Laptop on subnet 2 cannot see the server on subnet 1

453 Views
Last Modified: 2013-12-06
All IP addresses are statically assigned.  Server1 on subnet 1 can see the laptop client, but this client cannot see server1.  Routing between the two subnets is via server2, which is directly connected to the laptop client via NIC2.  The client can ping both NICs on server2 (one in each subnet) but can't get past the server2 gateway.  Server1 = RHES v4, server2 = Fedora 2.6, and the laptop client is on an older version of Ubuntu (Debian).  The PIX firewall allows all icmp packets through its inside and outside interfaces: the inside interface is on a private IP address on subnet1 and its outside interface is a routable IP address assigned by the ISP.
The laptop (192.168.1.130):
$ ip route show      
192.168.1.0/25 via 192.168.1.129 (129 = NIC2 on server2; NIC1 on server2 is on subnet 1 and the laptop can reach NIC1 but not the rest of subnet 1)
192.168.1.128/25 dev eth0 proto kernel scope link src 192.168.1.130
default via 192.168.1.129 dev eth0
Server2's routing table:
# ip route show
192.168.1.0/25 dev eth0  proto kernel  scope link  src 192.168.1.105
192.168.1.128/25 dev eth1  proto kernel  scope link  src 192.168.1.129
169.254.0.0/16 dev eth1  scope link
default via 192.168.1.3 dev eth0
The laptop is on a 10 Mbps connection (it's old and I want to make it a DRBL client)
but the servers are on 100 Mbps.  I need to understand the routing issue before proceeding with DRBL (and DHCP). How to fix this?

Gabriel Orozco, Solution Architect

Commented:
you need to enable ip forwarding on your fedora box:

echo 1 > /proc/sys/net/ipv4/ip_forward

but to do it right on either Red Hat or Fedora:
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/
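To show why the laptop could reach both of server2's NICs but nothing beyond them, here is an added simulation (not code from the question or the answer) that walks a packet from the laptop through the two routing tables posted above using longest-prefix matching, with a flag standing in for net.ipv4.ip_forward on server2. The host names, the address-to-host mapping and the tables are transcribed from the question; server1 is modelled only as an endpoint that owns 192.168.1.103, since its own routing table is not on the page.

```python
import ipaddress

# Routing tables transcribed from the question (constructed for this example).
# Each entry: (prefix, next hop or None if directly connected, interface).
LAPTOP_ROUTES = [
    ("192.168.1.0/25", "192.168.1.129", "eth0"),
    ("192.168.1.128/25", None, "eth0"),
    ("0.0.0.0/0", "192.168.1.129", "eth0"),
]
SERVER2_ROUTES = [
    ("192.168.1.0/25", None, "eth0"),
    ("192.168.1.128/25", None, "eth1"),
    ("169.254.0.0/16", None, "eth1"),
    ("0.0.0.0/0", "192.168.1.3", "eth0"),   # default gateway (the PIX)
]

# Which host owns which address. server2 has one address per NIC.
# server1's routes are not on the page, so it is only a destination here.
HOSTS = {
    "laptop":  {"addrs": {"192.168.1.130"}, "routes": LAPTOP_ROUTES},
    "server2": {"addrs": {"192.168.1.105", "192.168.1.129"}, "routes": SERVER2_ROUTES},
    "server1": {"addrs": {"192.168.1.103"}, "routes": []},
}
ADDR_OWNER = {a: name for name, h in HOSTS.items() for a in h["addrs"]}


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific route wins.

    Returns (network, next_hop, interface) or None when nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def trace(dst, ip_forward):
    """Follow a packet from the laptop toward dst, hop by hop.

    ip_forward maps a host name to whether that host forwards packets not
    addressed to itself (net.ipv4.ip_forward). Returns (path, outcome).
    """
    path = ["laptop"]
    current = "laptop"
    for _ in range(8):                       # guard against routing loops
        match = lookup(HOSTS[current]["routes"], dst)
        if match is None:
            return path, "no route"
        _net, via, _dev = match
        next_ip = via or dst                 # directly connected: deliver to dst itself
        owner = ADDR_OWNER.get(next_ip)
        if owner is None:
            return path, f"next hop {next_ip} unreachable"
        path.append(owner)
        if dst in HOSTS[owner]["addrs"]:
            return path, "delivered"
        if not ip_forward.get(owner, False):
            return path, f"dropped at {owner}: ip_forward=0"
        current = owner
    return path, "loop"


if __name__ == "__main__":
    for target in ("192.168.1.129", "192.168.1.105", "192.168.1.103"):
        for fwd in (False, True):
            print(target, "ip_forward=%d" % fwd, trace(target, {"server2": fwd}))
```

With forwarding off, pings to 192.168.1.129 and 192.168.1.105 succeed because server2 is the final destination, while a packet for 192.168.1.103 arrives at server2 and is discarded; with forwarding on, server2's directly connected 192.168.1.0/25 route carries it to server1.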

Author

Commented:
Thanks very much!   I get icmp replies from the laptop client now, which is great.  I made the change permanent, so I don't have to re-enable ip forwarding each time I reboot the Fedora server.  But I did see this, not sure if the error shows up because I'm using a cross-over cable connection on eth1 to the laptop NIC:
server2 # service network restart
Shutting down interface default:                           [  OK  ]
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Disabling IPv4 packet forwarding:  net.ipv4.ip_forward = 0
                                                           [  OK  ]
SIOCGIFFLAGS: No such device
Bringing up loopback interface:                            [  OK  ]
Bringing up interface default:  
Determining IP information for eth1... failed.
                                                           [FAILED]
Bringing up interface eth0:                                [  OK  ]
Bringing up interface eth1:                                [  OK  ]
Both eth1 and the laptop NIC were replying to icmp requests before I restarted the network service, so it's strange.  Finally (and more importantly) I need to get the laptop to resolve, but DNS fails.  Adding clients to my LAN was no problem in the past - all I needed to configure were the client /etc/hosts and /etc/resolv.conf files and/or Windows equivalent and all was well.  But in the past, clients from subnet2 connected through a wireless router.  Now that server2 is routing between the two subnets via ip forwarding, there may be some other setting in DNS I have to change, but I don't know what that is.  Let me know if I need to open another question to get this answer, thanks.
Solution Architect
Commented:

Author

Commented:
I did a traceroute to server1.my.domain.com's internal IP

Author

Commented:
Sorry, no idea how that actually transmitted...I'll try again:
I did a traceroute to server1.my.domain.com's internal IP from the laptop and there are 2 hops: the gateway (server2) and the DNS server (server1)
This laptop and another one similarly configured (the first is Linux and the 2nd one is XP) only get icmp replies from the internal IP of server1, but not from www.mydomain.com
$ nslookup www.mydomain.com
Can't find server name for address 192.168.1.103: query refused
Can't find server name for address 192.168.1.105: query refused
Default servers are not available
(The IP addresses are for server1 and server2, respectively)
What gives?
Gabriel Orozco, Solution Architect

Commented:
please post your /etc/resolv.conf

does it have the line
nameserver ip.of.your.real.nameserverhere  ?

Author

Commented:
cat /etc/resolv.conf
search mydomain.com
nameserver 192.168.1.103
nameserver 192.168.1.105
This file is the same on server2 as it is on the Linux laptop.
Gabriel Orozco, Solution Architect

Commented:
your resolv.conf is okay

do you have firewall enabled on these two servers? open a temporary hole for dns with this:

iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT

if after this your dns requests begin to work, then you will need to make these changes permanent, and specify -s network/24 so no external server is able to access the dns

you also need to check you have dns (named) running on those two servers. if your dns server is not one of these two, you will need to change your /etc/resolv.conf to point to the correct dns server

Author

Commented:
Sorry it took me so long, I've been on travel.  I don't use IP tables, but I am using a PIX firewall which is in the first subnet, and it's possible that it's blocking DNS requests from outside its own subnet.  I didn't see that because the traceroute command showed only 2 hops: server1 and server2, and there's nothing in the /etc/hosts.allow or hosts.deny files that would block client requests from subnet 2.  But it's possible that the PIX is blocking subnet 2 requests, and if that's happening, I'll need to add a rule (or more) to the PIX for subnet 2.  Should get to that in about 3 hours or so.

Author

Commented:
Unfortunately, the PIX (on subnet 1) gets no icmp replies from hosts on subnet 2 - the rule is there to open DNS to both subnets, but the PIX is not a router...
server1 and server2 get icmp replies from ping hostx.mydomain.com, so it's fair to say that DNS requests between subnets are not passing thru the PIX.
However DNS requests only work from the server to the client, not from the client to the server: ping hostx.mydomain.com on a subnet 2 host gets no icmp replies from server1.mydomain.com or server2.mydomain.com
# route  //on server2 (the gateway) shows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.128 U     0      0        0 eth0
192.168.1.128   *               255.255.255.128 U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.1.x     0.0.0.0         UG    0      0        0 eth0 //the default gateway is the PIX firewall
What to look for next?

Author

Commented:
I finally found the answer to my problem by changing this line in /etc/named.conf:
 allow-query { My_Workgroup; };  to
 allow-query { 192.168.1.129/25; };
and all is right with the world :-)
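Both the earlier advice to restrict the firewall hole with -s network/24 and the final allow-query fix come down to the same check: is the client's source address inside a permitted prefix? This added example (not code from the thread) models BIND's allow-query evaluation so the "query refused" results from subnet 2 can be reproduced and the fix verified offline. It assumes the original My_Workgroup ACL expanded to subnet 1 only (192.168.1.0/25), which the page does not state, and it masks off host bits so the 192.168.1.129/25 entry from the answer above is treated as 192.168.1.128/25. The sample client addresses are the ones from the thread.

```python
import ipaddress


def parse_acl(entries):
    """Parse a BIND-style address_match_list into (deny, network) pairs.

    BIND walks the list in order and the first element that matches the client
    address decides; a leading '!' negates the element (explicit deny). Host
    bits in an entry are masked off, so 192.168.1.129/25 becomes 192.168.1.128/25.
    """
    parsed = []
    for raw in entries:
        item = raw.strip().rstrip(";").strip()
        deny = item.startswith("!")
        if deny:
            item = item[1:].strip()
        parsed.append((deny, ipaddress.ip_network(item, strict=False)))
    return parsed


def query_allowed(acl, client_ip):
    """First matching element wins; no match means the query is refused."""
    addr = ipaddress.ip_address(client_ip)
    for deny, net in acl:
        if addr in net:
            return not deny
    return False


def simulate_lookups(acl_entries, clients):
    """Return {client: 'answered' | 'query refused'} for each client source."""
    acl = parse_acl(acl_entries)
    return {c: ("answered" if query_allowed(acl, c) else "query refused")
            for c in clients}


# Constructed sample clients: server2's subnet 1 NIC and the subnet 2 laptop.
CLIENTS = ["192.168.1.105", "192.168.1.130"]

# Assumption: the original My_Workgroup ACL covered subnet 1 only.
BEFORE = ["192.168.1.0/25;"]
# The line from the answer above, taken literally.
AFTER = ["192.168.1.129/25;"]
# An ACL that serves both subnets while still keeping out everything else;
# the same /24 is what the '-s network/24' firewall suggestion would use.
BOTH = ["192.168.1.0/24;"]

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER), ("both", BOTH)):
        print(label, simulate_lookups(acl, CLIENTS))
```

Running it shows the laptop refused under the original ACL and answered under the new one. It also shows that the new line, read literally, covers only subnet 2, so queries arriving from a subnet 1 source would now be refused; listing both /25 networks or the enclosing 192.168.1.0/24 answers both sides without opening the resolver to the outside.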
Gabriel Orozco, Solution Architect

Commented:
great! congratz...
