Multi-homed system - Packets getting dropped [solved]

[k0n3z]

I have a gentoo server in our lab. The server have multiple physical NICs. Each NIC resides on a sperate VLAN.

+--------+
| Router |
+--------+
|
+--------------+--------------+
| | |
/--------\ /--------\ /---------\
| VLAN A | | VLAN B | | VLAN C |
\--------/ \--------/ \---------/
| | |
| | |
| | |
| +---+----+ |
| | | |
+---------+ Server +---------+
| |
+--------+

Users connect to the server through VLAN A. Users have workstations on VLANs B and C. The server offers services to VLANs A, B and C. I don't want the server to route traffic through it, and allow the router to route packets accordig to the approved security policy. There are no IP tables installed, and the router for the lab has not ACLs blocking any traffic.

All three interfaces have static addresss. I have the default gateway set for VLAN A's gateway. Network traffic going out of the machine is working fine. I am have an issue with inbound traffic.


When all 3 NICs on the server are active.....
* A workstation on VLAN B can ping the servers NIC on VLAN B.
* The same workstation can not ping the NICs on VLANs A or C.
* While workstaiton on VLAN B pings the NIC on the server on VLAN A, I have a sniffer running on the server.
* I see the echo request come into NIC on VLAN A.
* There is no echo reply to goes out on any of the interfaces.

If I shutdown the NIC on VLAN B, then the workstation on VLAN B can ping the NICs on VLANs A and C.

I have tried enabling routing on the system to see if that would fix the problem, and it has not.


The only thing left for me to try it to implement a simple ip tables firewall.

Are there any other suggestions or ideas?

[NeddySeagoon]

k0n3z,

Welcome to gentoo.
Please show us your /etc/conf.d/net file and the output of route -n.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[k0n3z]

conf.d/net

iface_eth0="192.168.200.10 broadcast 192.168.200.255 netmask 255.255.255.0"
iface_eth1="dhcp"
iface_eth2="192.168.204.10 broadcast 192.168.204.255 netmask 255.255.255.0"
iface_eth3="192.168.202.10 broadcast 192.168.202.255 netmask 255.255.255.0"
iface_eth4="dhcp"

routes_eth0=("default via 192.168.200.1")



route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.176.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8
172.16.34.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.202.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
192.168.204.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
172.16.40.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet4
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 192.168.200.1 0.0.0.0 UG 0 0 0 eth0


This box is running vmware-server. During the troubleshooting, I did shut down all of the vmware services and virtual interfaces to eliminate them from the mix.

[NeddySeagoon]

k0n3z,

How do all the other machines on your network obtain their network setting ?
Are they entirely static or does this server run a DHCP server for the 192.168.200.0/24, 192.168.202.0/24 and 192.168.204.0/24 networks ?

It looks like you either need need IPTables on the server or static routes eveywhere else.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[k0n3z]

All the user machines get their addresses from DHCP. There default gateway is .1 on every network, which is the router.

[NeddySeagoon]

k0n3z,

Either modify the server to do routing or the DHCP server to add static routes to the information it provides to all the other PCs.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[k0n3z]

I tried making the server a router. That did not work. Without IP tables, the server is dropping the packet. From my bad ascii art previously. A workstation on VLAN B can ping the server on the NIC that is on VLAN B. The same workstation can not ping the server on the NIC on VLANs A or C. I was running ethereal on the server, watching all 3 NICs. The echo request came in on NIC A, and no echo reply went out on any of the interfaces. The issue is on ther server, not the workstations.

Would it help installing IP tables and a simple firewall ruleset?

[NeddySeagoon]

k0n3z,

Do you have packet forwarding on in the server?

[k0n3z]

I have tried it both ways. In either mode, I get the same result.

[k0n3z]

I have found the source of my problem.

I made sure rp_filter was set to 0 to disable the spoofing filters in the kernel. Routing is not turned on, as I want the core router for the lab to set the policy.