
I'm wondering how to forward traffic from a gateway to a subnet.

network setup

I have this working setup: Host A, behind the tunnel, can ping Host B 10.151.0.1 but not Host C 10.151.0.2.

If I tcpdump packets on Host B 10.151.0.1 (the subnet gateway), I see the ping on the interface:

tcpdump: listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
     (host A)10.0.1.18 > (host c)10.151.0.2: ICMP echo request, id 21863, seq 7, length 64

So the packet arrives on Host B 10.151.0.1 but is not forwarded to Host C 10.151.0.2. I see nothing arriving on the Host C interface.

I have enabled IP forwarding and added these iptables rules (Host B):

iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
iptables -A FORWARD -i eno1 -o eno2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eno2 -o eno1 -j ACCEPT

I also tried adding this route to Host C:

ip route add 10.151.0.0/30 via 10.151.0.2 dev eno2

Maybe someone can help me? Thanks a lot.

I am trying to avoid multiple host-to-host IPsec tunnels by addressing a whole subnet. By the way, Host B 10.151.0.1 can ping 10.151.0.2 ;-)

UPDATE 1: I can now ping Host A from Host C with proxy ARP:

echo 1 > /proc/sys/net/ipv4/conf/eno2/proxy_arp

Magic happens:

root@hostC:/home/administrateur# ping 10.0.1.21
PING 10.0.1.21 (10.0.1.21) 56(84) bytes of data.
64 bytes from 10.0.1.21: icmp_seq=1 ttl=62 time=16.0 ms
64 bytes from 10.0.1.21: icmp_seq=2 ttl=62 time=16.0 ms

BUT I still can't ping Host C from Host A, although ping between Host A and Host B is OK.

UPDATE 2: I removed these from Host B and everything works:

/sbin/route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.151.0.1
/sbin/iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE

All hosts can ping all hosts; subnet to subnet is working :)

subafr
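The following shell audit helper is an added example, not part of subafr's post or of the answers. It takes the text of `ip route show` and `iptables-save -t nat` from the subnet gateway as strings (here constructed to mirror Host B before and after UPDATE 2) and flags the two settings the asker removed: a route for the remote subnet whose next hop is the gateway's own LAN address, which I assume is what kept Host A's packets from being forwarded, and MASQUERADE on the tunnel-facing interface, which rewrites the LAN hosts' source address to the gateway's own.

```shell
#!/bin/sh
# Added audit helper (not from the post). Inputs are the text of `ip route show`
# and `iptables-save -t nat` on the subnet gateway, passed in as strings.

# Print the next-hop address of every "via" route in the route table text.
next_hops() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }'
  return 0
}

# Flag a route whose next hop is one of this host's own addresses ($2, space separated).
# Such a route pins the remote subnet to the LAN side, so packets from that subnet that
# arrive on the tunnel side no longer match the route back (assumed cause of the drop).
routes_via_self() {
  for hop in $(next_hops "$1"); do
    for me in $2; do
      [ "$hop" = "$me" ] && echo "route via local address $hop pins the remote net to the LAN side"
    done
  done
  return 0
}

# Flag MASQUERADE on the tunnel-facing interface ($2): it rewrites the LAN hosts' source
# address to the gateway's own, so the far side never sees the real 10.151.0.0/30 origin.
masq_on() {
  printf '%s\n' "$1" | grep -q -- "-o $2 -j MASQUERADE" &&
    echo "MASQUERADE on tunnel interface $2 hides the LAN subnet behind the gateway"
  return 0
}

# audit ROUTES NAT_RULES TUNNEL_IF LOCAL_ADDRS -> one finding per line, nothing when clean.
audit() {
  routes_via_self "$1" "$4"
  masq_on "$2" "$3"
}

# Constructed samples mirroring Host B before and after UPDATE 2 (eno1 = tunnel side,
# eno2 = 10.151.0.0/30 LAN side, gateway address 10.151.0.1).
BAD_ROUTES='10.0.1.0/24 via 10.151.0.1 dev eno2
10.151.0.0/30 dev eno2 proto kernel scope link src 10.151.0.1'
BAD_NAT='-A POSTROUTING -o eno1 -j MASQUERADE'
GOOD_ROUTES='10.151.0.0/30 dev eno2 proto kernel scope link src 10.151.0.1'
GOOD_NAT=''

echo "before UPDATE 2:"; audit "$BAD_ROUTES" "$BAD_NAT" eno1 10.151.0.1
echo "after UPDATE 2:";  audit "$GOOD_ROUTES" "$GOOD_NAT" eno1 10.151.0.1
```

On a real gateway, feed it `"$(ip route show)"` and `"$(iptables-save -t nat)"` instead of the constructed strings.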

2 Answers


Your route on Host C should be like this:

ip route add HOST-A-IP-RANGE via 10.151.0.2 dev eno2

E.g.:

ip route add 10.0.1.0/24 via 10.151.0.2 dev eno2

Actually, it might be wrong because I don't have your Host A network address. And you should also add the same route on Host A:

ip route add HOST-B-IP-RANGE via 10.151.0.2 dev eno2
  • Hello, thanks for your response. I have added the route on Host C, but I still can't ping from Host A to Host C or from Host C to Host A – subafr Apr 06 '20 at 12:38
  • If I try to ping Host A from Host C and tcpdump on Host B, I see an ARP update: `tcpdump: listening on eno2, link-type EN10MB (Ethernet), capture size 262144 bytes 12:43:54.226218 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.1.21 tell 10.151.0.2, length 46`, but no ping packet. Host A's routes are OK; if I ping Host C from Host A I see the ping packets on Host B, but nothing arrives at Host C. – subafr Apr 06 '20 at 12:47
  • I'm wondering, since Host A and Host B can ping each other: since they are not in the same subnet, there should be a route between them, right? – Pourya.M Apr 07 '20 at 13:07
  • This is my router/gateway; the IPsec tunnel is set up on a FortiGate. Forti knows about the network route ;-) So the ping is routed via the default route and Forti finds the IPsec tunnel. – subafr Apr 09 '20 at 07:37

I have added a route on Host C:

10.0.1.0/24 via 10.151.0.2 dev eno2

If I ping Host A from Host C:

root@HostC:/home/administrateur# ping 10.0.1.21
PING 10.0.1.21 (10.0.1.21) 56(84) bytes of data.
From 10.151.0.2 icmp_seq=1 Destination Host Unreachable
From 10.151.0.2 icmp_seq=2 Destination Host Unreachable
From 10.151.0.2 icmp_seq=3 Destination Host Unreachable
From 10.151.0.2 icmp_seq=4 Destination Host Unreachable

This is the tcpdump from Host B:

root@hostB:/home/administrateur# tcpdump -pni eno2 -vvv
tcpdump: listening on eno2, link-type EN10MB (Ethernet), capture size 262144 bytes
14:04:30.980083 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.1.21 tell 10.151.0.2, length 46
14:04:32.004601 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.1.21 tell 10.151.0.2, length 46
14:04:33.028100 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.1.21 tell 10.151.0.2, length 46
14:04:34.052188 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.1.21 tell 10.151.0.2, length 46

Host B receives the ARP request but that's all, no ping trace?

Another exercise, ping Host C from Host A:

administrateur@HostA:~$ ping 10.151.0.2
PING 10.151.0.2 (10.151.0.2) 56(84) bytes of data.
^C
--- 10.151.0.2 ping statistics ---
30 packets transmitted, 0 received, 100% packet loss, time 28999ms

tcpdump on eno1 of Host B:

root@hostB:/home/administrateur# tcpdump -pni eno1 -vvv | grep 10.151.0.2
tcpdump: listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
    10.0.1.21 > 10.151.0.2: ICMP echo request, id 27436, seq 20, length 64
    10.0.1.21 > 10.151.0.2: ICMP echo request, id 27436, seq 21, length 64
    10.0.1.21 > 10.151.0.2: ICMP echo request, id 27436, seq 22, length 64

tcpdump on eno2 of Host B is empty:

root@hostB:/home/administrateur# tcpdump -pni eno2 -vvv
tcpdump: listening on eno2, link-type EN10MB (Ethernet), capture size 262144 bytes

tcpdump on eno2 of Host C is empty.

Ping between Host A and Host B is OK:

administrateur@hostA:~$ ping 10.151.0.1
PING 10.151.0.1 (10.151.0.1) 56(84) bytes of data.
64 bytes from 10.151.0.1: icmp_seq=1 ttl=63 time=14.2 ms
64 bytes from 10.151.0.1: icmp_seq=2 ttl=63 time=14.1 ms
64 bytes from 10.151.0.1: icmp_seq=3 ttl=63 time=14.1 ms

It seems Host B is not forwarding to Host C.

subafr