
Ethernet Network:

ServerA; IP=192.168.255.254; Mask=255.255.0.0; Bcast=192.168.255.255
   |
   |
  eth1 IP=192.168.1.254; Mask=255.255.0.0; Bcast=192.168.255.255
ServerB DHCP: 192.168.1.1 - 192.168.1.252
  eth0 IP=192.168.1.253; Mask 255.255.255.0; Bcast=192.168.1.255
   |
   |
Client1..252 IP over DHCP (192.168.1.1 - 192.168.1.252)

How can I connect/route so that a ClientX and ServerA can communicate?


Ping between ClientX and ServerB works.

Ping between ServerA and ServerB works.


I tried the steps from Routing between two networks on linux? to route between eth0 and eth1, but it didn't work.

/etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.253
    netmask 255.255.255.0
    broadcast 192.168.1.255

auto eth1
iface eth1 inet static
    address 192.168.1.254
    netmask 255.255.0.0
    broadcast 192.168.255.255

/etc/dnsmasq.conf:

interface=eth0
no-dhcp-interface=eth1
dhcp-range=interface:eth0,192.168.1.1,192.168.1.252,1

----------------------------------UPDATE 1------------------------------------

ServerA; IP=192.168.255.254; Mask=255.255.255.0; Bcast=192.168.255.255
   |
   |
  eth1 IP=192.168.255.1; Mask=255.255.255.0; Bcast=192.168.255.255
ServerB DHCP: 192.168.1.1 - 192.168.1.253
  eth0 IP=192.168.1.254; Mask 255.255.255.0; Bcast=192.168.1.255
   |
   |
Client1..253 IP over DHCP (192.168.1.1 - 192.168.1.253)

Routing:

 sysctl -w net.ipv4.ip_forward=1
 iptables -A INPUT -i lo -j ACCEPT       # Always accept loopback traffic
 iptables -A INPUT -i eth0 -j ACCEPT     # We allow traffic from the LAN side
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT        # Allow established connections
 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE    # Masquerade
 iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT      # forwarding
 iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT   # Allow outgoing connections from the LAN side.

Result:

Ping from ClientX to ServerA works, but not from ServerA to ClientX:

 $ ping 192.168.1.119
 PING 192.168.1.119 (192.168.1.119) 56(84) bytes of data.
 From 192.168.255.254 icmp_seq=1 Destination Host Unreachable
 From 192.168.255.254 icmp_seq=2 Destination Host Unreachable
 …

----------------------------------UPDATE 2 without iptables (Solution)------------------------------------

Network according to UPDATE 1:

                     ServerA
                        |
     |------------------|------------------|-------------…
   eth1               eth1                eth1
 ServerB             ServerC            ServerD
   eth0               eth0               eth0
     |                  |                  |
     |                  |                  …
  ClientX network     ClientY network

Routing on ServerA:

 route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.255.1
 route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.255.2
 …
 route add -net 192.168.N.0 netmask 255.255.255.0 gw 192.168.255.N

Forwarding on ServerB:

 sysctl -w net.ipv4.ip_forward=1

Ping between all network participants works without iptables.

stahlstngel

4 Answers


I can't comment on the Linux setup (I don't know anything about Linux), but if I were you I'd take a look at the IP addressing scheme you have used.

ServerA is on the 192.168.0.0/16 network; it is trying to access Client1 on another subnet with the IP address 192.168.1.252/24.

The problem is that ServerA will use its subnet mask when working out whether Client1 is on the same subnet as it or not. If it thinks Client1 is on the same subnet then ServerA will try to communicate directly with Client1 and not send traffic to the router.

Using the IP addressing scheme in the question, ServerA will see its network as 192.168.0.0/16 and, using its own subnet mask, will think Client1 is also on the 192.168.0.0/16 network.

Do all the things you need to do in Linux to enable routing, but then try changing the network ID on the client side to a different network address, perhaps:

172.16.0.0/16 or 10.0.0.0/8

Or anything that doesn't start with 192.168.

Alternatively, you could change the network ID of the network that ServerA is on to 192.168.0.0/24; that would work too.

Michael Brown
  • eth0 inet addr:192.168.1.253 Bcast:192.168.1.255 Mask:255.255.0.0 / eth1 inet addr:192.168.1.254 Bcast:192.168.255.255 Mask:255.255.0.0. When I change the subnet mask to the same network and "sysctl -w net.ipv4.ip_forward=1": ServerA is no longer reachable on the network. – stahlstngel Jun 29 '17 at 11:17
  • I think that's the problem, its addressing scheme is overlapping with the other interface – Michael Brown Jun 29 '17 at 11:23
  • The same happens when I additionally change the broadcast to 192.168.255.255 for eth1 and eth0. – stahlstngel Jun 29 '17 at 11:25
  • Hi, don't change both, I would just change one of them, maybe change the subnet that ServerA is on to 192.168.0.0/24 and make sure that ServerA and int eth0 have addresses between 192.168.0.1/24 and 192.168.0.254/24 – Michael Brown Jun 29 '17 at 11:51

By default, routing is not activated. To activate routing on Linux you must add this line: net.ipv4.ip_forward = 1

In this file: /etc/sysctl.conf

If you want to test, you can activate routing with this command: sysctl -w net.ipv4.ip_forward=1

Sorcha
  • Is this not the same as "echo 1 >> /proc/sys/net/ipv4/ip_forward" from the link? But also with the forward option there is no communication. – stahlstngel Jun 29 '17 at 10:57

Your 192.168.0.0/16 (192.168.0.0 - 192.168.255.255) contains 192.168.1.0/24 (192.168.1.0 - 192.168.1.255). Therefore, you can't have a route from ServerA to ClientX via ServerB.

Let's keep as many of the variables as they are and only modify what's necessary:

Keep:

  • ClientX configuration as is.
  • ServerB eth0 as is.
  • ServerA IP address 192.168.255.254 and Bcast=192.168.255.255.

Change:

  • ServerA netmask to 255.255.255.0.
  • ServerB eth1:

    auto eth1
    iface eth1 inet static
    address 192.168.255.253
    netmask 255.255.255.0
    broadcast 192.168.255.255
    

Of course you can use a wider netmask between ServerA and ServerB, as long as it doesn't overlap with 192.168.1.0/24; a /17, i.e. netmask 255.255.128.0, i.e. 192.168.128.0 - 192.168.255.255, is the widest range possible.

This being just a quick solution to the exact problem, please familiarize yourself with CIDR.

Now, based on the comments: let's say you have many servers and would like to use every single one as a router from its own subnet to 192.168.255.0/24, ServerA being 192.168.255.254. You could use a simple pattern in your configuration, where 192.168.255.254/24 works as the network between servers, the others being client-server networks.

           eth0            eth1
ServerB    192.168.1.253   192.168.255.1
ServerC    192.168.2.253   192.168.255.2
ServerD    192.168.3.253   192.168.255.3
...
Server<N>  192.168.N.253   192.168.255.N

Assuming eth0 works as the default gateway for the clients behind that particular server, every client is able to connect to ServerA via the intermediate servers. However, ServerA has a default route 0.0.0.0 via its own default gateway (unknown to us). That covers everything but its own subnet. You'll need to add one route for every subnet behind the other servers, i.e.

route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.255.1
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.255.2
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.255.3
...
route add -net 192.168.N.0 netmask 255.255.255.0 gw 192.168.255.N

You could make this persistent through the /etc/network/interfaces on ServerA, e.g.

auto eth0
iface eth0 inet static
    address 192.168.255.254
    netmask 255.255.255.0
    broadcast 192.168.255.255
    up route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.255.1
    up route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.255.2
    up route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.255.3
    down route del -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.255.1
    down route del -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.255.2
    down route del -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.255.3
Esa Jokinen
  • ServerB is only the first server under ServerA. Beside ServerB (192.168.1.XXX) come ServerC (192.168.2.XXX) and ServerD (192.168.3.XXX)... and so on. Therefore I need a /16 network between ServerA and ServerB. – stahlstngel Jun 29 '17 at 11:54
  • No, you don't. Simply, because this configuration wouldn't work. Let's say you have 40 servers and would like to use every single one as a router from its own subnet to `192.168.255.0/24`, server A being `192.168.255.254`. You could use a simple pattern between `eth0`/`eth1` configuration: `192.168.1.253`/`192.168.255.1`; `192.168.2.253`/`192.168.255.2`; ... `192.168.N.253`/`192.168.255.N`; Now, the `192.168.255.254/24` works as the network between servers, the other being client-server networks. – Esa Jokinen Jun 29 '17 at 12:13
  • Okay...I understand. Nice idea. I configured everything as mentioned. But still ping from ServerA to ClientX says "Destination Host Unreachable". I also did "sysctl -w net.ipv4.ip_forward=1". What did I miss??? – stahlstngel Jun 29 '17 at 14:10
  • Via iptables I am now able to ping ServerA from ClientX. But ServerA can not reach the Clients network. What did I miss? – stahlstngel Jun 30 '17 at 07:43
  • I completed my answer by adding information on how to set all routes from ServerA to clients. – Esa Jokinen Jun 30 '17 at 08:09
  • Thanks so much. The network is working correctly. Even without iptables, which keeps the kernel small and the configuration simple with the route command. – stahlstngel Jul 03 '17 at 06:48
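The subnet-mask argument in Michael Brown's answer and the /17 and per-spoke-route parts of the answer above can be checked with a small model of the Linux route lookup. The following is an added example, not code from the question or from any of the answers, and it uses Python rather than the shell commands on the page. It takes the addresses from the question and shows why ServerA with 192.168.255.254/16 treats 192.168.1.119 as on-link (so it ARPs for it and reports "Destination Host Unreachable" itself), why narrowing ServerA to /24 alone leaves it with no route to the clients, and how the routes from UPDATE 2 give it the right next hop. The function names, the 0.0.0.0/0 gateway 192.168.255.250 used in the demo and the number of spokes are assumptions made here; the model ignores metrics and policy routing.

```python
"""Added example (not from the original page): longest-prefix-match model of
the Linux route lookup, applied to the question's addresses. Names, the demo
default gateway 192.168.255.250 and the spoke count are assumptions."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# (destination network, gateway); gateway None means "connected / on-link".
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]


def build_table(if_addr: str, static: Iterable[Tuple[str, str]] = (),
                default_gw: Optional[str] = None) -> List[Route]:
    """Routes a host gets from one interface address such as
    "192.168.255.254/16": the connected route, the static routes given as
    (network, gateway) pairs, and an optional default route."""
    iface = ipaddress.ip_interface(if_addr)
    table: List[Route] = [(iface.network, None)]
    for net, gw in static:
        table.append((ipaddress.ip_network(net), ipaddress.ip_address(gw)))
    if default_gw is not None:
        table.append((ipaddress.ip_network("0.0.0.0/0"),
                      ipaddress.ip_address(default_gw)))
    return table


def lookup(table: List[Route], dst: str) -> str:
    """Longest-prefix match for dst. Returns "on-link" (the kernel ARPs for
    dst itself; an unanswered ARP is what ping reports as "Destination Host
    Unreachable" from the sender), "via <gateway>", or "unreachable" when no
    route matches at all (ping then reports "Network is unreachable")."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, gw in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return "unreachable"
    return "on-link" if best[1] is None else f"via {best[1]}"


def overlaps(a: str, b: str) -> bool:
    """True when the two networks share at least one address."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def widest_uplink_prefix(host: str, avoid: str) -> int:
    """Shortest prefix length host's network can use without overlapping
    `avoid`; for 192.168.255.254 and 192.168.1.0/24 that is 17."""
    bad = ipaddress.ip_network(avoid, strict=False)
    for plen in range(0, 33):
        if not ipaddress.ip_network(f"{host}/{plen}", strict=False).overlaps(bad):
            return plen
    return 32


def spoke_routes(n: int) -> List[Tuple[str, str]]:
    """The UPDATE 2 pattern on ServerA: 192.168.N.0/24 via 192.168.255.N."""
    return [(f"192.168.{i}.0/24", f"192.168.255.{i}") for i in range(1, n + 1)]


if __name__ == "__main__":
    client = "192.168.1.119"  # the client pinged from ServerA in UPDATE 1
    print("ServerA /16 (question):   ", lookup(build_table("192.168.255.254/16"), client))
    print("ServerA /24, no routes:   ", lookup(build_table("192.168.255.254/24"), client))
    fixed = build_table("192.168.255.254/24", spoke_routes(3), "192.168.255.250")
    print("ServerA /24 + spoke routes:", lookup(fixed, client))
    print("/16 overlaps the clients: ", overlaps("192.168.0.0/16", "192.168.1.0/24"))
    print("widest uplink prefix:      /%d"
          % widest_uplink_prefix("192.168.255.254", "192.168.1.0/24"))
```

The first lookup is the failure from the question: the connected /16 is the longest match, so ServerA never hands the packet to ServerB. The second shows that the /24 on its own only removes the wrong answer; the spoke routes (or a default route pointing at a router that knows them) supply the right one.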

You can't ping from server to client because you're only allowing RELATED and ESTABLISHED connections in that direction:

iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

When you ping in the other direction, it works because you have a different rule for that:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
mrc02_kr
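For ServerB, the asymmetric FORWARD rules from UPDATE 1 can be put next to a symmetric set that forwards both directions between the two trusted subnets. This is an added example, not code from the answer above or from the question. The LAN/WAN interface names, the function names and the DRY_RUN switch are assumptions made here; with DRY_RUN=1 (the default) the iptables and sysctl commands are printed rather than executed, so the script can be reviewed on any host, and DRY_RUN=0 as root applies them. ServerA still needs the static route from UPDATE 2 (route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.255.1) for its packets to reach ServerB at all.

```shell
#!/bin/sh
# Added example (not from the original page). Assumptions: eth0 is the client
# side (192.168.1.0/24), eth1 the ServerA side (192.168.255.0/24), DRY_RUN=1
# prints commands instead of running them.
set -u
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# UPDATE 1 as posted: eth1->eth0 only passes replies to flows the LAN side
# started, so a ping that ServerA initiates towards a client is dropped here.
asymmetric_forward() {
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
}

# Plain routing between two trusted subnets: both directions are forwarded
# and there is no MASQUERADE, so ServerA sees the real client addresses and
# reaches them through its static route. The DROP policy on FORWARD keeps
# traffic between any other interface pair from being forwarded.
symmetric_forward() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -j ACCEPT
}

# Usage: DRY_RUN=0 ./forward-rules.sh apply   (as root, on ServerB)
if [ "${1:-}" = apply ]; then
    symmetric_forward
fi
```

Restricting the second rule to ICMP (-p icmp) instead of accepting everything from eth1 is the tighter choice if ServerA only needs to ping the clients; the page's own solution simply drops iptables on ServerB altogether.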