[TriLUG] traceroute works, ping and tcp services don't get through
Joseph Mack NA3T
jmack at wm7d.net
Fri May 18 08:59:48 EDT 2012
             client (outside/internet)
                   \  def gw
                    \
   router1 <----> router2
       ^             /
def gw |            / route
       |           v
         server (inside)
I've just fixed this problem but don't have an explanation
for what I saw and was wondering if anyone understands it.
I have failover routers. Because I'm changing the internal
networks, one router at a time, the IPs on the inside of the
routers are different (router1=172.16.2.0/24,
router2=192.168.2.0/24). Normally router1 is the default
route for packets from the outside and inside, but to test
that I could still use both routers, I made router2 the
default gw for packets from the outside, while keeping
router1 the default gw for packets from the inside.
Although I didn't realise it, I now didn't have a route from
router1 to the client. What was also confusing was that I'd
just home brewed my own firewall rules and had assumed that
they were causing the problem (they weren't, but I spent
2hrs debugging them before finding the solution).
What I saw was that I could no longer ping (icmp type 8)
the server from the client, or make any tcp connections.
However traceroute (icmp type 11) still worked, showing the
expected path client->router2->server. Looking at the
iptables logs, I found that tcp packets were being returned
from the server via router1 (the server's default gw) and
not by the reverse path via router2. Adding a route from
router1 to the client allowed ping and tcp packets to get
through.
So tcp and ping type 8 go around the loop clockwise, while
ping type 11 goes out and back client<->router2<->server.
Anyone know why the different packets take a different
route?
Thanks Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
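The following is an added illustration and not part of Joe's post: a small Python model of the routing tables he describes, walked hop by hop so you can see why an ICMP time-exceeded generated at router2 gets back to the client while anything the server itself originates does not. Only the two inside networks (172.16.2.0/24 and 192.168.2.0/24) come from the post; the client address, the server's address, the link layout and the per-hop route entries are assumptions made for the simulation.

```python
"""Model of the asymmetric-routing failure from the post (added example).

Assumptions (not stated in the original): the client sits on 203.0.113.0/24,
the server is 172.16.2.50 and is directly linked to both routers, and the
routers are directly linked to each other and to the client.
"""
import ipaddress
from dataclasses import dataclass, field

CLIENT = "203.0.113.10"     # assumed outside address (RFC 5737 range)
ROUTER1 = "172.16.2.1"      # inside net from the post
ROUTER2 = "192.168.2.1"     # inside net from the post
SERVER = "172.16.2.50"      # assumed server address


@dataclass
class Node:
    name: str
    addr: str
    links: set                                   # directly connected node names
    routes: dict = field(default_factory=dict)   # prefix -> next-hop node name

    def next_hop(self, dst):
        """Longest-prefix match over this node's table; None means no route."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, hop in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


def build_topology(router1_has_client_route=False):
    """Joe's test setup: client's default gw is router2, server's is router1.
    The bug is that router1 has no route back to the client's network."""
    r1_routes = {"172.16.2.0/24": "server"}
    if router1_has_client_route:
        r1_routes["203.0.113.0/24"] = "client"   # the fix Joe applied
    return {
        "client": Node("client", CLIENT, {"router1", "router2"},
                       {"0.0.0.0/0": "router2"}),
        "router1": Node("router1", ROUTER1, {"client", "router2", "server"},
                        r1_routes),
        "router2": Node("router2", ROUTER2, {"client", "router1", "server"},
                        {"172.16.2.0/24": "server", "203.0.113.0/24": "client"}),
        "server": Node("server", SERVER, {"router1", "router2"},
                       {"0.0.0.0/0": "router1", "192.168.2.0/24": "router2"}),
    }


def forward(nodes, src, dst, ttl=64):
    """Walk a packet from node `src` to address `dst`.
    Returns (status, node_where_it_ended, path)."""
    path, cur = [src], src
    while True:
        hop = nodes[cur].next_hop(dst)
        if hop is None:
            return ("no route", cur, path)          # dropped here
        if hop not in nodes[cur].links:
            return ("next hop not connected", cur, path)
        path.append(hop)
        cur = hop
        if nodes[cur].addr == dst:
            return ("delivered", cur, path)
        ttl -= 1
        if ttl == 0:
            return ("ttl exceeded", cur, path)      # router originates ICMP type 11


def ping(nodes):
    """Echo request client->server, then echo reply server->client.
    Returns (ok, result_of_the_leg_that_decided_it)."""
    req = forward(nodes, "client", SERVER)
    if req[0] != "delivered":
        return (False, req)
    rep = forward(nodes, "server", CLIENT)
    return (rep[0] == "delivered", rep)


def traceroute(nodes, max_hops=4):
    """For each TTL, record which node originates the reply and whether that
    reply reaches the client. Returns [(ttl, origin, reply_delivered), ...]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        status, origin, _ = forward(nodes, "client", SERVER, ttl)
        back = forward(nodes, origin, CLIENT)
        hops.append((ttl, origin, back[0] == "delivered"))
        if status == "delivered":
            break
    return hops


def symmetric(nodes):
    """True only if the reply path is the forward path in reverse."""
    out = forward(nodes, "client", SERVER)[2]
    back = forward(nodes, "server", CLIENT)[2]
    return back == list(reversed(out))


if __name__ == "__main__":
    broken, fixed = build_topology(), build_topology(router1_has_client_route=True)
    print("broken ping:", ping(broken))
    print("broken traceroute:", traceroute(broken))
    print("fixed  ping:", ping(fixed))
    print("fixed path symmetric?", symmetric(fixed))
```

What the model makes visible: the time-exceeded for TTL 1 is originated by router2, which has a direct link and a route back to the client, so that hop shows up in traceroute; any packet originated by the server (echo reply, SYN-ACK, the final traceroute response) follows the server's default route to router1, where it is dropped for lack of a route. Adding the route on router1 makes the replies arrive but the path is still asymmetric, which is worth remembering when stateful firewall rules or reverse-path filtering sit on either router.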