[personal profile] solarbird

I’m finally getting back to working on a new gateway/router server and I’m basically setting up this old-school sort of DMZ, with the rest of our servers hanging off one card, and our internal LAN/DHCP/NAT side hanging off the other. (Using ISC, which Debian seems to like.) And all of that seems to be right from the new server’s perspective, which is yay!

Except there’s no packet forwarding from the DHCP side, even though it’s enabled and I’m sure I enabled it and yes, the kernel thinks it’s enabled, but it isn’t happening.

Any ideas where to start?

Mirrored from Crime and the Blog of Evil. Come check out our music at:
Bandcamp (full album streaming) | Videos | iTunes | Amazon | CD Baby

HALLO IS IT PLUGGED IN

Date: 2017-06-24 01:05 pm (UTC)
From: [personal profile] rmd
Speaking from near ignorance about that particular Debian setup, but with some clue about larger-scale networks: is Debian configured to act as a DHCP relay here? I think dhcp-relay is a separate package, so I figured I'd ask the stupid question.

Re: HALLO IS IT PLUGGED IN

Date: 2017-06-25 09:39 am (UTC)
From: [personal profile] vatine
If the problem is "thing tries to get DHCP from the other side of a router, but it fails", then, you would need something to relay the DHCP request, since it's sent to the ethernet broadcast MAC (and probably 255.255.255.255 as the IP destination) and isn't supposed to transit through routers.

Date: 2017-06-25 09:15 pm (UTC)
From: [personal profile] deskitty
So, it's been a long time since I've touched Linux routing (college, maybe?), but here are some tidbits from what I remember.

Quick checklist of "did you plug it in" things:

  1. Are routes/gateways configured correctly on all affected systems including the router?

  2. sysctl net.ipv4.ip_forward == 1

  3. iptables -t nat -L has proper entries (IPs and interfaces) for all your networks in POSTROUTING (and PREROUTING for anything in the DMZ with forwarded ports).

    • You may need to do something special for UPnP if you want to enable it for systems in your internal network; I'm not sure what that would entail since I've never had to do this myself.

  4. iptables -L has appropriate ACCEPT rules in the FORWARD chain.

  5. Make sure you don't have any other rules (in INPUT and OUTPUT) that would drop packets that would otherwise be routable.


More details would be helpful -- what exactly are you observing that suggests forwarding isn't happening? (Wireshark/tcpdump, missing TCP ACKs, etc.?)

If none of the above rings a bell, I suggest taking tcpdump traces on the router at your ingress and egress interfaces, and comparing what's coming in with what's going out. That would help narrow things down.
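The "did you plug it in" checklist above, turned into a small script as an added example (not from anyone in the thread). It assumes a two-NIC Debian router with iptables; the interface names eth0 (DMZ side) and eth1 (LAN side), the LAN subnet, and the script name forwardcheck.sh are placeholders. The checks themselves take the command output as text, so they can be exercised without root; the `report` function runs them against the live system.

```shell
#!/bin/sh
# Added example: scripted version of the forwarding checklist for a two-NIC router.
# Interface names are placeholders; override with DMZ_IF=... LAN_IF=... in the environment.
DMZ_IF="${DMZ_IF:-eth0}"     # placeholder: DMZ/egress side
LAN_IF="${LAN_IF:-eth1}"     # placeholder: internal LAN/DHCP/NAT side

# Item 2: kernel forwarding. $1 is the content of /proc/sys/net/ipv4/ip_forward.
forward_enabled() { [ "$1" = "1" ]; }

# Item 3: NAT. $1 is the output of `iptables -t nat -S POSTROUTING`; passes when a
# MASQUERADE or SNAT rule applies to traffic leaving via the DMZ interface.
nat_rules_ok() {
    printf '%s\n' "$1" | grep -qE -e "^-A POSTROUTING .*-o $DMZ_IF .*-j (MASQUERADE|SNAT)"
}

# Item 4: FORWARD chain. $1 is the output of `iptables -S FORWARD`; passes when the
# chain policy is ACCEPT or an explicit ACCEPT rule matches packets entering from the LAN.
forward_rules_ok() {
    printf '%s\n' "$1" | grep -qE -e '^-P FORWARD ACCEPT$' && return 0
    printf '%s\n' "$1" | grep -qE -e "^-A FORWARD .*-i $LAN_IF .*-j ACCEPT" && return 0
    return 1
}

# Added ordering check: rules are evaluated top to bottom, so a DROP/REJECT placed before
# the ACCEPT rules silently wins. Passes when the first terminating FORWARD rule is ACCEPT
# (or there are none). $1 as in forward_rules_ok.
first_forward_verdict_ok() {
    first=$(printf '%s\n' "$1" | grep -E -e '^-A FORWARD .*-j (ACCEPT|DROP|REJECT)' | head -n 1)
    [ -z "$first" ] || printf '%s\n' "$first" | grep -qE -e '-j ACCEPT$'
}

# Live run against this host (iptables needs root): `sh forwardcheck.sh check`
report() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)
    forward_enabled "$fwd" && echo "ok   ip_forward=1" || echo "FAIL ip_forward=${fwd:-unreadable}"
    nat=$(iptables -t nat -S POSTROUTING 2>/dev/null)
    nat_rules_ok "$nat" && echo "ok   NAT rule out $DMZ_IF" || echo "FAIL no MASQUERADE/SNAT out $DMZ_IF"
    fw=$(iptables -S FORWARD 2>/dev/null)
    forward_rules_ok "$fw" && echo "ok   FORWARD accepts from $LAN_IF" || echo "FAIL FORWARD blocks $LAN_IF"
    first_forward_verdict_ok "$fw" && echo "ok   no early DROP in FORWARD" || echo "FAIL DROP/REJECT precedes ACCEPT in FORWARD"
}
[ "${1:-}" = "check" ] && report
```

A FAIL on the ip_forward or FORWARD lines explains "the kernel thinks it's enabled but nothing moves" far more often than a NAT problem; if all four pass, the tcpdump comparison on both interfaces is the next step.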
