centos 6 gateway setup

roberto26
Posts: 7
Joined: 2019/09/30 09:15:05

centos 6 gateway setup

Post by roberto26 » 2019/09/30 09:53:41

Good morning,

I have a problem with configuring a centos 6 machine as a gateway for a private LAN. I apologize if the following description is confused, I'll do my best.

The Centos 6 machine has three network cards:

eth0 inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
eth1 inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
eth2 inet addr:10.1.6.99 Bcast:10.1.255.255 Mask:255.255.0.0

the routing table is as follows:

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
10.1.0.0 * 255.255.0.0 U 0 0 0 eth2
link-local * 255.255.0.0 U 1002 0 0 eth0
link-local * 255.255.0.0 U 1003 0 0 eth1
link-local * 255.255.0.0 U 1004 0 0 eth2
default 10.1.1.1 0.0.0.0 UG 0 0 0 eth2

Moreover, net.ipv4.ip_forward=1

I would like to use this machine as a gateway for the nodes in the 192.168.1.0/24 network

I am testing the setup on a Centos5 machine with a network card (actually it has two network cards but I have disabled eth0 to make things simpler)

eth1 inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0

with this routing table

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1 (note: 192.168.1.254 is the eth1 card of the gateway)


I CAN:

ping to 192.168.1.254
ping to whatever machine on the 192.168.1.0/24 network
ping to whatever machine on the 192.168.0.0/24 network (hence, the gateway works at least between 192.168.0.0/24 and 192.168.1.0/24 networks)
ping to 10.1.6.99 (the IP address of the eth2 card on the gateway)

I CANNOT

ping to 10.1.1.1 or whatsoever address beyond 10.1.6.99


I understand that this is only part of the relevant information.
Files /etc/sysconfig/network or /etc/sysconfig/networking-scripts/ifcfg-eth? both of the gateway and of the node could be useful, but before sending about tons of unnecessary information I would prefer that someone expert would ask me for what is really necessary.

Thank you all very much in advance.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: centos 6 gateway setup

Post by aks » 2019/09/30 19:26:53

This (at least on the surface) does not make sense!

I seem to think the default route should be this router's interface (rather than something else). So something like default via 10.1.6.99/32 rather than the default via 10.1.1.1/32. So "squirt this down this interface in the face of no better path".

Re-reading, I'm a little confused.
> ping to 10.1.1.1 or whatsoever address beyond 10.1.6.99
Does that mean I can ping (or whatever) from 192.168.x.x/24 to 10.1.6.99 ONLY, or I can ping from 192.168.x.x/24 to the range 10.1.1.2 to 10.1.6.98?

Logically, it *should* work, but it doesn't (and why only up to 10.1.6.99 which seems an arbitrary cut off it's not even "bit aligned"?)

From *this* router's viewpoint it *should* know that all of 10.1.0.0/16 goes via eth2, perhaps you have to do it at a higher level as in all this stuff should go down via the interface using the address 10.1.6.99?

But it's a bit of a guess.

Can't you traceroute/path?

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: centos 6 gateway setup

Post by Whoever » 2019/10/01 03:02:19

I don't understand what is going on here:

default 10.1.1.1 0.0.0.0 UG 0 0 0 eth2

and this:

0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1

They seem to conflict.

roberto26
Posts: 7
Joined: 2019/09/30 09:15:05

Re: centos 6 gateway setup

Post by roberto26 » 2019/10/01 05:48:06

I fear I have not been clear.

Computer "A" is the server, the machine with three ethernet cards. The routing table of "A" (CentOS 6.10) is:

[root@usvc ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 eth2
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth2

It means that:

local network 192.168.0.0/24 is accessed through eth0 (ip address 192.168.0.254)
local network 192.168.1.0/24 is accessed through eth1 (ip address 192.168.1.254)
local network 10.1.0.0/16 is accessed through eth2 (ip address 10.1.6.99)
all other addresses are accessed by eth2 via the gateway 10.1.1.1

If I ping to google dns 8.8.8.8 I have:

[root@usvc ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=12.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=12.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=12.4 ms
.......

Moreover:

[root@usvc ~]# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.1.1.1 (10.1.1.1) 0.674 ms 0.921 ms 1.147 ms
2 ............

hence, "A" can actually reach internet servers via the gateway 10.1.1.1

Now, I have a second computer "B" in the local network 192.168.1.0/24. The routing table of "B" (CentOS 5.2) is:

[root@usv2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1

It means that it can communicate with local network 192.168.1.0/24 through eth1 (ip address 192.168.1.2) and with the rest of the world via the gateway 192.168.1.254 (THAT IS, THE eth1 card ON "A")

If I ping from "B" to eth1 on "A" I obtain:

[root@usv2 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.096 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.103 ms
.......

that's ok

If I ping from "B" to a machine in the local network 192.168.0.0/24 I obtain:

[root@usv2 ~]# ping 192.168.0.7
PING 192.168.0.7 (192.168.0.7) 56(84) bytes of data.
64 bytes from 192.168.0.7: icmp_seq=1 ttl=64 time=1.52 ms
64 bytes from 192.168.0.7: icmp_seq=2 ttl=64 time=0.145 ms
.......

that's ok, "B" goes through eth1 card of "A" which acts as gateway to local network 192.168.0.0/24 on eth0 card. In fact:

[root@usv2 ~]# traceroute -n 192.168.0.7
traceroute to 192.168.0.7 (192.168.0.7), 30 hops max, 40 byte packets
1 192.168.1.254 0.088 ms 0.064 ms 0.094 ms
2 192.168.0.7 0.138 ms 0.132 ms 0.125 ms

Moreover, I can ping from "B" to the eth2 card on "A":

[root@usv2 ~]# ping 10.1.6.99
PING 10.1.6.99 (10.1.6.99) 56(84) bytes of data.
64 bytes from 10.1.6.99: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 10.1.6.99: icmp_seq=2 ttl=64 time=0.136 ms
64 bytes from 10.1.6.99: icmp_seq=3 ttl=64 time=0.081 ms
....

but I CANNOT ping to 10.1.1.1 (that is, the gateway for machine "A"):

[root@usv2 ~]# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.

--- 10.1.1.1 ping statistics ---
118 packets transmitted, 0 received, 100% packet loss, time 116999ms


It seems that "A" is forwarding network traffic from eth1 to eth0, but refuses to forward traffic from eth1 to eth2 (or better, beyond eth2).

Finally, I have disabled firewalls both on "A" and on "B" so this should not be an issue.

I don't think this post is clearer than the previous one, I trust much more in your experience and understanding than on my english :-)

Thank you again for your support.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: centos 6 gateway setup

Post by Whoever » 2019/10/01 15:46:01

Have you set up NAT/MASQ on computer "A"?

What are the IPTABLES rules? Do they allow forwarding?

roberto26
Posts: 7
Joined: 2019/09/30 09:15:05

Re: centos 6 gateway setup

Post by roberto26 » 2019/10/03 05:34:28

> Have you set up NAT/MASQ on computer "A"?
>
> What are the IPTABLES rules? Do they allow forwarding?

I have disabled iptables both on "A" and on "B":

[root@usvc ~]# chkconfig --list | grep iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off

and:

[root@usvc ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


and the same on "B"

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: centos 6 gateway setup

Post by Whoever » 2019/10/03 15:32:45

> but I CANNOT ping to 10.1.1.1 (that is, the gateway for machine "A"):
>
> [root@usv2 ~]# ping 10.1.1.1
> PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
>
> --- 10.1.1.1 ping statistics ---
> 118 packets transmitted, 0 received, 100% packet loss, time 116999ms

Does 10.1.1.1 know that machine B is behind machine A? You either need to configure the routes on the network, or configure NAT or MASQ on machine A.

roberto26
Posts: 7
Joined: 2019/09/30 09:15:05

Re: centos 6 gateway setup

Post by roberto26 » 2019/10/06 17:27:53

Dear Whoever,


> Does 10.1.1.1 know that machine B is behind machine A? You either need to configure the routes on the network, or configure NAT or MASQ on machine A.

No, it doesn't. This is the problem.
Thank you very much for your help in understanding the problem.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: centos 6 gateway setup

Post by Whoever » 2019/10/06 18:42:13

Then you need to configure NAT or MASQ using iptables for outgoing packets on eth2 of server A.

roberto26
Posts: 7
Joined: 2019/09/30 09:15:05

Re: centos 6 gateway setup

Post by roberto26 » 2019/10/07 07:28:10

Dear Whoever and all,

> Then you need to configure NAT or MASQ using iptables for outgoing packets on eth2 of server A.

it was as easy as issuing:

iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

on machine "A" and now it is all working fine. Thanks again :-)
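
A tighter variant of the rule above, as an added example that is not part of the original thread: it masquerades only the 192.168.1.0/24 clients on eth2 and replaces the open FORWARD policy with explicit, stateful rules. The function name `gateway_rules`, the FORWARD DROP policy and the decision to keep eth0/eth1 forwarding open are assumptions of this example; the interface names and prefix are the ones posted above.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for
# gateway "A". Interface names and the LAN prefix are the ones in the thread;
# the FORWARD policy and rules are assumptions of this example.

gateway_rules() {
    lan_if=$1    # interface facing the clients, eth1 in the thread
    wan_if=$2    # interface facing 10.1.1.1, eth2 in the thread
    lan_net=$3   # client network, 192.168.1.0/24 in the thread
    peer_if=$4   # second internal interface, eth0 in the thread

    # Refuse anything that is not a plain interface name or IPv4 CIDR, so a
    # stray argument cannot smuggle extra options into the ruleset.
    for ifname in "$lan_if" "$wan_if" "$peer_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $ifname" >&2; return 1 ;;
        esac
    done
    case $lan_net in
        ''|*[!0-9./]*) echo "bad network: $lan_net" >&2; return 1 ;;
    esac

    # INPUT and OUTPUT stay ACCEPT, as on the machine in the thread; only
    # forwarded traffic is restricted.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $lan_if -o $peer_if -j ACCEPT
-A FORWARD -i $peer_if -o $lan_if -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the thread's topology; review it, then load it on "A"
# with: gateway_rules eth1 eth2 192.168.1.0/24 eth0 | iptables-restore
gateway_rules eth1 eth2 192.168.1.0/24 eth0
```

On CentOS 6, `service iptables save` writes the loaded rules to /etc/sysconfig/iptables and `chkconfig iptables on` reloads them at boot. The thread shows the iptables service switched off in every runlevel, so a rule added by hand is lost at the next reboot.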
