ipv4 forwarding - any known issues?


ipv4 forwarding - any known issues?

Per Jessen-2
I'm setting up a new box and started out with ip forwarding enabled.
This seemed to prevent internet access, so I tried disabling forwarding
with yast, but this only caused a hang.  I ended up having to walk to
the datacentre to access the physical console.

Just wondering before I start digging into this - are there any (more or
less) known issues wrt ip forwarding and/or the enabling/disabling
thereof in 12.1 ?  


--
Per Jessen, Zürich (2.5°C)

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: ipv4 forwarding - any known issues?

James Knott
Per Jessen wrote:

> I'm setting up a new box and started out with ip forwarding enabled.
> This seemed to prevent internet access, so I tried disabling forwarding
> with yast, but this only caused a hang.  I ended up having to walk to
> the datacentre to access the physical console.
>
> Just wondering before I start digging into this - are there any (more or
> less) known issues wrt ip forwarding and/or the enabling/disabling
> thereof in 12.1 ?
>
>
IP forwarding is used only if you're using the computer as a router.  I
have one box here, which is my firewall & router, where forwarding is
enabled.  All others do not have it enabled.


Re: ipv4 forwarding - any known issues?

Per Jessen-2
James Knott wrote:

> Per Jessen wrote:
>> I'm setting up a new box and started out with ip forwarding enabled.
>> This seemed to prevent internet access, so I tried disabling
>> forwarding with yast, but this only caused a hang.  I ended up having
>> to walk to the datacentre to access the physical console.
>>
>> Just wondering before I start digging into this - are there any (more
>> or less) known issues wrt ip forwarding and/or the enabling/disabling
>> thereof in 12.1 ?
>>
>>
> IP forwarding is used only if you're using the computer as a router.

Yes, this box is set up as a router.


--
Per Jessen, Zürich (6.1°C)


Re: ipv4 forwarding - any known issues?

James Knott
Per Jessen wrote:

> James Knott wrote:
>
>> Per Jessen wrote:
>>> I'm setting up a new box and started out with ip forwarding enabled.
>>> This seemed to prevent internet access, so I tried disabling
>>> forwarding with yast, but this only caused a hang.  I ended up having
>>> to walk to the datacentre to access the physical console.
>>>
>>> Just wondering before I start digging into this - are there any (more
>>> or less) known issues wrt ip forwarding and/or the enabling/disabling
>>> thereof in 12.1 ?
>>>
>>>
>> IP forwarding is used only if you're using the computer as a router.
> Yes, this box is set up as a router.
>
>
I can't think of a reason for your problems, unless something is
misconfigured.  My router forwards both IPv4 & IPv6 without problem.


Re: ipv4 forwarding - any known issues?

John Andersen-2
In reply to this post by Per Jessen-2
On 2/23/2012 6:15 AM, Per Jessen wrote:

> James Knott wrote:
>
>> Per Jessen wrote:
>>> I'm setting up a new box and started out with ip forwarding enabled.
>>> This seemed to prevent internet access, so I tried disabling
>>> forwarding with yast, but this only caused a hang.  I ended up having
>>> to walk to the datacentre to access the physical console.
>>>
>>> Just wondering before I start digging into this - are there any (more
>>> or less) known issues wrt ip forwarding and/or the enabling/disabling
>>> thereof in 12.1 ?
>>>
>>>
>> IP forwarding is used only if you're using the computer as a router.
>
> Yes, this box is set up as a router.
>
>

And you configured the SuseFirewall?  (or shut it down to test?)


--
_____________________________________
---This space for rent---

Re: ipv4 forwarding - any known issues?

Per Jessen-2
John Andersen wrote:

> On 2/23/2012 6:15 AM, Per Jessen wrote:
>> James Knott wrote:
>>
>>> Per Jessen wrote:
>>>> I'm setting up a new box and started out with ip forwarding
>>>> enabled. This seemed to prevent internet access, so I tried
>>>> disabling forwarding with yast, but this only caused a hang.  I
>>>> ended up having to walk to the datacentre to access the physical
>>>> console.
>>>>
>>>> Just wondering before I start digging into this - are there any
>>>> (more or less) known issues wrt ip forwarding and/or the
>>>> enabling/disabling thereof in 12.1 ?
>>>>
>>>>
>>> IP forwarding is used only if you're using the computer as a router.
>>
>> Yes, this box is set up as a router.
>>
>
> And you configured the SuseFirewall?  (or shut it down to test?)

Yes, it's disabled, I never use it.  There is no other firewall active
either.  The YaST issue I mentioned has disappeared, but I'm still left
with access to external networks (e.g. websites) not working when I
activate ip forwarding.  The box is set up as follows:

Subnet1 = 192.168.0.0/21
Subnet2 = 192.168.8.0/21
Default route = 192.168.2.7

When forwarding is disabled, everything works as normal (as on any other
box on subnet1).  When I enable forwarding, access to external networks
via the default route eventually times out.  I have not yet investigated
it in depth, I was just wondering if there were any known issues.


--
Per Jessen, Zürich (2.1°C)


Re: ipv4 forwarding - any known issues?

James Knott
Per Jessen wrote:
> Default route = 192.168.2.7

Do you have some other device providing your Internet connection?

Re: ipv4 forwarding - any known issues?

Per Jessen-2
James Knott wrote:

> Per Jessen wrote:
>> Default route = 192.168.2.7
>
> Do you have some other device providing your Internet connection?

Yes I do.  192.168.2.7 is the firewall/router with the fibre connection.


--
Per Jessen, Zürich (7.4°C)


Re: ipv4 forwarding - any known issues?

Hans de Faber-2
Hi Per
Long time ago I did this kind of work.

I see you mention only one default gateway.
If forwarding is a router functionality then each subnet should have its
own default gateway.
Am I correct ?
Succes, hans

On 24/02/12 19:27, Per Jessen wrote:

> James Knott wrote:
>
>> Per Jessen wrote:
>>> Default route = 192.168.2.7
>>
>> Do you have some other device providing your Internet connection?
>
> Yes I do.  192.168.2.7 is the firewall/router with the fibre connection.
>
>

Re: ipv4 forwarding - any known issues?

James Knott
Hans de Faber wrote:
> I see you mention only one default gateway.
> If forwarding is a router functionality then each subnet should have
> its own default gateway.
> Am I correct ?

Absolutely not.  While there may be other routes, there can only be one
default route, which is used when no other route matches.  It's used
when the router says "I don't know where this goes, let the next guy
worry about it".


Re: ipv4 forwarding - any known issues?

L A Walsh
In reply to this post by Per Jessen-2
Per Jessen wrote:

> John Andersen wrote:
>
>> On 2/23/2012 6:15 AM, Per Jessen wrote:
>>> James Knott wrote:
>>>
>>>> Per Jessen wrote:
>>>>> I'm setting up a new box and started out with ip forwarding
>>>>> enabled. This seemed to prevent internet access, so I tried
>>>>> disabling forwarding with yast, but this only caused a hang.  I
>>>>> ended up having to walk to the datacentre to access the physical
>>>>> console.
>>>>>
>>>>> Just wondering before I start digging into this - are there any
>>>>> (more or less) known issues wrt ip forwarding and/or the
>>>>> enabling/disabling thereof in 12.1 ?
>>>>>
>>>>>
>>>> IP forwarding is used only if you're using the computer as a router.
>>> Yes, this box is set up as a router.
>>>
>> And you configured the SuseFirewall?  (or shut it down to test?)
>
> Yes, it's disabled, I never use it.  There is no other firewall active
> either.

But do you have iptables built into your kernel? (probably)

How are those rules set?

Is forwarding in the iptables set to drop or forward?

Since you can reach the box, I assume that the input/output chains are
ok....

But I can turn on forward all I want, you also have to have the interfaces
set to forward and the iptables set to be 'compatible' (not running a FW
DOESN'T mean they are instantly compatible....especially if the default FORWARDING
rules are set to drop).

Are you wanting it to route your packets to your internal net?

(i.e. it sounds like you want it to do masquerading? -- if so, have I got a
script for you...)...



Re: ipv4 forwarding - any known issues?

L A Walsh
In reply to this post by James Knott
James Knott wrote:

> Hans de Faber wrote:
>> I see you mention only one default gateway.
>> If forwarding is a router functionality then each subnet should have
>> its own default gateway.
>> Am I correct ?
>
> Absolutely not.  While there may be other routes, there can only be one
> default route, which is used when no other route matches.  It's used
> when the router says "I don't know where this goes, let the next guy
> worry about it".
>

----

Each subnet **could** have a separate default route,  since each subnet may
have one single machine that is different for each subnet, that allows them
to "get out" (to the internet).

It is not required that they be separate machines, but they WILL likely
be different addresses, since a default route, AFAIK, has to be on the
same subnet (or has to be directly reachable) by the machines using that
gateway.




Re: ipv4 forwarding - any known issues?

James Knott
Linda Walsh wrote:

> James Knott wrote:
>
>> Hans de Faber wrote:
>>> I see you mention only one default gateway.
>>> If forwarding is a router functionality then each subnet should have
>>> its own default gateway.
>>> Am I correct ?
>>
>> Absolutely not.  While there may be other routes, there can only be
>> one default route, which is used when no other route matches.  It's
>> used when the router says "I don't know where this goes, let the next
>> guy worry about it".
> Each subnet **could** have a separate default route,  since each
> subnet may have one single machine that is different for each subnet,
> that allows them
> to "get out" (to the internet).

I thought we were talking about a router with more than 1 interface.  A
router can only have a single default route (ignoring fall back
protection etc.), no matter how many interfaces it has.  In your example
of those single machines, the single default route still applies.  Don't
forget, "default" means what you get, if you don't make a choice.  You
can't have more than one of those.




Re: ipv4 forwarding - any known issues?

Per Jessen-2
James Knott wrote:

> Linda Walsh wrote:
>> James Knott wrote:
>>
>>> Hans de Faber wrote:
>>>> I see you mention only one default gateway.
>>>> If forwarding is a router functionality then each subnet should
>>>> have its own default gateway.
>>>> Am I correct ?
>>>
>>> Absolutely not.  While there may be other routes, there can only be
>>> one default route, which is used when no other route matches.  It's
>>> used when the router says "I don't know where this goes, let the
>>> next guy worry about it".
>> Each subnet **could** have a separate default route,  since each
>> subnet may have one single machine that is different for each subnet,
>> that allows them
>> to "get out" (to the internet).
>
> I thought we were talking about a router with more than 1 interface.
> A router can only have a single default route (ignoring fall back
> protection etc.), no matter how many interfaces it has.  In your
> example
> of those single machines, the single default route still applies.
> Don't forget, "default" means what you get, if you don't make a
> choice.  You can't have more than one of those.

Well, actually you have one default route per routing table. I guess
this could be construed as having multiple default routes :-)



--
Per Jessen, Zürich (5.1°C)


Re: ipv4 forwarding - any known issues?

Per Jessen-2
In reply to this post by L A Walsh
Linda Walsh wrote:

> Per Jessen wrote:
>
>> John Andersen wrote:
>>
>>> On 2/23/2012 6:15 AM, Per Jessen wrote:
>>>> James Knott wrote:
>>>>
>>>>> Per Jessen wrote:
>>>>>> I'm setting up a new box and started out with ip forwarding
>>>>>> enabled. This seemed to prevent internet access, so I tried
>>>>>> disabling forwarding with yast, but this only caused a hang.  I
>>>>>> ended up having to walk to the datacentre to access the physical
>>>>>> console.
>>>>>>
>>>>>> Just wondering before I start digging into this - are there any
>>>>>> (more or less) known issues wrt ip forwarding and/or the
>>>>>> enabling/disabling thereof in 12.1 ?
>>>>>>
>>>>>>
>>>>> IP forwarding is used only if you're using the computer as a
>>>>> router.
>>>> Yes, this box is set up as a router.
>>>>
>>> And you configured the SuseFirewall?  (or shut it down to test?)
>>
>> Yes, it's disabled, I never use it.  There is no other firewall
>> active either.
>
> But do you have iptables built into your kernel? (probably)

It's the vanilla openSUSE 12.1 kernel, so yes.

> How are those rules set?
> Is forwarding in the iptables set to drop or forward?
> Since you can reach the box, I assume that the input/output chains are
> ok....

No iptables rules are set.

Thanks for your help everyone - there's something basic missing here, I
suspect operator error.
 

--
Per Jessen, Zürich (5.2°C)


RE: ipv4 forwarding - any known issues?

suse
If you are going from one subnet A over the Linux box to another subnet B and then via router to the internet, you will need to do a SNAT on the Linux box.
You have to hide subnet A on the Linux box to its IP address on the B subnet.

Or you have to add a static route on your router for subnet A going to the Linux box subnet B IP address.
This way hosts on subnet B can also talk to hosts on subnet A, as their traffic will go to your router (default gateway on PCs) and the router will then send the traffic for subnet A to the Linux box because of the static route.

Rob.


-----Original Message-----
From: Per Jessen [mailto:[hidden email]]
Sent: Sunday, February 26, 2012 9:33 AM
To: [hidden email]
Subject: Re: [opensuse] ipv4 forwarding - any known issues?

Linda Walsh wrote:

> Per Jessen wrote:
>
>> John Andersen wrote:
>>
>>> On 2/23/2012 6:15 AM, Per Jessen wrote:
>>>> James Knott wrote:
>>>>
>>>>> Per Jessen wrote:
>>>>>> I'm setting up a new box and started out with ip forwarding
>>>>>> enabled. This seemed to prevent internet access, so I tried
>>>>>> disabling forwarding with yast, but this only caused a hang.  I
>>>>>> ended up having to walk to the datacentre to access the physical
>>>>>> console.
>>>>>>
>>>>>> Just wondering before I start digging into this - are there any
>>>>>> (more or less) known issues wrt ip forwarding and/or the
>>>>>> enabling/disabling thereof in 12.1 ?
>>>>>>
>>>>>>
>>>>> IP forwarding is used only if you're using the computer as a
>>>>> router.
>>>> Yes, this box is set up as a router.
>>>>
>>> And you configured the SuseFirewall?  (or shut it down to test?)
>>
>> Yes, it's disabled, I never use it.  There is no other firewall
>> active either.
>
> But do you have iptables built into your kernel? (probably)

It's the vanilla openSUSE 12.1 kernel, so yes.

> How are those rules set?
> Is forwarding in the iptables set to drop or forward?
> Since you can reach the box, I assume that the input/output chains are
> ok....

No iptables rules are set.

Thanks for your help everyone - there's something basic missing here, I suspect operator error.
 

--
Per Jessen, Zürich (5.2°C)


Re: ipv4 forwarding - any known issues?

James Knott
In reply to this post by Per Jessen-2
Per Jessen wrote:
> Well, actually you have one default route per routing table. I guess
> this could be construed as having multiple default routes:-)
>

At any given time, how many routing tables would you have in use?

Re: ipv4 forwarding - any known issues?

James Knott
In reply to this post by suse
[hidden email] wrote:
> If you are going from one subnet A over the linux box to another subnet B and then via router to the internet, you will need to do a SNAT on the linux box.
> You have to hide subnet A on the Linux box to its IP address on the B subnet.

????

If you have to go from subnet A via subnet B then just use a router.
That's what they're used for.  If a subnet uses RFC1918 addresses, then
NAT is required.  Either way, any device on either subnet still has one
default route.



Re: ipv4 forwarding - any known issues?

Rüdiger Meier
In reply to this post by James Knott
On Sunday 26 February 2012, James Knott wrote:
> Per Jessen wrote:
> > Well, actually you have one default route per routing table. I
> > guess this could be construed as having multiple default routes:-)
>
> At any given time, how many routing tables would you have in use?

I guess even you have more than one routing table in use. At least 4
ones: local/ipv4, local/ipv6, main/ipv6, main/ipv6.

Compare
ip -6 route show
ip -6 route show table local
ip -6 route show table main
ip -6 route show table all

and the same with -4.

If you want to do policy-based routing you need even more custom tables, see
also
ip rule


cu,
Rudi

Re: ipv4 forwarding - any known issues?

James Knott
Ruediger Meier wrote:
>> At any given time, how many routing tables would you have in use?
> I guess even you have more than one routing table in use. At least 4
> ones: local/ipv4, local/ipv6, main/ipv6, main/ipv6.
>

What are you referring to by local and main?  Routing is only used for
destinations that are not on the local network.  Therefore, there
shouldn't be any routing table entries for anything on the local
network.  The way this works is your computer compares the destination
address with the subnet mask.  If the destination is on the local
subnet, the computer does an arp request (IPv4, IPv6 uses neighbour
discovery and advertisements), to determine the MAC address of the
destination and sends the packet to that MAC address.  If the
destination is not on the local network, then the computer checks the
routing tables to see if it's on a known network and uses the
appropriate route.  If it's not on a known network, then it uses the
default route, so that the next router can try to forward it.  If it
also doesn't know, then it passes it along its default route etc.  This
process ends when the packet reaches a router that knows how to get to
the destination.  Top level routers, that is those that tie the Internet
together, do not have default routes, as they're supposed to know how to
reach everywhere.


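Added example (not part of any post in the thread): a small Python model of the lookup order described in the last message above (on-link check, then known routes, then the default route), applied to the two fixes Rob's earlier post proposes, SNAT on the Linux box or a static route on the edge router. Only the two /21 subnets and 192.168.2.7 come from the thread; the Linux box's subnet1 address 192.168.0.10, the client 192.168.8.50 and the "upstream" next hop are assumptions.

```python
import ipaddress

# Constructed addressing, based on the thread's subnets and default route.
# BOX_SUBNET1_IP, CLIENT and the "upstream" next hop are assumptions.
BOX_SUBNET1_IP = "192.168.0.10"   # Linux box's address on subnet1 (assumed)
CLIENT = "192.168.8.50"           # a host on subnet2 (assumed)

# Each route is (prefix, gateway); gateway None means directly connected.
LINUX_BOX = [
    ("192.168.0.0/21", None),          # subnet1, on-link
    ("192.168.8.0/21", None),          # subnet2, on-link
    ("0.0.0.0/0", "192.168.2.7"),      # default route from the thread
]
EDGE_ROUTER = [
    ("192.168.0.0/21", None),          # subnet1, on-link
    ("0.0.0.0/0", "upstream"),         # towards the provider (placeholder)
]

def next_hop(table, dst):
    """Longest-prefix match. Returns "on-link", a gateway, or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gateway
    if best_net is None:
        return None                    # no matching route, not even a default
    return best_gw or "on-link"

def reply_hop(router_table, client, snat_to=None):
    """Where the edge router sends the reply to a packet that originated at
    `client` and was forwarded by the Linux box. With SNAT the router only
    ever sees `snat_to` as the source, so that is where the reply goes."""
    return next_hop(router_table, snat_to or client)

def scenarios():
    # Static route on the edge router: subnet2 is reached via the Linux box.
    static = EDGE_ROUTER + [("192.168.8.0/21", BOX_SUBNET1_IP)]
    return {
        "outbound from box": next_hop(LINUX_BOX, "203.0.113.5"),
        "box to subnet2 host": next_hop(LINUX_BOX, CLIENT),
        "reply, no fix": reply_hop(EDGE_ROUTER, CLIENT),
        "reply, static route": reply_hop(static, CLIENT),
        "reply, SNAT on box": reply_hop(EDGE_ROUTER, CLIENT, snat_to=BOX_SUBNET1_IP),
    }

if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:22} -> {hop}")
```

With neither fix, the edge router has no route back to 192.168.8.0/21 and hands the reply to its own default route, so the subnet2 client never sees it.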