define route in route-eth0:x file for virtual network

horsebeef
Posts: 3
Joined: 2014/01/14 21:56:54


Post by horsebeef » 2020/06/18 19:42:44

The environment I'm testing this in is Azure, which may or may not contribute to the challenge I am experiencing.

I have a CentOS 7 vm with two NICs: eth0 and eth1. The second NIC will eventually host seven static IPs defined as: eth1:202..eth1:208.

I presently have eth1:202 up and running. Here's the address:

Code: Select all

# ip a | grep 202
    inet 10.0.0.202/24 brd 10.0.0.255 scope global secondary eth1:202

I cannot ping the gateway or another address in the subnet:

Code: Select all

# ping -I 10.0.0.202 10.0.0.4
PING 10.0.0.4 (10.0.0.4) from 10.0.0.202 : 56(84) bytes of data.
^C
--- 10.0.0.4 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

# ping -I 10.0.0.202 10.0.0.5
PING 10.0.0.5 (10.0.0.5) from 10.0.0.202 : 56(84) bytes of data.
^C
--- 10.0.0.5 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

Microsoft's documentation states:

"For Linux VMs, when trying to validate outbound connectivity from a secondary NIC, you may need to add appropriate routes."

The route-eth1:202 file contains one line:

Code: Select all

10.0.0.0/32 via 10.0.0.202 dev eth1:202 src 10.0.0.202

The route displays as:

Code: Select all

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.0.0.202      255.255.255.255 UGH   0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
168.63.129.16   10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
169.254.169.254 10.0.0.1        255.255.255.255 UGH   0      0        0 eth0

It's a little odd to me that the Iface is listed as eth1 rather than eth1:202.

Continuing, I am still unable to ping my gateway via this device:

Code: Select all

# ping -I 10.0.0.202 10.0.0.4
PING 10.0.0.4 (10.0.0.4) from 10.0.0.202 : 56(84) bytes of data.
^C
--- 10.0.0.4 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

I can ping from the address defined by the eth0 device just fine:

Code: Select all

# ping -I 10.0.0.200 10.0.0.5
PING 10.0.0.5 (10.0.0.5) from 10.0.0.200 : 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=1.59 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=1.43 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=0.865 ms
^C
--- 10.0.0.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.865/1.299/1.597/0.313 ms

Do these syntaxes appear correct?
Thanks for any help!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: define route in route-eth0:x file for virtual network

Post by TrevorH » 2020/06/18 22:38:42

I am not sure that aliases work like that. I'm pretty sure that they do not use route-$interface files, or if they do, it'll be the one for the base interface, not the alias of it.

It might be easier to describe what you're trying to do rather than looking at the method of execution of it, so forget aliases and interfaces and tell us what you actually want to achieve (the end goal, not the way you think you need to use to get there).

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: define route in route-eth0:x file for virtual network

Post by jlehtone » 2020/06/19 09:19:11

Furthermore, alias interfaces have been obsolete since the introduction of iproute2 two decades ago. https://www.kernel.org/doc/html/latest/ ... alias.html

One interface (NetworkManager connection) can have multiple addresses on it directly, without aliases.

Multiple addresses on the same subnet are problematic.
When your processes send something out, which address should they use? You can set it for ping, but what about other programs?
(There is a concept of network namespaces, but frankly I have no idea how to use them.)
When your processes reply to something, does the system know the destination that was in the packet that is replied to?

I do agree: please tell the end goal.

horsebeef
Posts: 3
Joined: 2014/01/14 21:56:54

Re: define route in route-eth0:x file for virtual network

Post by horsebeef » 2020/06/19 14:58:11

Thanks for the responses. This VM is behind a firewall to which we're adding IPSec connections to a client's firewall. My understanding is that we need to set routes for each "phase two" path to direct traffic to the correct end-point, such as:

Code: Select all

10.0.0.202 --> 10.42.5.107
10.0.0.203 --> 10.42.5.108
10.0.0.204 --> 10.42.5.109
10.0.0.205 --> 10.42.5.110

This is the second IPSec we're standing up. The original one has routes set such as:

Code: Select all

$ cat route-eth0\:220
145.17.87.77 via 192.168.2.1 src 192.168.2.220

so I was just trying to replicate what is working.

I do notice that the routes do not mention the virtual interface, as Trevor pointed out:

Code: Select all

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 eth0
10.6.115.240    192.168.2.1     255.255.255.255 UGH   0      0        0 eth0
10.6.115.107    192.168.2.1     255.255.255.255 UGH   0      0        0 eth0
10.6.115.108    192.168.2.1     255.255.255.255 UGH   0      0        0 eth0
10.6.115.109    192.168.2.1     255.255.255.255 UGH   0      0        0 eth0
10.6.115.110    192.168.2.1     255.255.255.255 UGH   0      0        0 eth0
10.6.115.115    192.168.2.1     255.255.255.255 UGH   0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
145.17.87.77   192.168.2.1     255.255.255.255 UGH   0      0        0 eth0
145.17.114.241 192.168.2.1     255.255.255.255 UGH   0      0        0 eth0

Maybe this is more of an IPSec question than an IP routing question...

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: define route in route-eth0:x file for virtual network

Post by jlehtone » 2020/06/19 15:42:26

IPSec. A VPN. VPN tunnel is between host and host, host and site, or site and site. Not clear, which scenario you have.

I had an IPSec based VPN some 15 years ago. Can't remember any details.
There are multiple IPSec implementations, aren't there? https://wiki.gnome.org/Projects/NetworkManager/VPN

I've recently used openvpn and with it routing is relatively trivial.
Apparently, that does not hold with IPSec: https://www.servercentral.com/blog/brin ... ver-ipsec/

https://www.juniper.net/documentation/e ... nding.html
mentions "tunnel mode" and "transport mode", and both policy-based and route-based setups.


PS. The route -n is an "old command". The iproute2 has ip ro, which IMHO has more readable output.

neutronsnowball
Posts: 16
Joined: 2016/10/27 18:09:29

Re: define route in route-eth0:x file for virtual network

Post by neutronsnowball » 2020/06/19 21:10:53

Yes, it's an IPSec VPN providing IP to port communications. For example, I use ncat to test if the connection is alive:

Code: Select all

nc -w 3 -zs ${LOCAL_IP} ${REMOTE_IP} ${REMOTE_PORT} ; SUCCESS=$?

Route print from the working example using the newer tool:

Code: Select all

$ ip ro
default via 192.168.2.1 dev eth0 proto static metric 100 
10.76.48.240 via 192.168.2.1 dev eth0 src 192.168.2.221 
10.6.115.107 via 192.168.2.1 dev eth0 src 192.168.2.57 
10.6.115.108 via 192.168.2.1 dev eth0 src 192.168.2.61 
10.6.115.109 via 192.168.2.1 dev eth0 src 192.168.2.101 
10.6.115.110 via 192.168.2.1 dev eth0 src 192.168.2.45 
10.6.115.115 via 192.168.2.1 dev eth0 src 192.168.2.51 
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.222 metric 100 
145.17.87.77 via 192.168.2.1 dev eth0 src 192.168.2.220 
145.17.114.241 via 192.168.2.1 dev eth0 src 192.168.2.46
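
Added example, not part of the original posts: a simplified Python model of how the routes printed above steer traffic. It parses the `ip ro` lines from this post, picks the most specific matching route, and returns that route's `src` hint, the address the kernel prefers for sockets that did not bind one themselves. The function names and the key/value parsing shortcut are this example's own assumptions.

```python
import ipaddress

# Routing table copied from the `ip ro` output in the post above.
IP_RO = """\
default via 192.168.2.1 dev eth0 proto static metric 100
10.76.48.240 via 192.168.2.1 dev eth0 src 192.168.2.221
10.6.115.107 via 192.168.2.1 dev eth0 src 192.168.2.57
10.6.115.108 via 192.168.2.1 dev eth0 src 192.168.2.61
10.6.115.109 via 192.168.2.1 dev eth0 src 192.168.2.101
10.6.115.110 via 192.168.2.1 dev eth0 src 192.168.2.45
10.6.115.115 via 192.168.2.1 dev eth0 src 192.168.2.51
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.222 metric 100
145.17.87.77 via 192.168.2.1 dev eth0 src 192.168.2.220
145.17.114.241 via 192.168.2.1 dev eth0 src 192.168.2.46
"""

def parse_routes(text):
    """Parse `ip route` lines; assumes attributes are key/value pairs, as above."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        route = {"prefix": ipaddress.ip_network(dest), "metric": 0}
        for key, val in zip(tok[1::2], tok[2::2]):
            if key in ("via", "dev", "src"):
                route[key] = val
            elif key == "metric":
                route["metric"] = int(val)
        routes.append(route)
    return routes

def lookup(routes, dst):
    """Most specific matching route (lowest metric on ties), or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["prefix"]]
    return max(hits, key=lambda r: (r["prefix"].prefixlen, -r["metric"]), default=None)

def source_for(routes, dst):
    """The route's src hint for dst; None means no hint (or no route), so the
    kernel would choose an address on the outgoing device itself."""
    route = lookup(routes, dst)
    return route.get("src") if route else None

if __name__ == "__main__":
    table = parse_routes(IP_RO)
    for dst in ("10.6.115.107", "145.17.87.77", "192.168.2.1", "8.8.8.8"):
        print(dst, "->", lookup(table, dst).get("via", "on-link"), "src", source_for(table, dst))
```

On a live host, `ip route get <destination>` reports the route and source address the kernel itself would select.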

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: define route in route-eth0:x file for virtual network

Post by jlehtone » 2020/06/20 10:04:31

Aren't there essentially two approaches to VPN?

1. The tunnel has a subnet and is represented by a separate interface. Routes to subnets as usual.

Code: Select all

       /--wan--\
A--rtr1         rtr2--B
       \==vpn==/

Both routers have three subnets. (Open)vpn processes in the routers communicate with each other over wan. Other traffic between routers is not encrypted.
rtr1 is configured to route traffic destined to subnet B via subnet vpn.
rtr2 is configured to route traffic destined to subnet A via subnet vpn.
When a member of A sends to a member of B, it hands the packet to the gateway, rtr1.
Rtr1 sends it to vpn. (Open)vpn in rtr1 sends encrypted packets to rtr2 via wan.
(Open)vpn in rtr2 receives encrypted packets from rtr1 via wan. The packet arrives at rtr2 from vpn. Rtr2 forwards it to B.

2. Some traffic is encrypted.

Code: Select all

A--rtr1--wan--rtr2--B

rtr1 has a simple route: to subnet B via rtr2
rtr2 has a simple route: to subnet A via rtr1
rtr1 and rtr2 encrypt everything that passes between them.


It is not clear what the endpoints of your VPN tunnels are.
It is not clear why you should have more than just the address 192.168.2.222 on this host.
