4

I'm trying my first attempts at routing and hitting the "Network is unreachable" message.

My goal is to successfully ping from one machine (subnet 10.56.34.0) to a machine on a completely different network (10.1.201.0) even though my 10.56.34.0 subnet's gateway can't get there.

Here's what I have.

  • A business has created 3 subnets (don't know why): 10.56.33.0 / 10.56.34.0 / 10.56.35.0.
  • I have a Linux box on the 10.56.34.0 subnet with a default gateway at 10.56.34.1.
  • That same Linux box can ping a gateway on the 10.56.35.0 subnet (at 10.56.35.253)
  • A Windows machine on the 10.56.35.0 subnet can successfully ping the server at 10.1.201.157 going through the gateway at 10.56.35.253 (I ran tracert).

In my first bumbling efforts I tried setting up a route directly from the 10.56.34.209 Linux box to the 10.1.201.0 network using the 10.53.35.253 gateway. That's when I first hit the "Network is unreachable" message. In the interim I've found out that you can't use a gateway on another subnet. (the .34 subnet can't use the .35 gateway). I tried adding a default gateway using the 10.56.35.253 gateway and got the same "Network is unreachable" message.

Okay. So then how DO I get my Linux box on the .34 subnet to send specific traffic (traffic to 10.1.201.0 subnet) through the 10.56.35.253 gateway?

Drew Mills
  • 1. You can't configure your gateway to be a router on a different network (as you've discovered). 2. You can't create a static route through your DG on your machine to the remote network unless your DG has a route to that network, in which case the static route on your machine would be moot. So to clarify, the only way to get to the remote network from your local network is if your DG has a route to that remote network. No amount of diddling around with your DG settings or routing table will overcome that. – joeqwerty May 27 '14 at 21:51
  • Your DG at 10.56.34.1 needs a route to the 10.1.201.0 network. What that route is is completely dependent on the connectivity designed into the network. – joeqwerty May 27 '14 at 22:01
  • You haven't given us enough information on the best course of action. If the 10.56.35.253 box is supposed to be handling traffic for 10.56.34.0 through to 10.1.201.0, you can add a static route on your 10.56.34.0/24 gateway to route via 10.56.35.253 and the '253 box to route 10.56.34.0/24 back through your gateway, and add a route on the 10.1.201.0/24 box that passes 10.56.34.0/24 through 10.56.35.253... then maybe you'll be able to get packets through. Odds are this solution is more complex than it needs to be, but there's no way to tell without knowing more about your network topology. – Andrew Domaszek May 28 '14 at 01:51
  • Thanks everybody! This exposes the primary hole in my thinking. I thought that my Linux box could contain all the routing info it needed. If I am understanding correctly I need to focus on teaching my Linux box's DG (10.56.34.1) the routing info needed to reach my target. Again, many thanks. – Drew Mills May 28 '14 at 13:26

3 Answers

2

Assuming your subnet mask is 255.255.255.0, you shouldn't need to do anything. Your default gateway (10.56.34.1) should know the way to forward the packets to the destination host. You get the unreachable when you are setting 10.56.35.253 as gateway because your machine is not connected on the 10.56.35.0 network, so your TCP/IP stack cannot reach the gateway through layer 2 communication.

Maybe there is some kind of firewall / access lists that prevents your machine from reaching the destination?

Leave your default gateway set to 10.56.34.1 and try to ping 10.1.201.157 while you run tcpdump -n icmp in a different window. Do you get ICMP network unreachable or something like ICMP 3/13 admin prohibited filter? If you try to traceroute to the destination, what do you get?

lacasitos
  • Thanks. Yes, this is what I'm taking from the other comments as well. My DG does NOT know how to reach the destination and that's my problem. I was trying to teach my Linux box how to route there. Apparently I need to teach my Linux box's DG how to get there. – Drew Mills May 28 '14 at 13:28
0

Yes, you can do that, but it depends on your operating system.

On Windows this is most problematic.

Windows Server 2012 R2 and Windows 8.1 have the PowerShell cmdlets to enable direct access outside the subnet: "Get-NetOffloadGlobalSetting" shows the current state, and "Set-NetOffloadGlobalSetting -NetworkDirectAcrossIPSubnets" allows you to configure the value.

Although PowerShell understands the syntax of "NetworkDirectAcrossIPSubnets" on client operating systems, this feature is available for servers only; setting it under a client OS will give an error.

If you have a server with Windows virtual machines that need to access a gateway outside their own subnet, and you cannot use NetworkDirectAcrossIPSubnets, you can install another virtual machine with a router running under a Unix-like OS, e.g. pfSense. It can have multiple addresses outside the subnet, provided that at least one address is in the same subnet as a gateway, and it can do 1:1 NAT for your Windows virtual machines.

Maxim Masiutin
-5

It has to do with the subnet mask used.

You know, it's usually 255.255.255.0. Change that to 255.255.255.192. Your machine will now think that all three IP ranges are part of a single subnet instead of 3 subnets. You should then be able to pick the gateway that works for whatever you are plugged in to.

You might also want to check the router for VLANs. You may not be plugged into the right port.

RecentCoin
  • This is wrong, for more than one reason. 1. Changing his subnet mask isn't going to miraculously give him access to all three subnets. They are separate physical networks separated by routers. 2. The mask would need to be /22 not /26 to encompass all three subnets (255.255.252 not 255.255.255.192) (10.56.32.0 - 10.56.35.255). – joeqwerty May 27 '14 at 22:37
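The on-link gateway rule described in the first answer and the mask arithmetic in the comment above can be checked with Python's `ipaddress` module. This is an added example, not code from any poster in the thread; the addresses come from the question, the /24 mask is the first answer's assumption, and the function names are hypothetical.

```python
import ipaddress

# Addresses taken from the question; /24 is the first answer's assumption.
HOST = "10.56.34.209"
DEFAULT_GW = "10.56.34.1"
OTHER_GW = "10.56.35.253"
SUBNETS = ["10.56.33.0/24", "10.56.34.0/24", "10.56.35.0/24"]


def is_on_link(host, prefix_len, gateway):
    """True if `gateway` lies inside the network configured on the host's interface.

    Simplified model of the next-hop check made when a route is added:
    a gateway not covered by a connected network is rejected with
    "Network is unreachable".
    """
    iface = ipaddress.ip_interface(f"{host}/{prefix_len}")
    return ipaddress.ip_address(gateway) in iface.network


def smallest_covering_network(subnets):
    """Smallest single prefix that contains every subnet in `subnets`."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    candidate = nets[0]
    # Widen the prefix one bit at a time until all subnets fit inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def report(host, gateways, prefix_lens):
    """Map each prefix length to {gateway: on-link?} for the given host."""
    return {p: {g: is_on_link(host, p, g) for g in gateways} for p in prefix_lens}


if __name__ == "__main__":
    cover = smallest_covering_network(SUBNETS)
    print("covering network:", cover, "mask", cover.netmask)
    lens = [24, 26, cover.prefixlen]
    for plen, result in report(HOST, [DEFAULT_GW, OTHER_GW], lens).items():
        net = ipaddress.ip_interface(f"{HOST}/{plen}").network
        for gw, ok in result.items():
            print(f"{net} via {gw}: {'on-link' if ok else 'Network is unreachable'}")
```

With a /26 mask the host's network shrinks to 10.56.34.192/26, so even the existing default gateway 10.56.34.1 stops being on-link. A /22 passes the address test for both gateways, but that only means the host would try to reach 10.56.35.253 directly at layer 2, which the comment above says is a separate physical network behind a router.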