Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Tue Feb 28, 2006 1:45 pm Post subject: Very simple router, but with connection drops
Hello world,
I got this Gentoo system installed to function as a very simple router. Just forwarding from eth0 to eth1, and I only have one problem...
This is the current situation:
eth0 (connected to big bad internet): IP = 199.xxx.224.xxx
eth1 (connected to local network): IP = 199.xxx.225.xxx
Routing works. But the question you should ask is: how does it work? Well, it's a f***** nightmare! Normal browsing works, but RDP, SSH connections or stream-based connections drop every now and then... I'm positive it's the configuration of the Gentoo server, shown by the following ping results.
When I ping from a machine in the local network to eth1 it's like this:
Code:
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=3ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=3ms TTL=62
Reply from 199.xxx.225.xxx: bytes=32 time=2ms TTL=62
This goes on like this forever. Nothing wrong here, I would say.
However, when I ping from a machine in the local network to eth0 it's like this:
Code:
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=54ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=47ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Request timed out
Reply from 199.xxx.224.xxx: bytes=32 time=12ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=3ms TTL=61
Reply from 199.xxx.224.xxx: bytes=32 time=75ms TTL=61
This is roughly how it goes, and the timeouts cause my SSH connections to break!
Does anyone have any idea how this could be fixed?
_________________
Bleeding edge is our downfall...
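The periodic spike-and-timeout pattern in the ping output above can be measured instead of eyeballed. The script below is an added example, not code from the thread: it parses Windows-style ping output (the format shown above; the Linux form is also accepted), counts loss, flags RTT spikes, reports the spacing between anomalies so a periodic fault stands out, and notes whether the reply TTL ever changed (which would indicate a path change rather than a queueing problem). The sample lines and the 198.51.100.1 address are constructed stand-ins for the obscured addresses on the page; the 20 ms spike threshold is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Windows-style reply line as pasted in the thread, and the Linux ping form
# ("64 bytes from 198.51.100.1: icmp_seq=1 ttl=61 time=3.1 ms").
WIN_REPLY = re.compile(r"Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=(\d+)")
LINUX_REPLY = re.compile(r"\d+ bytes from (.+?):.*ttl=(\d+) time=([\d.]+) ms")
TIMEOUT = re.compile(r"Request timed out|Destination host unreachable")


@dataclass
class PingSummary:
    sent: int = 0
    timeouts: int = 0
    rtts: List[float] = field(default_factory=list)
    ttls: List[int] = field(default_factory=list)
    anomalies: List[Tuple[int, str]] = field(default_factory=list)  # (probe number, reason)

    @property
    def loss_pct(self) -> float:
        return 100.0 * self.timeouts / self.sent if self.sent else 0.0

    @property
    def max_rtt(self) -> Optional[float]:
        return max(self.rtts) if self.rtts else None

    @property
    def anomaly_gaps(self) -> List[int]:
        """Probes between consecutive anomalies; a constant gap means a periodic fault."""
        idx = [n for n, _ in self.anomalies]
        return [b - a for a, b in zip(idx, idx[1:])]

    @property
    def ttl_changed(self) -> bool:
        """More than one TTL value means the reply path length changed mid-run."""
        return len(set(self.ttls)) > 1


def analyze_ping(text: str, spike_ms: float = 20.0) -> PingSummary:
    """Parse ping output line by line; every reply or timeout counts as one probe."""
    s = PingSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = WIN_REPLY.match(line)
        if m:
            rtt, ttl = float(m.group(2)), int(m.group(3))
        else:
            m = LINUX_REPLY.match(line)
            if m:
                ttl, rtt = int(m.group(2)), float(m.group(3))
            elif TIMEOUT.match(line):
                s.sent += 1
                s.timeouts += 1
                s.anomalies.append((s.sent, "timeout"))
                continue
            else:
                continue  # summary lines, blank lines, anything else
        s.sent += 1
        s.rtts.append(rtt)
        s.ttls.append(ttl)
        if rtt >= spike_ms:
            s.anomalies.append((s.sent, f"rtt {rtt:g}ms"))
    return s


# Constructed sample in the Windows format shown in the thread (198.51.100.1 is a
# documentation address standing in for the obscured 199.xxx.224.xxx).
SAMPLE = """\
Reply from 198.51.100.1: bytes=32 time=3ms TTL=61
Reply from 198.51.100.1: bytes=32 time=3ms TTL=61
Reply from 198.51.100.1: bytes=32 time=54ms TTL=61
Reply from 198.51.100.1: bytes=32 time=3ms TTL=61
Request timed out.
Reply from 198.51.100.1: bytes=32 time=12ms TTL=61
Reply from 198.51.100.1: bytes=32 time=3ms TTL=61
Reply from 198.51.100.1: bytes=32 time=3ms TTL=61
"""

if __name__ == "__main__":
    r = analyze_ping(SAMPLE)
    print(f"sent={r.sent} lost={r.timeouts} ({r.loss_pct:.1f}%) max_rtt={r.max_rtt}ms")
    print("anomalies:", r.anomalies, "gaps:", r.anomaly_gaps, "ttl changed:", r.ttl_changed)
```

Feed it a longer capture (`ping -t host > ping.txt` on Windows, then `analyze_ping(open("ping.txt").read())`) and look at `anomaly_gaps`: a near-constant gap like the "every 20 seconds" the poster reports points at something periodic on the path (a timer, a link flap, an ARP refresh) rather than at load.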
Prompty (Apprentice)
Joined: 08 Feb 2004 Posts: 292
Posted: Tue Feb 28, 2006 2:32 pm
Well, if you KNOW it's a configuration issue, why don't you give us some configuration :]
Don't you have any QoS or traffic control installed somewhere?
Install this http://martybugs.net/linux/rrdtool/traffic.cgi to monitor usage of your network interfaces.
_________________
<input stupid message here>
Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Tue Feb 28, 2006 10:10 pm
Prompty wrote:
> Well, if you KNOW it's a configuration issue, why don't you give us some configuration :]
> Don't you have any QoS or traffic control installed somewhere?
Hardware configuration:
HP e800 server with a single P3 1 GHz and 512 MB memory, a simple IDE hard drive, nothing important further...
Software:
Gentoo kernel 2.6.15 (r1) with the following network configuration:
Code:
Networking options --->
[*] TCP/IP networking
[*] IP: advanced router
[*] Network packet filtering (replaces ipchains)
That's it! Yes, only the default, most simple configuration.
Do you think I need QoS? That's for shaping only. According to the home-router guide I don't really need it, do I? Please tell me about these features and whether I need them or not...
Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Wed Mar 01, 2006 10:13 am
QoS doesn't help. Does anyone have any other idea to fix this? It is driving me and others crazy!
Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Fri Mar 03, 2006 8:04 am
Does anyone have an idea how to fix it? The pattern of request timeouts and pings is very clear and won't stop, even without any network traffic...
ervin.peters (Tux's lil' helper)
Joined: 20 Aug 2003 Posts: 110 Location: Apolda, Germany
Posted: Fri Mar 03, 2006 11:32 am
Soef wrote:
> Does anyone have an idea how to fix it? The pattern of request timeouts and pings is very clear and won't stop, even without any network traffic...
What about some more detailed hints, like the network hardware, and
# ifconfig -a
# route -n
# iptables -nL
or
# ip link show
# ip addr show
# ip route show
# ip rule show
# iptables -nL
if iproute2 is installed.
Additionally: hub or switch reset? LEDs blinking at that switch?
Did you watch with
# tcpdump -i eth0
and
# tcpdump -i eth1
the traffic on those interfaces?
ervin
Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Fri Mar 03, 2006 12:06 pm
ervin.peters wrote:
> Soef wrote:
> > Does anyone have an idea how to fix it? The pattern of request timeouts and pings is very clear and won't stop, even without any network traffic...
> What about some more detailed hints, like the network hardware, and
> # ifconfig -a
> # route -n
> # iptables -nL
> or
> # ip link show
> # ip addr show
> # ip route show
> # ip rule show
> # iptables -nL
> if iproute2 is installed.
> Additionally: hub or switch reset? LEDs blinking at that switch?
> Did you watch with
> # tcpdump -i eth0
> and
> # tcpdump -i eth1
> the traffic on those interfaces?
> ervin
The only info I can give is that I have 2 ethernet cards, 3Com 905C. I tested it on another machine with totally different hardware and the same software config. Same results.
ifconfig -a just shows the IPs and MACs. The shit is correct. It works well on Smoothwall Linux. But my Gentoo config (just routing without firewall) doesn't do well.
iptables or that kind of mess I don't use. I just want to route, nothing more!! The most simple router ever... Why is the connection f***ed up? Why is there a pattern of sucky pings to the router's second net device, and not at the first device? Because it goes wrong in the device. But why...
Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Fri Mar 03, 2006 12:14 pm
From router to internet = OK
From local net to router = OK
From local net to internet = !! (There is a connection, but it drops every now and then. Every 20 seconds I get a ping of 50 or no ping at all instead of 3.)
That is basically the problem. This shows there is no problem with the internet connection, no problem with the internal network, no problem with any switch. Just a problem with Gentoo IP forwarding. But why is this, and how can this be fixed...
NeddySeagoon (Administrator)
Joined: 05 Jul 2003 Posts: 54829 Location: 56N 3W
Posted: Fri Mar 03, 2006 12:36 pm
Soef,
Are you doing simple forwarding or Network Address Translation in your router?
eth0 (connected to big bad internet): IP = 199.xxx.224.xxx is your public IP address allocated by your ISP, or connection provider.
eth1 (connected to local network): IP = 199.xxx.225.xxx is also a range of public IPs. That's fine if they are yours; if not, you are using someone else's IP and all sorts of horrible things will happen.
It would be normal to use a private IP range and NAT for something like this, e.g. 10.x.x.x or 192.168.x.x etc.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
NTT (Apprentice)
Joined: 26 Dec 2002 Posts: 188
Posted: Fri Mar 03, 2006 12:58 pm
I agree with that last post; the IP addresses you've chosen for your LAN are... odd... to say the least. You're supposed to use private IPs if you're doing NAT.
Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Fri Mar 03, 2006 1:02 pm
The network is a bit more confusing, I think. At the local side of the Gentoo box there is a HW firewall; this firewall has a local IP in the 192.169.20 range. The other, internet, side of the Gentoo box is connected to a modem which has 4 IPs to the outside world.
Like I said, it can't have anything to do with the setup of the network:
Quote:
> From router to internet = OK
> From local net to router = OK
> From local net to internet = !!
All the router has to do is have 1 IP on one side and another at the other side and do ip_forwarding. This is what it does, but the connection fails at some points...
NTT (Apprentice)
Joined: 26 Dec 2002 Posts: 188
Posted: Fri Mar 03, 2006 1:09 pm
So what you have is as such?
[INTERNET] -> [passive ROUTER] -> (internet IP)[GENTOO](internet IP) -> (internet IP)[FIREWALL](private IP)
in which an "internet IP" is a 199.* IP.
That's what I can make out from your story, and it is a situation that's not supposed to work at all.
NeddySeagoon (Administrator)
Joined: 05 Jul 2003 Posts: 54829 Location: 56N 3W
Posted: Fri Mar 03, 2006 1:13 pm
Soef,
Some ASCII, with IP numbers (public ones obscured), would be good, or a link to a sketch of your network with the same info...
Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Fri Mar 03, 2006 1:26 pm
NTT wrote:
> So what you have is as such?
> [INTERNET] -> [passive ROUTER] -> (internet IP)[GENTOO](internet IP) -> (internet IP)[FIREWALL](private IP)
> in which an "internet IP" is a 199.* IP.
> That's what I can make out from your story, and it is a situation that's not supposed to work at all.
The actual situation is something like this:
[INTERNET, 199.xxx.225.170] -> [Glass MODEM] -> (199.xxx.224.98)[GENTOO](199.xxx.225.169) -> (199.xxx.224.97)[FIREWALL](192.168.20.2)
Soef (n00b)
Joined: 17 Mar 2005 Posts: 41
Posted: Fri Mar 03, 2006 1:41 pm
I just came to the conclusion it isn't in the Gentoo box at all! It's somewhere with my provider!! Phew, I almost got scared of Gentoo, but hey! It can't be Gentoo! Gentoo rox. If I know more I will let you know here...
Thanks for all your help, although it didn't help anything...
ervin.peters (Tux's lil' helper)
Joined: 20 Aug 2003 Posts: 110 Location: Apolda, Germany
Posted: Fri Mar 03, 2006 4:47 pm
Soef wrote:
> NTT wrote:
> > So what you have is as such?
> The actual situation is something like this:
> [INTERNET, 199.xxx.225.170] -> [Glass MODEM] -> (199.xxx.224.98)[GENTOO](199.xxx.225.169) -> (199.xxx.224.97)[FIREWALL](192.168.20.2)
You left out the local network, which seems to be 192.168.20.2/24.
- All local network computers have the firewall (192.168.20.2) as gateway,
- the firewall is obviously doing SNAT,
- the firewall uses the Gentoo box as gateway,
- the Gentoo box does not do any NAT and acts as a router,
- the other side of that Gentoo box is one of 4 official IPs, your part of the Internet.
I would expect that your provider drops traffic which is not originating from your net segment, for several reasons:
- Your non-private addresses used between firewall and Gentoo are not reachable from the internet, because they are used elsewhere. The answers to your requests cannot be routed back, because they are always routed to the elsewhere network.
- Using IPs which are not yours has a bad character: DDoS, spam and so on use this to avoid the crackers and spammers being identified.
The easiest solution would be to use SNAT on the Gentoo box.
The better one would be to place the Gentoo box in the local net, give an Inet IP to the outgoing interface and forward the needed ports to that Gentoo box.
ervin
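Ervin's two fixes (SNAT on the Gentoo box, or keep real public space only on its outside interface) both hang on one question: is the address space between the firewall and the Gentoo box actually yours? The script below is an added example, not code from the thread or from Gentoo: it checks a LAN prefix against the RFC 1918 ranges and against an operator-supplied list of owned public prefixes, then emits the sysctl and iptables commands for a stateful forwarding router, adding SNAT only where the LAN is private. Interface names, the 198.51.100.x addresses (documentation range standing in for the thread's obscured 199.xxx addresses) and the `owned_prefixes` argument are assumptions for the example; the commands are returned as strings, not executed.

```python
import ipaddress
from typing import Dict, List, Sequence

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr_or_net: str) -> bool:
    """True if an address or prefix lies entirely inside RFC 1918 private space."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def owned(net: str, owned_prefixes: Sequence[str]) -> bool:
    """True if the prefix is inside public space the operator actually holds (assumed list)."""
    n = ipaddress.ip_network(net, strict=False)
    return any(n.subnet_of(ipaddress.ip_network(p, strict=False)) for p in owned_prefixes)


def forwarding_rules(wan_if: str, lan_if: str, lan_net: str) -> List[str]:
    """Stateful forwarding: LAN may initiate, WAN only gets replies, spoofed LAN sources from WAN are dropped."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "sysctl -w net.ipv4.conf.all.rp_filter=1",
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {wan_if} -s {lan_net} -j DROP",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {lan_net} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def plan_router(wan_if: str, wan_ip: str, lan_if: str, lan_net: str,
                owned_prefixes: Sequence[str]) -> Dict[str, object]:
    """Decide between plain forwarding, SNAT, or 'renumber first', and produce the matching commands."""
    findings: List[str] = []
    if is_rfc1918(lan_net):
        mode = "snat"
        findings.append(f"{lan_net} is RFC 1918 space: not routable on the internet, so the "
                        f"router must SNAT it to {wan_ip} for replies to find their way back.")
        commands = forwarding_rules(wan_if, lan_if, lan_net) + [
            f"iptables -t nat -A POSTROUTING -o {wan_if} -s {lan_net} -j SNAT --to-source {wan_ip}"
        ]
    elif owned(lan_net, owned_prefixes):
        mode = "forward"
        findings.append(f"{lan_net} is public space you hold: plain forwarding is fine, no NAT needed.")
        commands = forwarding_rules(wan_if, lan_if, lan_net)
    else:
        mode = "misconfigured"
        findings.append(f"{lan_net} is public space not listed as yours: replies are routed to its "
                        f"real owner and the upstream may drop the traffic as spoofed. Renumber the "
                        f"LAN to RFC 1918 space and SNAT, or obtain the prefix.")
        commands = []
    return {"mode": mode, "findings": findings, "commands": commands}


if __name__ == "__main__":
    # Constructed stand-in for the thread's topology: the WAN side holds a /30 of
    # real address space, while the link to the firewall uses a different public /30.
    for lan in ("198.51.100.168/30", "192.168.20.0/24"):
        plan = plan_router("eth0", "198.51.100.98", "eth1", lan, ["198.51.100.96/30"])
        print(f"LAN {lan}: {plan['mode']}")
        for f in plan["findings"]:
            print("  ", f)
        for c in plan["commands"]:
            print("  ", c)
```

The anti-spoof rule (`-i eth0 -s <lan_net> -j DROP`) and the default `FORWARD DROP` policy are what turn the "most simple router ever" into one that only forwards what it is meant to; `rp_filter` catches the same class of problem at the kernel level, and on a box whose LAN side used someone else's public prefix it would also have made the asymmetric return path visible.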