On Monday, 24 May 2004, at 09:44:43 +0200, Rafal Krzewski wrote:

> +-------------+                          +-------------+
> |   actaea    | eth0                     |    ilex     |
> | 192.168.1.4 |------ localnet ----------| 192.168.1.1 |
> +-------------+    192.168.1.0/24        +-------------+
>                                     eth1 /       | ppp0
>                              80.72.34.162        83.31.149.159
>                                        /         |
>                                   wlnet          tpsa
>                           80.72.34.160/24        |
>                                      /           |
>                          +--------------+   +------------+
>                          | 80.72.34.161 |   | 213.25.2.3 |
>                          +--------------+   +------------+
>                                   \              /
>                                    \-----------, /
>                          +--------------+     ""  \
>                          |    salix     |   /   Internet "
>                          | 212.87.7.182 |--------'-,     ,-"
>                          +--------------+          "--------"
>
> I want ilex to respond to any incoming traffic on 80.72.34.162 address
> (it is running a DNS server). All outgoing traffic from localnet should
> go through tpsa link (faster but non-static IP). Responses to the
> latter should also return through tpsa link.

For the localnet traffic to exit your premises through tpsa you must
route this traffic through 213.25.2.3 as next hop with outgoing device
ppp0. You _must_ SNAT this traffic to 83.31.149.159, this way return
traffic will always come back from the Internet through this same link.

> after running:
> ip route del default
> ip route add default via 213.25.2.3
> localnet traffic flows fine, BUT ilex no longer responds to pings from
> salix on 80.72.34.162 address

The problem seems clear to me: your routing table at ilex will only have
entries for the directly connected networks and the default route you
have just shown. So every traffic coming from a network different from
the local connected ones will get routed through the default gateway.
Maybe traffic arrives at its destination, but in its way back gets
routed along a different path (asymmetric routing) and is dropped or
lost somewhere.

> 4. What I did to diagnose the problem:
> Tried pinging ilex from salix tracing the traffic with iptables -j LOG
> (settings below). I'm able to see ping request packets, but no ping
> response packets.
> I also tried monitoring the traffic with ethereal, both
> on the virtual 'all' interface, and also on each of the physical
> interface (well, ppp0 isn't actually physical, but you get the idea) in
> promiscuous mode. Only ping request packets are visible.

I think tcpdump or ethereal is the way to go. Try to detect the traffic
from its source to its destination, and at each point see if packets are
as expected with respect to IP addresses. It seems traffic arrives OK at
ilex but this box doesn't reply to this traffic, whether this is ICMP or
even TCP connections (ssh). Put a tcpdump/ethereal on the incoming
interface, note down IP addresses and ports (if applicable), and then
have a look at:

http://www.docum.org/stef.coene/qos/kptd/

Try to depict the path the traffic would theoretically follow inside the
kernel paying attention both to iptables rules as well as the routing
policy database (both "ip rules" and "ip routes"). Traffic should end up
being received by the "kernel", and a reply should come back. Even if it
is not the case the kernel should log something, check with "dmesg".

> ilex:~# ip rule show
> 0:      from all lookup local
> 32764:  from 213.25.2.3 lookup tpsa
> 32765:  from 80.72.34.161 lookup wlnet
> 32766:  from all lookup main
> 32767:  from all lookup default

"ip rules" 32764 and 32765 will only apply to traffic with source IP
addresses as shown, but not to traffic coming through any of the
associated routers (except if these routers also do SNAT to traffic
coming from the Internet). So packets from salix (212.87.7.182) will be
routed looking first at table local (the one that should apply to
traffic ending at ilex itself), and then looking at "table main". The
good thing about "table local" is that it should be ok with no
administrator intervention, so the problem must be somewhere else. I
apologize for not reading and checking the whole email to see if I find
the problem, but I am convinced this is a simple problem with routing.
The strange thing is traffic arriving at ilex, but this box not replying
back to the source.

Hope it helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.6)

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
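As an added illustration (not part of this thread, and not code from either poster), a small Python model of the "ip rule" / "ip route" walk the reply asks the reader to trace: it uses the rules and default route quoted above, while the wlnet/tpsa table contents, the connected routes in main, and the extra "from 80.72.34.162 lookup wlnet" rule are assumptions.

```python
import ipaddress

# Constructed model of ilex's routing policy database. The rules and the
# default route come from the thread; the wlnet/tpsa table contents and the
# connected routes in main are assumptions.
RULES = [  # (priority, source selector or None for "from all", table)
    (0, None, "local"),
    (32764, "213.25.2.3", "tpsa"),
    (32765, "80.72.34.161", "wlnet"),
    (32766, None, "main"),
    (32767, None, "default"),
]
TABLES = {  # table -> [(destination prefix, gateway or None, device)]
    "local": [],
    "main": [
        ("192.168.1.0/24", None, "eth0"),
        ("80.72.34.160/24", None, "eth1"),
        ("0.0.0.0/0", "213.25.2.3", "ppp0"),  # ip route add default via 213.25.2.3
    ],
    "wlnet": [("0.0.0.0/0", "80.72.34.161", "eth1")],
    "tpsa": [("0.0.0.0/0", "213.25.2.3", "ppp0")],
    "default": [],
}

def lookup_table(table, dst):
    """Longest-prefix match of dst in one table; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else {"table": table, "via": best[1], "dev": best[2]}

def route(src, dst, rules=RULES):
    """Walk the rules in priority order as the kernel does: the first rule
    whose selector matches and whose table has a route for dst decides."""
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and selector != src:
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            return hit
    return None  # "Network is unreachable"

# Reply from ilex's wlnet address to salix: no rule selects that source,
# so it falls through to main and leaves via ppp0 (asymmetric routing).
print(route("80.72.34.162", "212.87.7.182"))
# Assumed fix: a source rule for the address ilex itself holds on wlnet.
FIXED_RULES = RULES + [(32763, "80.72.34.162", "wlnet")]
print(route("80.72.34.162", "212.87.7.182", FIXED_RULES))
```

Running it shows the reply to salix leaving on ppp0 under the quoted rules, and on eth1 via 80.72.34.161 once a source rule for ilex's own wlnet address is present; localnet traffic to the Internet still picks the main default route, which is why the SNAT to 83.31.149.159 is needed.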