[TriLUG] traceroute works, ping and tcp services don't get through

Joseph Mack NA3T jmack at wm7d.net
Fri May 18 08:59:48 EDT 2012


           client (outside/internet)

                   \| def gw
                   -
router1   <---->  router2
                    _
          _         /|
  def gw |\       |/_ route


           server (inside)

I've just fixed this problem but don't have an explanation 
for what I saw and was wondering if anyone understands it.

I have failover routers. Because I'm changing the internal 
networks, one router at a time, the IPs on the inside of the 
routers are different (router1=172.16.2.0/24, 
router2=192.168.2.0/24). Normally router1 is the default 
route for packets from the outside and inside, but to test 
that I could still use both routers, I made router2 the 
default gw for packets from the outside, while keeping 
router1 the default gw for packets from the inside.

Although I didn't realise it, I now didn't have a route from 
router1 to the client. What was also confusing was that I'd 
just home brewed my own firewall rules and had assumed that 
they were causing the problem (they weren't, but I spent 
2hrs debugging them before finding the solution).

What I saw was that I could no longer ping (icmp type 8) 
the server from the client, or make any tcp connections. 
However traceroute (icmp type 11) still worked, showing the 
expected path client->router2->server. Looking at the 
iptables logs, I found that tcp packets were being returned 
from the server via router1 (the server's default gw) and 
not by the reverse path via router2. Adding a route from 
router1 to the client allowed ping and tcp packets to get 
through.

So tcp and ping type 8 go around the loop clockwise, while 
ping type 11 goes out and back client<->router2<->server

Anyone know why the different packets take a different 
route?

Thanks Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
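
Added example, not part of the original post: one way to confirm from the routers' iptables LOG output the asymmetric return path described above, by flagging flows whose two directions were logged by different routers. The hostnames, addresses, "FWD" log prefix and function names are assumptions, and it expects both routers' logs merged into one syslog-style text.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's iptables LOG format; the hostnames,
# addresses and "FWD" log prefix are assumptions, not taken from the post.
SAMPLE_LOG = """\
May 18 08:41:02 router2 kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.2.10 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=22 SYN
May 18 08:41:02 router1 kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.2.10 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=22 DPT=40112 ACK SYN
May 18 08:41:05 router2 kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.2.10 LEN=60 TTL=63 PROTO=TCP SPT=40113 DPT=80 SYN
May 18 08:41:05 router2 kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.2.10 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=80 DPT=40113 ACK SYN
"""

LINE_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+kernel:")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return (router, proto, (src, sport), (dst, dport)) or None if not a LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    src = (fields["SRC"], fields.get("SPT", ""))  # ICMP lines carry no ports
    dst = (fields["DST"], fields.get("DPT", ""))
    return m["host"], fields["PROTO"], src, dst

def asymmetric_flows(log_text):
    """List (proto, {(src, dst): [routers]}) for flows whose directions differ in path."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, proto, src, dst = rec
        # Key the flow on the unordered endpoint pair so both directions meet.
        seen[(proto, frozenset((src, dst)))][(src, dst)].add(host)
    flagged = []
    for (proto, _), dirs in seen.items():
        # Asymmetric: both directions were logged, but by different router sets.
        if len(dirs) == 2 and len({frozenset(r) for r in dirs.values()}) == 2:
            flagged.append((proto, {d: sorted(r) for d, r in dirs.items()}))
    return flagged

if __name__ == "__main__":
    for proto, paths in asymmetric_flows(SAMPLE_LOG):
        for (src, dst), routers in paths.items():
            print(f"{proto} {src[0]}:{src[1]} -> {dst[0]}:{dst[1]} via {','.join(routers)}")
```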