We use a dual-homed CentOS-6.3 host for our Internet gateway router. Its internal NIC (eth1) is configured such that the address 192.168.0.1 is one of its aliases.

# cat /etc/sysconfig/network-scripts/ifcfg-eth1:192
BOOTPROTO=none
BROADCAST=192.168.255.255
DEVICE=eth1:192
IPADDR=192.168.0.1
IPV6INIT=no
MTU=""
NAME="LAN - Non-routable"
NETMASK=255.255.0.0
NETWORK=192.168.0.0
ONBOOT=yes
ONPARENT=yes

Internal packets routed to 192.168.209.41 are passing through this router out onto the network. I am afraid that the reason is not evident to me and I have been unable to locate an answer.

The primary address for eth1 has the following configuration:

# cat /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=none
BROADCAST=""
DEFROUTE=yes
DEVICE=eth1
DOMAIN="hamilton.harte-lyne.ca harte-lyne.ca"
GATEWAY=216.xxx.yyy.53
HWADDR=00:25:90:60:11:8D
IPADDR=216.xxx.xxx.1
IPV4_FAILURE_FATAL=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
MACADDR=""
MTU=""
NAME="LAN Link - eth1"
NETMASK=""
NETWORK=""
NM_CONTROLLED=no
ONBOOT=yes
PREFIX=24
TYPE=Ethernet
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04

What configuration setting am I missing that will cause packets to 192.168.ccc.ddd to stay on the LAN and not try and pass through the WAN interface?

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On Tue, Sep 4, 2012 at 1:34 PM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> We use a dual homed CentOS-6.3 host for our Internet gateway router.
> Its internal nic (eth1) is configured such that the address
> 192.168.0.1 is one of its aliases.
>
> # cat /etc/sysconfig/network-scripts/ifcfg-eth1:192
> BOOTPROTO=none
> DEVICE=eth1:192
> IPADDR=192.168.0.1
> NETMASK=255.255.0.0
>
> Internal packets routed to 192.168.209.41 are passing through this
> router out onto the network. I am afraid that the reason is not
> evident to me and I have been unable to locate an answer.

That netmask says the interface handles the range from 192.168.0.0-192.168.255.255. Maybe you meant 255.255.255.0?

-- 
Les Mikesell
  lesmikesell at gmail.com
On Tue, September 4, 2012 14:34, James B. Byrne wrote:
> We use a dual homed CentOS-6.3 host for our Internet gateway router.
> Its internal nic (eth1) is configured such that the address
> 192.168.0.1 is one of its aliases.
>

per: Les Mikesell lesmikesell at gmail.com Tue Sep 4 15:01:18 EDT 2012

>> # cat /etc/sysconfig/network-scripts/ifcfg-eth1:192
>> BOOTPROTO=none
>> DEVICE=eth1:192
>> IPADDR=192.168.0.1
>> NETMASK=255.255.0.0
>>
>> Internal packets routed to 192.168.209.41 are passing through this
>> router out onto the network. I am afraid that the reason is not
>> evident to me and I have been unable to locate an answer.
>
> That netmask says the interface handles the range from
> 192.168.0.0-192.168.255.255. Maybe you meant 255.255.255.0?

There are presently two subnets on the LAN, 192.168.209.0 and 192.168.209.0. I believe that the present netmask is correct in these circumstances.

-- 
James B. Byrne
On 04.09.2012 at 20:34, James B. Byrne wrote:
> We use a dual homed CentOS-6.3 host for our Internet gateway router.
> Its internal nic (eth1) is configured such that the address
> 192.168.0.1 is one of its aliases.
>
> # cat /etc/sysconfig/network-scripts/ifcfg-eth1:192
> BOOTPROTO=none
> BROADCAST=192.168.255.255
> DEVICE=eth1:192
         ^^^^^^^^
> IPADDR=192.168.0.1
> IPV6INIT=no
> MTU=""
> NAME="LAN - Non-routable"
> NETMASK=255.255.0.0
> NETWORK=192.168.0.0
> ONBOOT=yes
> ONPARENT=yes
>
> Internal packets routed to 192.168.209.41 are passing through this
> router out onto the network. I am afraid that the reason is not
> evident to me and I have been unable to locate an answer.
>
> The primary address for eth1 has the following configuration:
>
> # cat /etc/sysconfig/network-scripts/ifcfg-eth1
> BOOTPROTO=none
> BROADCAST=""
> DEFROUTE=yes
> DEVICE=eth1
         ^^^^^^^^^
> DOMAIN="hamilton.harte-lyne.ca harte-lyne.ca"
> GATEWAY=216.xxx.yyy.53
> HWADDR=00:25:90:60:11:8D
> IPADDR=216.xxx.xxx.1
> IPV4_FAILURE_FATAL=yes
> IPV6_AUTOCONF=yes
> IPV6_DEFROUTE=yes
> IPV6_FAILURE_FATAL=no
> IPV6INIT=yes
> IPV6_PEERDNS=yes
> IPV6_PEERROUTES=yes
> MACADDR=""
> MTU=""
> NAME="LAN Link - eth1"
> NETMASK=""
> NETWORK=""
> NM_CONTROLLED=no
> ONBOOT=yes
> PREFIX=24
> TYPE=Ethernet
> UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
>
> What configuration setting am I missing that will cause packets to
> 192.168.ccc.ddd to stay on the LAN and not try and pass though the WAN
> interface?

Is it correct to set the internal net as alias on the public interface (216.xxx.xxx.1) - both via eth1? This is for sure not your intention. Maybe a typo ...

-- 
LF
Per: Les Mikesell lesmikesell at gmail.com Thu Sep 6 13:55:05 EDT 2012

> A 'route -n' should show you where any destination will head
> on the next hop. On host C, what is the line with the
> smallest matching destination/mask? Likewise, on the gateway
> host where you think it is being forwarded the wrong way?

$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
aaa.bbb.ccc.0   0.0.0.0         255.255.255.0   U     0      0        0 bridge0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 bridge0
0.0.0.0         aaa.1bbb.ccc.1  0.0.0.0         UG    0      0        0 bridge0

$ traceroute 192.168.209.43
traceroute to 192.168.209.43 (192.168.209.43), 30 hops max, 40 byte packets
 1  gway01 (aaa.bbb.ccc.1)  0.321 ms  0.298 ms  0.283 ms
 2  ISPlink (aaa.bbb.ddd.53)  1.000 ms  0.993 ms  1.450 ms
 3  * * *
 4  * * *
 5  * * *
 . . .

This seems to say that 192.168.209.43 is being routed out to the Internet as aaa.bbb.ddd.53 is our external gateway address on the router.

This is the routing table on the router:

[root at gway01 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
aaa.bbb.ddd.52  0.0.0.0         255.255.255.252 U     0      0        0 eth0
aaa.bbb.ccc.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         aaa.bbb.ddd.53  0.0.0.0         UG    0      0        0 eth0

-- 
James B. Byrne
Per: Les Mikesell lesmikesell at gmail.com Thu Sep 6 14:20:43 EDT 2012

--->
> On Thu, Sep 6, 2012 at 1:09 PM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>
> OK, there is no better match than the default in the route table
> above, so it goes to the default gateway. I assume that's what you
> want if you don't make the netmask span the 192.168.x.x range, but a
> side effect is that it will source from the aaa.bbb.ccc.x interface
> address.
>
>> This seems to say that 192.168.209.43 is being routed out to the
>> Internet as aaa.bbb.ddd.53 is our external gateway address on the
>> router.
>>
>> This is the routing table on the router:
>>
>> [root at gway01 ~]# route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> aaa.bbb.ddd.52  0.0.0.0         255.255.255.252 U     0      0        0 eth0
>> aaa.bbb.ccc.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
>> 169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
>> 0.0.0.0         aaa.bbb.ddd.53  0.0.0.0         UG    0      0        0 eth0
>
> I don't see any 192.168.x.x interface/mask there. Where else could
> it go? Or is that 2nd 169.254.0.0 a typo?
<---

You see, this is the question I am trying to fathom. Once upon a time, 2 days ago, the interface on the gateway system included ifcfg-eth1:192 which had the address 192.168.0.1 and the netmask 255.255.255.0. At that point I was not aware of any underlying problems and virtual interfaces on other hosts which had addresses like 192.168.216.ddd could be found and connected to from internal host addresses of the form aaa.bbb.ccc.0 where aaa.bbb.ccc is our publicly routable C class assigned address block.

The difficulties started when I began testing a new virtual host which eventually will be moved off-site to our DR facility (which is a lot less impressive in fact than it appears when I write that, but at least we have one). On that machine, for no particular reason, I decided to use a different sub-net for the 192.168 IP on the VM guests' eth1 i/f.

When I did that the KVM host could connect to those i/f, presumably because its own eth1 was set to an address on the same netblock (192.168.209.43) but no other host could connect to either the host's eth1 or any of the running guests' eth1. This is what prompted the question which has turned into this thread.

When I set this network up many ages ago I added 192.168.0.1 to the internal i/f of the gateway router in the apparently unfounded belief that if the router knew that the internal i/f had an address in the 192.168 address space then it would not try to route traffic destined for those addresses through the router. As I say, my knowledge of this is very limited. Although, to be fair, everything has worked as I expected up to now and this situation is simply an experiment of my own devising. So, I am hardly a walking accident waiting to happen.

What I wanted to have happen was for all traffic destined for 192.168.anything to stay inside the LAN and attached to the specified address, while any traffic that originated from 192.168.anything destined to anywhere else would route through the gateway; where it is NAT mangled.

I just want to understand what is going on in this specific case without delving deeply into the subject of routing, for which I do not have the luxury of time. This is not impacting anything of significance so I take it up on a time available basis. On the other hand, I am definitely gaining an education in the process.

-- 
James B. Byrne
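Les's point about the line with the smallest matching destination/mask (longest-prefix match) can be checked offline rather than by restarting the network. The following Python is an added example and is not code posted by anyone in this thread: it parses a copy of the gateway's route -n table quoted above, looks up 192.168.209.43 the way the kernel would, and then shows what changes when the 192.168.0.1 alias brings in a connected route as /24 versus /16. The masked aaa.bbb.ccc and aaa.bbb.ddd blocks are replaced by the documentation ranges 203.0.113.0/24 and 198.51.100.52/30; those are placeholders chosen for the example, not the poster's addresses.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    metric: int
    iface: str


# Constructed copy of the gateway's "route -n" table from this thread. The
# poster's masked public block aaa.bbb.ccc.0/24 and ISP link aaa.bbb.ddd.52/30
# are written here as the documentation ranges 203.0.113.0/24 and
# 198.51.100.52/30 (placeholders, not real addresses).
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.52   0.0.0.0         255.255.255.252 U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
0.0.0.0         198.51.100.53   0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text: str) -> List[Route]:
    """Parse the eight-column output of net-tools' route -n."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # title line and column header
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields
        # (address, dotted netmask) is accepted; 0.0.0.0/0.0.0.0 becomes /0
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def with_connected(routes: List[Route], cidr: str, iface: str) -> List[Route]:
    """Copy of the table plus the connected route the kernel installs when an
    address with prefix length from cidr is configured on iface."""
    network = ipaddress.IPv4Network(cidr, strict=False)
    return routes + [Route(network, None, 0, iface)]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; equal prefixes are decided by the lower metric,
    which is the kernel's selection order. The default route (/0) matches
    everything, so it only wins when nothing more specific exists."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def describe(routes: List[Route], dst: str) -> str:
    """One-line summary in the style of 'ip route get'."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: unreachable"
    via = "directly" if r.gateway is None else f"via {r.gateway}"
    return f"{dst}: {r.network} {via} dev {r.iface}"


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    target = "192.168.209.43"
    print("table as posted:", describe(table, target))
    print("alias as /24:   ", describe(with_connected(table, "192.168.0.1/24", "eth1"), target))
    print("alias as /16:   ", describe(with_connected(table, "192.168.0.1/16", "eth1"), target))
```

With the table as posted, 192.168.209.43 matches only the /0 default and leaves through eth0 to the ISP link; a 192.168.0.0/24 connected route does not contain 192.168.209.43, so nothing changes; a 192.168.0.0/16 connected route is the longest match and the packet stays on eth1.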
Well, I seem to be getting somewhere, although where exactly is open to question. I did this.

I put the virtual interface address 192.168.0.1 back onto eth1 of the gateway host and restarted the network services. The ifcfg file looked like this:

BOOTPROTO=none
BROADCAST=192.168.255.255
DEVICE=eth1:192
IPADDR=192.168.0.1
IPV6INIT=no
MTU=""
NAME="LAN - Non-routable"
NETMASK=255.255.0.0
NETWORK=192.168.0.0
ONBOOT=yes
ONPARENT=yes

After the restart ip addr showed this:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:60:11:8d brd ff:ff:ff:ff:ff:ff
    inet aaa.bbb.ccc.1/24 brd aaa.bbb.ccc.255 scope global eth1
    inet 192.168.0.1/24 brd 192.168.255.255 scope global eth1:192
    inet6 fe80::225:90ff:fe60:118d/64 scope link
       valid_lft forever preferred_lft forever

Note the CIDR suffix on 192.168.0.1 = 24. That is not what I expected. Restarting with the same config did not change the initially observed outcome.

So, I edited ifcfg-eth1:192 and added exactly one line:

PREFIX="16"

and restarted the network. ip addr now shows this:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:60:11:8d brd ff:ff:ff:ff:ff:ff
    inet aaa.bbb.ccc.1/24 brd aaa.bbb.ccc.255 scope global eth1
    inet 192.168.0.1/16 brd 192.168.255.255 scope global eth1:192
    inet6 fe80::225:90ff:fe60:118d/64 scope link
       valid_lft forever preferred_lft forever

Note that the CIDR suffix is now 16.

Now, when I try and ping an address on the 192.168 netblock from host C I see this:

# ping 192.168.209.43
PING 192.168.209.43 (192.168.209.43) 56(84) bytes of data.
From 216.185.71.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.209.43)
From 216.185.71.1: icmp_seq=3 Redirect Host(New nexthop: 192.168.209.43)
From 216.185.71.1: icmp_seq=4 Redirect Host(New nexthop: 192.168.209.43)
From 216.185.71.1: icmp_seq=5 Redirect Host(New nexthop: 192.168.209.43)
From 216.185.71.1: icmp_seq=6 Redirect Host(New nexthop: 192.168.209.43)

My question now is how do I get to 192.168.209.43?

-- 
James B. Byrne
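The NETMASK/PREFIX surprise above is the kind of thing worth catching before a network restart. The following Python is an added example, not code from this thread or from the initscripts package: it parses a copy of the ifcfg-eth1:192 file quoted above, derives the prefix length from NETMASK, compares it with PREFIX, checks NETWORK and BROADCAST against the resulting network, and reports whether a destination such as 192.168.209.43 would be on-link for a /16 but not for a /24. The advice to set PREFIX explicitly reflects what James observed on his CentOS 6.3 host; the checker does not claim to reproduce the initscripts' own logic, it only flags the ambiguity.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed copy of the alias file quoted in this thread
# (/etc/sysconfig/network-scripts/ifcfg-eth1:192), before PREFIX was added.
IFCFG_ALIAS = """\
BOOTPROTO=none
BROADCAST=192.168.255.255
DEVICE=eth1:192
IPADDR=192.168.0.1
IPV6INIT=no
MTU=""
NAME="LAN - Non-routable"
NETMASK=255.255.0.0
NETWORK=192.168.0.0
ONBOOT=yes
ONPARENT=yes
"""


def parse_ifcfg(text: str) -> Dict[str, str]:
    """Read KEY=VALUE lines, dropping comments and surrounding quotes."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"').strip("'")
    return cfg


def netmask_to_prefix(mask: str) -> int:
    """255.255.0.0 -> 16; a non-contiguous mask raises ValueError."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen


def check_alias(cfg: Dict[str, str]) -> Dict[str, object]:
    """Report the prefix NETMASK implies, the PREFIX declared, and any
    inconsistencies between them and NETWORK/BROADCAST."""
    findings: List[str] = []
    mask_prefix: Optional[int] = None
    declared: Optional[int] = None

    if ":" in cfg.get("DEVICE", "") and cfg.get("ONPARENT", "yes").lower() != "yes":
        findings.append("alias device without ONPARENT=yes will not come up with its parent")

    if cfg.get("NETMASK"):
        mask_prefix = netmask_to_prefix(cfg["NETMASK"])
    if cfg.get("PREFIX"):
        declared = int(cfg["PREFIX"])

    if mask_prefix is not None and declared is not None and mask_prefix != declared:
        findings.append(f"NETMASK implies /{mask_prefix} but PREFIX says /{declared}")
    elif mask_prefix is not None and declared is None:
        # the thread's fix: state the prefix explicitly so there is no ambiguity
        findings.append(f"no PREFIX; set PREFIX={mask_prefix} to match NETMASK={cfg['NETMASK']}")
    elif mask_prefix is None and declared is None:
        findings.append("neither NETMASK nor PREFIX given")

    prefix = declared if declared is not None else mask_prefix
    if prefix is not None and cfg.get("IPADDR"):
        iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{prefix}")
        for key, want in (("NETWORK", iface.network.network_address),
                          ("BROADCAST", iface.network.broadcast_address)):
            if cfg.get(key) and ipaddress.IPv4Address(cfg[key]) != want:
                findings.append(f"{key}={cfg[key]} does not match {iface.network} (expected {want})")

    return {"device": cfg.get("DEVICE"), "netmask_prefix": mask_prefix,
            "declared_prefix": declared, "effective_prefix": prefix, "findings": findings}


def covers(ipaddr: str, prefix: int, dst: str) -> bool:
    """True when dst lies inside the network of ipaddr/prefix, i.e. the host
    treats it as on-link instead of handing it to the default gateway."""
    return ipaddress.IPv4Address(dst) in ipaddress.IPv4Interface(f"{ipaddr}/{prefix}").network


if __name__ == "__main__":
    report = check_alias(parse_ifcfg(IFCFG_ALIAS))
    for line in report["findings"]:
        print("finding:", line)
    for plen in (24, 16):
        print(f"192.168.209.43 on-link with /{plen}:", covers("192.168.0.1", plen, "192.168.209.43"))
```

Run against the file as first posted it reports only the missing PREFIX; with PREFIX="16" appended it reports nothing, and with PREFIX="24" it flags both the NETMASK disagreement and a BROADCAST that no longer matches the /24.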