Routing from Hell!!! - Help

backroger
Member, joined Mar 6, 2005
I have this:

[Internet/University Firewall Server IP 10.10.255.254]
|
|
[3com Stack III 12-Port Fiber Switch HUB]
|
|
[RHEL AS 4.0 Server (eth0)]
[IP 10.10.1.2 /NM 255.255.0.0 /GW 10.10.255.254 /DNS 10.0.1.1]
[RHEL AS 4.0 Server (eth1)]
[IP 192.168.0.254 /NM 255.255.255.0 /GW 10.10.1.2 /DNS 10.0.1.1]
|
|
[D-Link 10/100 8-Port Switch Hub]
|
|
[WRT54G 4-Port Switch]
[Network Setup - Static]
[IP 192.168.0.253/NM 255.255.255.0/GW 192.168.0.254/1st DNS 10.0.1.1]
[Router IP]
[IP 192.168.0.253/NM 255.255.255.0]
[DHCP - Disabled]
|
|
[Windows XP]
[IP 192.168.0.1/NM 255.255.255.0/GW 192.168.0.253/DNS 10.0.1.1]

I have enabled the Firestarter firewall NAT (Network Address Translation), with DHCP disabled, on eth1 in RHEL AS 4.0 to turn on IPv4 forwarding. I set the network proxy server in RHEL AS 4.0 to "proxy.xxxxxxx.xxx.xx:3128".

I can ping the router (WRT54G) from Windows XP. But when I ping the WRT54G/router 192.168.0.253 from RHEL AS 4.0, I only get "unreachable host".

However.... when I take out the WRT54G and change the gateway address of Windows XP to 192.168.0.254, it works okay.

Note: Currently I'm using the WRT54G as a switch/hub, not yet venturing into wireless, and I have not yet set up any routing in the Linux box.

Do I need to set up routing in the Linux box?

Also, is it possible to hook up 7 more WRT54G routers to my D-Link hub?

Any help would be very much appreciated.
 

randal
Golden Member, joined Jun 3, 2001
I'm not sure if this is related, but in my experience you can't NAT between the same networks on both sides of the router. Your diagram indicates that your WRT54G router has the WAN IP 192.168.0.253/24, but your internal hosts have LAN IPs of 192.168.0.1/24.

If that is correct, try changing your internal network to be 192.168.1.xxx and it should work.

(please note that the RHEL server has 10.10.1.2/16 as its WAN IP and 192.168.0.x as its internal IP -- this is to avoid the problem you're having)
 

randal
Golden Member, joined Jun 3, 2001
I just reread your description, and my original entry may be off base. I am not sure if you have a second NAT device in the way, as you have the WRT54G and then a mystery device called "[Router IP]" and I have no idea what that is. If you do indeed have a second router (the RHEL counts as one) then my original post stands.

Edit - also of note ... you can NAT multiple times without a problem. I've only ever done it three deep in a lab, but it worked A-OK.
 

backroger
Member, joined Mar 6, 2005
If I revise the WRT54G [Network Setup] to this...

[WRT54G 4-Port Switch]
[Network Setup - Static]
[IP 192.168.1.254/NM 255.255.255.0/GW 192.168.0.254/1st DNS 10.0.1.1]
[Router IP]
[IP 192.168.0.253/NM 255.255.255.0]
[DHCP - Disabled]

I will have a problem: the [GW 192.168.0.254]!

It won't let me save that setting, since "192.168.0.254" is not within the subnet.

However, if I set the GW to any 192.168.1.XXX it's okay. But the problem is, what do I accomplish with that...

Also, do I have to do a "route add -net 192.168.1.0/24 gw 192.168.0.253" in my Linux box?

The [Router IP] is another thing... it may be the IP that you point your browser at to be able to access the WRT54G.

Or is my WRT54G broken?

Originally posted by: randal
I just reread your description, and my original entry may be off base. I am not sure if you have a second NAT device in the way, as you have the WRT54G and then a mystery device called "[Router IP]" and I have no idea what that is. If you do indeed have a second router (the RHEL counts as one) then my original post stands.

Edit - also of note ... you can NAT multiple times without a problem. I've only ever done it three deep in a lab, but it worked A-OK.
 

theblaznee
Member, joined Jan 28, 2005
First of all, your IP setup on your RHEL AS 4.0 server is faulty, and that may be why you're getting strange results. No matter how many network interfaces you have, you can only ever have one default gateway. All the rest should not have a GW defined. Also, your eth1 interface has a GW defined that is not on the same network as the interface itself. Now that'll never work :).. Pick one interface to have a default gateway and make sure the gateway is on the same net as the interface itself.

The setup otherwise matches fine with networks and subnet masks, so as soon as you sort out your IP config on the RHEL server you should be fine..
 

backroger
Member, joined Mar 6, 2005
You mean no GW in the WRT54G?? Like this?


[WRT54G 4-Port Switch]
[Network Setup - Static]
[IP 192.168.1.254/NM 255.255.255.0/GW 0.0.0.0/1st DNS 10.0.1.1]
[Router IP]
[IP 192.168.0.253/NM 255.255.255.0]
[DHCP - Disabled]


The eth1 works like a charm in the D-Link (without the WRT54G in the middle).

[root@eapi root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:48:CA:2E
          inet addr:10.10.1.2  Bcast:10.10.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:133 errors:0 dropped:0 overruns:1 frame:0
          TX packets:114 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16313 (15.9 Kb)  TX bytes:12952 (12.6 Kb)
          Interrupt:9 Base address:0xa400

eth1      Link encap:Ethernet  HWaddr 00:60:08:67:A3:BB
          inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:2 carrier:2
          collisions:0 txqueuelen:1000
          RX bytes:10909 (10.6 Kb)  TX bytes:0 (0.0 b)
          Interrupt:9 Base address:0x9400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:243 errors:0 dropped:0 overruns:0 frame:0
          TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:16768 (16.3 Kb)  TX bytes:16768 (16.3 Kb)

[root@eapi root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.10.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         10.10.255.254   0.0.0.0         UG    0      0        0 eth0

-----------------> Below is the eth1 transaction <--------------------

[root@eapi root]# tcpdump -i eth1
tcpdump: listening on eth1
12:25:16.630393 arp who-has 192.168.0.254 tell 192.168.0.1
12:25:16.630454 arp reply 192.168.0.254 is-at 0:a:5e:48:c9:bb
12:25:16.630741 192.168.0.1.1074 > 10.XXX.XXX.XXX.http: S 288709428:288709428(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
12:25:16.632956 10.XXX.XXX.XXX.http > 192.168.0.2.1074: S 3661149227:3661149227(0) ack 288709429 win 5840 <mss 1460,nop,nop,sackOK> (DF)
12:25:16.633453 192.168.0.1.1074 > 10.XXX.XXX.XXX.http: . ack 1 win 17520 (DF)
12:25:16.634358 192.168.0.1.1074 > 10.XXX.XXX.XXX.http: P 1:199(198) ack 1 win 17520 (DF)
12:25:16.635230 10.XXX.XXX.XXX.http > 192.168.0.1.1074: . ack 199 win 6432 (DF)
12:25:16.635759 10.XXX.XXX.XXX.http > 192.168.0.1.1074: P 1:191(190) ack 199 win 6432 (DF)
12:25:16.738018 192.168.0.1.1075 > proxy.xxxxxx.xxx.xx.squid: S 288796619:288796619(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
12:25:16.739511 proxy.xxxxxx.xxx.xx.squid > 192.168.0.1.1075: S 2841021943:2841021943(0) ack 288796620 win 5840 <mss 1460,nop,nop,sackOK> (DF)
12:25:16.739954 192.168.0.1.1075 > proxy.xxxxxx.xxx.xx.squid: . ack 1 win 17520 (DF)
12:25:16.743396 192.168.0.1.1075 > proxy.xxxxxx.xxx.xx.squid: P 1:255(254) ack 1 win 17520 (DF)
12:25:16.745195 proxy.xxxxxx.xxx.xx.squid > 192.168.0.1.1075: . ack 255 win 6432 (DF)
12:25:16.798648 192.168.0.1.1074 > 10.XXX.XXX.XXX.http: . ack 191 win 17330 (DF)
12:25:17.596882 proxy.xxxxxx.xxx.xx.squid > 192.168.0.1.1075: . 1:1461(1460) ack 255 win 6432 (DF)
12:25:17.598092 proxy.xxxxxx.xxx.xx.squid > 192.168.0.1.1075: . 1461:2921(1460) ack 255 win 6432 (DF)
12:25:17.600027 192.168.0.1.1075 > proxy.xxxxxx.xxx.xx.squid: . ack 2921 win 17520 (DF)

If I hook up the Windows XP client directly to the D-Link, that's the result; it's okay.... the client has internet access. I can add eth2 or alias it to different NAT 192.168.X's.

But putting the WRT54G in the middle makes my hair split... is the router broken?

Originally posted by: theblaznee
First of all, your IP setup on your RHEL AS 4.0 server is faulty, and that may be why you're getting strange results. No matter how many network interfaces you have, you can only ever have one default gateway. All the rest should not have a GW defined. Also, your eth1 interface has a GW defined that is not on the same network as the interface itself. Now that'll never work :).. Pick one interface to have a default gateway and make sure the gateway is on the same net as the interface itself.

The setup otherwise matches fine with networks and subnet masks, so as soon as you sort out your IP config on the RHEL server you should be fine..

 

theblaznee
Member, joined Jan 28, 2005
Damn dude, you're making this totally confusing :-D..

Where did you get the idea that the WRT54G should have its GW removed when I only talked about the RHAS server? :p

Now I'm not sure if I understand the setup any longer.. Do you have Visio or something similar where you can make a quick network drawing?
 

theblaznee
Member, joined Jan 28, 2005
Ah, thanks for the drawing.. Would have been perfect if the IPs had been there also, but I can't get it all :)

It looks like you're using the WRT54G set up as a "router on a stick", meaning that it actually only uses one interface (the one on the 192.168.0.0/24 net).. I'm not 100% familiar with Linksys routers (if it's the same as the picture), but perhaps it doesn't really work in an "on-a-stick" configuration.. Especially if you're running any kind of NAT on it...

I would suggest moving the 8-port hub "down" to the 192.168.0.0 network, and then making a small transfer net between the WRT54G router and your RHEL server.. Just a small /30 net.. Then you'll force the router to actually route, and any NAT stuff you'll be doing will be much easier to config, because you'll have a clearly defined inside and outside of the router..

Now you'll have a wireless/wired network that you can put access restrictions on, and enable visitors to surf the Net no matter whether they have wireless or wired equipment.. That's the whole point of the setup I presume? :)
 

randal
Golden Member, joined Jun 3, 2001
This will work.

[Internet/University Firewall Server IP 10.10.255.254]
|
|
[3com Stack III 12-Port Fiber Switch HUB]
|
|
[RHEL(eth0) IP 10.10.1.2 /NM 255.255.0.0 /GW 10.10.255.254 /DNS 10.0.1.1]
[RHEL(eth1) IP 192.168.0.254 /NM 255.255.255.0]
|
|
[D-Link 10/100 8-Port Switch Hub]
|
|
[WRT54G WAN: IP 192.168.0.253/NM 255.255.255.0/GW 192.168.0.254/1st DNS 10.0.1.1]
[WRT54G LAN: IP 192.168.1.253/NM 255.255.255.0]
|
|
[Windows XP]
[IP 192.168.1.1/NM 255.255.255.0/GW 192.168.1.253/DNS 10.0.1.1]

Please do note that you can only ever have one default route on the RHEL box and that it should point upstream to the university network (10.10.255.254 in this case). Also please note that the WRT54G router has two different networks on its interfaces -- 192.168.0.x and 192.168.1.x. This is critical.

edit - I would love to send around some visio drawings, but unfortunately you guys are hardcore and are using visio 2k3 (I have visio 2k). Hackers.
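The routing logic behind the diagram above, as an added example that is not part of the thread: a small longest-prefix-match lookup over the three routing tables (XP, WRT54G, RHEL) using randal's addresses. It encodes the two rules theblaznee gave (one default gateway per box, and a gateway must be on-link, which is also why the WRT54G refused GW 192.168.0.254 on a 192.168.1.x interface), traces a packet from the XP client to the DNS server 10.0.1.1, and shows where the RHEL box sends the reply: with no route for 192.168.1.0/24 it follows the default route back out eth0 toward the university; with the `route add -net 192.168.1.0/24 gw 192.168.0.253` from the thread it goes out eth1; and if the WRT54G NATs its LAN behind its WAN address (its factory default, assumed here, as nothing in the thread states it), the RHEL box only ever sees 192.168.0.253 and needs no extra route. Interface names, function names and the sample destination are mine.

```python
"""Added example (not from the thread): longest-prefix-match routing over the
XP -> WRT54G -> RHEL -> university chain, with the config checks theblaznee
described.  Addresses come from randal's diagram; interface names and the
WRT54G's NAT behaviour are assumptions."""
from ipaddress import ip_address, ip_interface, ip_network


def config_errors(ifaces):
    """ifaces: {name: ("addr/len", "gateway" or None)}, one entry per [IP/NM/GW]
    line in the thread.  Returns the problems a router (or the WRT54G's web UI)
    rejects: more than one default gateway, or a gateway that is not on-link."""
    errors = []
    gws = [(n, gw) for n, (_, gw) in ifaces.items() if gw]
    if len(gws) > 1:
        errors.append("more than one default gateway: " + ", ".join(n for n, _ in gws))
    for name, gw in gws:
        net = ip_interface(ifaces[name][0]).network
        if ip_address(gw) not in net:
            errors.append(f"{name}: gateway {gw} is not on {net}")
    return errors


def build_routes(ifaces, default_gw=None, static=()):
    """Routing table as [(network, gateway_or_None, iface)]: connected routes
    from the interface addresses, then static routes, then the default."""
    addrs = {n: ip_interface(a) for n, a in ifaces.items()}
    routes = [(a.network, None, n) for n, a in addrs.items()]

    def on_link(gw):
        for n, a in addrs.items():
            if gw in a.network:
                return n
        raise ValueError(f"gateway {gw} is not on any connected subnet")

    for net, gw in static:
        gw = ip_address(gw)
        routes.append((ip_network(net), gw, on_link(gw)))
    if default_gw is not None:
        gw = ip_address(default_gw)
        routes.append((ip_network("0.0.0.0/0"), gw, on_link(gw)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match.  Returns (next_hop, iface); the next hop is the
    destination itself when the destination network is directly connected."""
    dst = ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gw, iface = best
    return (gw if gw is not None else dst, iface)


# The three routing tables in randal's "This will work" diagram.
XP = build_routes({"lan": "192.168.1.1/24"}, default_gw="192.168.1.253")
WRT54G = build_routes({"wan": "192.168.0.253/24", "lan": "192.168.1.253/24"},
                      default_gw="192.168.0.254")
RHEL_IFACES = {"eth0": "10.10.1.2/16", "eth1": "192.168.0.254/24"}


def forward_trace(dst):
    """Next hop chosen at each of the three routers for a packet from XP."""
    rhel = build_routes(RHEL_IFACES, default_gw="10.10.255.254")
    hops = []
    for table in (XP, WRT54G, rhel):
        nh, iface = lookup(table, dst)
        hops.append((str(nh), iface))
    return hops


def rhel_reply_iface(static=(), wrt_nats=False):
    """Interface the RHEL box uses for the reply after undoing its own NAT.
    If the WRT54G also NATs (assumed factory default), RHEL only ever saw
    192.168.0.253 as the client; otherwise it has to route to 192.168.1.1."""
    table = build_routes(RHEL_IFACES, default_gw="10.10.255.254", static=static)
    inside_dst = "192.168.0.253" if wrt_nats else "192.168.1.1"
    return lookup(table, inside_dst)[1]


if __name__ == "__main__":
    # The original eth0/eth1 config from the first post: two gateways, one off-link.
    print(config_errors({"eth0": ("10.10.1.2/16", "10.10.255.254"),
                         "eth1": ("192.168.0.254/24", "10.10.1.2")}))
    print(forward_trace("10.0.1.1"))
    print(rhel_reply_iface(),
          rhel_reply_iface(static=[("192.168.1.0/24", "192.168.0.253")]),
          rhel_reply_iface(wrt_nats=True))
```

The "eth0" answer from `rhel_reply_iface()` with no static route is the interesting one: a reply addressed to 192.168.1.1 matches nothing but the default route, so it is sent upstream to the university gateway with a private destination and is silently lost. A second NAT layer on the WRT54G hides that problem rather than fixing it; a static route on the RHEL box fixes it.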
 

backroger
Member, joined Mar 6, 2005
Originally posted by: randal

[RHEL(eth1) IP 192.168.0.254 /NM 255.255.255.0]

Hmmm.... since the WRT54G's using 192.168.0.253 to route.... and taking the GW out of eth1.... it would require me to route my RH's 192.168.1.0/24 to GW 192.168.0.253.

If this is true then I need to invoke the command:

[root@eapi root]#route add -net 192.168.1.0/24 gw 192.168.0.253

Anyway.... I'll try the setup.... sheesh..... I should have bought the Linksys WAP54G; it probably would have made my life easier..

Thanks for the help...Randal & Theblaznee...
 

backroger
Member, joined Mar 6, 2005
Okay.... thanks a bunch for this, you two, Randal & theblaznee.

This setting works okay now... I didn't even do the "route add -net" thing.

[Internet/University Firewall Server IP 10.10.255.254]
|
|
[3com Stack III 12-Port Fiber Switch HUB]
|
|
[RHEL AS 4.0 Server (eth0)]
[IP 10.10.1.2 /NM 255.255.0.0 /GW 10.10.255.254 /DNS 10.0.1.1]
[RHEL AS 4.0 Server (eth1)]
[IP 192.168.0.254 /NM 255.255.255.0 /GW 10.10.1.2 /DNS 10.0.1.1]
|
|
[D-Link 10/100 8-Port Switch Hub]
|
|
[WRT54G 4-Port Switch]
[Network Setup - Static]
[IP 192.168.0.253/NM 255.255.255.0/GW 192.168.0.254/1st DNS 10.0.1.1]
[Router IP]
[IP 192.168.1.254/NM 255.255.255.0]
[DHCP - Disabled]
|
|
[Windows XP]
[IP 192.168.1.1/NM 255.255.255.0/GW 192.168.1.254/DNS 10.0.1.1]

One thing I notice on the Windows XP side is that it has two internet icons; the new one has this...

Internet ---------> Gateway ---------> My Computer

Is that normal? Has the WRT54G become the 2nd gateway?

Anyway....I'll try now the Wireless side....

Btw....can I hook up 7 more WRT54G or 7 WAP54G???

The reason for this is to provide plenty of hot spots for about 80 users, so that each WRT54G/WAP54G can accommodate at least 8 users per spot.

Example... if WRT54G-1 is now being used by #1-#8 then user #9 will have to go to WRT54G-2. If WRT54G-2 is now filled with #9-#16 then user #17 will have to go to WRT54G-3... and so on and so forth.

So probably each WRT54G will have a subnet mask of 255.255.255.248 with a different 8-IP range, and DHCP enabled this time.

As for the Authentication??....I've been reading about OpenVPN 2.0.

Any comments about this setup? Is it feasible?

Thank you for any suggestion & comment.
 

randal
Golden Member, joined Jun 3, 2001
Yes, you have two separate gateways -- actually, you have three. The first gateway is the university gateway. Then there's the RHEL gateway, then there's the WRT54G gateway. Multiple hops is how the internet works; follow the example below, assuming that your university uses Level3 as its main internet provider.

WindowsXP -> WRT54G -> RHEL -> University -> Level3 -> Data102 Gateway -> Office Router -> My desktop

It goes from the desktop all the way upstream, aggregates, then goes back down from big to small. In this case, it would be 7 hops of pretty-damned-close-to what you're doing to get from end to end.

As for hooking up additional WRT54Gs or WAP54Gs or whatever, sure. As long as they get their own IP address (192.168.0.xxx in this case) for their WAN link and have a different network on their LAN link -- just like you have now -- you should be able to scale up quite a bit without issue.
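An address plan for the per-hotspot scale-out discussed in the last two posts, as an added example that is not part of the thread. It follows randal's rule (each extra WRT54G gets its own 192.168.0.x WAN address and a different network on its LAN side), picks the prefix length from the number of clients wanted, and reports what each subnet actually holds: a /29 (255.255.255.248) has 8 addresses, but the network address, the broadcast address and the router's own address leave 5 DHCP leases, so 8 clients per AP need a /28. The WAN addresses (192.168.0.201 upward, leaving .253/.254 to the existing WRT54G and the RHEL eth1), the LAN pool 192.168.1.0/24 and the function names are my assumptions.

```python
"""Added example (not from the thread): an address plan for the per-hotspot
WRT54G scale-out asked about above.  Assumptions: each AP gets a WAN address
from 192.168.0.201 upward and a LAN subnet carved out of 192.168.1.0/24; the
router sits on the highest usable address of its subnet, as in the thread."""
from ipaddress import ip_network

WAN_NET = ip_network("192.168.0.0/24")    # the RHEL eth1 network from the thread
LAN_POOL = ip_network("192.168.1.0/24")   # assumption: one /24 shared by all APs


def client_capacity(prefixlen):
    """DHCP leases a subnet of this length can hand out: all addresses minus
    network, broadcast and the router's own address.  /29 gives 5, not 8."""
    return ip_network(f"0.0.0.0/{prefixlen}").num_addresses - 3


def prefix_for_clients(clients):
    """Longest prefix (smallest subnet) that still fits `clients` leases."""
    for plen in range(30, 15, -1):
        if client_capacity(plen) >= clients:
            return plen
    raise ValueError("no subnet in range fits")


def address_plan(n_aps, clients_per_ap, first_wan_host=201):
    """One dict per AP: WAN address, LAN subnet, router address, DHCP range."""
    plen = prefix_for_clients(clients_per_ap)
    subnets = list(LAN_POOL.subnets(new_prefix=plen))
    if len(subnets) < n_aps:
        raise ValueError(f"{LAN_POOL} only holds {len(subnets)} /{plen} subnets")
    if first_wan_host + n_aps - 1 >= 253:
        raise ValueError("WAN addresses would collide with 192.168.0.253/254")
    plan = []
    for k, lan in enumerate(subnets[:n_aps]):
        hosts = list(lan.hosts())             # excludes network and broadcast
        plan.append({
            "ap": f"WRT54G-{k + 1}",
            "wan": str(WAN_NET.network_address + first_wan_host + k),
            "lan": str(lan),
            "router": str(hosts[-1]),         # x.x.x.254-style: last usable address
            "dhcp_first": str(hosts[0]),
            "dhcp_last": str(hosts[-2]),
            "clients": len(hosts) - 1,
        })
    return plan


if __name__ == "__main__":
    for ap in address_plan(8, 8):
        print(ap)
```

Run as-is it prints eight /28 plans; `address_plan(8, 5)` reproduces the /29 layout from the post, with 5 leases per AP. Each AP still NATs and runs its own DHCP, so the RHEL box only ever sees the eight WAN addresses, exactly as it now sees 192.168.0.253.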