- 04-17-2009 #11 Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
It should work xandrei, how is your NAT'ing setup?
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 04-17-2009 #12 Just Joined!
- Join Date
- Apr 2009
- Posts
- 90
So, you have two Machines, on Local Network addresses (like 192.168.1.100, 192.168.2.100) - and want to be able to access them externally?
Keep in mind that your router will be using NAT too, and this means to the outside world - there is only ONE machine (your router) - and not however many there are behind the router.
Let's say your router's external IP is 91.1.2.3, that is the only address to which others can connect to you. Your 192.168.1.100 means nothing outside of your local network.
To solve this, you need to set up Port Forwarding on the router like so:
Forward Port 80 from the router to Port 80 on 192.168.1.100
Forward Port 81 from the router to Port 80 on 192.168.2.100
Then people can access 2. using the router's ip and port 81, and access 1. from the router's ip and port 80.
If you need more than this, then you need to think about maybe setting up a VPN.
- 04-17-2009 #13 Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
If xandrei wants to direct incoming http requests to dedicated hosts there are a lot of ways that have absolutely no need whatsoever for a VPN.
Using apache as a proxy would be just one of them.
So for now, let's just stay on topic and get the network working the way they want it to....
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 04-18-2009 #14 Just Joined!
- Join Date
- Apr 2009
- Posts
- 8
I'm beginning to suspect a NAT issue on the router less and less while thinking of a problem on the network config on the server itself.
The reason for this is as follows: I've added another workstation on the same LAN eth1 is connected to (behind the same router). This new workstation (IP addr: 192.168.0.100) has only 1 NIC configured and uses the router for internet connectivity. I've installed apache, and then set port forwarding on a high port number on the router. When tested on the public IP, the connection took the right path to the apache server on the new workstation displaying the correct webpage. I guess that means that NAT does work on the router.
I then went back to the 2 NICs server and ran tcpdump on interface eth1 (IP addr: 192.168.0.110).
I first attempted a connection to the http server from the newly added workstation (192.168.0.100 to 192.168.0.110). The result was what appeared as a normal TCP transaction, and the web page displayed correctly on the requesting machine's web browser.
Then I attempted a connection on the public IP with the port number that the http server listens on eth1. What I got was only the SYN (S) part of the three-way TCP handshake repeated a number of times and eventually stopped with a "Network Timeout" message displayed on the requesting browser. Here is part of the dump:
Code:
22:50:45.648553 IP (tos 0x0, ttl 64, id 35319, offset 0, flags [DF], proto TCP (6), length 60) < originating public IP on eth0 >.59894 > 192.168.0.110.squid: S, cksum 0xe3f6 (correct), 2205318165:2205318165(0) win 5840 <mss 1460,sackOK,timestamp 23459298 0,nop,wscale 6>
What I believe might happen has to do with the route setup. Here's what I get when dialling "route -n" in the console:
Code:
192.168.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
80.xxx.xx.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 80.xxx.xx.1 0.0.0.0 UG 0 0 0 eth0
I have manually added this line:
192.168.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth1
with route add -net, hoping that a gateway specification might help, but it didn't. The other line:
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
is added automatically when configuring eth1 via ifconfig.
I suspect that the second SYN part of the TCP transaction is routed via eth0, since the IP making the request fits only the last pattern (0.0.0.0) in the routing table.
LE: fixed a badly edited tcp dump log
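The routing suspicion in the post above can be checked with a longest-prefix-match lookup over the posted `route -n` table. This is an added example, not part of the original thread; the masked public prefix is replaced by the constructed range 198.51.100.0/22, and the outside client 203.0.113.50 is also constructed.

```python
import ipaddress

# `route -n` rows from the post; the masked 80.xxx.xx.* values are replaced
# by a constructed documentation range (assumption, not the poster's addresses).
ROUTE_N = """\
192.168.0.0  192.168.0.1  255.255.255.0 UG 0    0 0 eth1
192.168.0.0  0.0.0.0      255.255.255.0 U  0    0 0 eth1
198.51.100.0 0.0.0.0      255.255.252.0 U  0    0 0 eth0
169.254.0.0  0.0.0.0      255.255.0.0   U  1002 0 0 eth0
0.0.0.0      198.51.100.1 0.0.0.0       UG 0    0 0 eth0
"""

def parse_routes(text):
    """Parse Destination/Gateway/Genmask/Flags/Metric/Ref/Use/Iface rows."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip headers or damaged rows
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        net = ipaddress.ip_network(f"{dest}/{prefix}")
        routes.append({"net": net, "gw": gw, "metric": int(metric), "iface": iface})
    return routes

def lookup(routes, ip):
    """Return the route used to reach ip: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))

def reply_is_asymmetric(routes, arrived_on, client_ip):
    """True when the reply to client_ip would leave by another interface."""
    route = lookup(routes, client_ip)
    return route is None or route["iface"] != arrived_on

ROUTES = parse_routes(ROUTE_N)

if __name__ == "__main__":
    for client in ("192.168.0.100", "203.0.113.50"):  # LAN host, outside host
        r = lookup(ROUTES, client)
        print(client, "-> reply via", r["iface"], "gw", r["gw"],
              "| asymmetric:", reply_is_asymmetric(ROUTES, "eth1", client))
```

Whether the kernel also discards the inbound SYN on eth1 depends on its reverse-path filter setting (`net.ipv4.conf.*.rp_filter`), which the thread does not show.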
- 04-18-2009 #15 Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
Just out of curiosity what address does your router NAT (pretend to be) to?
It might be something to do with that and the default gateway as per your query earlier on....
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 04-19-2009 #16 Just Joined!
- Join Date
- Apr 2009
- Posts
- 8
Router LAN address is 192.168.0.1 (I also tested connectivity with ping). External address is a public IP address similar to that assigned on eth0 (80.xxx.xx.xx).
- 04-19-2009 #17 Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
Just to clarify, your http server is listening on 192.168.2.0/24 and your router has a 192.168.0.0/24 address?
Seem to have lost the plot regarding the default gateway...
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 04-19-2009 #18 Just Joined!
- Join Date
- Apr 2009
- Posts
- 8
No, I'm sorry about the confusion. I used 192.168.2.0 and 192.168.1.0 network addresses in previous posts to make it easy when explaining the setup. My actual configuration, presently is:
eth0: static public IP address (80.xx.xx.xx)
eth1: static private IP address (192.168.0.110) and the workstation that I added for testing is 192.168.0.100 (I'll adjust these to .2 and .3 probably - I changed the IPs as I was running various tests to rule out any router issues). Gateway (router) ip is 192.168.0.1.
I also tested the setup pinging the gateway and workstations within the LAN. Had I assigned different addresses as in 192.168.2.0/24 and 192.168.0.0/24, the ping would have failed (hopefully).
I will run more tests by trying a vanilla OS installation (possibly a live cd) on the server as it is possible for the issue to be OS related (using Fedora w/ firewall and SELinux): btw the firewall allows connections on the selected ports since I could establish a connection from the testing workstation I used (192.168.0.100).
- 04-21-2009 #19 Just Joined!
- Join Date
- Apr 2009
- Posts
- 8
After testing on a LiveCD fedora distro I think I can rule out the possibility of the router being responsible for a faulty NAT. What I did was set up eth1 as the default interface and then bind httpd to listen on eth1 ip: it worked.
Actually, whenever the httpd server is tied to an interface that uses as the gateway the default route, the setup works, otherwise it doesn't: I only get the dropped packets I was able to record with tcpdump.


