
In one of our data centres we have a Debian machine acting as a router. From this network we cannot reach any of the machines found on the 192.168.100.0/24 network. E.g. the gateway on the 192.168.100.0/24 network is 192.168.100.10. This gateway is not reachable from this network, 192.168.200.0/24.

The network configuration is as follows:

/etc/network/interfaces

auto lo eth0 eth1
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 77.xx.xx.xx
        netmask 255.255.255.240
        gateway 77.xx.xx.xx

# The internal network interface
iface eth1 inet static
        address 192.168.200.20
        netmask 255.255.255.0

iface eth1.100 inet static
        address 192.168.100.1
        netmask 255.255.255.0

iface tun0 inet static
        address 10.254.254.1
        netmask 255.255.255.252
        pointopoint 10.254.254.2

ifconfig shows the following:

eth0      Link encap:Ethernet  HWaddr 00:13:21:ae:d7:23  
          inet addr:77.xx.xx.xx  Bcast:77.xx.xx.xx  Mask:255.255.255.240
          inet6 addr: fe80::213:21ff:feae:d723/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:136897619 errors:7 dropped:0 overruns:0 frame:56
          TX packets:35219565 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:106904749360 (99.5 GiB)  TX bytes:4700046351 (4.3 GiB)
          Interrupt:25 

eth1      Link encap:Ethernet  HWaddr 00:13:21:ae:d7:22  
          inet addr:192.168.200.20  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::213:21ff:feae:d722/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25456278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51273676 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2910299307 (2.7 GiB)  TX bytes:71434605655 (66.5 GiB)
          Interrupt:26 

eth1.100  Link encap:Ethernet  HWaddr 00:13:21:ae:d7:22  
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::213:21ff:feae:d722/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:1350 (1.3 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8057 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8057 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:678439 (662.5 KiB)  TX bytes:678439 (662.5 KiB)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.200.200  P-t-P:192.168.0.201  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1486  Metric:1
          RX packets:16438 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31312 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:1281863 (1.2 MiB)  TX bytes:14955384 (14.2 MiB)

I've tried to add one of the following routes manually but without success.

route add -net 192.168.100.0 netmask 255.255.255.0 dev eth1

route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.20 dev eth1

ip route add 192.168.100.0/24 via 192.168.200.20 dev eth1

The route is being added but does not do much. The network 192.168.100.0/24 remains unreachable.

What ip route show and route -n show:

root@dc-dc:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.201   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
77.xx.xx.xx     0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         77.xx.xx.xx    0.0.0.0         UG    0      0        0 eth0

root@dc-dc:~# ip route show
192.168.0.201 dev ppp0  proto kernel  scope link  src 192.168.200.200 
77.xx.xx.xx/28 dev eth0  proto kernel  scope link  src 77.xx.xx.xx 
192.168.200.0/24 dev eth1  proto kernel  scope link  src 192.168.200.20 
default via 77.xx.xx.xx dev eth0 

Port forwarding is enabled

root@dc-dc:~# cat /proc/sys/net/ipv4/ip_forward 
1

Output of iptables

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       220.xx.xx.2         0.0.0.0/0           
   57  2964 ACCEPT     tcp  --  eth0   *       194.xx.xx.0/24       0.0.0.0/0           tcp dpt:22 
 108K 6495K ACCEPT     tcp  --  eth0   *       194.xx.xx.0/24       0.0.0.0/0           tcp dpt:1723 
  52M   71G ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  14M  724M ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
 4407  427K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  26M   38G ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
  415 19592 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
  249 11776 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
    5   180 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 0 
14351 1193K ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
14092  845K ACCEPT     all  --  eth0   *       194.xx.xx.0/24       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.0/8         
    0     0 ACCEPT     112  --  *      *       0.0.0.0/0            0.0.0.0/0           
16173 1376K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   616 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0           
  21M   31G ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
  10M 1573M ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
 138K   20M ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
 146K  202M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       89.xx.xx.xx          127.0.0.1           udp spt:53 
    0     0 ACCEPT     udp  --  *      *       83.xx.xx.xx        127.0.0.1           udp spt:53 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  43M   41G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     112  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 

root@dc-dc:~# iptables -t nat -L -v 
Chain PREROUTING (policy ACCEPT 121K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1715 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    any     10.254.254.0/24      anywhere            
    0     0 MASQUERADE  all  --  any    ppp0    anywhere             anywhere            
    0     0 SNAT       all  --  any    eth0    anywhere             212.159.203.234     to:194.50.96.11 
58671 3659K MASQUERADE  all  --  any    eth0    anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 28351 packets, 1945K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Any idea what I could try? Thanks in advance.

Valentin Bajrami
  • Please show us output from cat /proc/sys/net/ipv4/ip_forward and your iptables configuration. – B14D3 Feb 20 '13 at 10:50
  • And I don't know for sure, but you are trying to add a route for network 192.168.100.0 on card eth1 while you have configured it on eth1.100 (it's a blind shot but you can try it :) ) – B14D3 Feb 20 '13 at 10:54
  • @B14D3 Post has been updated. Information you required has been added. – Valentin Bajrami Feb 20 '13 at 10:58
  • There are no modems involved anywhere, are there? Like a DSL or cable modem? 192.168.100.x is commonly configured as a quasi-private network on them, usually used for diagnostics and such. – Chris S Feb 21 '13 at 00:12

2 Answers

Is the connection to other networks, so the router itself, working?

Are you sure the route for the reply is set correctly as well? If you set the gateway only for one direction, this is not enough, you also have to make sure the route in the opposite direction works.

For example:

You have server A connected to router A, which is then connected to server B. Let's assume both servers have a default gateway which is not router A, but some other router. Now if you tell server A that its route to server B is via router A, this is not enough. You also need to tell server B that its route to server A is via router A. Otherwise the packets from server A might arrive on server B, but server B doesn't know how to reply or uses a wrong router for the reply.

replay
  • From the other network, I am able to ping 192.168.200.20, but not from 192.168.100.10 to 192.168.200.20. So the problem IMHO is still on the 192.168.200.20 side. – Valentin Bajrami Feb 20 '13 at 10:38
  • If you are able to ping from any side, it means that at least the route is OK, because if one of the two routes didn't work you wouldn't get the ping reply. Now if just one direction does work and the other doesn't, I would check all firewall settings on all 3 involved hosts. – replay Feb 20 '13 at 11:04
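The two routing questions raised so far (where the Debian box actually sends a packet for 192.168.100.10 given the `ip route show` output above, and replay's point that the remote host needs a matching route back) can be checked offline with a longest-prefix-match lookup. This is an added example, not code from the question or the answer: the router table is the one shown in the question with 77.0.0.0/28 standing in for the masked 77.xx.xx.xx block, and the remote host's table is a hypothetical one that assumes 192.168.100.10 uses 192.168.100.254 as its default gateway.

```python
import ipaddress

# Router table, constructed from the question's `ip route show` output
# (77.0.0.0/28 and 77.0.0.1 are placeholders for the masked WAN addresses).
ROUTER_TABLE = """\
192.168.0.201 dev ppp0  proto kernel  scope link  src 192.168.200.200
77.0.0.0/28 dev eth0  proto kernel  scope link  src 77.0.0.2
192.168.200.0/24 dev eth1  proto kernel  scope link  src 192.168.200.20
default via 77.0.0.1 dev eth0
"""
# Hypothetical table of the 192.168.100.10 host: its only way back towards
# 192.168.200.0/24 is an assumed default gateway 192.168.100.254.
REMOTE_TABLE = """\
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.10
default via 192.168.100.254 dev eth0
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the same choice the kernel makes for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def path_check(router_text, remote_text, router_ip, remote_ip):
    """Forward lookup on the router and reverse lookup on the remote host.
    Returns (egress device on the router, next hop the remote host picks)."""
    fwd = lookup(parse_routes(router_text), remote_ip)
    back = lookup(parse_routes(remote_text), router_ip)
    return (fwd[2] if fwd else None, back[1] if back else None)


if __name__ == "__main__":
    # ('eth0', '192.168.100.254'): the router pushes 192.168.100.x out the
    # WAN link, and the remote host would answer via a different router.
    print(path_check(ROUTER_TABLE, REMOTE_TABLE, "192.168.200.20", "192.168.100.10"))
```

Appending a connected route for 192.168.100.0/24 on eth1.100 to the router table and a `192.168.200.0/24 via 192.168.100.1` route to the remote table makes `path_check` return `('eth1.100', '192.168.100.1')`, i.e. both directions agree on the Debian box.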

It looks like interface "eth1.100" was created with vconfig or similar. This means the interface will act as if it is tagged for VLAN 100, and any packets that are transmitted from it will have the 802.1Q VLAN tag added to it. The reason I suspect this is because the interface name is "eth1.100" rather than "eth1:100".

What you actually wanted was probably just multi-homing. Firstly, get rid of the interface "eth1.100" with the command "vconfig rem eth1.100", then add 192.168.100.1 to eth1 simply by issuing the command "ifconfig eth1 add 192.168.100.1".

Hopefully this will resolve your issue.

wookie919
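To make the point of this answer concrete: a frame leaving an "eth1.100" VLAN subinterface carries a 4-byte 802.1Q tag (TPID 0x8100, VID 100) between the source MAC and the EtherType, and a host whose NIC has no VLAN 100 subinterface has nowhere to deliver it. The following is an added, simplified model of that behaviour, not code from the answer; the MACs and payload are constructed (the source MAC is eth1's from the question), and `classify` only models the receive decision, not the full Linux VLAN stack.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
ETHERTYPE_ARP = 0x0806


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame (no FCS): dst, src, EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the MAC addresses, as a VLAN
    subinterface such as eth1.100 does on transmit."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid  # 3-bit priority, DEI=0, 12-bit VLAN id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify(frame, vlan_subinterfaces):
    """Receive decision of a host with the given set of VLAN ids configured:
    ('untagged', ethertype) for a plain frame, ('vlan', vid) when a matching
    subinterface exists, ('dropped', vid) when the tag has no owner."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return ("untagged", ethertype)
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return ("vlan", vid) if vid in vlan_subinterfaces else ("dropped", vid)


# Constructed sample: a broadcast ARP request as eth1 (untagged) and as
# eth1.100 (tagged with VID 100) would put it on the wire.
BROADCAST = bytes.fromhex("ffffffffffff")
ETH1_MAC = bytes.fromhex("001321aed722")
ARP_REQUEST = build_frame(BROADCAST, ETH1_MAC, ETHERTYPE_ARP, b"\x00" * 28)
ARP_REQUEST_VLAN100 = tag_frame(ARP_REQUEST, 100)

if __name__ == "__main__":
    host_without_vlans = set()
    print(classify(ARP_REQUEST, host_without_vlans))          # ('untagged', 2054)
    print(classify(ARP_REQUEST_VLAN100, host_without_vlans))  # ('dropped', 100)
    print(classify(ARP_REQUEST_VLAN100, {100}))               # ('vlan', 100)
```

The TX counter on eth1.100 in the question (27 packets, 0 received) is consistent with this picture: the tagged frames go out, but nothing on the untagged segment answers them.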