
I've got this network topology:

network 192.168.100.0/24 vlan 100
network 192.168.200.0/24 vlan 200

one Ubuntu server (2 VLANs on 1 ether): eth0.100 (ip: 192.168.100.10/24), eth0.200 (ip: 192.168.200.20/24, def gw 192.168.200.254)

The situation is this:

  1. eth0.200 is up
  2. eth0.100 is down.
  3. connection from subnet 192.168.100.0/24 to 192.168.200.20 is OK.

When I bring eth0.100 up:

  • cannot access 192.168.200.20 from the 192.168.100.0/24 network. (wrong interface response: when a packet arrives at 192.168.200.20 from 192.168.100.0/24 it is answered by 192.168.100.10)

How to fix this?

tried with rp_filter=0/rp_filter=1

#cat /etc/network/interfaces
iface eth0.200 inet static
    address 192.168.200.20
    netmask 255.255.255.0
    vlan-raw-device eth0
    gateway 192.168.200.254
    post-up ip r a 192.168.200.6 via 192.168.200.250 #one ip behind wifi

iface eth0.100 inet static
    address 192.168.100.10
    netmask 255.255.255.0
    vlan-raw-device eth0

Looking to work with:

iptables -A PREROUTING -t mangle -i eth0.100 -j MARK --set-mark 100
iptables -A PREROUTING -t mangle -i eth0.200 -j MARK --set-mark 200
making some route tables like t100 and t200
and then adding rules like:
ip rule add from all fwmark 100 table t100
ip rule add from all fwmark 200 table t200

IT WAS RP_FILTER

net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0/100.rp_filter = 0
net.ipv4.conf.eth0/200.rp_filter = 0
MealstroM
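Added example, not part of the original question: the per-VLAN routing tables sketched above, implemented with source-address rules (`ip rule add from <local ip>`) instead of the fwmark marking; both approaches make replies leave through the VLAN they arrived on. Interface names, addresses and the gateway are the ones from the question; the table numbers 100/200 and the DRY_RUN switch are assumptions. The rp_filter setting discussed in the accepted answer is a separate check and is not changed here.

```shell
#!/bin/sh
# Added example, not from the original question: source-based policy routing
# so replies leave through the VLAN interface the request arrived on.
# Assumptions: table numbers 100/200 and the DRY_RUN switch; the interface
# names, addresses and gateway are taken from the question.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them (root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_route IFACE LOCAL_IP SUBNET GATEWAY TABLE
# One routing table per VLAN: the connected subnet, a default route via that
# VLAN's gateway (if any), and a rule that selects the table whenever the
# packet's source is this VLAN's local address, i.e. for every reply.
vlan_route() {
    iface=$1; local_ip=$2; subnet=$3; gw=$4; table=$5
    run ip route replace "$subnet" dev "$iface" src "$local_ip" table "$table"
    if [ -n "$gw" ]; then
        run ip route replace default via "$gw" dev "$iface" table "$table"
    fi
    # pref below 32766 keeps the rule ahead of the main-table lookup
    run ip rule add from "$local_ip" table "$table" pref "$table"
}

# Full configuration for the two VLANs in the question. eth0.100 has no
# gateway in the question, so its table only carries the connected route.
vlan_policy_config() {
    vlan_route eth0.200 192.168.200.20 192.168.200.0/24 192.168.200.254 200
    vlan_route eth0.100 192.168.100.10 192.168.100.0/24 ""              100
}

vlan_policy_config
```

Check the result with `ip rule show` and `ip route show table 200`; `ip rule add` is not idempotent, so run the script once per boot (e.g. from a post-up line).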
  • How you have defined ip configuration in /etc/networking/interfaces? – Jan Marek Mar 15 '12 at 09:37
  • yes, I've added info. I'm looking to lacr to add routing tables per VLAN interface. – MealstroM Mar 15 '12 at 09:43
  • Do you have a router somewhere to route between these two subnets? How is 192.168.200.20 supposed to be accessed from the 192.168.100.0/24 network? You say it doesn't work, but don't explain how/why it should work. Does 192.168.200.254 know how to reach 192.168.100.0/24 and 192.168.100.10/24 know how to reach 192.168.200.0/24? – David Schwartz Mar 15 '12 at 10:47
  • This sounds **EXACTLY** like an `rp_filter` issue. What interface did you set `rp_filter` on (must be set to 0)? Set it explicitly on the individual interfaces, not on `net.ipv4.conf.all`. – phemmer Mar 15 '12 at 12:27
  • @Patrick Yes, it was an rp_filter issue. 6 hours just to find it out. I've just set all_rp.filter and forgot about eth0.rp_filter, or vice versa. – MealstroM Mar 15 '12 at 21:21

3 Answers


Issues like this are caused by net.ipv4.conf.*.rp_filter.

When rp_filter is enabled, the kernel will reject traffic coming in on an interface where the source address of the traffic matches the subnet of another interface on that server.

Many times problems can arise if the setting is enabled on net.ipv4.conf.all.rp_filter, but not on the specific interfaces like net.ipv4.conf.eth0.rp_filter.
The default setting for rp_filter is 0; however, many distros override this setting. Because it's being manually set by the distro on boot, setting it under net.ipv4.conf.all.rp_filter no longer works; it must be set on the specific interface (such as net.ipv4.conf.eth0.rp_filter).

phemmer
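Added example, not from the answer above: a small audit of the rp_filter value that actually applies per interface. The kernel takes the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter when validating packet sources on <iface>, which is why a 0 under `all` does not help while the distro still writes 1 to the interface entry (and the reverse). The SYSCTL_ROOT variable and the function names are assumptions introduced so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the answer: report the effective rp_filter per
# interface. The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter)
# for source validation on <iface>. SYSCTL_ROOT is overridable so the
# functions can be exercised against a constructed directory (assumption).
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/conf}"

# Dotted VLAN names are written eth0/100 in sysctl syntax (as in the
# question) but appear as plain eth0.100 directories under /proc/sys.
# An absent entry (interface not present) is reported as 0.
read_rp() {
    f="$SYSCTL_ROOT/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# effective_rp IFACE -> 0 (off), 1 (strict) or 2 (loose)
effective_rp() {
    a=$(read_rp all); i=$(read_rp "$1")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# rp_audit IFACE... -> one line per interface; exit status 1 if any
# interface still filters, so the caller can act on it.
rp_audit() {
    rc=0
    for ifc in "$@"; do
        e=$(effective_rp "$ifc")
        printf '%s all=%s iface=%s effective=%s\n' \
            "$ifc" "$(read_rp all)" "$(read_rp "$ifc")" "$e"
        [ "$e" = 0 ] || rc=1
    done
    return $rc
}

# On the multihomed server from the question:
#   rp_audit eth0.100 eth0.200 || echo "set net.ipv4.conf.<iface>.rp_filter=0"
```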

I think that there is a problem with bad segmentation of the network if you need the line ip r a 192.168.200.6 via 192.168.200.250 in the configuration... If you declare that the network 192.168.200.0/24 is on eth0.200, why do you want to go to the PC with IP address 192.168.200.6 via some other PC? It is not very systematic.

Every network has to be routed by only one router. If you have a router somewhere on the net which routes traffic between the 192.168.100.0/24 and 192.168.200.0/24 networks, you can have this config on this machine, but you must disable routing on this PC! Your PC will be on both networks, but traffic will come through the router, which is what the PCs on the network are expecting.

When a PC wants to communicate with another, in the clear case it will look at the network address and netmask to choose which method to use. If it has, for example, IP address 192.168.200.20 and the netmask is 255.255.255.0, it is this situation (ipcalc is used):

# ipcalc 192.168.200.20/24
Address:   192.168.200.20       11000000.10101000.11001000. 00010100
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.200.0/24     11000000.10101000.11001000. 00000000
HostMin:   192.168.200.1        11000000.10101000.11001000. 00000001
HostMax:   192.168.200.254      11000000.10101000.11001000. 11111110
Broadcast: 192.168.200.255      11000000.10101000.11001000. 11111111
Hosts/Net: 254                   Class C, Private Internet

In the normal case this computer can contact every PC in the range 192.168.200.1-192.168.200.254 directly - it will send an ARP request with the destination IP to the broadcast address, the destination PC will answer it, and the PC will have the link address (MAC) and IP address of the destination PC and can send it the packet directly.

If it wants to contact a PC from another subnet, it will compute (using IP address and netmask) that it cannot contact it directly and will send the packet with the IP address of the destination PC, but with the MAC address of the gateway (usually the default gateway). The gateway has this net directly connected, or will send the packet via another gateway... And the answer to our computer will come from its own gateway, not from another computer on the network.

In the normal case every PC on the network needs only 3 specifications:

  1. IP address
  2. Netmask
  3. Default gateway

The exception to these rules are gateways (or routers), which know about more than one network, and they have a default gateway too...

Sometimes you want to have a 'multihomed PC', which has more than one network on its interfaces, but you want it to have routing disabled - it is not a router (or gateway) at all. If a PC is expecting a packet from the gateway and it comes from another PC, it will drop this packet as fake.

There is a way to tell the PCs on the network that packets for address 192.168.100.10 have to be sent via another PC, but it's:

  • not systematic (see above)
  • uncomfortable for the administrator, because every PC in the 192.168.200.0/24 network must know about it and the opposite - every PC in the 192.168.100.0/24 network must contact 192.168.200.20 via the 192.168.100.10 gateway. Isn't it a mess?

So I strongly advise you not to do it. Keep networking as simple as you can and you will have no problems.

Jan Marek
  • the route via 2.250 is one IP that is behind wifi. The default gw is 254 for the 200.0/24 subnet – MealstroM Mar 15 '12 at 10:38
  • just imagine that the server has 2 VLANs from 2 countries, and it has an internal network with such numbering. And I want the packet to go back out the interface it arrived on. Nothing more. – MealstroM Mar 15 '12 at 10:43
  • OK, disable routing on this PC and I think that everything will go smoothly. If you need IP 192.168.200.6 for this PC, you can do a bridge on the 192.168.200.250 machine and you will not need the additional route. But in this case you can do routing: this PC can have IP (for example) 192.168.400.40 and you have to have on 192.168.200.254 this route `ip r a 192.168.400.40 via 192.168.200.250`. Everything should work. – Jan Marek Mar 15 '12 at 10:48
  • @MealstroM As I wrote, if a PC is sending a packet via a gateway, it expects that the same gateway will send the answer... – Jan Marek Mar 15 '12 at 11:32

Your switch must support 802.1Q and have a correct VLAN configuration. Maybe you defined only one VLAN, or the port is in access mode (and it should be trunk). Check your Linux and switch logs: do you see something?

Dom