Troubleshooting Question

Ubuntu routing + VLAN + iptables = hair-loss

Asked by fuats (United States of America)
Topics: Networking, Linux Networking, Software Firewalls
3 Comments, 1 Solution, 6342 Views
Inherited a network that has been grown by several different people over the last 10 years.  It's pretty messy, and I'm trying to clean it up.  The current priority project is getting a VLAN functioning.  The switches know of the VLAN, and can handle the tagging part.  Everything is getting routed via a Ubuntu firewall/router with several NICs.  Some items documented as VLANs I've found are not really VLANs, but just class B addresses with varying third octets.

Kernel is 2.6.27

eth0 - External IP 1
eth0:5 - External IP 2
eth0:6 - External IP 3
...
eth1 - 10.10.1.1 (10.10.0.0/16)
eth2 - External IP 7
eth3 - External IP 8
eth4 - 10.10.200.1 (VLAN Trunk)
vlan172 - 172.16.172.1 (172.16.172.0/24, bound to eth4)
vlan173 - 172.16.173.1 (172.16.173.0/24, bound to eth4)
vlan109 - 10.10.109.1 (10.10.109.0/24, bound to eth4)
---------------------------------------ifaces-----------------------------------
iface eth4 inet static
      address 10.10.200.1
      netmask 255.255.255.0
      # eth4 is the trunk's raw device, not a VLAN interface: vlan_raw_device does not belong here
iface vlan109 inet static
      address 10.10.109.1
      netmask 255.255.255.0
      vlan_raw_device eth4
iface vlan172 inet static
      address 172.16.172.1
      netmask 255.255.255.0
      vlan_raw_device eth4
iface vlan173 inet static
      address 172.16.173.1
      netmask 255.255.255.0
      vlan_raw_device eth4

-------------------Abbreviated Firewall Script -----------------------------
#!/bin/sh

# I've removed all comments, and extraneous garbage that I don't feel is pertinent.

IPTABLES=/sbin/iptables
ROUTE=/sbin/route

WANIFACE="eth0"
LANIFACE="eth1"
VTRUNK="eth4"

VLAN109="vlan109"

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT

$IPTABLES -t nat -I POSTROUTING -o $WANIFACE -s 10.10.0.0/16 -j SNAT --to <external>

$IPTABLES -t nat -I POSTROUTING -o $WANIFACE -s 172.16.173.0/24 -j SNAT --to <external>
$IPTABLES -t nat -I POSTROUTING -o $WANIFACE -s 10.10.202.0/24 -j SNAT --to <external>

$IPTABLES -t nat -I POSTROUTING -o $WANIFACE -s 172.16.172.0/24 -j SNAT --to <external>
$IPTABLES -t nat -I POSTROUTING -o $WANIFACE -s 10.10.203.0/24 -j SNAT --to <external>

$IPTABLES -A FORWARD -p gre -j ACCEPT

$IPTABLES -A FORWARD -i vlan109 -o $LANIFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LANIFACE -o vlan109 -j ACCEPT

$IPTABLES -A FORWARD -i vlan172 -o $WANIFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WANIFACE -o vlan172 -j ACCEPT

$IPTABLES -A FORWARD -i vlan109 -o $WANIFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WANIFACE -o vlan109 -j ACCEPT

$IPTABLES -A FORWARD -i vlan173 -o $WANIFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WANIFACE -o vlan173 -j ACCEPT

---------------------------------------------------------------------------

From a node (10.10.109.109), I can ping other nodes on that same switch within the 10.10.109.x range.  I can also ping from 10.10.109.109 (test laptop) to the gateway (10.10.109.1) on eth4 where vlan109 is bound.  This goes through two other switches to get to the Ubuntu box...so I know the switches have their tagging act together.  I can also ping 10.10.200.1 (still eth4) from 10.10.109.109.  The traffic will not leave the router though.

From 10.10.25.100, etc. I can ping pretty much any address on the class B subnet, and hit eth4 (10.10.109.1, 10.10.200.1) with no problem.   I cannot ping through from any 10.10.x.x address to 10.10.109.2-254.

SSH'd into the router, and I can ping all nodes on the 10.10.109.x VLAN.

I've zeroed out rp_filter for vlan109, then eth4, then eth0, and finally for all.  Tried it incrementally because this is a production environment that pretty much has no downtime, and I didn't want to break anything.

I've made all sorts of changes to the iptables script, reloaded, and still same behavior.

iptables -nvL shows eth4 and eth0 passing traffic, and eth0 and vlan172 / vlan173 throwing packets happily, but vlan109 and eth4 are no-go.  eth4 and eth1 are chattering away fine as well.

I'm still trying different things, but have noticed I'm starting to do some of the same things I've already tried.  When it gets circular, it's time to ask for help.

Is anything jumping out at anyone out there as a cause for the problem?
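Before reworking the firewall script, one check worth running against the interface table in the question is address-range overlap. The block below is an added example, not code from the asker or from the accepted answer: it loads the posted interface table and the SNAT source networks as inline constants, reports every interface network that is nested inside another interface's network, and shows which SNAT rule each internal network would match on the way out. In the table as posted, 10.10.109.0/24 (vlan109) and 10.10.200.0/24 (eth4) both sit inside 10.10.0.0/16 (eth1). A host on the eth1 segment that uses the /16 mask treats those addresses as on-link, ARPs for them on its own segment and never hands the packet to the router, which is something the router's own routing table and iptables counters cannot show. It also fits the observation that 10.10.25.100 can reach 10.10.109.1: by default Linux answers ARP for any of its local addresses on any interface, so the router's eth1 MAC answers for 10.10.109.1, while a real 10.10.109.x host behind the VLAN never hears the ARP. The vlan173 network is taken as 172.16.173.0/24 from its address and netmask; external addresses are left out because the post replaces them with placeholders.

```python
"""Lint the posted interface table and SNAT rules for nested networks and
NAT coverage (added example; data below is transcribed from the question)."""
from ipaddress import ip_interface, ip_network

# Interface table as posted (internal interfaces only).
INTERFACES = {
    "eth1":    "10.10.1.1/16",
    "eth4":    "10.10.200.1/24",
    "vlan172": "172.16.172.1/24",
    "vlan173": "172.16.173.1/24",   # network inferred from address + netmask
    "vlan109": "10.10.109.1/24",
}

# Source networks from the POSTROUTING SNAT rules in the firewall script.
SNAT_SOURCES = [
    "10.10.0.0/16", "172.16.173.0/24", "10.10.202.0/24",
    "172.16.172.0/24", "10.10.203.0/24",
]


def find_overlaps(interfaces):
    """Return sorted (outer_iface, inner_iface) pairs where the inner
    interface's network is strictly contained in the outer one's.

    Hosts on the outer segment that carry the outer mask consider every
    address of the inner network on-link: they ARP for it locally instead
    of sending to the router, so the router never sees that traffic even
    though its own routes and forwarding rules are correct.
    """
    nets = {name: ip_interface(addr).network for name, addr in interfaces.items()}
    overlaps = []
    for outer, onet in nets.items():
        for inner, inet in nets.items():
            if outer != inner and inet != onet and inet.subnet_of(onet):
                overlaps.append((outer, inner))
    return sorted(overlaps)


def snat_coverage(interfaces, snat_sources):
    """Map each internal interface to the first SNAT source network that
    contains it, or None if nothing would translate its traffic."""
    sources = [ip_network(s) for s in snat_sources]
    result = {}
    for name, addr in interfaces.items():
        net = ip_interface(addr).network
        match = next((s for s in sources if net.subnet_of(s)), None)
        result[name] = str(match) if match else None
    return result


if __name__ == "__main__":
    for outer, inner in find_overlaps(INTERFACES):
        print(f"{inner} network lies inside {outer}'s network: hosts on {outer} "
              f"using that mask will ARP for {inner} addresses instead of routing")
    for name, src in snat_coverage(INTERFACES, SNAT_SOURCES).items():
        print(f"{name}: SNAT via {src}" if src else f"{name}: no SNAT rule matches")
```

Run it with Python 3.7 or newer (`subnet_of` was added in 3.7). The SNAT check confirms the script's NAT side is not the gap: vlan109 is covered by the 10.10.0.0/16 rule and the 172.16.x VLANs by their own rules. The overlap check is the one to act on; the same idea applies to any host-side /16 configuration that was documented as a "VLAN" but never had its mask narrowed.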
ASKER CERTIFIED SOLUTION
noci, Software Engineer, commented: