Traffic via static route on router does not find its way backCisco PIX 515 doesn't seem to be passing traffic...
Is xar preinstalled on macOS?
Air travel with refrigerated insulin
Error in master's thesis, I do not know what to do
Why is "la Gestapo" feminine?
Help with identifying unique aircraft over NE Pennsylvania
How to test the sharpness of a knife?
What are the consequences of changing the number of hours in a day?
Was World War I a war of liberals against authoritarians?
Determine voltage drop over 10G resistors with cheap multimeter
Which partition to make active?
Weird lines in Microsoft Word
Why didn’t Eve recognize the little cockroach as a living organism?
Friend wants my recommendation but I don't want to
Why is this tree refusing to shed its dead leaves?
Does the Shadow Magic sorcerer's Eyes of the Dark feature work on all Darkness spells or just his/her own?
If I cast the Enlarge/Reduce spell on an arrow, what weapon could it count as?
Emojional cryptic crossword
What will the Frenchman say?
Hot air balloons as primitive bombers
Why does Surtur say that Thor is Asgard's doom?
PTIJ: Why do we make a Lulav holder?
How to balance a monster modification (zombie)?
"Marked down as someone wanting to sell shares." What does that mean?
Imaginary part of expression too difficult to calculate
Traffic via static route on router does not find its way back
Cisco PIX 515 doesn't seem to be passing traffic through according to static routeset static default route in a router, in linuxWhat is the simplest way to route web traffic via separate (dedicated) interface?Linux route does not persistLinux static route configuration via DHCPOpenVpn & KVM: can't access LAN behind serverRoute traffic through private IP for only certain hosts - CentOS 6.6How to add an static route on google compute enginepfSense - Traffic to subnet not being routed by static routeSimple router with two ethernet interface no static route needed?
this one bugs me for a couple of days now and I cannot find a solution.
Sorry for the strange title. This isn't my main field of work and I currently cannot think of a better title.
Some facts:
- I'm a user on a shared openstack environment
- I cannot see or change the configuration of the underlaying openstack setup
- The VMs are configured via cloud-init which installs python-minimal, creates a user and does an
apt-get dist-upgrade. Apart from that they are configured via DHCP with a static IP. - I configured no
iptablesrules on the nodes.
So, let me describe the setup:
I created a network+subnet (10.0.30.10/24). The network is attached to a router which holds two static routes. I also created two VMs (both ubuntu 16.04.2 LTS) which got their "main" IP (node0: 10.0.30.10/24 and node1: 10.0.30.11/24) and also a second IP in a different subnet (node0: 10.10.10.2/24 and node1: 10.10.20.2/24).
I also configured two static routes on the router which forward everything for 10.10.10.0/24 to node0 and everything for 10.10.20.0/24 to node1.
+----------------------------------------+
| test-router |
| IP: 10.0.30.1/24 |
| |
| Static routes: |
| - destination_cidr = "10.10.10.0/24" |
| next_hop = "10.0.30.10" |
| - destination_cidr = "10.10.20.0/24" |
| next_hop = "10.0.30.11" |
+----------------------------------------+
|
|
+------------------------+
| test-network |
| Subnet: 10.0.30.0/24 |
| Router: 10.0.30.1 |
+------------------------+
|
|
| +---------------------+
| | node0 |
+-------+ IP: 10.0.30.10/24 |
| | 10.10.10.2/24 |
| +---------------------+
|
| +---------------------+
| | node1 |
+-------+ IP: 10.0.30.11/24 |
| 10.10.20.2/24 |
+---------------------+
After both VMs are bootet I can observe the following:
Node0
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.30.1 0.0.0.0 UG 0 0 0 ens3
10.0.30.0 * 255.255.255.0 U 0 0 0 ens3
169.254.169.254 10.0.30.100 255.255.255.255 UGH 0 0 0 ens3
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:31:67:52 brd ff:ff:ff:ff:ff:ff
inet 10.0.30.10/24 brd 10.0.30.255 scope global ens3
valid_lft forever preferred_lft forever
inet 10.10.10.2/24 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe31:6752/64 scope link
valid_lft forever preferred_lft forever
$ ping -c10 10.10.20.2
PING 10.10.20.2 (10.10.20.2) 56(84) bytes of data.
From 10.0.30.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.30.11)
From 10.0.30.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.30.11)
--- 10.10.20.2 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.30.1 0.0.0.0 UG 0 0 0 ens3
10.0.30.0 * 255.255.255.0 U 0 0 0 ens3
10.10.10.0 * 255.255.255.0 U 0 0 0 ens3
169.254.169.254 10.0.30.100 255.255.255.255 UGH 0 0 0 ens3
Meanwhile on node1
# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:55.451876 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 1, length 64
09:25:55.451928 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 1, length 64
09:25:56.451467 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 2, length 64
09:25:56.451503 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 2, length 64
09:25:57.451185 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 3, length 64
09:25:57.451218 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 3, length 64
[..]
09:26:03.450910 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 9, length 64
09:26:03.450943 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 9, length 64
09:26:04.450988 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 10, length 64
09:26:04.451022 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 10, length 64
So, my conclusion is: node1 receives the traffic but the reply doesn't make its way to node0.
The same happens if I start a webserver on node1 and try to curl it via the statically routed IP. I see traffic coming in on node1 but the response never makes it to node0.
On the other hand: arping from node0 to node1 works:
# arping -c3 -i ens3 10.10.20.2
ARPING 10.10.20.2
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=0 time=7.933 msec
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=1 time=2.797 msec
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=2 time=9.703 msec
--- 10.10.20.2 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 2.797/6.811/9.703/2.929 ms
If I use the "main" IP, everything works fine.
Things I tried (on both nodes):
- Setting
/proc/sys/net/ipv4/conf/ens3/rp_filterto2and0(because I'm desperate). Nothing changed. - Setting
/proc/sys/net/ipv4/ip_forwardto1. Nothing changed. - Setting
/proc/sys/net/ipv4/conf/ens3/log_martiansto1on both nodes. No output viajournalctl -fwhatsoever.
EDIT: There is output on node0 if I ping node1 via the static IP:
May 03 11:16:01 node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
And since I'm running out of ideas, I need your help. Thanks for taking the time looking into my problem!
ubuntu linux-networking subnet openstack static-routes
asked May 3 '17 at 10:01
maltemalte
18416
add a comment |
this one bugs me for a couple of days now and I cannot find a solution.
Sorry for the strange title. This isn't my main field of work and I currently cannot think of a better title.
Some facts:
- I'm a user on a shared openstack environment
- I cannot see or change the configuration of the underlaying openstack setup
- The VMs are configured via cloud-init which installs python-minimal, creates a user and does an
apt-get dist-upgrade. Apart from that they are configured via DHCP with a static IP. - I configured no
iptablesrules on the nodes.
So, let me describe the setup:
I created a network+subnet (10.0.30.10/24). The network is attached to a router which holds two static routes. I also created two VMs (both ubuntu 16.04.2 LTS) which got their "main" IP (node0: 10.0.30.10/24 and node1: 10.0.30.11/24) and also a second IP in a different subnet (node0: 10.10.10.2/24 and node1: 10.10.20.2/24).
I also configured two static routes on the router which forward everything for 10.10.10.0/24 to node0 and everything for 10.10.20.0/24 to node1.
+----------------------------------------+
| test-router |
| IP: 10.0.30.1/24 |
| |
| Static routes: |
| - destination_cidr = "10.10.10.0/24" |
| next_hop = "10.0.30.10" |
| - destination_cidr = "10.10.20.0/24" |
| next_hop = "10.0.30.11" |
+----------------------------------------+
|
|
+------------------------+
| test-network |
| Subnet: 10.0.30.0/24 |
| Router: 10.0.30.1 |
+------------------------+
|
|
| +---------------------+
| | node0 |
+-------+ IP: 10.0.30.10/24 |
| | 10.10.10.2/24 |
| +---------------------+
|
| +---------------------+
| | node1 |
+-------+ IP: 10.0.30.11/24 |
| 10.10.20.2/24 |
+---------------------+
After both VMs are bootet I can observe the following:
Node0
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.30.1 0.0.0.0 UG 0 0 0 ens3
10.0.30.0 * 255.255.255.0 U 0 0 0 ens3
169.254.169.254 10.0.30.100 255.255.255.255 UGH 0 0 0 ens3
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:31:67:52 brd ff:ff:ff:ff:ff:ff
inet 10.0.30.10/24 brd 10.0.30.255 scope global ens3
valid_lft forever preferred_lft forever
inet 10.10.10.2/24 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe31:6752/64 scope link
valid_lft forever preferred_lft forever
$ ping -c10 10.10.20.2
PING 10.10.20.2 (10.10.20.2) 56(84) bytes of data.
From 10.0.30.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.30.11)
From 10.0.30.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.30.11)
--- 10.10.20.2 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.30.1 0.0.0.0 UG 0 0 0 ens3
10.0.30.0 * 255.255.255.0 U 0 0 0 ens3
10.10.10.0 * 255.255.255.0 U 0 0 0 ens3
169.254.169.254 10.0.30.100 255.255.255.255 UGH 0 0 0 ens3
Meanwhile on node1
# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:55.451876 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 1, length 64
09:25:55.451928 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 1, length 64
09:25:56.451467 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 2, length 64
09:25:56.451503 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 2, length 64
09:25:57.451185 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 3, length 64
09:25:57.451218 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 3, length 64
[..]
09:26:03.450910 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 9, length 64
09:26:03.450943 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 9, length 64
09:26:04.450988 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 10, length 64
09:26:04.451022 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 10, length 64
So, my conclusion is: node1 receives the traffic but the reply doesn't make its way to node0.
The same happens if I start a webserver on node1 and try to curl it via the statically routed IP. I see traffic coming in on node1 but the response never makes it to node0.
On the other hand: arping from node0 to node1 works:
# arping -c3 -i ens3 10.10.20.2
ARPING 10.10.20.2
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=0 time=7.933 msec
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=1 time=2.797 msec
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=2 time=9.703 msec
--- 10.10.20.2 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 2.797/6.811/9.703/2.929 ms
If I use the "main" IP, everything works fine.
Things I tried (on both nodes):
- Setting
/proc/sys/net/ipv4/conf/ens3/rp_filterto2and0(because I'm desperate). Nothing changed. - Setting
/proc/sys/net/ipv4/ip_forwardto1. Nothing changed. - Setting
/proc/sys/net/ipv4/conf/ens3/log_martiansto1on both nodes. No output viajournalctl -fwhatsoever.
EDIT: There is output on node0 if I ping node1 via the static IP:
May 03 11:16:01 node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
And since I'm running out of ideas, I need your help. Thanks for taking the time looking into my problem!
ubuntu linux-networking subnet openstack static-routes
asked May 3 '17 at 10:01
maltemalte
18416
Are you forwarding internally inside the ubuntu nodes? what do you have if youcat /proc/sys/net/ipv4/ip_forward?
– NickW
May 3 '17 at 10:12
That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything.cat /proc/sys/net/ipv4/ip_forwardshows1which is also something I tried, I guess.
– malte
May 3 '17 at 10:51
Well, since the traffic has to go through the.30addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from10.10.30.11or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…
– NickW
May 3 '17 at 11:04
add a comment |
this one bugs me for a couple of days now and I cannot find a solution.
Sorry for the strange title. This isn't my main field of work and I currently cannot think of a better title.
Some facts:
- I'm a user on a shared openstack environment
- I cannot see or change the configuration of the underlaying openstack setup
- The VMs are configured via cloud-init which installs python-minimal, creates a user and does an
apt-get dist-upgrade. Apart from that they are configured via DHCP with a static IP. - I configured no
iptablesrules on the nodes.
So, let me describe the setup:
I created a network+subnet (10.0.30.10/24). The network is attached to a router which holds two static routes. I also created two VMs (both ubuntu 16.04.2 LTS) which got their "main" IP (node0: 10.0.30.10/24 and node1: 10.0.30.11/24) and also a second IP in a different subnet (node0: 10.10.10.2/24 and node1: 10.10.20.2/24).
I also configured two static routes on the router which forward everything for 10.10.10.0/24 to node0 and everything for 10.10.20.0/24 to node1.
+----------------------------------------+
| test-router |
| IP: 10.0.30.1/24 |
| |
| Static routes: |
| - destination_cidr = "10.10.10.0/24" |
| next_hop = "10.0.30.10" |
| - destination_cidr = "10.10.20.0/24" |
| next_hop = "10.0.30.11" |
+----------------------------------------+
|
|
+------------------------+
| test-network |
| Subnet: 10.0.30.0/24 |
| Router: 10.0.30.1 |
+------------------------+
|
|
| +---------------------+
| | node0 |
+-------+ IP: 10.0.30.10/24 |
| | 10.10.10.2/24 |
| +---------------------+
|
| +---------------------+
| | node1 |
+-------+ IP: 10.0.30.11/24 |
| 10.10.20.2/24 |
+---------------------+
After both VMs are bootet I can observe the following:
Node0
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.30.1 0.0.0.0 UG 0 0 0 ens3
10.0.30.0 * 255.255.255.0 U 0 0 0 ens3
169.254.169.254 10.0.30.100 255.255.255.255 UGH 0 0 0 ens3
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:31:67:52 brd ff:ff:ff:ff:ff:ff
inet 10.0.30.10/24 brd 10.0.30.255 scope global ens3
valid_lft forever preferred_lft forever
inet 10.10.10.2/24 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe31:6752/64 scope link
valid_lft forever preferred_lft forever
$ ping -c10 10.10.20.2
PING 10.10.20.2 (10.10.20.2) 56(84) bytes of data.
From 10.0.30.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.30.11)
From 10.0.30.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.30.11)
--- 10.10.20.2 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.30.1 0.0.0.0 UG 0 0 0 ens3
10.0.30.0 * 255.255.255.0 U 0 0 0 ens3
10.10.10.0 * 255.255.255.0 U 0 0 0 ens3
169.254.169.254 10.0.30.100 255.255.255.255 UGH 0 0 0 ens3
Meanwhile on node1
# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:55.451876 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 1, length 64
09:25:55.451928 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 1, length 64
09:25:56.451467 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 2, length 64
09:25:56.451503 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 2, length 64
09:25:57.451185 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 3, length 64
09:25:57.451218 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 3, length 64
[..]
09:26:03.450910 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 9, length 64
09:26:03.450943 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 9, length 64
09:26:04.450988 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 10, length 64
09:26:04.451022 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 10, length 64
So, my conclusion is: node1 receives the traffic but the reply doesn't make its way to node0.
The same happens if I start a webserver on node1 and try to curl it via the statically routed IP. I see traffic coming in on node1 but the response never makes it to node0.
On the other hand: arping from node0 to node1 works:
# arping -c3 -i ens3 10.10.20.2
ARPING 10.10.20.2
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=0 time=7.933 msec
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=1 time=2.797 msec
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=2 time=9.703 msec
--- 10.10.20.2 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 2.797/6.811/9.703/2.929 ms
If I use the "main" IP, everything works fine.
Things I tried (on both nodes):
- Setting
/proc/sys/net/ipv4/conf/ens3/rp_filterto2and0(because I'm desperate). Nothing changed. - Setting
/proc/sys/net/ipv4/ip_forwardto1. Nothing changed. - Setting
/proc/sys/net/ipv4/conf/ens3/log_martiansto1on both nodes. No output viajournalctl -fwhatsoever.
EDIT: There is output on node0 if I ping node1 via the static IP:
May 03 11:16:01 node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
And since I'm running out of ideas, I need your help. Thanks for taking the time looking into my problem!
ubuntu linux-networking subnet openstack static-routes
asked May 3 '17 at 10:01
maltemalte
18416
this one bugs me for a couple of days now and I cannot find a solution.
Sorry for the strange title. This isn't my main field of work and I currently cannot think of a better title.
Some facts:
- I'm a user on a shared openstack environment
- I cannot see or change the configuration of the underlaying openstack setup
- The VMs are configured via cloud-init which installs python-minimal, creates a user and does an
apt-get dist-upgrade. Apart from that they are configured via DHCP with a static IP. - I configured no
iptablesrules on the nodes.
So, let me describe the setup:
I created a network+subnet (10.0.30.10/24). The network is attached to a router which holds two static routes. I also created two VMs (both ubuntu 16.04.2 LTS) which got their "main" IP (node0: 10.0.30.10/24 and node1: 10.0.30.11/24) and also a second IP in a different subnet (node0: 10.10.10.2/24 and node1: 10.10.20.2/24).
I also configured two static routes on the router which forward everything for 10.10.10.0/24 to node0 and everything for 10.10.20.0/24 to node1.
+----------------------------------------+
| test-router |
| IP: 10.0.30.1/24 |
| |
| Static routes: |
| - destination_cidr = "10.10.10.0/24" |
| next_hop = "10.0.30.10" |
| - destination_cidr = "10.10.20.0/24" |
| next_hop = "10.0.30.11" |
+----------------------------------------+
|
|
+------------------------+
| test-network |
| Subnet: 10.0.30.0/24 |
| Router: 10.0.30.1 |
+------------------------+
|
|
| +---------------------+
| | node0 |
+-------+ IP: 10.0.30.10/24 |
| | 10.10.10.2/24 |
| +---------------------+
|
| +---------------------+
| | node1 |
+-------+ IP: 10.0.30.11/24 |
| 10.10.20.2/24 |
+---------------------+
After both VMs are bootet I can observe the following:
Node0
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.30.1 0.0.0.0 UG 0 0 0 ens3
10.0.30.0 * 255.255.255.0 U 0 0 0 ens3
169.254.169.254 10.0.30.100 255.255.255.255 UGH 0 0 0 ens3
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:31:67:52 brd ff:ff:ff:ff:ff:ff
inet 10.0.30.10/24 brd 10.0.30.255 scope global ens3
valid_lft forever preferred_lft forever
inet 10.10.10.2/24 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe31:6752/64 scope link
valid_lft forever preferred_lft forever
$ ping -c10 10.10.20.2
PING 10.10.20.2 (10.10.20.2) 56(84) bytes of data.
From 10.0.30.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.30.11)
From 10.0.30.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.30.11)
--- 10.10.20.2 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.30.1 0.0.0.0 UG 0 0 0 ens3
10.0.30.0 * 255.255.255.0 U 0 0 0 ens3
10.10.10.0 * 255.255.255.0 U 0 0 0 ens3
169.254.169.254 10.0.30.100 255.255.255.255 UGH 0 0 0 ens3
Meanwhile on node1
# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:55.451876 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 1, length 64
09:25:55.451928 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 1, length 64
09:25:56.451467 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 2, length 64
09:25:56.451503 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 2, length 64
09:25:57.451185 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 3, length 64
09:25:57.451218 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 3, length 64
[..]
09:26:03.450910 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 9, length 64
09:26:03.450943 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 9, length 64
09:26:04.450988 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 10, length 64
09:26:04.451022 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 10, length 64
So, my conclusion is: node1 receives the traffic but the reply doesn't make its way to node0.
The same happens if I start a webserver on node1 and try to curl it via the statically routed IP. I see traffic coming in on node1 but the response never makes it to node0.
On the other hand: arping from node0 to node1 works:
# arping -c3 -i ens3 10.10.20.2
ARPING 10.10.20.2
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=0 time=7.933 msec
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=1 time=2.797 msec
42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=2 time=9.703 msec
--- 10.10.20.2 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 2.797/6.811/9.703/2.929 ms
If I use the "main" IP, everything works fine.
Things I tried (on both nodes):
- Setting
/proc/sys/net/ipv4/conf/ens3/rp_filterto2and0(because I'm desperate). Nothing changed. - Setting
/proc/sys/net/ipv4/ip_forwardto1. Nothing changed. - Setting
/proc/sys/net/ipv4/conf/ens3/log_martiansto1on both nodes. No output viajournalctl -fwhatsoever.
EDIT: There is output on node0 if I ping node1 via the static IP:
May 03 11:16:01 node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
And since I'm running out of ideas, I need your help. Thanks for taking the time looking into my problem!
ubuntu linux-networking subnet openstack static-routes
ubuntu linux-networking subnet openstack static-routes
asked May 3 '17 at 10:01
maltemalte
18416
asked May 3 '17 at 10:01
maltemalte
18416
edited May 3 '17 at 11:35
malte
asked May 3 '17 at 10:01
maltemalte
18416
asked May 3 '17 at 10:01
maltemalte
18416
asked May 3 '17 at 10:01
maltemalte
18416
18416
Are you forwarding internally inside the ubuntu nodes? what do you have if youcat /proc/sys/net/ipv4/ip_forward?
– NickW
May 3 '17 at 10:12
That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything.cat /proc/sys/net/ipv4/ip_forwardshows1which is also something I tried, I guess.
– malte
May 3 '17 at 10:51
Well, since the traffic has to go through the.30addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from10.10.30.11or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…
– NickW
May 3 '17 at 11:04
add a comment |
Are you forwarding internally inside the ubuntu nodes? what do you have if youcat /proc/sys/net/ipv4/ip_forward?
– NickW
May 3 '17 at 10:12
That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything.cat /proc/sys/net/ipv4/ip_forwardshows1which is also something I tried, I guess.
– malte
May 3 '17 at 10:51
Well, since the traffic has to go through the.30addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from10.10.30.11or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…
– NickW
May 3 '17 at 11:04
Are you forwarding internally inside the ubuntu nodes? what do you have if you
cat /proc/sys/net/ipv4/ip_forward ?– NickW
May 3 '17 at 10:12
Are you forwarding internally inside the ubuntu nodes? what do you have if you
cat /proc/sys/net/ipv4/ip_forward ?– NickW
May 3 '17 at 10:12
That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything.
cat /proc/sys/net/ipv4/ip_forward shows 1 which is also something I tried, I guess.– malte
May 3 '17 at 10:51
That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything.
cat /proc/sys/net/ipv4/ip_forward shows 1 which is also something I tried, I guess.– malte
May 3 '17 at 10:51
Well, since the traffic has to go through the
.30 addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from 10.10.30.11 or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…– NickW
May 3 '17 at 11:04
Well, since the traffic has to go through the
.30 addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from 10.10.30.11 or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…– NickW
May 3 '17 at 11:04
add a comment |
1 Answer
1
active
oldest
votes
Challenges:
You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:
- 10.0.30.0/24 - A
- 10.10.10.0/24 - B
- 10.10.20.0/24 - C
Now, you have three devices also, each on a subset of the logical networks:
- router - A only
- node0 - A and B
- node1 - A and C
To make things fun, you've told router that node0 is in charge of network B, and that node1 is in charge of network C, but you didn't tell node0 that node1 was in charge of C, nor node1 that node0 was in charge of B.
This is a recipe for the kind of excitement that you are experiencing.
When router gets a message from node0 destined for an IP on network C, its response is: "Silly node0, you're going the wrong direction; you should know that you need to go to node1 that you also share a network with to get there":
node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.
If you are trying to accomplish something specific by having the separate networks, you probably want to configure the router to be directly connected to each separate network (A-C), and you probably want each network to be a separate broadcast domain.
If you just want the computers to be able to talk to each other with the IP addresses configured, you can:
- Add 10.10.10.3/24 to node1, and
- Add 10.10.20.3/24 to node0
As a general rule, for any network used by routers to communicate with each other (and when you made node0 and node1 responsible for their own networks (B and C), you made them routers), you almost certainly want to make sure that all of those routers are fully informed about the correct route for all neighboring networks. Routing protocols can work for this, but this sample is small enough to do manually.
I hope this is helpful for you / others, despite being a bit out of date.
answered 4 mins ago
SlartibartfastSlartibartfast
2,8621315
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f847961%2ftraffic-via-static-route-on-router-does-not-find-its-way-back%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Challenges:
You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:
- 10.0.30.0/24 - A
- 10.10.10.0/24 - B
- 10.10.20.0/24 - C
Now, you have three devices also, each on a subset of the logical networks:
- router - A only
- node0 - A and B
- node1 - A and C
To make things fun, you've told router that node0 is in charge of network B, and that node1 is in charge of network C, but you didn't tell node0 that node1 was in charge of C, nor node1 that node0 was in charge of B.
This is a recipe for the kind of excitement that you are experiencing.
When router gets a message from node0 destined for an IP on network C, its response is: "Silly node0, you're going the wrong direction; you should know that you need to go to node1 that you also share a network with to get there":
node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.
If you are trying to accomplish something specific by having the separate networks, you probably want to configure the router to be directly connected to each separate network (A-C), and you probably want each network to be a separate broadcast domain.
If you just want the computers to be able to talk to each other with the IP addresses configured, you can:
- Add 10.10.10.3/24 to node1, and
- Add 10.10.20.3/24 to node0
As a general rule, for any network used by routers to communicate with each other (and when you made node0 and node1 responsible for their own networks (B and C), you made them routers), you almost certainly want to make sure that all of those routers are fully informed about the correct route for all neighboring networks. Routing protocols can work for this, but this sample is small enough to do manually.
I hope this is helpful for you / others, despite being a bit out of date.
answered 4 mins ago
SlartibartfastSlartibartfast
2,8621315
add a comment |
Challenges:
You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:
- 10.0.30.0/24 - A
- 10.10.10.0/24 - B
- 10.10.20.0/24 - C
Now, you have three devices also, each on a subset of the logical networks:
- router - A only
- node0 - A and B
- node1 - A and C
To make things fun, you've told router that node0 is in charge of network B, and that node1 is in charge of network C, but you didn't tell node0 that node1 was in charge of C, nor node1 that node0 was in charge of B.
This is a recipe for the kind of excitement that you are experiencing.
When router gets a message from node0 destined for an IP on network C, its response is: "Silly node0, you're going the wrong direction; you should know that you need to go to node1 that you also share a network with to get there":
node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.
If you are trying to accomplish something specific by having the separate networks, you probably want to configure the router to be directly connected to each separate network (A-C), and you probably want each network to be a separate broadcast domain.
If you just want the computers to be able to talk to each other with the IP addresses configured, you can:
- Add 10.10.10.3/24 to node1, and
- Add 10.10.20.3/24 to node0
As a general rule, for any network used by routers to communicate with each other (and when you made node0 and node1 responsible for their own networks (B and C), you made them routers), you almost certainly want to make sure that all of those routers are fully informed about the correct route for all neighboring networks. Routing protocols can work for this, but this sample is small enough to do manually.
I hope this is helpful for you / others, despite being a bit out of date.
answered 4 mins ago
SlartibartfastSlartibartfast
2,8621315
add a comment |
Challenges:
You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:
- 10.0.30.0/24 - A
- 10.10.10.0/24 - B
- 10.10.20.0/24 - C
Now, you have three devices also, each on a subset of the logical networks:
- router - A only
- node0 - A and B
- node1 - A and C
To make things fun, you've told router that node0 is in charge of network B, and that node1 is in charge of network C, but you didn't tell node0 that node1 was in charge of C, nor node1 that node0 was in charge of B.
This is a recipe for the kind of excitement that you are experiencing.
When router gets a message from node0 destined for an IP on network C, its response is: "Silly node0, you're going the wrong direction; you should know that you need to go to node1 that you also share a network with to get there":
node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.
If you are trying to accomplish something specific by having the separate networks, you probably want to configure the router to be directly connected to each separate network (A-C), and you probably want each network to be a separate broadcast domain.
If you just want the computers to be able to talk to each other with the IP addresses configured, you can:
- Add 10.10.10.3/24 to node1, and
- Add 10.10.20.3/24 to node0
As a general rule, for any network used by routers to communicate with each other (and when you made node0 and node1 responsible for their own networks (B and C), you made them routers), you almost certainly want to make sure that all of those routers are fully informed about the correct route for all neighboring networks. Routing protocols can work for this, but this sample is small enough to do manually.
I hope this is helpful for you / others, despite being a bit out of date.
answered 4 mins ago
SlartibartfastSlartibartfast
2,8621315
Challenges:
You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:
- 10.0.30.0/24 - A
- 10.10.10.0/24 - B
- 10.10.20.0/24 - C
Now, you have three devices also, each on a subset of the logical networks:
- router - A only
- node0 - A and B
- node1 - A and C
To make things fun, you've told router that node0 is in charge of network B, and that node1 is in charge of network C, but you didn't tell node0 that node1 was in charge of C, nor node1 that node0 was in charge of B.
This is a recipe for the kind of excitement that you are experiencing.
When router gets a message from node0 destined for an IP on network C, its response is: "Silly node0, you're going the wrong direction; you should know that you need to go to node1 that you also share a network with to get there":
node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored
Advised path = 10.0.30.10 -> 10.10.20.2
If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.
If you are trying to accomplish something specific by having the separate networks, you probably want to configure the router to be directly connected to each separate network (A-C), and you probably want each network to be a separate broadcast domain.
If you just want the computers to be able to talk to each other with the IP addresses configured, you can:
- Add 10.10.10.3/24 to node1, and
- Add 10.10.20.3/24 to node0
As a general rule, for any network used by routers to communicate with each other (and when you made node0 and node1 responsible for their own networks (B and C), you made them routers), you almost certainly want to make sure that all of those routers are fully informed about the correct route for all neighboring networks. Routing protocols can work for this, but this sample is small enough to do manually.
I hope this is helpful for you / others, despite being a bit out of date.
answered 4 mins ago
SlartibartfastSlartibartfast
2,8621315
answered 4 mins ago
SlartibartfastSlartibartfast
2,8621315
answered 4 mins ago
SlartibartfastSlartibartfast
2,8621315
answered 4 mins ago
SlartibartfastSlartibartfast
2,8621315
2,8621315
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f847961%2ftraffic-via-static-route-on-router-does-not-find-its-way-back%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Are you forwarding internally inside the ubuntu nodes? what do you have if you
cat /proc/sys/net/ipv4/ip_forward?– NickW
May 3 '17 at 10:12
That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything.
cat /proc/sys/net/ipv4/ip_forwardshows1which is also something I tried, I guess.– malte
May 3 '17 at 10:51
Well, since the traffic has to go through the
.30addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from10.10.30.11or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…– NickW
May 3 '17 at 11:04