.com
$ nslookup www.mydomain.com
Can't find server name for address 192.168.1.103: query refused
Can't find server name for address 192.168.1.105: query refused
Default servers are not available
(The IP addresses are for server1 and server2, respectively)
What gives?
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 19999635
please post your /etc/resolv.conf

does it have the line
nameserver ip.of.your.real.nameserverhere  ?
Author Comment

by:sara_bellum
ID: 20004194
cat /etc/resolv.conf
search mydomain.com
nameserver 192.168.1.103
nameserver 192.168.1.105
This file is the same on server2 as it is on the Linux laptop.
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 20007967
your resolv.conf is okay

do you have firewall enabled on these two servers? open a temporary hole for dns with this:

iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT

if after this your dns requests begin to work, then you will need to make these changes permanent, and specify -s network/24 so no external server is able to access the dns

you also need to check you have dns (named) running on those two servers. if your dns server is not one of these two, you will need to change your /etc/resolv.conf to point to the correct dns server
Author Comment

by:sara_bellum
ID: 20038207
Sorry it took me so long, I've been on travel.  I don't use IP tables, but I am using a PIX firewall which is in the first subnet, and it's possible that it's blocking DNS requests from outside its own subnet.  I didn't see that because the traceroute command showed only 2 hops: server1 and server2, and there's nothing in the /etc/hosts.allow or hosts.deny files that would block client requests from subnet 2.  But it's possible that the PIX is blocking subnet 2 requests, and if that's happening, I'll need to add a rule (or more) to the PIX for subnet 2.  Should get to that in about 3 hours or so.
Author Comment

by:sara_bellum
ID: 20038855
Unfortunately, the PIX (on subnet 1) gets no icmp replies from hosts on subnet 2 - the rule is there to open DNS to both subnets, but the PIX is not a router...
server1 and server2 get icmp replies from ping hostx.mydomain.com, so it's fair to say that DNS requests between subnets are not passing thru the PIX.
However DNS requests only work from the server to the client, not from the client to the server: ping hostx.mydomain.com on a subnet 2 host gets no icmp replies from server1.mydomain.com or server2.mydomain.com
# route  //on server2 (the gateway) shows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.128 U     0      0        0 eth0
192.168.1.128   *               255.255.255.128 U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.1.x     0.0.0.0         UG    0      0        0 eth0 //the default gateway is the PIX firewall
What to look for next?
Author Comment

by:sara_bellum
ID: 20062910
I finally found the answer to my problem by changing this line in /etc/named.conf:
 allow-query { My_Workgroup; };  to
 allow-query { 192.168.1.129/25; };
and all is right with the world :-)
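An added check, not from the thread or from BIND itself, that ties the fix above back to the routing tables posted earlier: it parses server2's "ip route show" output and an allow-query line from /etc/named.conf and reports which directly connected subnets would still get "query refused". Python's strict=False mirrors how the posted prefix 192.168.1.129/25 names the laptop's subnet 192.168.1.128/25; the second ACL naming both subnets is a constructed sample, and a named ACL such as My_Workgroup must be expanded to prefixes before the check can evaluate it.

```python
import ipaddress
import re

# Constructed sample input: server2's routing table as posted in the thread.
IP_ROUTE_OUTPUT = """\
192.168.1.0/25 dev eth0  proto kernel  scope link  src 192.168.1.105
192.168.1.128/25 dev eth1  proto kernel  scope link  src 192.168.1.129
169.254.0.0/16 dev eth1  scope link
default via 192.168.1.3 dev eth0
"""
# The allow-query line from the final fix, and a constructed one naming both subnets.
ACL_POSTED = "allow-query { 192.168.1.129/25; };"
ACL_BOTH = "allow-query { 192.168.1.0/25; 192.168.1.128/25; };"

def connected_subnets(ip_route_text):
    """Directly connected (proto kernel) subnets; link-local and default are skipped."""
    nets = []
    for line in ip_route_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "default" or "proto" not in fields:
            continue
        net = ipaddress.ip_network(fields[0], strict=False)
        if not net.is_link_local:
            nets.append(net)
    return nets

def parse_allow_query(line):
    """CIDR entries of an allow-query { ... }; statement. strict=False turns the posted
    192.168.1.129/25 into the prefix 192.168.1.128/25 (the laptop's subnet); 'any' is the
    whole address space; named ACLs such as My_Workgroup must be expanded by the caller."""
    body = re.search(r"allow-query\s*\{(.*)\}", line).group(1)
    entries = [e.strip() for e in body.split(";") if e.strip()]
    return [ipaddress.ip_network("0.0.0.0/0" if e == "any" else e, strict=False)
            for e in entries]

def uncovered_subnets(ip_route_text, acl_line):
    """Connected subnets whose clients named would answer with 'query refused'."""
    acl = parse_allow_query(acl_line)
    return [str(n) for n in connected_subnets(ip_route_text)
            if not any(n.subnet_of(a) for a in acl)]

def client_allowed(client_ip, acl_line):
    """True when a single client address matches any entry of the ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in a for a in parse_allow_query(acl_line))

if __name__ == "__main__":
    for label, acl in (("posted", ACL_POSTED), ("both", ACL_BOTH)):
        print(label, "refused subnets:", uncovered_subnets(IP_ROUTE_OUTPUT, acl))
```

Run against the posted ACL, the check shows the laptop's subnet 192.168.1.128/25 is now answered while 192.168.1.0/25 is not named by that line, which is the kind of per-subnet review worth doing before relying on a single prefix in allow-query.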
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 20078118
great! congratz...