Re: DHCP and multiple netsegments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

- ----- Original Message ----- 
From: MONZ <monz@danbbs.dk>
To: Chris Knipe <cgknipe@mweb.co.za>
Cc: linux-net <linux-net@vger.kernel.org>
Sent: Sunday, October 22, 2000 1:27 PM
Subject: Re: DHCP and multiple netsegments


> Firstly, to all of you: Sorry about the messagelength this time.

I'll rather not say anything about the other one you sent me :)
*G*...  np about it though, I'll have a look at the dumps just now
and send you another message... 
 
> Chris Knipe wrote:
> > 
> > From: MONZ <monz@danbbs.dk>
> > 
> > > > There is however options you can specify in your DHCP scope
> > > > to 1) force all clients to ALWAYS use the default gateway for
> > > > routing, 
> 
> Tried, but that ensured w9x clients just couldn't go anywhere.

Hmmm...  This shouldn't be the case...  Let me explain quickly..
Forcing Windows machines to always use the default gateway changes
the ARP cache slightly.  What this does, is that whenever the IP
address and netmask MATCH (IE: The IP is part of the netmask
supplied), the Windows machines will attempt to send the data
directly to the target host, without using the gateway (on the same
physical wire).  If the IP does NOT match the subnet, then the
windows client will send the data off to the client.  In normal
operations (IE: Without explicitly telling it all subnets are local),
most requests are sent through the gateway just after making an ARP
broadcast in an attempt to locate where the data must go to....   I
only figured that this *may* have been some assistance to you, seeing
that I got the idea you are experiencing quite a number of
broadcasts (which from a quick peek at your dump, looks like Windows
are doing quite a lot of ARP requests)...
 
> > > > and 2) you can force a broadcast address to be used, which
> > > > means that you will be able to perhaps minimise the mess of
> > > > broadcasts 
> 
> This is where it started to ease up. I removed the 4x255 routes on
> each interface and forced a broadcast address (network.255) on
> clients.
> Now clients can get through to the world - mostly, because half the
> time a website cannot be name resolved, it seems. However, after
> traceroute to the same www-address, which just about always goes
> through, the site pops up with no problems.

Very well...  You have to always keep the basics in mind though.   If
I recall correctly, your segments are a broken down ClassA network. 
I think one of the networks you use are 10.13.0.0/255.255.255.0,
while another is 10.10.0.0/255.255.255.0?  Well, the numbers don't
really matter....  The point which I want to bring through to you
here, is that for those two segments, you are going to require
different broadcast addresses.  10.13.0.255 and 10.10.0.255 ain't the
same, and frankly, they are not going to see each other... 
  
> Another thing is funny: ipchains -L takes a l-o-n-g time to finish
> showing up masqueraded nets in the forward chain; they get through
> one by one, 10-20 secs apart. Definitely seems related.

Make a dump while running the ipchains -L...  As was pointed out
before...  I also seriously believe this to be a named / dns problem.
 
 
> Dunno if dhcrelay on Linux in any ways can interfere with network
> traffic?

RTFM?  I've never used relays before (never had the need to), so I
can't really help you out there...  I'm sure you'll be able to get
some kinky information on it though... 
 
> I did some tcpdumps after correcting as described above. Doesn't
> look too strange to me; however, in:
> 
> 12:55:21.352565 B 10.13.0.11.netbios-dgm >
> 10.13.255.255.netbios-dgm: NBT UDP (138)
> 12:55:57.244198 B arp who-has 10.0.0.1 tell 10.13.0.11
> 
> the 10.13.255.255.netbios-dgm makes me think about the
> broadcast-address I've set to 10.13.0.255, maybe I've misunderstood
> something here, and it should've been 10.13.255.255 ?

This is exactly the point I've tried to make above...  If you
subnetted the 10.x.x.x IP block into Class-C addresses (ie:
255.255.255.0) then the broadcast is correct.  It is impossible for
any machine using one broadcast address, to know anything about an IP
in another network segment, without going through a router or
something similar(??).  What you can perhaps try...  What if you take
the 10.x.x.x range, and subnet it as a class-B network, giving you
more IPs... 

Say, your entire network sits on 10.10.x.x/255.255.0.0 and you use
the one broadcast address of 10.10.255.255.  Don't you think this
would be easier to perhaps install / route in such a DHCP
implementation as you are trying?  I don't know for certain, but this
just makes a bit more sense to me...  Also, if you are using three
segments, AND a dhcp-relay, do you even need to break the segments up
for routing?

BTW, a simple nice (and more than likely incorrect way) for quickly
understanding broadcast addresses:

subnet: 255.255.255.0
b/cast: x.x.x.255

subnet: 255.255.0.0
b/cast: x.x.255.255

The 0 and 255 always switch around...
 
> Apart from this, here's a dump approx. from beginning of a session
> (it's an educational facility, they play games too, hence the ipx):

<SNIP>

I'll filter the dumps just now and have a look at the broadcasts and
such...
 
> > As to the broadcasts...  10.x.x.x = Class A IP addresses... 
> > Those broadcasts are right to be on any IP address in the
> > 10.x.x.x range if you use the entire subnet (255.0.0.0)
> 
> I use a 255.255.0.0 netmask.

Class B...   In other words, in regards to my comments above...
10.13.x.x and 10.0.x.x WON'T know about each other, hence all the
broadcasts and ARP requests...  My bet would still be to try to get
all three the segments on the same numerical IP network... 
 
> > Those are options from NT's DHCP server...  But if you can locate
> > the option numbers (or the value they carry as DHCP options - HEX
> > Number I believe), you will be able to configure this with Linux
> > as well... I'll have a look later, perhaps install DHCP on my NT
> > quickly, and see if I can get the values for you.
> 
> Please do. These don't seem documented in man dhcp-options, but
> may well be specified as hex-options.

*urgh*, I'll have a look now (IE: Install DHCP quickly again), and
get back with the values to you in the priv. email about your dumps
and so on... 
 
> Firewall resolv.conf :
> search domain.dk
> three nameserver entries
> 
> Firewall routing table:
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 10.10.0.1       0.0.0.0         255.255.255.255 UH    0   0      0    eth0
> 10.1.0.1        0.0.0.0         255.255.255.255 UH    0   0      0    eth2
> 10.0.0.2        0.0.0.0         255.255.255.255 UH    0   0      0    eth1
> 10.12.0.1       0.0.0.0         255.255.255.255 UH    0   0      0    eth3
> 10.13.0.1       0.0.0.0         255.255.255.255 UH    0   0      0    eth4
> 10.0.0.0        0.0.0.0         255.255.0.0     U     0   0      0    eth1
> 10.1.0.0        0.0.0.0         255.255.0.0     U     0   0      0    eth2
> 10.10.0.0       0.0.0.0         255.255.0.0     U     0   0      0    eth0
> 10.12.0.0       0.0.0.0         255.255.0.0     U     0   0      0    eth3
> 10.13.0.0       0.0.0.0         255.255.0.0     U     0   0      0    eth4
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
> 0.0.0.0         10.0.0.1        0.0.0.0         UG    0   0      0    eth1

Hmmm... This may sound stupid, but you *do* have IP Forwarding
enabled?  I am also safe to presume you can ping everything from the
firewall?  As far as the routing goes, I don't really see anything
wrong... I'm not too sure about other people though ??

> Windows 98 IP-configuration :
> 
> 0 Ethernet networkscard :
>         IP-adress . . . . . . . . . : 10.13.0.11
>         Subnetmask  . . . . . . . . : 255.255.0.0
>         Defaultgateway  . . . . . . : 10.13.0.1

This seems pretty fine...  You may also wish to select the "more
options" or "advance options" in the ipconfig util thingy, and just
make sure about what name servers it is using and so forth...  Not
really necessary here, but it just gives you that little bit of
extra information... 
 
> arp -a :
> Networkcard: 10.13.0.11 on Interface 0x1000002
>   Internet-adress       Physical adress         Type
>   10.13.0.1             00-80-c8-ca-9c-f3     dynamic 

It's the right MAC address on the firewall box?
 
 
> Part of dhcpd.conf :
> 
> authoritative;
> option domain-name "domain.dk";
> option domain-name-servers 195.129.12.122, 195.129.12.123,
> 195.129.12.114;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Use the name servers on the IP addresses of the firewall... 
10.10.0.1, 10.0.0.2, 10.1.0.1, 10.12.0.1, 10.13.0.1  If the firewall
doesn't have a nameserver, install a caching only server - it can't
hurt :)
 
> subnet 10.13.0.0 netmask 255.255.0.0 {
>     default-lease-time 86400;  # One day
>     max-lease-time 604800;  # seven days
>     range 10.13.0.10 10.13.0.250;
>     option subnet-mask 255.255.0.0;
>     option broadcast-address 10.13.0.255;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
10.13.0.0 with subnet 255.255.0.0 has a broadcast of 10.13.255.255

>     option routers 10.13.0.1;

BTW....  I'm just thinking now brainwave type here, but have you
tried this:

route add -net 10.13.0.0 netmask 255.255.0.0 dev eth?
route add -net 10.12.0.0 netmask 255.255.0.0 dev eth?
etc... 

and then your DHCP subnet looks like:

subnet 10.0.0.0 netmask 255.0.0.0 {
    default-lease-time 86400;  # One day
    max-lease-time 604800;  # seven days
    range 10.13.0.10 10.13.0.250;
    range 10.12.0.0 10.12.255.255;
    option subnet-mask 255.255.0.0;
    option broadcast-address 10.255.255.255;
    option routers 10.13.0.1;
};

BTW: you're making me more and more want to install Linux now just to
figure out how to do this *g*...  I know I did it before *shrugs*... 
If I can only remember how I got it working... 

- ---
Regards,
Chris Knipe
Cell: (083) 430-8151


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOfYKbNH4faKoc4EuEQLymgCfa1EWV8jSS/z0HbkfShAg1YABONwAn31U
VYmvlklLc7mzI2NtxnXbVuvk
=gX5F
-----END PGP SIGNATURE-----
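As an added worked example (not part of this thread and not anyone's posted configuration): a small Python script, using only the standard ipaddress module, that computes the network and broadcast address for any address/netmask pair (the /24 and /16 rule of thumb above, generalised to arbitrary masks), tests whether two hosts share a subnet under a given mask (the condition under which a client ARPs for the peer directly instead of handing the packet to its router), and checks dhcpd.conf subnet blocks for exactly the kind of mismatch pointed out above. The two subnet blocks it parses are constructed copies of the fragments in this mail; the function names and the regular-expression parser are the script's own, not dhcpd's.

```python
import ipaddress
import re

# Constructed dhcpd.conf excerpt modelled on the two fragments in this mail.
# Block 1 carries the broadcast-address mismatch discussed above; block 2 is
# the class-A "brainwave" proposal, whose subnet-mask option does not match
# the declared netmask.
DHCPD_CONF = """\
authoritative;
subnet 10.13.0.0 netmask 255.255.0.0 {
    default-lease-time 86400;  # One day
    max-lease-time 604800;  # seven days
    range 10.13.0.10 10.13.0.250;
    option subnet-mask 255.255.0.0;
    option broadcast-address 10.13.0.255;
    option routers 10.13.0.1;
}
subnet 10.0.0.0 netmask 255.0.0.0 {
    range 10.13.0.10 10.13.0.250;
    range 10.12.0.0 10.12.255.255;
    option subnet-mask 255.255.0.0;
    option broadcast-address 10.255.255.255;
    option routers 10.13.0.1;
}
"""

# Matches "subnet A netmask M { ... }" blocks; DOTALL so the body may span lines.
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def network_of(ip, netmask):
    """Network and broadcast address (as strings) for an address/netmask pair."""
    net = ipaddress.IPv4Network((ip, netmask), strict=False)
    return str(net.network_address), str(net.broadcast_address)


def same_subnet(ip_a, ip_b, netmask):
    """True when both hosts lie in the same network under the given mask,
    i.e. a host would ARP for the peer directly rather than use its router."""
    return network_of(ip_a, netmask)[0] == network_of(ip_b, netmask)[0]


def check_dhcpd_subnets(conf_text):
    """Check every subnet {} block: broadcast-address, subnet-mask, routers
    and ranges must agree with the declared subnet/netmask.  Returns a list
    of (subnet_cidr, problems); an empty problem list means the block is
    internally consistent."""
    findings = []
    for sub, mask, body in SUBNET_RE.findall(conf_text):
        net = ipaddress.IPv4Network((sub, mask), strict=False)
        problems = []

        m = re.search(r"option\s+broadcast-address\s+([^;\s]+);", body)
        if m and m.group(1) != str(net.broadcast_address):
            problems.append(
                f"broadcast-address {m.group(1)} should be {net.broadcast_address}")

        m = re.search(r"option\s+subnet-mask\s+([^;\s]+);", body)
        if m and m.group(1) != mask:
            problems.append(
                f"subnet-mask {m.group(1)} differs from declared netmask {mask}")

        m = re.search(r"option\s+routers\s+([^;]+);", body)
        if m:
            for router in re.split(r"\s*,\s*", m.group(1).strip()):
                if ipaddress.IPv4Address(router) not in net:
                    problems.append(f"router {router} is outside {net}")

        for lo, hi in re.findall(r"range\s+(\S+)\s+([^;\s]+);", body):
            if (ipaddress.IPv4Address(lo) not in net
                    or ipaddress.IPv4Address(hi) not in net):
                problems.append(f"range {lo}-{hi} is outside {net}")

        findings.append((str(net), problems))
    return findings


if __name__ == "__main__":
    print(network_of("10.13.0.0", "255.255.0.0"))   # ('10.13.0.0', '10.13.255.255')
    print(same_subnet("10.13.0.11", "10.0.0.1", "255.255.0.0"))  # False
    for cidr, problems in check_dhcpd_subnets(DHCPD_CONF):
        print(cidr, "OK" if not problems else "; ".join(problems))
```

Run against the constructed config, the first block is reported with the 10.13.0.255 / 10.13.255.255 mismatch and the second with the subnet-mask option disagreeing with the declared 255.0.0.0 netmask; a 10.13.0.11 host under a 255.255.0.0 mask is shown not to share a subnet with 10.0.0.1, which is why such traffic has to go via the router rather than via an ARP on the local wire.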

