-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

- ----- Original Message -----
From: MONZ <monz@danbbs.dk>
To: Chris Knipe <cgknipe@mweb.co.za>
Cc: linux-net <linux-net@vger.kernel.org>
Sent: Sunday, October 22, 2000 1:27 PM
Subject: Re: DHCP and multiple netsegments

> Firstly, to all of you: Sorry about the message length this time.

I'd rather not say anything about the other one you sent me :) *G*...
np about it though, I'll have a look at the dumps just now and send you
another message...

> Chris Knipe wrote:
> >
> > From: MONZ <monz@danbbs.dk>
> >
> > > > There are however options you can specify in your DHCP scope
> > > > to 1) force all clients to ALWAYS use the default gateway for
> > > > routing,
> > Tried, but that ensured w9x clients just couldn't go anywhere.

Hmmm... This shouldn't be the case... Let me explain quickly...

Forcing Windows machines to always use the default gateway changes the
ARP cache slightly. What this does is that whenever the IP address and
netmask MATCH (IE: the IP is part of the netmask supplied), the Windows
machines will attempt to send the data directly to the target host,
without using the gateway (on the same physical wire). If the IP does
NOT match the subnet, then the Windows client will send the data off to
the client. In normal operations (IE: without explicitly telling it all
subnets are local), most requests are sent through the gateway just
after making an ARP broadcast in an attempt to locate where the data
must go to....

I only figured that this *may* have been some assistance to you, seeing
that I got the idea you are experiencing quite a number of broadcasts
(which, from a quick peek at your dump, looks like Windows is doing
quite a lot of ARP requests)...

> > > > and 2) you can force a broadcast address to be used, which
> > > > means that you will be able to perhaps minimise the mess of
> > > > broadcasts
> > This is where it started to ease up.
> I removed the 4x255 routes on
> each interface and forced a broadcast address (network.255) on
> clients.
> Now clients can get through to the world - mostly, because half the
> time a website cannot be name resolved, it seems. However, after
> traceroute to the same www-address, which just about always goes
> through, the site pops up with no problems.

Very well... You have to always keep the basics in mind though. If I
recall correctly, your segments are a broken-down Class A network. I
think one of the networks you use is 10.13.0.0/255.255.255.0, while
another is 10.10.0.0/255.255.255.0? Well, the numbers don't really
matter.... The point which I want to bring through to you here is that
for those two segments, you are going to require different broadcast
addresses. 10.13.0.255 and 10.10.0.255 ain't the same, and frankly,
they are not going to see each other...

> Another thing is funny: ipchains -L takes a l-o-n-g time to finish
> showing up masqueraded nets in the forward chain; they get through
> one by one, 10-20 secs apart.

Definitely seems related. Make a dump while running the ipchains -L...
As was pointed out before... I also seriously believe this to be a
named / DNS problem.

> Dunno if dhcrelay on Linux in any ways can interfere with network
> traffic? RTFM?

I've never used relays before (never had the need to), so I can't
really help you out there... I'm sure you'll be able to get some kinky
information on it though...

> I did some tcpdumps after correcting as described above. Doesn't
> look too strange to me; however, in:
>
> 12:55:21.352565 B 10.13.0.11.netbios-dgm > 10.13.255.255.netbios-dgm: NBT UDP (138)
> 12:55:57.244198 B arp who-has 10.0.0.1 tell 10.13.0.11
>
> the 10.13.255.255.netbios-dgm makes me think about the
> broadcast-address I've set to 10.13.0.255, maybe I've misunderstood
> something here, and it should've been 10.13.255.255 ?

This is exactly the point I've tried to make above...

If you subnetted the 10.x.x.x IP block into Class-C addresses (ie:
255.255.255.0) then the broadcast is correct. It is impossible for any
machine using one broadcast address to know anything about an IP in
another network segment, without going through a router or something
similar(??).

What you can perhaps try... What if you take the 10.x.x.x range, and
subnet it as a Class-B network, giving you more IPs... Say your entire
network sits on 10.10.x.x/255.255.0.0 and you use the one broadcast
address of 10.10.255.255. Don't you think this would be easier to
perhaps install / route in such a DHCP implementation as you are
trying? I don't know for certain, but this just makes a bit more sense
to me... Also, if you are using three segments, AND a dhcp-relay, do
you even need to break the segments up for routing?

BTW, a simple nice (and more than likely incorrect) way for quickly
understanding broadcast addresses:

subnet: 255.255.255.0    b/cast: x.x.x.255
subnet: 255.255.0.0      b/cast: x.x.255.255

The 0 and 255 always switch around...

> Apart from this, here's a dump approx. from beginning of a session
> (it's an educational facility, they play games too, hence the ipx):

<SNIP>

I'll filter the dumps just now and have a look at the broadcasts and
such...

> > As to the broadcasts... 10.x.x.x = Class A IP addresses...
> > Those broadcasts are right to be on any IP address in the
> > 10.x.x.x range if you use the entire subnet (255.0.0.0)
>
> I use a 255.255.0.0 netmask.

Class B... In other words, in regards to my comments above... 10.13.x.x
and 10.0.x.x WON'T know about each other, hence all the broadcasts and
ARP requests... My bet would still be to try to get all three segments
on the same numerical IP network...

> > Those are options from NT's DHCP server... But if you can locate
> > the option numbers (or the value they carry as DHCP options - HEX
> > Number I believe), you will be able to configure this with Linux
> > as well... I'll have a look later, perhaps install DHCP on my NT
> > quickly, and see if I can get the values for you.
>
> Please do. These don't seem documented in man dhcp-options, but
> may well be specified as hex-options.

*urgh*, I'll have a look now (IE: install DHCP quickly again), and get
back with the values to you in the priv. email about your dumps and so
on...

> Firewall resolv.conf :
> search domain.dk
> three nameserver entries
>
> Firewall routing table:
> Destination   Gateway    Genmask          Flags  MSS  Window  irtt  Iface
> 10.10.0.1     0.0.0.0    255.255.255.255  UH     0    0       0     eth0
> 10.1.0.1      0.0.0.0    255.255.255.255  UH     0    0       0     eth2
> 10.0.0.2      0.0.0.0    255.255.255.255  UH     0    0       0     eth1
> 10.12.0.1     0.0.0.0    255.255.255.255  UH     0    0       0     eth3
> 10.13.0.1     0.0.0.0    255.255.255.255  UH     0    0       0     eth4
> 10.0.0.0      0.0.0.0    255.255.0.0      U      0    0       0     eth1
> 10.1.0.0      0.0.0.0    255.255.0.0      U      0    0       0     eth2
> 10.10.0.0     0.0.0.0    255.255.0.0      U      0    0       0     eth0
> 10.12.0.0     0.0.0.0    255.255.0.0      U      0    0       0     eth3
> 10.13.0.0     0.0.0.0    255.255.0.0      U      0    0       0     eth4
> 127.0.0.0     0.0.0.0    255.0.0.0        U      0    0       0     lo
> 0.0.0.0       10.0.0.1   0.0.0.0          UG     0    0       0     eth1

Hmmm... This may sound stupid, but you *do* have IP forwarding enabled?
I am also safe to presume you can ping everything from the firewall? As
far as the routing goes, I don't really see anything wrong... I'm not
too sure about other people though ??

> Windows 98 IP-configuration :
>
> 0 Ethernet network card :
> IP-address . . . . . . . . . : 10.13.0.11
> Subnet mask . . . . . . . . : 255.255.0.0
> Default gateway . . . . . . : 10.13.0.1

This seems pretty fine... You may also wish to select the "more
options" or "advanced options" in the ipconfig util thingy, and just
make sure about what name servers it is using and so forth... Not
really necessary here, but it just gives you that little bit of extra
information...

> arp -a :
> Network card: 10.13.0.11 on Interface 0x1000002
> Internet address    Physical address    Type
> 10.13.0.1           00-80-c8-ca-9c-f3   dynamic

It's the right MAC address on the firewall box?

> Part of dhcpd.conf :
>
> authoritative;
> option domain-name "domain.dk";
> option domain-name-servers 195.129.12.122, 195.129.12.123,
> 195.129.12.114;
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Use the name servers on the IP addresses of the firewall... 10.10.0.1,
10.0.0.2, 10.1.0.1, 10.12.0.1, 10.13.0.1. If the firewall doesn't have
a nameserver, install a caching-only server - it can't hurt :)

> subnet 10.13.0.0 netmask 255.255.0.0 {
> default-lease-time 86400; # One day
> max-lease-time 604800; # seven days
> range 10.13.0.10 10.13.0.250;
> option subnet-mask 255.255.0.0;
> option broadcast-address 10.13.0.255;
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

10.13.0.0 with subnet 255.255.0.0 has a broadcast of 10.13.255.255

> option routers 10.13.0.1;

BTW.... I'm just thinking brainwave-type here now, but have you tried
this:

route add -net 10.13.0.0 netmask 255.255.0.0 dev eth?
route add -net 10.12.0.0 netmask 255.255.0.0 dev eth?
etc...

and then your DHCP subnet looks like:

subnet 10.0.0.0 netmask 255.0.0.0 {
  default-lease-time 86400;  # One day
  max-lease-time 604800;     # seven days
  range 10.13.0.10 10.13.0.250;
  range 10.12.0.0 10.12.255.255;
  option subnet-mask 255.255.0.0;
  option broadcast-address 10.255.255.255;
  option routers 10.13.0.1;
};

BTW: you're making me more and more want to install Linux now just to
figure out how to do this *g*... I know I did it before *shrugs*... If
I can only remember how I got it working...

- ---
Regards,
Chris Knipe
Cell: (083) 430-8151

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOfYKbNH4faKoc4EuEQLymgCfa1EWV8jSS/z0HbkfShAg1YABONwAn31U
VYmvlklLc7mzI2NtxnXbVuvk
=gX5F
-----END PGP SIGNATURE-----
-
: send the line "unsubscribe linux-net" in the body of a message to
majordomo@vger.kernel.org
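Two points in the message above are plain subnet arithmetic: the broadcast address of 10.13.0.0 under netmask 255.255.0.0 is 10.13.255.255 (not 10.13.0.255), and a Windows client sends straight to a peer via ARP only when the peer falls inside its own netmask, otherwise it goes to the default gateway. The script below is an added example written for this page; it is not code from the thread, from MONZ, or from ISC dhcpd. It computes the broadcast address for a network/netmask pair, decides whether two hosts share a subnet under a given mask, and scans dhcpd.conf-style subnet declarations for a broadcast-address, subnet-mask, routers option or range that disagrees with the declared subnet. The embedded dhcpd.conf fragment is reconstructed from the one quoted in the thread; the function names and the small regex-based parser (not dhcpd's real grammar) are assumptions of this example.

```python
"""Sanity-check dhcpd.conf subnet declarations against subnet arithmetic.

Added example for the linux-net thread above; not code from the thread or
from ISC dhcpd. Standard library only (ipaddress, re).
"""
import ipaddress
import re

# Constructed sample: the subnet block quoted in the thread, including the
# broadcast-address value that had been configured there.
SAMPLE_CONF = """
subnet 10.13.0.0 netmask 255.255.0.0 {
  default-lease-time 86400;    # One day
  max-lease-time 604800;       # seven days
  range 10.13.0.10 10.13.0.250;
  option subnet-mask 255.255.0.0;
  option broadcast-address 10.13.0.255;
  option routers 10.13.0.1;
}
"""

# Minimal regexes for the pieces we check. This is an assumption of the
# example, not dhcpd's grammar (no nested groups, shared-network, pools...).
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")
RANGE_RE = re.compile(r"range\s+(?:dynamic-bootp\s+)?(\S+)\s+(\S+)\s*;")


def strip_comments(text):
    """Drop '#' comments so '# One day' does not confuse the regexes."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def broadcast_for(network_addr, netmask):
    """Broadcast address = network address with every host bit set to 1.
    10.13.0.0/255.255.0.0 -> 10.13.255.255; /255.255.255.0 -> 10.13.0.255."""
    net = ipaddress.IPv4Network(f"{network_addr}/{netmask}", strict=False)
    return str(net.broadcast_address)


def same_subnet(ip_a, ip_b, netmask):
    """True when both addresses fall in the same subnet under netmask: a host
    then ARPs for the peer directly instead of handing the packet to its
    default gateway."""
    net_a = ipaddress.IPv4Network(f"{ip_a}/{netmask}", strict=False)
    net_b = ipaddress.IPv4Network(f"{ip_b}/{netmask}", strict=False)
    return net_a.network_address == net_b.network_address


def check_subnets(conf_text):
    """Return a list of human-readable problems, empty if everything agrees."""
    problems = []
    for net_addr, mask, body in SUBNET_RE.findall(strip_comments(conf_text)):
        net = ipaddress.IPv4Network(f"{net_addr}/{mask}", strict=False)
        label = f"{net_addr}/{mask}"
        opts = {name: value.strip() for name, value in OPTION_RE.findall(body)}

        # The broadcast option must be the all-ones host address of *this* mask.
        bcast = opts.get("broadcast-address")
        if bcast and ipaddress.IPv4Address(bcast) != net.broadcast_address:
            problems.append(f"{label}: broadcast-address {bcast} should be {net.broadcast_address}")

        # The mask handed to clients should match the mask the subnet is declared with.
        sm = opts.get("subnet-mask")
        if sm and ipaddress.IPv4Address(sm) != net.netmask:
            problems.append(f"{label}: subnet-mask option {sm} differs from declared netmask {net.netmask}")

        # A router handed out must itself be inside the subnet, or clients cannot ARP for it.
        for router in filter(None, (r.strip() for r in opts.get("routers", "").split(","))):
            if ipaddress.IPv4Address(router) not in net:
                problems.append(f"{label}: router {router} is not inside the subnet")

        # Ranges must sit inside the subnet and must not hand out the network or broadcast address.
        for start, end in RANGE_RE.findall(body):
            lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
            if lo > hi:
                problems.append(f"{label}: range {start} {end} is reversed")
            elif lo not in net or hi not in net:
                problems.append(f"{label}: range {start} {end} lies outside the subnet")
            elif lo == net.network_address or hi == net.broadcast_address:
                problems.append(f"{label}: range {start} {end} includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    for p in check_subnets(SAMPLE_CONF):
        print("PROBLEM:", p)
    # The ARP question from the thread: does 10.13.0.11 treat 10.0.0.1 as local?
    print("direct under 255.255.0.0:", same_subnet("10.13.0.11", "10.0.0.1", "255.255.0.0"))
    print("direct under 255.0.0.0:  ", same_subnet("10.13.0.11", "10.0.0.1", "255.0.0.0"))
```

Run against the sample it reports only the broadcast-address mismatch; change that line to 10.13.255.255 and it reports nothing. Paste any other subnet block into SAMPLE_CONF (or read a real file into check_subnets) to check it the same way; the range check also catches the common mistake of letting a range start at the network address or end at the broadcast address.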