Traffic via static route on router does not find its way backCisco PIX 515 doesn't seem to be passing traffic...

Is xar preinstalled on macOS?

Air travel with refrigerated insulin

Error in master's thesis, I do not know what to do

Why is "la Gestapo" feminine?

Help with identifying unique aircraft over NE Pennsylvania

How to test the sharpness of a knife?

What are the consequences of changing the number of hours in a day?

Was World War I a war of liberals against authoritarians?

Determine voltage drop over 10G resistors with cheap multimeter

Which partition to make active?

Weird lines in Microsoft Word

Why didn’t Eve recognize the little cockroach as a living organism?

Friend wants my recommendation but I don't want to

Why is this tree refusing to shed its dead leaves?

Does the Shadow Magic sorcerer's Eyes of the Dark feature work on all Darkness spells or just his/her own?

If I cast the Enlarge/Reduce spell on an arrow, what weapon could it count as?

Emojional cryptic crossword

What will the Frenchman say?

Hot air balloons as primitive bombers

Why does Surtur say that Thor is Asgard's doom?

PTIJ: Why do we make a Lulav holder?

How to balance a monster modification (zombie)?

"Marked down as someone wanting to sell shares." What does that mean?

Imaginary part of expression too difficult to calculate

Traffic via static route on router does not find its way back

Cisco PIX 515 doesn't seem to be passing traffic through according to static routeset static default route in a router, in linuxWhat is the simplest way to route web traffic via separate (dedicated) interface?Linux route does not persistLinux static route configuration via DHCPOpenVpn & KVM: can't access LAN behind serverRoute traffic through private IP for only certain hosts - CentOS 6.6How to add an static route on google compute enginepfSense - Traffic to subnet not being routed by static routeSimple router with two ethernet interface no static route needed?

this one bugs me for a couple of days now and I cannot find a solution.
Sorry for the strange title. This isn't my main field of work and I currently cannot think of a better title.

Some facts:

I'm a user on a shared openstack environment

I cannot see or change the configuration of the underlaying openstack setup

The VMs are configured via cloud-init which installs python-minimal, creates a user and does an apt-get dist-upgrade. Apart from that they are configured via DHCP with a static IP.

I configured no iptables rules on the nodes.

So, let me describe the setup:

I created a network+subnet (10.0.30.10/24). The network is attached to a router which holds two static routes. I also created two VMs (both ubuntu 16.04.2 LTS) which got their "main" IP (node0: 10.0.30.10/24 and node1: 10.0.30.11/24) and also a second IP in a different subnet (node0: 10.10.10.2/24 and node1: 10.10.20.2/24).

I also configured two static routes on the router which forward everything for 10.10.10.0/24 to node0 and everything for 10.10.20.0/24 to node1.

+----------------------------------------+

|  test-router                           |

|  IP: 10.0.30.1/24                      |

|                                        |

|  Static routes:                        |

|  - destination_cidr = "10.10.10.0/24"  |

|    next_hop         = "10.0.30.10"     |

|  - destination_cidr = "10.10.20.0/24"  |

|    next_hop         = "10.0.30.11"     |

+----------------------------------------+

        |

        |

  +------------------------+

  |  test-network          |

  |  Subnet: 10.0.30.0/24  |

  |  Router: 10.0.30.1     |

  +------------------------+

        |

        |

        |       +---------------------+

        |       |  node0              |

        +-------+  IP: 10.0.30.10/24  |

        |       |      10.10.10.2/24  |

        |       +---------------------+

        |

        |       +---------------------+

        |       |  node1              |

        +-------+  IP: 10.0.30.11/24  |

                |      10.10.20.2/24  |

                +---------------------+

After both VMs are bootet I can observe the following:

Node0

$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.0.30.1       0.0.0.0         UG    0      0        0 ens3

10.0.30.0       *               255.255.255.0   U     0      0        0 ens3

169.254.169.254 10.0.30.100     255.255.255.255 UGH   0      0        0 ens3

$ ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UP group default qlen 1000

    link/ether fa:16:3e:31:67:52 brd ff:ff:ff:ff:ff:ff

    inet 10.0.30.10/24 brd 10.0.30.255 scope global ens3

       valid_lft forever preferred_lft forever

    inet 10.10.10.2/24 scope global ens3

       valid_lft forever preferred_lft forever

    inet6 fe80::f816:3eff:fe31:6752/64 scope link

       valid_lft forever preferred_lft forever

$ ping -c10 10.10.20.2

PING 10.10.20.2 (10.10.20.2) 56(84) bytes of data.

From 10.0.30.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.30.11)

From 10.0.30.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.30.11)



--- 10.10.20.2 ping statistics ---

10 packets transmitted, 0 received, 100% packet loss, time 8999ms



$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.0.30.1       0.0.0.0         UG    0      0        0 ens3

10.0.30.0       *               255.255.255.0   U     0      0        0 ens3

10.10.10.0      *               255.255.255.0   U     0      0        0 ens3

169.254.169.254 10.0.30.100     255.255.255.255 UGH   0      0        0 ens3

Meanwhile on node1

# tcpdump icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes

09:25:55.451876 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 1, length 64

09:25:55.451928 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 1, length 64

09:25:56.451467 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 2, length 64

09:25:56.451503 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 2, length 64

09:25:57.451185 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 3, length 64

09:25:57.451218 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 3, length 64

[..]

09:26:03.450910 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 9, length 64

09:26:03.450943 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 9, length 64

09:26:04.450988 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 10, length 64

09:26:04.451022 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 10, length 64

So, my conclusion is: node1 receives the traffic but the reply doesn't make its way to node0.

The same happens if I start a webserver on node1 and try to curl it via the statically routed IP. I see traffic coming in on node1 but the response never makes it to node0.

On the other hand: arping from node0 to node1 works:

# arping -c3 -i ens3 10.10.20.2

ARPING 10.10.20.2

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=0 time=7.933 msec

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=1 time=2.797 msec

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=2 time=9.703 msec



--- 10.10.20.2 statistics ---

3 packets transmitted, 3 packets received,   0% unanswered (0 extra)

rtt min/avg/max/std-dev = 2.797/6.811/9.703/2.929 ms

If I use the "main" IP, everything works fine.

Things I tried (on both nodes):

Setting /proc/sys/net/ipv4/conf/ens3/rp_filter to 2 and 0 (because I'm desperate). Nothing changed.

Setting /proc/sys/net/ipv4/ip_forward to 1. Nothing changed.

Setting /proc/sys/net/ipv4/conf/ens3/log_martians to 1 on both nodes. No output via journalctl -f whatsoever.

EDIT: There is output on node0 if I ping node1 via the static IP:

May 03 11:16:01 node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                                Advised path = 10.0.30.10 -> 10.10.20.2

And since I'm running out of ideas, I need your help. Thanks for taking the time looking into my problem!

edited May 3 '17 at 11:35

asked May 3 '17 at 10:01

malte

18416

Are you forwarding internally inside the ubuntu nodes? what do you have if you cat /proc/sys/net/ipv4/ip_forward ?

– NickW
May 3 '17 at 10:12

That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything. cat /proc/sys/net/ipv4/ip_forward shows 1 which is also something I tried, I guess.

– malte
May 3 '17 at 10:51

Well, since the traffic has to go through the .30 addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from 10.10.30.11 or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…

– NickW
May 3 '17 at 11:04

add a comment |

this one bugs me for a couple of days now and I cannot find a solution.
Sorry for the strange title. This isn't my main field of work and I currently cannot think of a better title.

Some facts:

I'm a user on a shared openstack environment

I cannot see or change the configuration of the underlaying openstack setup

The VMs are configured via cloud-init which installs python-minimal, creates a user and does an apt-get dist-upgrade. Apart from that they are configured via DHCP with a static IP.

I configured no iptables rules on the nodes.

So, let me describe the setup:

I also configured two static routes on the router which forward everything for 10.10.10.0/24 to node0 and everything for 10.10.20.0/24 to node1.

+----------------------------------------+

|  test-router                           |

|  IP: 10.0.30.1/24                      |

|                                        |

|  Static routes:                        |

|  - destination_cidr = "10.10.10.0/24"  |

|    next_hop         = "10.0.30.10"     |

|  - destination_cidr = "10.10.20.0/24"  |

|    next_hop         = "10.0.30.11"     |

+----------------------------------------+

        |

        |

  +------------------------+

  |  test-network          |

  |  Subnet: 10.0.30.0/24  |

  |  Router: 10.0.30.1     |

  +------------------------+

        |

        |

        |       +---------------------+

        |       |  node0              |

        +-------+  IP: 10.0.30.10/24  |

        |       |      10.10.10.2/24  |

        |       +---------------------+

        |

        |       +---------------------+

        |       |  node1              |

        +-------+  IP: 10.0.30.11/24  |

                |      10.10.20.2/24  |

                +---------------------+

After both VMs are bootet I can observe the following:

Node0

$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.0.30.1       0.0.0.0         UG    0      0        0 ens3

10.0.30.0       *               255.255.255.0   U     0      0        0 ens3

169.254.169.254 10.0.30.100     255.255.255.255 UGH   0      0        0 ens3

$ ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UP group default qlen 1000

    link/ether fa:16:3e:31:67:52 brd ff:ff:ff:ff:ff:ff

    inet 10.0.30.10/24 brd 10.0.30.255 scope global ens3

       valid_lft forever preferred_lft forever

    inet 10.10.10.2/24 scope global ens3

       valid_lft forever preferred_lft forever

    inet6 fe80::f816:3eff:fe31:6752/64 scope link

       valid_lft forever preferred_lft forever

$ ping -c10 10.10.20.2

PING 10.10.20.2 (10.10.20.2) 56(84) bytes of data.

From 10.0.30.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.30.11)

From 10.0.30.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.30.11)



--- 10.10.20.2 ping statistics ---

10 packets transmitted, 0 received, 100% packet loss, time 8999ms



$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.0.30.1       0.0.0.0         UG    0      0        0 ens3

10.0.30.0       *               255.255.255.0   U     0      0        0 ens3

10.10.10.0      *               255.255.255.0   U     0      0        0 ens3

169.254.169.254 10.0.30.100     255.255.255.255 UGH   0      0        0 ens3

Meanwhile on node1

# tcpdump icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes

09:25:55.451876 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 1, length 64

09:25:55.451928 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 1, length 64

09:25:56.451467 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 2, length 64

09:25:56.451503 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 2, length 64

09:25:57.451185 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 3, length 64

09:25:57.451218 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 3, length 64

[..]

09:26:03.450910 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 9, length 64

09:26:03.450943 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 9, length 64

09:26:04.450988 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 10, length 64

09:26:04.451022 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 10, length 64

So, my conclusion is: node1 receives the traffic but the reply doesn't make its way to node0.

The same happens if I start a webserver on node1 and try to curl it via the statically routed IP. I see traffic coming in on node1 but the response never makes it to node0.

On the other hand: arping from node0 to node1 works:

# arping -c3 -i ens3 10.10.20.2

ARPING 10.10.20.2

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=0 time=7.933 msec

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=1 time=2.797 msec

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=2 time=9.703 msec



--- 10.10.20.2 statistics ---

3 packets transmitted, 3 packets received,   0% unanswered (0 extra)

rtt min/avg/max/std-dev = 2.797/6.811/9.703/2.929 ms

If I use the "main" IP, everything works fine.

Things I tried (on both nodes):

Setting /proc/sys/net/ipv4/conf/ens3/rp_filter to 2 and 0 (because I'm desperate). Nothing changed.

Setting /proc/sys/net/ipv4/ip_forward to 1. Nothing changed.

Setting /proc/sys/net/ipv4/conf/ens3/log_martians to 1 on both nodes. No output via journalctl -f whatsoever.

EDIT: There is output on node0 if I ping node1 via the static IP:

May 03 11:16:01 node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                                Advised path = 10.0.30.10 -> 10.10.20.2

And since I'm running out of ideas, I need your help. Thanks for taking the time looking into my problem!

edited May 3 '17 at 11:35

asked May 3 '17 at 10:01

malte

18416

Are you forwarding internally inside the ubuntu nodes? what do you have if you cat /proc/sys/net/ipv4/ip_forward ?

– NickW
May 3 '17 at 10:12

That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything. cat /proc/sys/net/ipv4/ip_forward shows 1 which is also something I tried, I guess.

– malte
May 3 '17 at 10:51

Well, since the traffic has to go through the .30 addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from 10.10.30.11 or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…

– NickW
May 3 '17 at 11:04

add a comment |

this one bugs me for a couple of days now and I cannot find a solution.
Sorry for the strange title. This isn't my main field of work and I currently cannot think of a better title.

Some facts:

I'm a user on a shared openstack environment

I cannot see or change the configuration of the underlaying openstack setup

The VMs are configured via cloud-init which installs python-minimal, creates a user and does an apt-get dist-upgrade. Apart from that they are configured via DHCP with a static IP.

I configured no iptables rules on the nodes.

So, let me describe the setup:

I also configured two static routes on the router which forward everything for 10.10.10.0/24 to node0 and everything for 10.10.20.0/24 to node1.

+----------------------------------------+

|  test-router                           |

|  IP: 10.0.30.1/24                      |

|                                        |

|  Static routes:                        |

|  - destination_cidr = "10.10.10.0/24"  |

|    next_hop         = "10.0.30.10"     |

|  - destination_cidr = "10.10.20.0/24"  |

|    next_hop         = "10.0.30.11"     |

+----------------------------------------+

        |

        |

  +------------------------+

  |  test-network          |

  |  Subnet: 10.0.30.0/24  |

  |  Router: 10.0.30.1     |

  +------------------------+

        |

        |

        |       +---------------------+

        |       |  node0              |

        +-------+  IP: 10.0.30.10/24  |

        |       |      10.10.10.2/24  |

        |       +---------------------+

        |

        |       +---------------------+

        |       |  node1              |

        +-------+  IP: 10.0.30.11/24  |

                |      10.10.20.2/24  |

                +---------------------+

After both VMs are bootet I can observe the following:

Node0

$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.0.30.1       0.0.0.0         UG    0      0        0 ens3

10.0.30.0       *               255.255.255.0   U     0      0        0 ens3

169.254.169.254 10.0.30.100     255.255.255.255 UGH   0      0        0 ens3

$ ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UP group default qlen 1000

    link/ether fa:16:3e:31:67:52 brd ff:ff:ff:ff:ff:ff

    inet 10.0.30.10/24 brd 10.0.30.255 scope global ens3

       valid_lft forever preferred_lft forever

    inet 10.10.10.2/24 scope global ens3

       valid_lft forever preferred_lft forever

    inet6 fe80::f816:3eff:fe31:6752/64 scope link

       valid_lft forever preferred_lft forever

$ ping -c10 10.10.20.2

PING 10.10.20.2 (10.10.20.2) 56(84) bytes of data.

From 10.0.30.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.30.11)

From 10.0.30.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.30.11)



--- 10.10.20.2 ping statistics ---

10 packets transmitted, 0 received, 100% packet loss, time 8999ms



$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.0.30.1       0.0.0.0         UG    0      0        0 ens3

10.0.30.0       *               255.255.255.0   U     0      0        0 ens3

10.10.10.0      *               255.255.255.0   U     0      0        0 ens3

169.254.169.254 10.0.30.100     255.255.255.255 UGH   0      0        0 ens3

Meanwhile on node1

# tcpdump icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes

09:25:55.451876 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 1, length 64

09:25:55.451928 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 1, length 64

09:25:56.451467 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 2, length 64

09:25:56.451503 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 2, length 64

09:25:57.451185 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 3, length 64

09:25:57.451218 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 3, length 64

[..]

09:26:03.450910 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 9, length 64

09:26:03.450943 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 9, length 64

09:26:04.450988 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 10, length 64

09:26:04.451022 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 10, length 64

So, my conclusion is: node1 receives the traffic but the reply doesn't make its way to node0.

The same happens if I start a webserver on node1 and try to curl it via the statically routed IP. I see traffic coming in on node1 but the response never makes it to node0.

On the other hand: arping from node0 to node1 works:

# arping -c3 -i ens3 10.10.20.2

ARPING 10.10.20.2

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=0 time=7.933 msec

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=1 time=2.797 msec

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=2 time=9.703 msec



--- 10.10.20.2 statistics ---

3 packets transmitted, 3 packets received,   0% unanswered (0 extra)

rtt min/avg/max/std-dev = 2.797/6.811/9.703/2.929 ms

If I use the "main" IP, everything works fine.

Things I tried (on both nodes):

Setting /proc/sys/net/ipv4/conf/ens3/rp_filter to 2 and 0 (because I'm desperate). Nothing changed.

Setting /proc/sys/net/ipv4/ip_forward to 1. Nothing changed.

Setting /proc/sys/net/ipv4/conf/ens3/log_martians to 1 on both nodes. No output via journalctl -f whatsoever.

EDIT: There is output on node0 if I ping node1 via the static IP:

May 03 11:16:01 node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                                Advised path = 10.0.30.10 -> 10.10.20.2

And since I'm running out of ideas, I need your help. Thanks for taking the time looking into my problem!

edited May 3 '17 at 11:35

asked May 3 '17 at 10:01

malte

18416

this one bugs me for a couple of days now and I cannot find a solution.
Sorry for the strange title. This isn't my main field of work and I currently cannot think of a better title.

Some facts:

I'm a user on a shared openstack environment

I cannot see or change the configuration of the underlaying openstack setup

The VMs are configured via cloud-init which installs python-minimal, creates a user and does an apt-get dist-upgrade. Apart from that they are configured via DHCP with a static IP.

I configured no iptables rules on the nodes.

So, let me describe the setup:

I also configured two static routes on the router which forward everything for 10.10.10.0/24 to node0 and everything for 10.10.20.0/24 to node1.

+----------------------------------------+

|  test-router                           |

|  IP: 10.0.30.1/24                      |

|                                        |

|  Static routes:                        |

|  - destination_cidr = "10.10.10.0/24"  |

|    next_hop         = "10.0.30.10"     |

|  - destination_cidr = "10.10.20.0/24"  |

|    next_hop         = "10.0.30.11"     |

+----------------------------------------+

        |

        |

  +------------------------+

  |  test-network          |

  |  Subnet: 10.0.30.0/24  |

  |  Router: 10.0.30.1     |

  +------------------------+

        |

        |

        |       +---------------------+

        |       |  node0              |

        +-------+  IP: 10.0.30.10/24  |

        |       |      10.10.10.2/24  |

        |       +---------------------+

        |

        |       +---------------------+

        |       |  node1              |

        +-------+  IP: 10.0.30.11/24  |

                |      10.10.20.2/24  |

                +---------------------+

After both VMs are bootet I can observe the following:

Node0

$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.0.30.1       0.0.0.0         UG    0      0        0 ens3

10.0.30.0       *               255.255.255.0   U     0      0        0 ens3

169.254.169.254 10.0.30.100     255.255.255.255 UGH   0      0        0 ens3

$ ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UP group default qlen 1000

    link/ether fa:16:3e:31:67:52 brd ff:ff:ff:ff:ff:ff

    inet 10.0.30.10/24 brd 10.0.30.255 scope global ens3

       valid_lft forever preferred_lft forever

    inet 10.10.10.2/24 scope global ens3

       valid_lft forever preferred_lft forever

    inet6 fe80::f816:3eff:fe31:6752/64 scope link

       valid_lft forever preferred_lft forever

$ ping -c10 10.10.20.2

PING 10.10.20.2 (10.10.20.2) 56(84) bytes of data.

From 10.0.30.1: icmp_seq=2 Redirect Host(New nexthop: 10.0.30.11)

From 10.0.30.1: icmp_seq=3 Redirect Host(New nexthop: 10.0.30.11)



--- 10.10.20.2 ping statistics ---

10 packets transmitted, 0 received, 100% packet loss, time 8999ms



$ route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         10.0.30.1       0.0.0.0         UG    0      0        0 ens3

10.0.30.0       *               255.255.255.0   U     0      0        0 ens3

10.10.10.0      *               255.255.255.0   U     0      0        0 ens3

169.254.169.254 10.0.30.100     255.255.255.255 UGH   0      0        0 ens3

Meanwhile on node1

# tcpdump icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes

09:25:55.451876 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 1, length 64

09:25:55.451928 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 1, length 64

09:25:56.451467 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 2, length 64

09:25:56.451503 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 2, length 64

09:25:57.451185 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 3, length 64

09:25:57.451218 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 3, length 64

[..]

09:26:03.450910 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 9, length 64

09:26:03.450943 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 9, length 64

09:26:04.450988 IP 10.0.30.10 > 10.10.20.2: ICMP echo request, id 1271, seq 10, length 64

09:26:04.451022 IP 10.10.20.2 > 10.0.30.10: ICMP echo reply, id 1271, seq 10, length 64

So, my conclusion is: node1 receives the traffic but the reply doesn't make its way to node0.

The same happens if I start a webserver on node1 and try to curl it via the statically routed IP. I see traffic coming in on node1 but the response never makes it to node0.

On the other hand: arping from node0 to node1 works:

# arping -c3 -i ens3 10.10.20.2

ARPING 10.10.20.2

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=0 time=7.933 msec

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=1 time=2.797 msec

42 bytes from fa:16:3e:a9:b4:bc (10.10.20.2): index=2 time=9.703 msec



--- 10.10.20.2 statistics ---

3 packets transmitted, 3 packets received,   0% unanswered (0 extra)

rtt min/avg/max/std-dev = 2.797/6.811/9.703/2.929 ms

If I use the "main" IP, everything works fine.

Things I tried (on both nodes):

Setting /proc/sys/net/ipv4/conf/ens3/rp_filter to 2 and 0 (because I'm desperate). Nothing changed.

Setting /proc/sys/net/ipv4/ip_forward to 1. Nothing changed.

Setting /proc/sys/net/ipv4/conf/ens3/log_martians to 1 on both nodes. No output via journalctl -f whatsoever.

EDIT: There is output on node0 if I ping node1 via the static IP:

May 03 11:16:01 node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                                Advised path = 10.0.30.10 -> 10.10.20.2

And since I'm running out of ideas, I need your help. Thanks for taking the time looking into my problem!

ubuntu linux-networking subnet openstack static-routes

edited May 3 '17 at 11:35

asked May 3 '17 at 10:01

malte

18416

edited May 3 '17 at 11:35

asked May 3 '17 at 10:01

malte

18416

edited May 3 '17 at 11:35

asked May 3 '17 at 10:01

malte

18416

asked May 3 '17 at 10:01

malte

18416

asked May 3 '17 at 10:01

malte

18416

Are you forwarding internally inside the ubuntu nodes? what do you have if you cat /proc/sys/net/ipv4/ip_forward ?

– NickW
May 3 '17 at 10:12

That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything. cat /proc/sys/net/ipv4/ip_forward shows 1 which is also something I tried, I guess.

– malte
May 3 '17 at 10:51

Well, since the traffic has to go through the .30 addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from 10.10.30.11 or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…

– NickW
May 3 '17 at 11:04

add a comment |

Are you forwarding internally inside the ubuntu nodes? what do you have if you cat /proc/sys/net/ipv4/ip_forward ?

– NickW
May 3 '17 at 10:12

That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything. cat /proc/sys/net/ipv4/ip_forward shows 1 which is also something I tried, I guess.

– malte
May 3 '17 at 10:51

Well, since the traffic has to go through the .30 addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from 10.10.30.11 or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…

– NickW
May 3 '17 at 11:04

Are you forwarding internally inside the ubuntu nodes? what do you have if you cat /proc/sys/net/ipv4/ip_forward ?

– NickW
May 3 '17 at 10:12

That would be the next step, but since even this simple setup isn't working, I'm not forwarding anything. cat /proc/sys/net/ipv4/ip_forward shows 1 which is also something I tried, I guess.

– malte
May 3 '17 at 10:51

Well, since the traffic has to go through the .30 addresses to get to the ones you're trying to ping, I'd imagine that node0 might be dropping the ICMP replies because they're coming from 10.10.30.11 or maybe it's just ignoring it... you might want to ensure you're using policy routing : blog.scottlowe.org/2013/05/29/…

– NickW
May 3 '17 at 11:04

add a comment |

1 Answer
1

active

oldest

votes

Challenges:

You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:

10.0.30.0/24 - A

10.10.10.0/24 - B

10.10.20.0/24 - C

Now, you have three devices also, each on a subset of the logical networks:

router - A only

node0 - A and B

node1 - A and C

To make things fun, you've told router that node0 is in charge of network B, and that node1 is in charge of network C, but you didn't tell node0 that node1 was in charge of C, nor node1 that node0 was in charge of B.

This is a recipe for the kind of excitement that you are experiencing.

When router gets a message from node0 destined for an IP on network C, its response is: "Silly node0, you're going the wrong direction; you should know that you need to go to node1 that you also share a network with to get there":

node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                            Advised path = 10.0.30.10 -> 10.10.20.2

If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.

If you are trying to accomplish something specific by having the separate networks, you probably want to configure the router to be directly connected to each separate network (A-C), and you probably want each network to be a separate broadcast domain.

If you just want the computers to be able to talk to each other with the IP addresses configured, you can:

Add 10.10.10.3/24 to node1, and

Add 10.10.20.3/24 to node0

As a general rule, for any network used by routers to communicate with each other (and when you made node0 and node1 responsible for their own networks (B and C), you made them routers), you almost certainly want to make sure that all of those routers are fully informed about the correct route for all neighboring networks. Routing protocols can work for this, but this sample is small enough to do manually.

I hope this is helpful for you / others, despite being a bit out of date.

answered 4 mins ago

Slartibartfast

2,8621315

add a comment |

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f847961%2ftraffic-via-static-route-on-router-does-not-find-its-way-back%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

Challenges:

You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:

10.0.30.0/24 - A

10.10.10.0/24 - B

10.10.20.0/24 - C

Now, you have three devices also, each on a subset of the logical networks:

router - A only

node0 - A and B

node1 - A and C

This is a recipe for the kind of excitement that you are experiencing.

node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                            Advised path = 10.0.30.10 -> 10.10.20.2

If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.

If you just want the computers to be able to talk to each other with the IP addresses configured, you can:

Add 10.10.10.3/24 to node1, and

Add 10.10.20.3/24 to node0

I hope this is helpful for you / others, despite being a bit out of date.

answered 4 mins ago

Slartibartfast

2,8621315

add a comment |

Challenges:

You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:

10.0.30.0/24 - A

10.10.10.0/24 - B

10.10.20.0/24 - C

Now, you have three devices also, each on a subset of the logical networks:

router - A only

node0 - A and B

node1 - A and C

This is a recipe for the kind of excitement that you are experiencing.

node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                            Advised path = 10.0.30.10 -> 10.10.20.2

If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.

If you just want the computers to be able to talk to each other with the IP addresses configured, you can:

Add 10.10.10.3/24 to node1, and

Add 10.10.20.3/24 to node0

I hope this is helpful for you / others, despite being a bit out of date.

answered 4 mins ago

Slartibartfast

2,8621315

add a comment |

Challenges:

You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:

10.0.30.0/24 - A

10.10.10.0/24 - B

10.10.20.0/24 - C

Now, you have three devices also, each on a subset of the logical networks:

router - A only

node0 - A and B

node1 - A and C

This is a recipe for the kind of excitement that you are experiencing.

node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                            Advised path = 10.0.30.10 -> 10.10.20.2

If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.

If you just want the computers to be able to talk to each other with the IP addresses configured, you can:

Add 10.10.10.3/24 to node1, and

Add 10.10.20.3/24 to node0

I hope this is helpful for you / others, despite being a bit out of date.

answered 4 mins ago

Slartibartfast

2,8621315

Challenges:

You have only one broadcast domain (think physical / layer 2 network) that matters, and on that broadcast domain, you have three IP (logical) networks:

10.0.30.0/24 - A

10.10.10.0/24 - B

10.10.20.0/24 - C

Now, you have three devices also, each on a subset of the logical networks:

router - A only

node0 - A and B

node1 - A and C

This is a recipe for the kind of excitement that you are experiencing.

node0 kernel: IPv4: Redirect from 10.0.30.1 on ens3 about 10.0.30.11 ignored

                            Advised path = 10.0.30.10 -> 10.10.20.2

If you are playing with subnets and routing for fun, that's great. You've found a less-optimal approach, but you can keep playing.

If you just want the computers to be able to talk to each other with the IP addresses configured, you can:

Add 10.10.10.3/24 to node1, and

Add 10.10.20.3/24 to node0

I hope this is helpful for you / others, despite being a bit out of date.

answered 4 mins ago

Slartibartfast

2,8621315

answered 4 mins ago

Slartibartfast

2,8621315

answered 4 mins ago

Slartibartfast

2,8621315

answered 4 mins ago

Slartibartfast

2,8621315

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Server Fault!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Ryfujk

Traffic via static route on router does not find its way backCisco PIX 515 doesn't seem to be passing traffic...

Node0

Meanwhile on node1

Node0

Meanwhile on node1

Node0

Meanwhile on node1

Node0

Meanwhile on node1

1 Answer
1

Your Answer

Post as a guest

1 Answer
1

1 Answer
1

Post as a guest

Popular posts from this blog

Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

Список ссавців Італії Природоохоронні статуси | Список |...

Маріан Котлеба Зміст Життєпис | Політичні погляди |...

Traffic via static route on router does not find its way backCisco PIX 515 doesn't seem to be passing traffic...

Node0

Meanwhile on node1

Node0

Meanwhile on node1

Node0

Meanwhile on node1

Node0

Meanwhile on node1

1 Answer 1

Your Answer

Sign up or log in

Post as a guest

Post as a guest

1 Answer 1

1 Answer 1

Sign up or log in

Post as a guest

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Sign up or log in

Post as a guest

Popular posts from this blog

Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

Список ссавців Італії Природоохоронні статуси | Список |...

Маріан Котлеба Зміст Життєпис | Політичні погляди |...

1 Answer
1

1 Answer
1

1 Answer
1