centos 6 gateway setup
Good morning,
I have a problem with configuring a centos 6 machine as a gateway for a private LAN. I apologize if the following description is confused, I'll do my best.
The Centos 6 machine has three network cards:
eth0 inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
eth1 inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
eth2 inet addr:10.1.6.99 Bcast:10.1.255.255 Mask:255.255.0.0
the routing table is as follows:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
10.1.0.0 * 255.255.0.0 U 0 0 0 eth2
link-local * 255.255.0.0 U 1002 0 0 eth0
link-local * 255.255.0.0 U 1003 0 0 eth1
link-local * 255.255.0.0 U 1004 0 0 eth2
default 10.1.1.1 0.0.0.0 UG 0 0 0 eth2
Moreover, net.ipv4.ip_forward=1
I would like to use this machine as a gateway for the nodes in the 192.168.1.0/24 network
I am testing the setup on a Centos5 machine with a network card (actually it has two network cards but I have disabled eth0 to make things simpler)
eth1 inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
with this routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1 (note: 192.168.1.254 is the eth1 card of the gateway)
I CAN:
ping to 192.168.1.254
ping to whatever machine on the 192.168.1.0/24 network
ping to whatever machine on the 192.168.0.0/24 network (hence, the gateway works at least between 192.168.0.0/24 and 192.168.1.0/24 networks)
ping to 10.1.6.99 (the IP address of the eth2 card on the gateway)
I CANNOT
ping to 10.1.1.1 or whatsoever address beyond 10.1.6.99
I understand that this is only part of the relevant information.
Files /etc/sysconfig/network or /etc/sysconfig/networking-scripts/ifcfg-eth? both of the gateway and of the node could be useful, but before sending tons of unnecessary information I would prefer that someone expert ask me for what is really necessary.
Thank you all very much in advance.
Re: centos 6 gateway setup
This (at least on the surface) does not make sense!
I seem to think the default route should be this router's interface (rather than something else). So something like default via 10.1.6.99/32 rather than the default via 10.1.1.1/32. So "squirt this down this interface in the face no better path".
Re-reading, I'm a little confused.
> ping to 10.1.1.1 or whatsoever address beyond 10.1.6.99
Does that mean I can ping (or whatever) from 192.168.x.x/24 to 10.1.6.99 ONLY, or I can ping from 192.168.x.x/24 to the range 10.1.1.2 to 10.1.6.98?
Logically, it *should* work, but it doesn't (and why only up to 10.1.6.99, which seems an arbitrary cut off; it's not even "bit aligned"?)
From *this* router's viewpoint it *should* know that all of 10.1.0.0/16 goes via eth2; perhaps you have to do it at a higher level, as in all this stuff should go down via the interface using the address 10.1.6.99?
But it's a bit of a guess.
Can't you traceroute/path?
Re: centos 6 gateway setup
I don't understand what is going on here:
> default 10.1.1.1 0.0.0.0 UG 0 0 0 eth2
and this:
> 0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1
They seem to conflict.
Re: centos 6 gateway setup
I fear I have not been clear.
Computer "A" is the server, the machine with three ethernet cards. The routing table of "A" (CentOS 6.10) is:
[root@usvc ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 eth2
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth2
It means that:
local network 192.168.0.0/24 is accessed through eth0 (ip address 192.168.0.254)
local network 192.168.1.0/24 is accessed through eth1 (ip address 192.168.1.254)
local network 10.1.0.0/16 is accessed through eth2 (ip address 10.1.6.99)
all other addresses are accessed by eth2 via the gateway 10.1.1.1
If I ping to google dns 8.8.8.8 I have:
[root@usvc ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=12.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=12.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=12.4 ms
.......
Moreover:
[root@usvc ~]# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.1.1.1 (10.1.1.1) 0.674 ms 0.921 ms 1.147 ms
2 ............
hence, "A" can actually reach internet servers via the gateway 10.1.1.1
Now, I have a second computer "B" in the local network 192.168.1.0/24. The routing table of "B" (CentOS 5.2) is:
[root@usv2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1
It means that it can communicate with local network 192.168.1.0/24 through eth1 (ip address 192.168.1.2) and with the rest of the world via the gateway 192.168.1.254 (THAT IS, THE eth1 card ON "A")
If I ping from "B" to eth1 on "A" I obtain:
[root@usv2 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.096 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.103 ms
.......
that's ok
If I ping from "B" to a machine in the local network 192.168.0.0/24 I obtain:
[root@usv2 ~]# ping 192.168.0.7
PING 192.168.0.7 (192.168.0.7) 56(84) bytes of data.
64 bytes from 192.168.0.7: icmp_seq=1 ttl=64 time=1.52 ms
64 bytes from 192.168.0.7: icmp_seq=2 ttl=64 time=0.145 ms
.......
that's ok, "B" goes through eth1 card of "A" which acts as gateway to local network 192.168.0.0/24 on eth0 card. In fact:
[root@usv2 ~]# traceroute -n 192.168.0.7
traceroute to 192.168.0.7 (192.168.0.7), 30 hops max, 40 byte packets
1 192.168.1.254 0.088 ms 0.064 ms 0.094 ms
2 192.168.0.7 0.138 ms 0.132 ms 0.125 ms
Moreover, I can ping from "B" to the eth2 card on "A":
[root@usv2 ~]# ping 10.1.6.99
PING 10.1.6.99 (10.1.6.99) 56(84) bytes of data.
64 bytes from 10.1.6.99: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 10.1.6.99: icmp_seq=2 ttl=64 time=0.136 ms
64 bytes from 10.1.6.99: icmp_seq=3 ttl=64 time=0.081 ms
....
but I CANNOT ping to 10.1.1.1 (that is, the gateway for machine "A"):
[root@usv2 ~]# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
--- 10.1.1.1 ping statistics ---
118 packets transmitted, 0 received, 100% packet loss, time 116999ms
It seems that "A" is forwarding network traffic from eth1 to eth0, but refuses to forward traffic from eth1 to eth2 (or better, beyond eth2).
Finally, I have disabled firewalls both on "A" and on "B" so this should not be an issue.
I don't think this post is clearer than the previous one; I trust much more in your experience and understanding than in my English.
Thank you again for your support.
Re: centos 6 gateway setup
Have you set up NAT/MASQ on computer "A"?
What are the IPTABLES rules? Do they allow forwarding?
Re: centos 6 gateway setup
> Have you set up NAT/MASQ on computer "A"?
>
> What are the IPTABLES rules? Do they allow forwarding?
I have disabled iptables both on "A" and on "B":
[root@usvc ~]# chkconfig --list | grep iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
and:
[root@usvc ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and the same on "B"
Re: centos 6 gateway setup
> but I CANNOT ping to 10.1.1.1 (that is, the gateway for machine "A"):
> [root@usv2 ~]# ping 10.1.1.1
> PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
> --- 10.1.1.1 ping statistics ---
> 118 packets transmitted, 0 received, 100% packet loss, time 116999ms
Does 10.1.1.1 know that machine B is behind machine A? You either need to configure the routes on the network, or configure NAT or MASQ on machine A.
Re: centos 6 gateway setup
Dear Whoever,
> Does 10.1.1.1 know that machine B is behind machine A? You either need to configure the routes on the network, or configure NAT or MASQ on machine A.
No, it doesn't. This is the problem.
Thank you very much for your help in understanding the problem.
Re: centos 6 gateway setup
Then you need to configure NAT or MASQ using iptables for outgoing packets on eth2 of server A.
Re: centos 6 gateway setup
Dear Whoever and all,
> Then you need to configure NAT or MASQ using iptables for outgoing packets on eth2 of server A.
it was as easy as issuing:
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
on machine "A" and now it is all working fine. Thanks again
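To make the diagnosis in the last few replies concrete, here is an added example (not from anyone in the thread) that replays the posted routing tables of "A" and "B" with a longest-prefix-match lookup and models the reply path of each ping. The table for the upstream router 10.1.1.1 is an assumption: it knows its own 10.1.0.0/16 and a default route, but has no route back to 192.168.1.0/24, which is exactly why the request reaches 10.1.1.1 and the reply never returns until MASQUERADE rewrites the source to A's eth2 address.

```python
import ipaddress

# Routing tables transcribed from the thread: (destination, gateway, iface).
# Gateway 0.0.0.0 means the destination is on-link, as in `route -n`.
ROUTES_A = [                                  # gateway "A"
    ("192.168.1.0/24", "0.0.0.0", "eth1"),
    ("192.168.0.0/24", "0.0.0.0", "eth0"),
    ("10.1.0.0/16", "0.0.0.0", "eth2"),
    ("0.0.0.0/0", "10.1.1.1", "eth2"),
]
ROUTES_B = [                                  # node "B", 192.168.1.2
    ("192.168.1.0/24", "0.0.0.0", "eth1"),
    ("0.0.0.0/0", "192.168.1.254", "eth1"),
]
# ASSUMED table of the upstream router 10.1.1.1: its own /16 plus a default
# route, and nothing about 192.168.1.0/24 (the thread's conclusion).
ROUTES_UPSTREAM = [
    ("10.1.0.0/16", "0.0.0.0", "lan"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),      # placeholder next hop
]
A_ADDRS = {"192.168.0.254", "192.168.1.254", "10.1.6.99"}

def lookup(routes, dst):
    """Longest-prefix match. Returns (next_hop, iface); next_hop is dst when on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    if best is None:
        return None
    return (dst if best[1] == "0.0.0.0" else best[1], best[2])

def ping_from_b(target, masquerade=False):
    """Model the request B -> A -> target and whether the reply can find its way back."""
    hop = lookup(ROUTES_B, target)
    if hop is None:
        return False
    if hop[0] == target or target in A_ADDRS:   # on-link for B, or A answers itself
        return True
    via_a = lookup(ROUTES_A, target)
    if via_a is None:
        return False
    if via_a[1] != "eth2":                      # A holds the return route itself (eth0/eth1 LANs)
        return True
    # Beyond eth2 the reply is routed by 10.1.1.1. Without NAT it is addressed to B's
    # private IP, which that router cannot reach; MASQUERADE makes it A's eth2 address.
    reply_dst = "10.1.6.99" if masquerade else "192.168.1.2"
    back = lookup(ROUTES_UPSTREAM, reply_dst)
    return back is not None and back[1] == "lan"
```

The same model explains why 8.8.8.8 is unreachable from "B" without the POSTROUTING rule and reachable with it, since the reply is again routed by 10.1.1.1.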