[ale] Routing under kernel 4.9

Alex Carver agcarver+ale at acarver.net
Sat Oct 21 18:12:17 EDT 2017


I don't mean advertise in that respect though I do already have the DHCP
server configured to try and push the route on.  Not all the devices I
have understand what to do with a route pushed via DHCP so I have to
rely on the main router to handle the redirection.

My old router (a Linksys running OpenWRT) runs iptables even though it
was kernel 2.4.  I duplicated all of the rules to my new router.  I also
duplicated the static route.  Forwarding is set according to sysctl.

The route is indeed present in the routing table.

The iptables forwarding rules have eth1-to-eth0 forwarded as per typical
NAT configuration (it's my primary router before traffic hits the
modem).  It also allows everything on just eth1 period.  I had even
added an explicit eth1-eth1 rule just in case though none was ever
required on the old router.  The extra gateway machine (10.0.0.200)
which is handling 10.100.0.0/24 is a separate machine from the router so
technically all traffic should remain local to my network and never exit
the main router's eth0.  There are no firewalls on the secondary gateway
(10.0.0.200, iptables is empty with all policies set to ACCEPT).

The odd thing is that an internal device on 10.0.0.0/24 can ping
outbound to a device 10.100.0.0/24 and get a reply.  It gets an ICMP
redirect after the first packet and then pings happily afterwards.
Going the other way, pings go all the way to the 10.0.0.0/24 client,
start making their way back but somehow land at the doorstep of the main
router and die instead of the redirect happening.

However, if I start a ping from 10.100.0.0/24 to 10.0.0.0/24, which
starts off not working, and then initiate a ping in the opposite direction
between the same two clients, the outbound pings start working.

Example:
Ping A from 10.100.0.10 to 10.0.0.5 -- this starts as failures first,
leave running
Ping B from 10.0.0.5 to 10.100.0.10 -- this works normally

Ping A starts working as soon as Ping B is running.

This is why I'm thoroughly confused because a known, working
configuration was duplicated but doesn't work.  The only difference is
the single main router having been replaced with something that ran a
newer kernel/OS.

The regular NAT forwarding to my ISP modem works fine, no issues.

On 2017-10-21 14:44, Jeff Jansen wrote:
> Dear Alex,
> 
> Routes are "advertised" by your DHCP server.  I assume that's on your router.  
> What software are you using?  I use 'dnsmasq'.  To send your route out to all 
> DHCP clients I would add:
> 
> dhcp-option=121,10.100.0.0/24,10.0.0.200
> 
> to my dnsmasq configuration file and reload dnsmasq.  Then all my clients would 
> have to re-query the DHCP server to get the new route.  But then all the clients 
> should be able to talk to the 10.100.0.0/24 network 
> directly through the 10.0.0.200 gateway without involving your router at all.
> 
> That doesn't answer why your router won't send the packets destined for 
> 10.100.0.0/24 network on to the 10.0.0.200 gateway 
> anyway.  I assume the router is working otherwise.  That the router has 
> '/proc/sys/net/ipv4/ip_forward' = 1 and it's not overridden in 
> '/proc/sys/net/ipv4/conf/DEV/forwarding'.  That iptables has a FORWARD rule 
> which allows traffic to traverse the router. (iptables was new in the 2.6 
> kernel.  It was ipchains in 2.4.)
> 
> I would run:
> 
> ip route list
> cat /proc/sys/net/ipv4/ip_forward
> cat /proc/sys/net/ipv4/conf/DEV/forwarding    #where 'DEV' is the internal 
> network interface
> iptables -vnL FORWARD
> 
> and make sure that the router knows the gateway for the 10.100.0.0/24 
> network, that it's set to forward (and not overruled on 
> the internal network interface), and that iptables is allowing forwarding when a 
> packet comes in and goes back out the internal interface.
> 
> HTH
> 
> Jeff
> 
> 
> On Sat, Oct 21, 2017 at 2:05 PM, Alex Carver <agcarver+ale at acarver.net> wrote:
> 
>     Ok, I've tried every possible thing I could do to get routing to
>     alternate gateways working correctly and nothing is working short of
>     putting static routes on any machine that can handle them so I've got to
>     ask for help again.  Are there any security features in kernel 4.9 that
>     perhaps weren't present way back in kernel 2.4 that would prevent a
>     machine operating as the main gateway from issuing a reroute?
> 
>     If the primary gateway is 10.0.0.1/24 and I add a static route to send
>     another network to a different machine:
>     route add -net 10.100.0.0/24 gw 10.0.0.200
> 
>     What in the kernel would prevent this route from being advertised or
>     otherwise handed to all clients on 10.0.0.0/24 when they attempt to
>     respond to a packet coming from 10.100.0.0/24?  I can trace an incoming
>     packet from 10.100.0.0/24, through the 10.0.0.200 machine all the way to
>     the 10.0.0.0/24 client, it replies and tries to send back to 10.100.0.0
>     but the packet heads back towards 10.0.0.1 and never gets redirected
>     back to 10.0.0.200.
> 
>     If I add the static route directly to the clients, the connections work.
>     The problem is that I can't do that for every client, not all of them
>     know how to handle routes on their own (not that I really should, this
>     is the job of a router, no?)
> 
>     I'm certain it's some feature/setting of the kernel that's new in 4.9
>     because this worked fine when the router was using the old 2.4 kernel.
>     _______________________________________________
>     Ale mailing list
>     Ale at ale.org
>     http://mail.ale.org/mailman/listinfo/ale
>     See JOBS, ANNOUNCE and SCHOOLS lists at
>     http://mail.ale.org/mailman/listinfo
> 
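Added worked example (not from the thread, and not kernel code): a small Python model of the three things the main router does with a packet, in the order the kernel does them. First the longest-prefix route lookup; then the decision to flag an ICMP host redirect, which ip_forward() makes before the netfilter FORWARD hook and which requires that the packet leave on the interface it arrived on, that send_redirects be set on conf/all OR conf/<dev> (the kernel ORs the two), and that shared_media be set or the new gateway be on-link with the source; then a FORWARD chain with a conntrack ctstate match. The routing table reproduces the topology in the thread (10.0.0.1 on eth1, 10.0.0.200 as gateway for 10.100.0.0/24) and the scenario reproduces the two pings; the modem-side addresses, the sysctl values, the two FORWARD rulesets and their order are constructed assumptions, not Alex's configuration. What it shows: an echo reply from 10.0.0.5 whose request reached it through 10.0.0.200 is, to the main router's conntrack, a reply with no tracked request, i.e. ctstate INVALID, so whether it is forwarded depends entirely on whether an INVALID drop precedes the "accept anything from eth1" rule; the routing layer would forward it and flag a redirect either way.

```python
"""Model of a Linux router's route lookup, ICMP-redirect decision and FORWARD chain for ICMP echo.
Added example for the thread above, not code from the thread or the kernel.  Addresses, sysctl
values and FORWARD rules are constructed; the modem-side addresses and rule order are assumptions."""
import ipaddress

# Constructed routing table of the main router: (prefix, gateway or None, device).
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "eth0"),     # default route to the modem (assumed address)
    ("203.0.113.0/24", None, "eth0"),
    ("10.0.0.0/24", None, "eth1"),             # LAN, directly connected
    ("10.100.0.0/24", "10.0.0.200", "eth1"),   # the static route from the thread
]
# Constructed sysctl state; absent per-interface keys default to 1 as in the kernel.
SYSCTL = {"net.ipv4.ip_forward": 1, "net.ipv4.conf.all.send_redirects": 1,
          "net.ipv4.conf.eth1.send_redirects": 1, "net.ipv4.conf.eth1.shared_media": 1}

def lookup(dst, routes=ROUTES):
    """Longest-prefix match.  Returns (gateway or None, device), or None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def _onlink(dev, src, gw, routes):
    """True if src (and gw, when set) lie in one directly connected prefix on dev."""
    nets = [ipaddress.ip_network(p) for p, g, d in routes if g is None and d == dev]
    return any(ipaddress.ip_address(src) in n and (gw is None or ipaddress.ip_address(gw) in n)
               for n in nets)

def route_decision(in_dev, src, dst, sysctl=SYSCTL, routes=ROUTES):
    """Routing-layer outcome for a packet received on in_dev.  A host redirect is flagged only
    when the packet leaves on the interface it arrived on, send_redirects is set on conf/all OR
    conf/<dev>, and shared_media is set or the gateway is on-link with the source."""
    if not sysctl.get("net.ipv4.ip_forward", 0):
        return {"action": "drop", "reason": "ip_forward=0"}
    hop = lookup(dst, routes)
    if hop is None:
        return {"action": "drop", "reason": "no route to host"}
    gw, out_dev = hop
    send_redirects = (sysctl.get("net.ipv4.conf.all.send_redirects", 1)
                      or sysctl.get(f"net.ipv4.conf.{out_dev}.send_redirects", 1))
    shared_media = sysctl.get(f"net.ipv4.conf.{out_dev}.shared_media", 1)
    redirect = bool(out_dev == in_dev and send_redirects
                    and (shared_media or _onlink(out_dev, src, gw, routes)))
    return {"action": "forward", "out_dev": out_dev, "next_hop": gw or dst, "redirect": redirect}

class Conntrack:
    """Just enough of nf_conntrack to give ICMP echo packets a ctstate."""
    def __init__(self):
        self.flows = {}  # (src, dst, icmp id) of tracked echo requests -> reply seen?
    def state(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["id"])
        if pkt["type"] == "echo-request":
            if self.flows.get(key):
                return "ESTABLISHED"         # flow already seen in both directions
            self.flows.setdefault(key, False)
            return "NEW"                     # first packet, or still unanswered
        reverse = (pkt["dst"], pkt["src"], pkt["id"])
        if reverse in self.flows:
            self.flows[reverse] = True
            return "ESTABLISHED"             # reply to a request this box forwarded
        return "INVALID"                     # reply to a request that never passed here

def forward_chain(rules, policy, in_dev, out_dev, ctstate):
    """First-match evaluation of an iptables FORWARD chain written as dicts."""
    for rule in rules:
        if rule.get("i") not in (None, in_dev) or rule.get("o") not in (None, out_dev):
            continue
        if "ctstate" in rule and ctstate not in rule["ctstate"]:
            continue
        return rule["target"]
    return policy

def router_handle(pkt, in_dev, ct, rules, policy="DROP"):
    """Route, flag the redirect, then run FORWARD: the order ip_forward() uses."""
    rd = route_decision(in_dev, pkt["src"], pkt["dst"])
    if rd["action"] != "forward":
        return {"verdict": "DROP", "ctstate": None, "redirect": False, "why": rd["reason"]}
    ctstate = ct.state(pkt)
    return {"verdict": forward_chain(rules, policy, in_dev, rd["out_dev"], ctstate),
            "ctstate": ctstate, "out_dev": rd["out_dev"], "next_hop": rd["next_hop"],
            "redirect": rd["redirect"]}

# Two constructed FORWARD chains that differ only in where the INVALID drop sits.
RULES_LAN_FIRST = [{"i": "eth1", "target": "ACCEPT"},            # "allow everything on eth1"
                   {"ctstate": {"INVALID"}, "target": "DROP"}]
RULES_INVALID_FIRST = list(reversed(RULES_LAN_FIRST))

def run_scenario(rules):
    """Ping B's request via the router, then Ping A's reply whose request bypassed it."""
    ct = Conntrack()
    request = {"type": "echo-request", "src": "10.0.0.5", "dst": "10.100.0.10", "id": 0x1234}
    # Ping A's request reached 10.0.0.5 through 10.0.0.200, so the router never tracked it,
    # yet the client hands its reply to its default gateway, the router.
    reply = {"type": "echo-reply", "src": "10.0.0.5", "dst": "10.100.0.10", "id": 0x0042}
    return {"request": router_handle(request, "eth1", ct, rules),
            "unsolicited_reply": router_handle(reply, "eth1", ct, rules)}
```

To compare the model against a real router, the analogues are `ip -4 route get 10.100.0.10 from 10.0.0.5 iif eth1` for the route lookup, `sysctl net.ipv4.conf.{all,eth1}.{send_redirects,shared_media}` for the redirect gates, `iptables -vnL FORWARD` for rule order, and `conntrack -L -p icmp` to see whether the echo request was ever tracked. Redirects are also rate-limited per destination (net.ipv4.route.redirect_load and redirect_number), so a missing redirect is not by itself proof of a misconfiguration.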


