  1. #1
    Just Joined!
    Join Date
    Jul 2011
    Posts
    3

    Route/forward to identical LANs


    Hi.

    I've been assigned a task to configure a Fedora box (release 14 with 2.6.35.6-45.fc14.i686) to provide routing in a lab environment.
    To that end I started reading man pages for iptables, googled a great deal and did some testing.
    But, I've not been successful.
    The task is that the users from their office LAN (LAN-1) should be able to connect to all the 16 nodes (transceivers) that exist in every rack (two racks for now).
    These racks are completely separate from each other and are configured as LANs (LAN-2a, LAN-2b, ...) in a lab environment.
    Unfortunately, all the racks/LANs are identical regarding the IP addresses for nodes, which means that for example 169.254.167.102 exists in all racks/LANs.
    The idea is to define an IP address range (10.128.116.0/24) that is used in a cross reference table, which assists the users to access their desired node and rack.

    Attached (Layout2a.pdf) you'll find an illustration for the task.

    Following is done:

    1- The network admin has configured a rule that all calls to 10.128.116.0/24 go to eth0.

    2- The Fedora NICs are configured as:

    ::::::::::::::
    ifcfg-eth0
    ::::::::::::::
    DEVICE=eth0
    BOOTPROTO=none
    HWADDR=00:22:64:1C:22:AC
    IPADDR=10.128.61.68
    NETMASK=255.255.255.0
    ONBOOT=yes
    TYPE=Ethernet
    IPV6INIT=no
    USERCTL=no
    PREFIX=24
    GATEWAY=10.128.61.254
    ::::::::::::::
    ifcfg-eth1
    ::::::::::::::
    DEVICE=eth1
    BOOTPROTO=none
    NETMASK=255.255.255.0
    HWADDR=00:1b:21:33:04:fc
    IPADDR=169.254.167.1
    ONBOOT=yes
    TYPE=Ethernet
    IPV6INIT=no
    USERCTL=no
    PREFIX=24
    ::::::::::::::
    ifcfg-eth2
    ::::::::::::::
    DEVICE=eth2
    BOOTPROTO=none
    NETMASK=255.255.255.0
    IPADDR=169.254.167.2
    ONBOOT=yes
    TYPE=Ethernet
    HWADDR=00:07:e9:1f:fc:bf
    IPV6INIT=no
    USERCTL=no
    PREFIX=24

    3- # echo 1 > /proc/sys/net/ipv4/ip_forward

    4- # ifdown eth2 ; ifup eth1

    5- # iptables -t nat -A PREROUTING -i eth0 -d 10.128.116.2 -j DNAT --to-destination 169.254.167.100

    6- # iptables -t nat -A POSTROUTING -d 169.254.167.100 -j MASQUERADE

    7- Here I could from a node in LAN-1 connect to 10.128.116.2 and actually login to 169.254.167.100 in rack-1 (LAN-2a).

    8- Just as a test, knowing that 10.128.116.2 is not aimed at rack-2 (LAN-2b), I started testing the same as above with eth2 instead of eth1.

    9- # ifdown eth1 ; ifup eth2

    10- Repeated the steps 5 and 6.

    11- Here I couldn't from a node in LAN-1 connect to 10.128.116.2 and login to 169.254.167.100 in rack-2 (LAN-2b).

    So, am I on the right track at all?
    If not, what is the recommendation?
    If yes, I would greatly appreciate any help that I can get.

    Kindest regards.

  2. #2
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,439
    Honestly, you should consider reworking that setup.
    The NATing will cause a lot of overhead, I am not even sure if it can work like you intend it to work.
    Also, the machines in LAN2* will not be able to connect to LAN1.

    My recommendation would be:
    Choose a big enough private network for all LAN2* hosts
    or, if the LAN2*s shall be separated, choose one dedicated network per LAN2* rack.

    Then you can use simple static routing, and later on firewalling (if necessary).
    You must always face the curtain with a bow.

  3. #3
    Just Joined!
    Join Date
    Jul 2011
    Posts
    3
    Irithori:

    Thanks for your feedback.

    I seem to have made a mistake by having a box labeled ".0". Sorry for that! That box is just a "dummy" hub.
    Furthermore, all the nodes in the racks are just telecommunication devices (transceivers), i.e. they are not traditional computers. In other words, there is no requirement for any connection from LAN-2* to LAN-1.
    By the way, the reason behind the whole thing is to make it more practical for users when they want to do some tests on the transceivers. As for now they have to go to the lab and manually connect their laptops to each rack.
    So if we provide them with this feature, they can sit in their office and connect to the desired transceiver/rack by just using the cross reference table and telnet to the appropriate IP address.

  5. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by unixrb
    ::::::::::::::
    ifcfg-eth0
    ::::::::::::::
    DEVICE=eth0
    BOOTPROTO=none
    HWADDR=00:22:64:1C:22:AC
    IPADDR=10.128.61.68
    NETMASK=255.255.255.0
    ONBOOT=yes
    TYPE=Ethernet
    IPV6INIT=no
    USERCTL=no
    PREFIX=24
    GATEWAY=10.128.61.254
    ::::::::::::::
    ifcfg-eth1
    ::::::::::::::
    DEVICE=eth1
    BOOTPROTO=none
    NETMASK=255.255.255.0
    HWADDR=00:1b:21:33:04:fc
    IPADDR=169.254.167.1
    ONBOOT=yes
    TYPE=Ethernet
    IPV6INIT=no
    USERCTL=no
    PREFIX=24
    ::::::::::::::
    ifcfg-eth2
    ::::::::::::::
    DEVICE=eth2
    BOOTPROTO=none
    NETMASK=255.255.255.0
    IPADDR=169.254.167.2
    ONBOOT=yes
    TYPE=Ethernet
    HWADDR=00:07:e9:1f:fc:bf
    IPV6INIT=no
    USERCTL=no
    PREFIX=24
    Your first issue is the netmasks in bold above. You cannot split out your network this way, and I do not understand why the network admin didn't see this.

    You might want to look at cutting the network size down.

    5- # iptables -t nat -A PREROUTING -i eth0 -d 10.128.116.2 -j DNAT --to-destination 169.254.167.100

    6- # iptables -t nat -A POSTROUTING -d 169.254.167.100 -j MASQUERADE
    This is most likely your next issue and maybe you shouldn't be doing it this way. In fact on an internal LAN there is really no need to do this at all. You can route 169.254.0.0.

    I would do the following:

    1. Cut the mask down to cover what I have in the rack plus 2. In your case 8 or 16 hosts. 16 will allow you to add to the rack.

    2. Route the network 169.254.0.0 and remove all iptables rules that do any MASQ, SNAT or DNAT.

    3. Configure DNS so the clients only need to know the host name of the device they want to get to. Will save the confusion later in life.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  6. #5
    Just Joined!
    Join Date
    Jul 2011
    Posts
    3
    Sorry for the long delay in getting back to you.
    I've been testing a great deal, and finally made it work.

    For those of you that wonder why there have to be identical LANs:

    - Each rack has a control panel (with a NIC) that is configured (hard-coded) to offer the "slots" as 169.254.167.100-115, i.e. they cannot be changed.
    - The racks are identical.

    Now the solution (Please refer to TRX-Layout2.pdf):

    Code:
    01. # more /etc/sysconfig/network-scripts/ifcfg-eth*
        ::::::::::::::
        ifcfg-eth0
        ::::::::::::::
        DEVICE=eth0
        BOOTPROTO=none
        HWADDR=00:22:64:1C:22:AC
        IPADDR=10.128.61.68
        NETMASK=255.255.255.0
        ONBOOT=yes
        TYPE=Ethernet
        IPV6INIT=no
        USERCTL=no
        PREFIX=24
        GATEWAY=10.128.61.254
        ::::::::::::::
        ifcfg-eth1
        ::::::::::::::
        DEVICE=eth1
        BOOTPROTO=none
        NETMASK=255.255.255.0
        HWADDR=00:1b:21:33:04:fc
        IPADDR=169.254.167.1
        ONBOOT=yes
        TYPE=Ethernet
        IPV6INIT=no
        USERCTL=no
        PREFIX=24
        ::::::::::::::
        ifcfg-eth2
        ::::::::::::::
        DEVICE=eth2
        BOOTPROTO=none
        NETMASK=255.255.255.0
        IPADDR=169.254.167.2
        ONBOOT=yes
        TYPE=Ethernet
        HWADDR=00:07:e9:1f:fc:bf
        IPV6INIT=no
        USERCTL=no
        PREFIX=24
    02. On the router in LAN-1:
        ml_router#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        ml_router(config)#ip route 10.128.116.0 255.255.255.0 10.128.61.68
        ml_router(config)#end
    03. # echo 1 > /proc/sys/net/ipv4/ip_forward
    04. # vi /etc/iproute2/rt_tables
        . . .
        2       eth1
        3       eth2
    05. # vi /etc/rc.d/rc.local
        . . .
        ip rule add fwmark 1 table eth1
        ip rule add fwmark 2 table eth2
        ip route add 169.254.167.0/24 dev eth2  scope link table eth2 src 169.254.167.2
        ip route add 169.254.167.0/24 dev eth1  scope link table eth1 src 169.254.167.1
    06. # ip rule add fwmark 1 table eth1
    07. # ip rule add fwmark 2 table eth2
    08. # ip route add 169.254.167.0/24 dev eth2  scope link table eth2 src 169.254.167.2
    09. # ip route add 169.254.167.0/24 dev eth1  scope link table eth1 src 169.254.167.1
    10. # ip rule ls
        0:      from all lookup local 
        32764:  from all fwmark 0x2 lookup eth2 
        32765:  from all fwmark 0x1 lookup eth1 
        32766:  from all lookup main 
        32767:  from all lookup default 
    11. # echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter 
    12. # echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter 
    13. # echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter 
    14. # echo 0 > /proc/sys/net/ipv4/conf/all/arp_filter         
    15. # echo 0 > /proc/sys/net/ipv4/conf/eth1/arp_filter         
    16. # echo 0 > /proc/sys/net/ipv4/conf/eth2/arp_filter
    17. # vi /root/iptables.sh
        service iptables stop
        service iptables save
        service iptables start
        iptables -t mangle -A PREROUTING -d 10.128.116.0/27 -j MARK --set-mark 0x1
        iptables -t mangle -A PREROUTING -d 10.128.116.32/27 -j MARK --set-mark 0x2
        m=2
        n=100
        while [ "$m" -lt "18" ]; do
          # eth1
          iptables -t nat -A PREROUTING -d 10.128.116.$m -j DNAT --to-destination 169.254.167.$n
          iptables -t nat -A POSTROUTING -s 169.254.167.$n -m mark --mark 0xa -j SNAT --to-source 10.128.116.$m
          # eth2
          t=$(($m+32))
          iptables -t nat -A PREROUTING -d 10.128.116.$t -j DNAT --to-destination 169.254.167.$n
          iptables -t nat -A POSTROUTING -s 169.254.167.$n -m mark --mark 0x14 -j SNAT --to-source 10.128.116.$t
          m=$(($m+1))
          n=$(($n+1))
        done
        iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
        iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
        iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 0xa
        iptables -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 0x14
        iptables -t mangle -A OUTPUT -s 169.254.167.1 -j MARK --set-mark 0x1
        iptables -t mangle -A OUTPUT -s 169.254.167.2 -j MARK --set-mark 0x2
        service iptables save
    18. # /root/iptables.sh
    19. # vi /etc/sysctl.conf
        . . .
        net.ipv4.ip_forward = 1
        . . .
    20. # vi /etc/sysconfig/iptables-config 
        . . .
        IPTABLES_MODULES_UNLOAD="yes"
        . . .
        IPTABLES_SAVE_ON_STOP="yes"
        . . .
        IPTABLES_SAVE_ON_RESTART="yes"
        . . .
    21. The cross reference table (eth3-8 are for future use!):
    
        Telnet to             Via Interface          Final Destination
        -----------------------------------------------------------------------
        10.128.116.2-17       169.254.167.1/eth1     rack-1/169.254.167.100-115
        10.128.116.34-49      169.254.167.2/eth2     rack-2/169.254.167.100-115
        10.128.116.66-81      169.254.167.3/eth3     rack-3/169.254.167.100-115
        10.128.116.98-113     169.254.167.4/eth4     rack-4/169.254.167.100-115
        10.128.116.130-145    169.254.167.5/eth5     rack-5/169.254.167.100-115
        10.128.116.162-177    169.254.167.6/eth6     rack-6/169.254.167.100-115
        10.128.116.194-209    169.254.167.7/eth7     rack-7/169.254.167.100-115
        10.128.116.226-241    169.254.167.8/eth8     rack-8/169.254.167.100-115
    As mentioned, this was tested and verified by following the packets with tcpdump.

    I would like to thank everybody that took time to help me on this.
    Kind regards.
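    As an added example (not the original poster's script), the rule generator below is the general form of the per-rack mapping in the solution above, extended from two racks to N racks as in the cross reference table: rack r owns the /27 block starting at 10.128.116.(32*(r-1)), and offsets 2-17 inside that block map to the fixed slots 169.254.167.100-115. It assumes rack r is reached via ethr with address 169.254.167.r and that /etc/iproute2/rt_tables names the tables eth1..ethN as in step 04; only the LAN-1 to rack direction is generated.

```shell
#!/bin/sh
# Added example, not the thread's own script. Generalises the two-rack
# mapping of the solution post to N racks. Assumed layout: rack r sits
# behind eth<r>, whose address is 169.254.167.<r>; rt_tables has eth<r>.

LAN1_PREFIX=10.128.116   # virtual addresses users telnet to
RACK_PREFIX=169.254.167  # hard-coded addresses inside every rack
SLOTS=16                 # transceivers per rack
FIRST_SLOT=100           # 169.254.167.100-115
BLOCK=32                 # one /27 per rack
OFFSET=2                 # first usable offset inside a rack block

# resolve <virtual ip>: print "rack-N ethN 169.254.167.S", or "unmapped"
# (exit 1) when the address is outside the table.
resolve() {
    last=${1##*.}
    prefix=${1%.*}
    if [ "$prefix" != "$LAN1_PREFIX" ]; then
        echo unmapped; return 1
    fi
    rack=$(( last / BLOCK + 1 ))
    idx=$(( last % BLOCK - OFFSET ))
    if [ "$idx" -lt 0 ] || [ "$idx" -ge "$SLOTS" ]; then
        echo unmapped; return 1
    fi
    echo "rack-$rack eth$rack $RACK_PREFIX.$(( FIRST_SLOT + idx ))"
}

# gen_rules <racks>: print the policy-routing and NAT rules for every rack,
# the way the solution's while loop does for eth1 and eth2 (mark = rack no.).
gen_rules() {
    r=1
    while [ "$r" -le "$1" ]; do
        base=$(( (r - 1) * BLOCK ))
        echo "ip rule add fwmark $r table eth$r"
        echo "ip route add $RACK_PREFIX.0/24 dev eth$r scope link table eth$r src $RACK_PREFIX.$r"
        echo "iptables -t mangle -A PREROUTING -d $LAN1_PREFIX.$base/27 -j MARK --set-mark $r"
        k=0
        while [ "$k" -lt "$SLOTS" ]; do
            echo "iptables -t nat -A PREROUTING -d $LAN1_PREFIX.$(( base + OFFSET + k )) -j DNAT --to-destination $RACK_PREFIX.$(( FIRST_SLOT + k ))"
            k=$(( k + 1 ))
        done
        echo "iptables -t nat -A POSTROUTING -o eth$r -j MASQUERADE"
        r=$(( r + 1 ))
    done
}
```

    Run `gen_rules 8 | sh` on the router to install all eight racks from the table, and `resolve 10.128.116.34` to check where a given virtual address lands before handing the table to users.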

  7. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    If what you said about the rack not being changeable is true, then you need to go to the manufacturer and let them know what a POS they have.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
