Semi-Complex routing and Ipchains

**groundzero** · 04-17-2002, 12:52 PM

Definitions:
UnixA : Multi Homed
eth0 222.x.x.x
eth1 192.168.100.130
LinuxA Firewall (ipchains)
eth0 222.x.x.x
eth1 192.168.100.100
RouterA
eth0 192.168.100.101
>>>>>>>>>>>>&g t;>>>>>>>.
I need to get the traffic on UnixA eth1 to route to 192.168.100.101.
I added a static route on UnixA:
route add 192.168.100.130 192.168.100.100
That took ok so the info goes to the firewall.
No I need to add aroute on the firewall so it is not forwarded out eth0 like all the other 192s but instead is sent to the router.
Thanx, I know is strage you just have to trust I know what im doing (sometimes)

**tolstoy** · 04-17-2002, 02:13 PM

Your question seems a little foggy, so I'm going to answer it as best as I can (though this may not be the exact answer to the question).

I need to get the traffic on UnixA eth1 to route to 192.168.100.101.

Is UnixA also routing traffic between its networks? Is routerA multihomed? Do you want all traffic on the 192.168.100.x subnet to go through RouterA? If so, then make that the default gateway for all those boxes on that subnet.

Traffic on UnixA--as long as the traffic is local to the 192.168.100.x subnet--should be automatically sent out eth1, directly to its destination. If all your boxes are on the same subnet (192.168.100.130, 192.168.100.100, 192.168.100.101) then your routing tables will not be consulted at all, unless the destination IPs lies outside of that subnet. *

Subnets *rely on ARP brodcasts for local address location. Only when ARP broadcasts fail to return a MAC address for a given IP will a computer then send packets to its default gateway. If you want packets for destinations other then the 192.168.100.x subnet to go through 192.168.100.101, then you will need to make that ip UnixA's default gateway.

No I need to add a route on the firewall so it is not forwarded out eth0 like all the other 192s but instead is sent to the router.

Disable the external interface (eth0) if possible or disable ip forwarding (if its enabled). Make 192.168.100.101 the firewall's default gateway.

I hope this helps a little bit. Like I said, it is a strange setup. Perhaps if you told us what you to do in the end we can be of more help.

**groundzero** · 04-17-2002, 03:50 PM

It is rather complex.
Here are some more xplainations.
UnixA is out app server. Its eth0 222 nic servers data out to our remote site all over the US. Its eth1 192 nic serves data to our internal network that is all 192.168.100.x
LinuxA is our firewall. eth0 222 nic is the interface that eth1 192 forwards everything throught to get out to the real world from inside our internal network.
RouterA is part of a new VPN switchover we are doing. Out at location X there is another router like RouterA. They both connect to a main VPN server out in the world somewhere on a specific port. This port i forward through LinuxA directly to RouterA. Ok now I have explain it some more. From UnixA I need to ping 192.168.3.2 for instance. 192.168.3.2 in LocationX. RouterA and the counterpart at location X know how to handle this. I need for UnixA to route this request to LinuxA and LinuxA route this request to RouterA sibnce he is the only guy that can get to his counterpart at 192.168.3.2.
Does that help. I have the request from UnixA going to eth1 on LinuxA Already But I am afraid that LinuxA if masqing it out eth0 as it does with all other request. I need for it to route everythin from 192.168.100.130 to 192.168.100.101 unless it on the LAN in witch case it should bother and routes by default. Wow this get more complicated by the minute.
TIA Guyz,
GZ

**tolstoy** · 04-17-2002, 04:26 PM

Try this on UnixA. Update your local routing table as such:

Code:

route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.100.101 metric 1

This should send anything destined to the remote 192.168.3.0 network to routerA (rather than sending it from UnixA to LinuxA then to routerA). I'm assuming that 192.168.3.0 has a standard 255.255.255.0 netmask. If not just adjust the above code.

If LinuxA is the default gateway for your entire LAN, and everything destined for LocationX, not just traffic from UnixA, needs to go through your VPN box, then just add that route to LinuxA and set all your LAN box to use LinuxA as their default gateway. However, if you need to maintain static routing tables on a lot of boxes, you should look into setting up something like routed.

**groundzero** · 04-18-2002, 10:39 AM

This is almost too trick to explain. I am dealing with 3 netowrks . 222.x.x.x., 192.168.100.x, and 192.168.x.x. and some complex VPN ltp2 tunneling. I might have it figured out, if not i will repost here and let you all exercise the routing portion of your brains as mine is toast.

Thanx

**tolstoy** · 04-18-2002, 07:53 PM

It shouldn't be that tricky if you have all your routing tables updated correctly with directions to each network/subnet. As AFAIK, the entire thing is a routing issue and can be resolved without modifying you ipchains at all. As long as the two VPN boxes know how to route data to each other, the rest shouldn't be that hard to resolve.

If you haven't already done so, I would draw a map of your network on a peice of paper and write out what entries need to be made in each router or host's routing table. Sit down at each router or host and make sure you can ping all parts of your network or run traceroute.

**groundzero** · 04-22-2002, 02:17 PM

We had a pretty pi__poor drawing. Redoing that now. Also one that that complicates things a bit is there are going to be more than 100 nodes on the VPN all with different subnets so I want to let the VPN routers do the bulk of the work. I am not doing a good job of explaining this . I can't work on it at the moment becuase now upper management has a bigger problem they want fixed. I need to start a new thread.
Thanx for the help so far all.

**tolstoy** · 04-23-2002, 01:37 PM

If your routed network is that complex, I would look into setting up something like RIP on all your routers. This way you don't have to maintain static routes across multiple routers for a ton of subnets.

**Stix** · 04-23-2002, 02:42 PM

I've been following this thread and have found it to be pretty interesting. I also think that implementing some kind of routing protocol like RIP/RIPv2 might be the answer here simply because, as tolstoy stated, maintaining static routes across multiple routers/subnets can prove to be cumbersome. Using RIP does have some limitations, like slow convergence and a network diameter that's limited to 15 hops but for your particular case these are probably not going to be issues.

**groundzero** · 04-30-2002, 11:24 AM

Well, I added 192.168 static router to 192.168.100.101(routerA) and everything works. I guess it wasnt so complex.
I just wasnt working before because the provider needed to do somethings with thier access list.
Thanx for all the help fellas