Solved

Route addition failed

Posted on 2012-09-21
Medium Priority
1,973 Views
Last Modified: 2012-09-21
Hi
I have a router on subnet "A" (192.168.1.X). There are certain computers that have to go through that particular router in order to get to their destination. On these computers we also have to add a persistent route or the destination will not be reached. This works fine on the computers in subnet "A".

Here is the persistent route that we add in subnet "A":
route add 170.209.0.2 192.168.1.193 -p

I have another computer in subnet "B" (192.168.3.X). I have to add the above mentioned persistent route to that computer too. When I try to add the persistent route in subnet "B" I get the following message.
"The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP address table for the machine."
I understand that the gateway that I'm trying to use is in another subnet.
Can anybody help me make this work?
NOTE: Traffic between these two subnets is already allowed on the routers.

Thanks for any help!
MC
0
Question by:cmc4
8 Comments
 
LVL 10

Expert Comment

by:asavah
ID: 38423395
You cannot add a route through a router that is not in the same subnet as the host.
In order to do what you want, your router connected to the 170.* subnet should have been configured to be in the 192.168.1, 192.168.3 and 170.209.0 subnets.
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 38423399
The answer is in your question, though I do have to make some assumptions on your mask here.  I am assuming you are using a standard Class C mask (255.255.255.0)

Computers that work are in subnet 192.168.1.x along with the gateway 192.168.1.193.

Computer that does not work is in a different subnet (192.168.3.x) so cannot use 192.168.1.193 as a gateway address.

Basic networking...Your next hop gateway must be in the same subnet as the system using it.


Now for the help...I hate to say this but your network is set up incorrectly if you are putting static routes on the individual workstations.  What you should do is set up the router with all necessary routes to access the 170.209.0.x subnet as well as the Internet and any other subnets you may have.  When a 192.168.1.x or 192.168.3.x system attempts to access any "off subnet" computer it should send to the default gateway (your router).  That router would then direct traffic appropriate for the destination.
0
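The rule mds-cos states above (the next hop must sit inside the subnet of the interface that will use it) is exactly the check Windows performs before it accepts a route. The script below reproduces that check for the two hosts in the question. It is an added example, not code from the thread; the host addresses 192.168.1.50 and 192.168.3.50 and the error wording it returns are constructed, while the /24 mask, the gateway 192.168.1.193 and the destination 170.209.0.2 come from the question.

```python
"""On-link check for a next-hop gateway, as a Windows/Linux host applies it
before installing a static route.

Added example; the host addresses below are constructed, the /24 mask,
gateway and destination are taken from the question."""
from ipaddress import IPv4Address, IPv4Interface

# Constructed sample hosts: one in subnet "A", one in subnet "B".
HOSTS = {
    "subnet-A-pc": IPv4Interface("192.168.1.50/24"),
    "subnet-B-pc": IPv4Interface("192.168.3.50/24"),
}

GATEWAY = IPv4Address("192.168.1.193")      # inside address of the pre-configured router
DESTINATION = IPv4Address("170.209.0.2")    # host the route is for


def gateway_is_on_link(iface: IPv4Interface, gateway: IPv4Address) -> bool:
    """True when the gateway address falls inside the interface's own subnet,
    i.e. the host can ARP for it and hand packets to it directly."""
    return gateway in iface.network


def route_add(iface: IPv4Interface, destination: IPv4Address,
              gateway: IPv4Address) -> str:
    """Mimic the acceptance test of 'route add <destination> <gateway>'.
    Returns 'OK' or a failure reason modelled on the message in the question."""
    if not gateway_is_on_link(iface, gateway):
        return ("The route addition failed: the gateway does not lie on the "
                "same network as the interface")
    if gateway in (iface.network.network_address,
                   iface.network.broadcast_address):
        return "The route addition failed: the gateway is not a host address"
    return "OK"


def check_all() -> dict:
    """Run the check for every sample host; returns {hostname: result}."""
    return {name: route_add(iface, DESTINATION, GATEWAY)
            for name, iface in HOSTS.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name}: {result}")
```

Running it shows the subnet "A" host accepting the route and the subnet "B" host rejecting it, which is the behaviour reported in the question: 192.168.1.193 is inside 192.168.1.0/24 but outside 192.168.3.0/24, so no next hop on the second host's interface can reach it.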
 
LVL 10

Expert Comment

by:asavah
ID: 38423413
Of course I can't see your network topology from here but in many networks such things are done by properly configured level 3 managed switches, intervlan routing.
0
 

Author Comment

by:cmc4
ID: 38423513
Hi mds-cos,
Thanks for the response!
The reason that the static route is on the individual computers is security reasons. (Which we didn't implement) In order for these computers to get to the destination, we have to certify the IP address that will connect with the destination folks and add the aforementioned route on the computer. Any traffic that goes to 170.209.0.2 must route through this particular router. (This router is not the default gateway on our network.) This router is something similar to a VPN to the destination. The 192.168.1.193 is the inside address of this router. (I think...this router comes to us pre-configured and we have no access) We have to use 192.168.1.193 as the GW in the route add command.

By the way, the sm you assumed was correct! (24bit)
I'm sorry if my description is vague. I can upload a Visio of what I'm trying to accomplish if possible. (I'm new to Experts Exchange...in fact I just signed up when I posted this message.)

Thanks
MC
0
 
LVL 14

Accepted Solution

by:
mds-cos earned 2000 total points
ID: 38423565
Sorry to disagree, but the static route approach is lower security.  Any hack can add a route to their computer and change their IP address to a "cleared" address.  Control the routing at the router (or better at the firewall) and you have locked the door instead of just closing it.

Since you pointed out so fast that you did not design this "security" solution, I'm guessing you have similar thoughts on its lack of effectiveness!


So since you cannot implement a proper design, sounds like you are stuck working with what you have.  Bottom line is that your 192.168.3.x system is not going to be able to use 192.168.1.193 as a gateway.

What needs to happen is the owners of the .193 gateway need to place a route in it so that it is aware of your 192.168.3.x segment.  You then need to put a corresponding route in your router for the 170.209.0.2 network that points to 192.168.1.193 as its next hop.  Now all traffic from 192.168.3.0 destined to 170.209.0.2 will route properly.


If they will not add the route, there is an (ugly) way around your problem.  You can use your router to create a 1-1 NAT for the 192.168.3.x computer so that it appears as a 192.168.1.x address to the .193 gateway.  Provide the nat to address as the "authorized IP".


By the way -- if you put the above mentioned route into your router (again, making an assumption that the router you have is capable of ingress/egress routing on the same port), you should be able to dispense with static routes.  Here is the traffic flow:

192.168.1.200 computer -->
192.168.1.1 gateway -->
  (sees destination as 170.209.0.x)
192.168.1.193 -->
170.209.0.x -->
  (their network)  -->
170.209.0.x -->
192.168.1.200 computer


Note that on the return trip it does not hit your router like it did on the outbound trip.  This is because their router is on the 192.168.1.x segment so communicates direct with the initiating computer.

Remember that when network traffic is routed, the packet still contains the IP address of the initiating computer.  If they are using IP address as their "security", it will still pass the traffic regardless of routers traversed on your end.
0
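The accepted solution asks for two routes, one on the site router and one on the .193 gateway, and draws the resulting traffic flow. The simulation below traces a packet hop by hop through small static routing tables (longest prefix match, then default gateway) so both the failing and the fixed case can be seen, including the return path that the answer points out bypasses the site router. It is an added example, not code from the thread: the site router's addresses 192.168.3.1 and 192.168.1.1, the far side address 170.209.0.1, the host addresses and the node names are assumptions; 192.168.1.193, 192.168.1.200, 170.209.0.2 and the /24 prefixes are from the thread.

```python
"""Hop-by-hop trace through static routing tables.

Added example. Node names, the site router's 192.168.3.1 / 192.168.1.1
addresses and 170.209.0.1 on the far side are assumptions; the prefixes,
192.168.1.193 and 170.209.0.2 are taken from the thread."""
from ipaddress import IPv4Address, ip_interface, ip_network
from typing import Optional


class Node:
    """A host or router: interfaces (address/prefix), static routes, default gateway."""
    def __init__(self, name, interfaces, routes=None, default=None):
        self.name = name
        self.interfaces = [ip_interface(i) for i in interfaces]
        # destination prefix -> next hop address
        self.routes = {ip_network(p): IPv4Address(g)
                       for p, g in (routes or {}).items()}
        self.default = IPv4Address(default) if default else None

    def addresses(self):
        return [i.ip for i in self.interfaces]

    def next_hop(self, dst: IPv4Address) -> Optional[IPv4Address]:
        if any(dst in i.network for i in self.interfaces):
            return dst                                  # on-link: deliver directly
        matches = [p for p in self.routes if dst in p]
        if matches:                                     # longest prefix wins
            return self.routes[max(matches, key=lambda p: p.prefixlen)]
        return self.default                             # may be None: no route


def trace(nodes, src: str, dst: str, max_hops: int = 8):
    """Names of the nodes a packet from src to dst traverses; the last entry
    is a DROP marker when some hop cannot forward it."""
    dst_ip = IPv4Address(dst)
    by_addr = {a: n for n in nodes for a in n.addresses()}
    node = by_addr[IPv4Address(src)]
    path = [node.name]
    for _ in range(max_hops):
        hop = node.next_hop(dst_ip)
        if hop is None:
            path.append(f"DROP at {node.name}: no route to {dst}")
            return path
        nxt = by_addr.get(hop)
        if nxt is None:
            path.append(f"DROP at {node.name}: next hop {hop} not present")
            return path
        path.append(nxt.name)
        if hop == dst_ip:
            return path
        node = nxt
    path.append("DROP: hop limit reached")
    return path


def build_topology(with_fix: bool):
    """The thread's topology. with_fix adds the two routes the accepted
    solution asks for: 170.209.0.2 via .193 on the site router, and
    192.168.3.0/24 via the site router on the .193 gateway."""
    site_router_routes = {"170.209.0.2/32": "192.168.1.193"} if with_fix else {}
    their_gw_routes = {"192.168.3.0/24": "192.168.1.1"} if with_fix else {}
    return [
        # subnet "A" PC carrying the static host route from the question
        Node("pc-A", ["192.168.1.200/24"],
             {"170.209.0.2/32": "192.168.1.193"}, "192.168.1.1"),
        Node("pc-B", ["192.168.3.50/24"], {}, "192.168.3.1"),
        Node("site-router", ["192.168.1.1/24", "192.168.3.1/24"], site_router_routes),
        Node("their-gateway", ["192.168.1.193/24", "170.209.0.1/24"], their_gw_routes),
        Node("their-host", ["170.209.0.2/24"], {}, "170.209.0.1"),
    ]


def round_trip(src: str, with_fix: bool):
    """(outbound path to 170.209.0.2, return path back to src)."""
    nodes = build_topology(with_fix)
    return trace(nodes, src, "170.209.0.2"), trace(nodes, "170.209.0.2", src)


if __name__ == "__main__":
    for host in ("192.168.1.200", "192.168.3.50"):
        for fix in (False, True):
            out, back = round_trip(host, fix)
            print(f"{host} fix={fix}\n  out:  {' -> '.join(out)}\n  back: {' -> '.join(back)}")
```

Without the fix the subnet "B" packet dies at the site router, and even if it got out, the reply would die at the .193 gateway for lack of a 192.168.3.0/24 route; that second drop is why the owners of the gateway must add their route as well. With the fix both directions traverse the site router, while the subnet "A" host's reply still comes straight from the .193 gateway because 192.168.1.200 is on-link for it, matching the flow drawn in the answer.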
 

Author Comment

by:cmc4
ID: 38423583
You are correct again!
I may have what I need to resolve this!
I originally called their tech guys but sometimes one doesn't quite get the tech that one would like to get!
Thanks again.
MC
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 38423587
Just as FYI, if you have any say-so at all on this thing...the best security approach for something like this with an "off site network" access would be:

Your edge router --> your router --> your firewall --> DMZ on your firewall --> their gateway --> their firewall (possibly with DMZ on their end) --> their edge router --> their network

Why?

1)  Full protection of your network from their systems (hey, security goes both ways!);
2)  Capability to set up granular firewall policy based rules controlling type of traffic permitted and specific computers permitted;
3)  Centralized management and monitoring of access both directions.
0
 
LVL 14

Expert Comment

by:mds-cos
ID: 38423606
With you on that!  Good luck.
0
