28 February 2012

83. Configuring route for multiple network interfaces on Debian Testing

In my previous post I got rid of network-manager.

On my main desktop, which serves as a gateway for two subnets, gives them access to the internet and has three interfaces (eth0 goes to the outside world, eth1 serves 192.168.0-127 and provides internet passthrough, eth2 serves 192.168.128-255), I had trouble getting the internet connection to work once network-manager was gone. The issue was the routing table.

Here's what I did to diagnose and solve it:

When I got rid of network-manager I set up my /etc/network/interfaces like this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
gateway 192.168.1.1

auto eth2
iface eth2 inet static
address 192.168.1.129
netmask 255.255.255.128
gateway 192.168.1.129

But this gives the following routing table:

sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.129   0.0.0.0         UG    0      0        0 eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         XXX.XXX.XXX.254 0.0.0.0         UG    0      0        0 eth0
XXX.XXX.XXX.0   0.0.0.0         255.255.248.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.128   0.0.0.0         255.255.255.128 U     0      0        0 eth2

The problem is that I DON'T want all traffic going out via eth2 and eth1; I want the default gateway to be eth0. What happens is that every static stanza with a gateway line adds its own default route, so the three stanzas produce three default routes and the last one brought up wins. Inverting the order of the interfaces in /etc/network/interfaces doesn't fix it either.

A quick fix is to run

sudo route add default dev eth0

which adds this as the first line:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 eth0

So it looks like we need to configure the routes manually.

It turns out you can just add the route commands as post-up options in your /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
gateway 192.168.1.1

auto eth2
iface eth2 inet static
address 192.168.1.129
netmask 255.255.255.128
gateway 192.168.1.129

auto wlan0
iface wlan0 inet static
address 192.168.2.1
netmask 255.255.255.0
gateway 192.168.2.1

post-up ip route flush all
post-up route add default dev eth0
post-up route add -net 169.254.0.0 netmask 255.255.0.0 dev eth0 metric 1000
post-up route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
post-up route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129 eth2
post-up route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1 wlan0

These post-up lines are attached to the last stanza (wlan0 here), so they run once that interface has been brought up and after all the other stanzas have added their routes. They give us a nice, compact routing table after

sudo service networking restart

sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
192.168.1.128   192.168.1.129   255.255.255.128 UG    0      0        0 eth2
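As an added check (my own example, not part of the original post), the tables above can be fed to a small shell script that counts the default routes in a `route -n` listing and confirms that the single remaining one leaves via eth0. The two tables embedded in the script are constructed copies of the post's "before" and "after" output, with XXX.XXX.XXX.254 standing for the post's redacted upstream gateway; the same functions also work on live `route -n` output.

```shell
#!/bin/sh
# Added example: sanity-check a `route -n` style table for the condition the
# post describes, i.e. more than one default route, or a default route that
# does not leave via the interface facing the outside world.
# Input is read from stdin. The two tables below are constructed samples that
# mirror the post's before/after output (XXX.XXX.XXX.254 is the post's
# redacted upstream gateway, kept as a placeholder).

# Print "iface gateway" for every default (destination 0.0.0.0, mask 0.0.0.0)
# entry in a route -n table. Header lines never match because $1 is a word.
default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8, $2 }'
}

# Count default routes in the table on stdin (tr strips wc's padding on BSD).
count_default_routes() {
    default_routes | wc -l | tr -d ' '
}

# Succeed only if exactly one default route exists and it leaves via $1.
check_default_iface() {
    want="$1"
    table=$(cat)
    n=$(printf '%s\n' "$table" | count_default_routes)
    [ "$n" -eq 1 ] || { echo "FAIL: $n default routes (expected 1)"; return 1; }
    got=$(printf '%s\n' "$table" | default_routes | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "FAIL: default route via $got, expected $want"; return 1; }
    echo "OK: single default route via $got"
}

# Constructed sample: the broken table with three default routes.
BEFORE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.129   0.0.0.0         UG    0      0        0 eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         XXX.XXX.XXX.254 0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.128   0.0.0.0         255.255.255.128 U     0      0        0 eth2'

# Constructed sample: the table after the post-up route commands.
AFTER_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
192.168.1.128   192.168.1.129   255.255.255.128 UG    0      0        0 eth2'

# Stand-alone run: check both samples, then the live table if `route` exists.
printf '%s\n' "$BEFORE_TABLE" | check_default_iface eth0 || true
printf '%s\n' "$AFTER_TABLE"  | check_default_iface eth0 || true
if command -v route >/dev/null 2>&1; then
    route -n 2>/dev/null | check_default_iface eth0 || true
fi
```

Run it as `sh check_routes.sh` after `service networking restart`; a non-zero return from check_default_iface is what you would test for in a boot-time health check, since a second default route is exactly the failure the post's manual `route add` papered over.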

Edit:
An earlier version of this post used a separate script (see below). That works fine on boot. However, sudo service networking restart does not invoke it, so you may end up with a faulty routing table. It is therefore preferable to use the method above, in which the route commands are added as post-up options at the end of /etc/network/interfaces.

The following is kept for posterity only:

We put the commands below into /etc/routing_table.sh:

#!/bin/sh
sudo ip route flush all
sudo route add default dev eth0
sudo route add -net 169.254.0.0 netmask 255.255.0.0 dev eth0 metric 1000
sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
sudo route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129 eth2
exit 0

We change the attributes:

sudo chmod o-rwx /etc/routing_table.sh
sudo chmod g-rwx /etc/routing_table.sh
sudo chmod u+rwx /etc/routing_table.sh

Here the owner is root, so only root can execute and edit the script. I guess the 'sudo' is a bit superfluous inside it.

To make it run on boot, add a line to your /etc/rc.local. My rc.local now looks like this:

#!/bin/sh -e
echo "1" > /proc/sys/net/ipv4/ip_forward
sh /etc/firewall-rules.sh
sh /etc/routing_table.sh
exit 0

The firewall-rules.sh script is described in another post on iptables.

8 comments:

  1. Hi,
    I have a school network 10.0.0.0/8.
    I have Debian running with a static assigned IP 10.122.72.2, gateway 10.122.72.1 on eth0, and a local network 10.122.2.0/24 on eth1.
    The problem is I can access other networks, e.g. 10.122.1.0/24, but I can't access my local network from outside, e.g. ping 10.122.2.1 from 10.122.1.1.
    I didn't use the ip route command, but sudo route -n gives me this:
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 10.122.72.1 0.0.0.0 UG 0 0 0 eth0
    10.122.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    10.122.72.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    and here is my /etc/network/interfaces
    # The loopback network interface
    auto lo
    iface lo inet loopback
    # The primary network interface
    auto eth0
    iface eth0 inet static
    address 10.122.72.2
    netmask 255.255.255.0
    network 10.122.72.0
    broadcast 10.122.72.255
    gateway 10.122.72.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 202.46.129.2
    auto eth1
    iface eth1 inet static
    address 10.122.2.1
    netmask 255.255.255.0
    network 10.122.2.0
    broadcast 10.122.2.255
    How can I make my local network accessible from outside?
    Thanks in advance

    1. Have you confirmed what ports -- if any -- are open?

    2. Thanks for your reply.
      I used this command from a PC on the 10.122.1.0/24 network running Windows 7:

      nmap -T4 -A -v -Pn 10.122.2.1

      Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-24 17:33 SE Asia Standard Time
      NSE: Loaded 110 scripts for scanning.
      NSE: Script Pre-scanning.
      Initiating SYN Stealth Scan at 17:33
      Scanning 10.122.2.1 [1000 ports]
      SYN Stealth Scan Timing: About 30.50% done; ETC: 17:35 (0:01:11 remaining)
      SYN Stealth Scan Timing: About 60.50% done; ETC: 17:35 (0:00:40 remaining)
      Completed SYN Stealth Scan at 17:35, 101.43s elapsed (1000 total ports)
      Initiating Service scan at 17:35
      Initiating OS detection (try #1) against 10.122.2.1
      mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
      Retrying OS detection (try #2) against 10.122.2.1
      Initiating Traceroute at 17:35
      Completed Traceroute at 17:35, 9.08s elapsed
      NSE: Script scanning 10.122.2.1.
      Initiating NSE at 17:35
      Completed NSE at 17:35, 0.00s elapsed
      Nmap scan report for 10.122.2.1
      Host is up.
      All 1000 scanned ports on 10.122.2.1 are filtered
      Too many fingerprints match this host to give specific OS details

      TRACEROUTE (using proto 1/icmp)
      HOP RTT ADDRESS
      1 1.00 ms 10.122.1.1
      2 5.00 ms 10.122.254.9
      3 ... 30

      NSE: Script Post-scanning.
      Read data files from: D:\Program Files (x86)\Nmap
      OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 117.96 seconds
      Raw packets sent: 2134 (97.080KB) | Rcvd: 4 (216B)

    3. This comment has been removed by a blog administrator.

    4. I'm not sure you're describing your problem accurately enough that I understand what you're trying to achieve.

      First of all, if there are no ports open you cannot access the network without using reverse tunneling.

      Secondly, I'm not sure what the exact setup is: you have two cards and they are connected to two subnets via two routers? One has a static IP of 10.122.72.2 and the other has a static IP of 10.122.2.1, which would typically be the gateway IP. I presume that you've got the routing working so that you can ping other devices on the 10.122.2.0/24 subnet as well as devices on the 10.122.72.0/24 subnet?

      So in what way is this related to " i can't access my local network from outside, eg. ping 10.122.2.1 from 10.122.1.1"?
      Or do you want your computer to relay traffic between networks?

  2. The setup:
    - Both 10.122.2.0/24 and 10.122.1.0/24 are local networks
    - The 10.122.2.0/24 network has something like a public static IP 10.122.72.2 with gateway 10.122.72.1
    - The 10.122.1.0/24 network also has something like a public static IP 10.122.254.10 with gateway 10.122.254.9
    - 10.122.72.2, 10.122.72.1, 10.122.254.10 and 10.122.254.9 are all something like subnets of the 10.122.0.0/16 network
    - 10.122.72.2, 10.122.72.1, 10.122.254.10 and 10.122.254.9 can be pinged from all of the 10.0.0.0/8 subnet

    I don't know what relaying traffic actually is, but my goal is to be able to access both from inside to outside and from outside to inside.

  3. Similar to Jordan Coba, I have two network devices in two different subnets, one internal (eth0) and one external (eth1). Both devices have a static IP configured in /etc/network/interfaces, with the default gateway on eth1:

    iface eth0 inet static
    address 10.155.249.2
    netmask 255.255.255.0
    broadcast 10.155.249.255

    auto eth1
    iface eth1 inet static
    address 129.187.255.169
    netmask 255.255.255.248
    broadcast 129.187.255.175
    gateway 129.187.255.174

    Routing table

    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 129.187.255.174 0.0.0.0 UG 0 0 0 eth1
    10.155.249.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    129.187.255.168 0.0.0.0 255.255.255.248 U 0 0 0 eth1

    I can access eth1 from every external IP, and eth0 from inside subnet 0. However, I cannot access the external IP (eth1) from inside subnet 0.

    Any suggestions?

  4. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!
    Networking Basics
