CentOS-6.6

We have a host that has multiple IPv4 addresses aliased to eth0. The primary address is 216.185.71.x and the alias is 192.168.6.x.

This host connects to devices on both netblocks without problems. Only default routing is used and it looks like this:

#ip route
192.168.6.0/24 dev eth0 proto kernel scope link src 192.168.6.x
216.185.71.0/24 dev eth0 proto kernel scope link src 216.185.71.x
169.254.0.0/16 dev eth0 scope link metric 1002
default via 192.168.6.1 dev eth0 src 192.168.6.x
default via 216.185.71.1 dev eth0

When the system connects to internal systems via ssh it uses the src 216.185.71.x for devices on that netblock and 192.168.6.x for devices on the other.

The problem is that when we try to establish an ssh connection off-site to another netblock altogether the host uses 192.168.6.x as the source and the destination gets the public side IP address of our gateway router as the point of origin due to masquerading.

I have solved this by explicitly binding ssh to the public IPv4 address when connecting, using the --bind=216.185.71.x parameter. But I have two questions I would like to find answers for:

1. Why is ssh using the private IP in preference to the public IP when connecting to off-site addresses?

2. How does one configure the routing table on network startup to specifically detail the route particular addresses are supposed to take?

For diagnosis here are the ifcfg scripts used for both interfaces:

DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="216.185.71.255"
DNS1="216.185.71.33"
GATEWAY="216.185.71.1"
HWADDR="38:60:77:D5:AC:D8"
IPADDR="216.185.71.x"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NETMASK="255.255.255.0"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
UUID="0202e615-ce93-4fe1-833a-c11259afb850"

DEVICE="eth0:192"
BOOTPROTO="static"
BROADCAST="192.168.6.255"
GATEWAY="192.168.6.1"
IPADDR="192.168.6.x"
NETMASK="255.255.255.0"
NM_CONTROLLED="no"
ONPARENT="yes"
TYPE="Ethernet"

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
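The following is an added example, not code from the original thread or from anyone in it. It models how the kernel chooses a route and a source address for the table James posted (longest prefix first, then lowest metric, then table order, with the route's own `src` overriding the device's primary address), so that question 1 can be checked offline. The `.x` host octets are not on the page and are replaced by `.10`; the off-site destination 203.0.113.10 is a constructed documentation address; `PRIMARY_ADDR` encodes the assumption that the address from ifcfg-eth0 is the primary one on eth0 and the alias is secondary.

```python
import ipaddress

# Constructed copy of the 'ip route' output from the post. The ".x" host octet
# is not given in the post; ".10" stands in for it here.
ROUTES_BEFORE = [
    "192.168.6.0/24 dev eth0 proto kernel scope link src 192.168.6.10",
    "216.185.71.0/24 dev eth0 proto kernel scope link src 216.185.71.10",
    "169.254.0.0/16 dev eth0 scope link metric 1002",
    "default via 192.168.6.1 dev eth0 src 192.168.6.10",
    "default via 216.185.71.1 dev eth0",
]

# The same table once the alias no longer contributes a default route
# (GATEWAY removed from ifcfg-eth0:192).
ROUTES_AFTER = [
    "192.168.6.0/24 dev eth0 proto kernel scope link src 192.168.6.10",
    "216.185.71.0/24 dev eth0 proto kernel scope link src 216.185.71.10",
    "169.254.0.0/16 dev eth0 scope link metric 1002",
    "default via 216.185.71.1 dev eth0",
]

# Assumption: the first-configured (primary) address of each device. eth0:192
# is an alias, so its address is secondary and not used unless a route says so.
PRIMARY_ADDR = {"eth0": "216.185.71.10"}

ATTRS = ("via", "dev", "src", "metric")


def parse_route(line):
    """Split one 'ip route' line into destination network, next hop, device,
    preferred source and metric (0 when absent, as the kernel treats it)."""
    words = line.split()
    dst = "0.0.0.0/0" if words[0] == "default" else words[0]
    route = {"dst": ipaddress.ip_network(dst), "via": None, "dev": None,
             "src": None, "metric": 0}
    for i, word in enumerate(words[1:-1], start=1):
        if word in ATTRS:
            value = words[i + 1]
            route[word] = int(value) if word == "metric" else value
    return route


def lookup(table_lines, destination):
    """Pick the route the kernel would use: longest prefix first, then lowest
    metric, then table order (the tie-break the post's output shows for the
    two equal default routes). Returns (next_hop, source_address)."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for order, line in enumerate(table_lines):
        route = parse_route(line)
        if dst in route["dst"]:
            candidates.append((-route["dst"].prefixlen, route["metric"], order, route))
    if not candidates:
        raise LookupError("no route to " + destination)
    best = min(candidates)[3]
    # Source selection: the route's own 'src' wins; otherwise the primary
    # address of the outgoing device is used.
    source = best["src"] or PRIMARY_ADDR[best["dev"]]
    return best["via"] or "on-link", source


if __name__ == "__main__":
    for dest in ("192.168.6.50", "216.185.71.50", "203.0.113.10"):
        print("before:", dest, "->", lookup(ROUTES_BEFORE, dest))
    print("after:  203.0.113.10 ->", lookup(ROUTES_AFTER, "203.0.113.10"))
```

With both default routes present, the off-site destination falls through to the first default in the table, which carries `src 192.168.6.x`, and that is why ssh leaves with the private address. With only the 216.185.71.1 default left, no `src` is attached and the primary address of eth0 is used instead.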
Hi James,

Simply remove the GATEWAY line from the eth0:192 interface config :D

Then you'll have only one default gateway, and the source IP for all unknown addresses will be the routable one.

Regards,

Antonio.

----- "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:

> From: "James B. Byrne" <byrnejb at harte-lyne.ca>
> To: centos at centos.org
> Sent: Wednesday, 18 February 2015 15:39:16 (GMT-0300) Auto-Detected
> Subject: [CentOS] Help with routing question.
>
> [...]
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
Antonio da Silva Martins Jr.
Support Analyst
NPD - Núcleo de Processamento de Dados
UEM - Universidade Estadual de Maringá
email: asmartins at uem.br
phone: +55 (44) 3011-4015 / 3011-4411
inoc-dba: 263076*100
"Real Programmers don't need comments - the code is obvious."

--
This message has been checked by the antivirus system and is believed to be free of danger.
On Wed, Feb 18, 2015 at 11:39 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>
> We have a host that has multiple IPv4 addresses aliased to eth0. The
> primary address is 216.185.71.x and the alias is 192.168.6.x.
>
> This host connects to devices on both netblocks without problems.
> Only default routing is used and it looks like this:
>
> #ip route
> 192.168.6.0/24 dev eth0 proto kernel scope link src 192.168.6.x
> 216.185.71.0/24 dev eth0 proto kernel scope link src 216.185.71.x
> 169.254.0.0/16 dev eth0 scope link metric 1002
> default via 192.168.6.1 dev eth0 src 192.168.6.x
> default via 216.185.71.1 dev eth0
>
> 1. Why is ssh using the private IP in preference to the public IP when
> connecting to off-site addresses?

Because you have a default route for it.

> 2. How does one configure the routing table on network startup to
> specifically detail the route particular addresses are supposed to
> take?
>

Not exactly sure how routing works with aliases on the same interface, but the first thing I would try is the same as you would use on different interfaces. That is, leave the 'GATEWAY=' on your internet-facing eth0, but remove the entry from the private eth0:192. Then add a route-eth0:192 file containing the network(s) and gateway for the private side. The source address it picks should be the one appropriate to reach the next-hop router specified in your routes.

--
  Les Mikesell
    lesmikesell at gmail.com
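As an added example (not code from the thread or from any of its participants), here is a small audit that implements the two fixes proposed by Antonio and Les: it parses ifcfg files, flags any physical device that would receive more than one default route because an alias file also sets `GATEWAY`, strips the offending line from the alias file, and builds a static-route file for the private side. The ifcfg contents are constructed copies of the two files James posted with `.x` replaced by `.10`; the private-side netblock 192.168.0.0/16 is a constructed placeholder. The route file is written in the `ip route` argument form that `ifup-routes` accepts; whether it should be named route-eth0:192 (Les's suggestion) or route-eth0 for the parent device is an assumption to verify against the initscripts on the box.

```python
# Constructed copies of the two ifcfg files from the post; ".x" host octets
# are shown as ".10" because the real values are not on the page.
IFCFG_FILES = {
    "ifcfg-eth0": (
        'DEVICE="eth0"\n'
        'BOOTPROTO="static"\n'
        'BROADCAST="216.185.71.255"\n'
        'DNS1="216.185.71.33"\n'
        'GATEWAY="216.185.71.1"\n'
        'IPADDR="216.185.71.10"\n'
        'NETMASK="255.255.255.0"\n'
        'NM_CONTROLLED="no"\n'
        'ONBOOT="yes"\n'
        'TYPE="Ethernet"\n'
    ),
    "ifcfg-eth0:192": (
        'DEVICE="eth0:192"\n'
        'BOOTPROTO="static"\n'
        'BROADCAST="192.168.6.255"\n'
        'GATEWAY="192.168.6.1"\n'
        'IPADDR="192.168.6.10"\n'
        'NETMASK="255.255.255.0"\n'
        'NM_CONTROLLED="no"\n'
        'ONPARENT="yes"\n'
        'TYPE="Ethernet"\n'
    ),
}


def parse_ifcfg(text):
    """Parse KEY=value / KEY="value" lines into a dict, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def parent_device(device):
    """eth0:192 -> eth0: an alias shares its parent's routing table."""
    return device.split(":", 1)[0]


def default_gateways(files):
    """Map each physical device to the (file, GATEWAY) pairs that give it a default route."""
    found = {}
    for name, text in files.items():
        cfg = parse_ifcfg(text)
        if "GATEWAY" in cfg:
            dev = parent_device(cfg.get("DEVICE", name[len("ifcfg-"):]))
            found.setdefault(dev, []).append((name, cfg["GATEWAY"]))
    return found


def audit(files):
    """Devices that would end up with more than one default route (the post's situation)."""
    return {dev: gws for dev, gws in default_gateways(files).items() if len(gws) > 1}


def strip_gateway(text):
    """Antonio's fix: drop the GATEWAY line from an alias file so that only the
    parent device supplies the default route."""
    kept = [l for l in text.splitlines() if not l.strip().startswith("GATEWAY=")]
    return "\n".join(kept) + "\n"


def route_file(networks, gateway, device):
    """Les's fix: contents of a route-<device> file in the 'ip route' argument
    form (one static route per line) for the private-side networks."""
    return "".join("%s via %s dev %s\n" % (net, gateway, device) for net in networks)


if __name__ == "__main__":
    print("before:", audit(IFCFG_FILES))
    fixed = dict(IFCFG_FILES)
    fixed["ifcfg-eth0:192"] = strip_gateway(IFCFG_FILES["ifcfg-eth0:192"])
    print("after: ", audit(fixed))
    # 192.168.0.0/16 is a constructed example of a private-side netblock.
    print(route_file(["192.168.0.0/16"], "192.168.6.1", "eth0"), end="")
```

Run against a real /etc/sysconfig/network-scripts directory, `audit` is the check to keep around: any device with two entries is a host whose outbound traffic may leave with an unintended source address, which is exactly what James observed.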
Hi James,

Antonio is correct. The default address is used when the destination address is not on a subnet that is on one of your local interfaces. Any packet destined for an address on the 192.168.6.0/24 subnet will automatically be sent with a source address of 192.168.6.1. The same goes for any packet destined for an address on the 216.185.71.0/24 subnet: it will be sent with a source address of 216.185.71.1.

The kernel uses the first address on an interface as the primary address. You can see this if you just do ifconfig ifname: you will only see the first address you assign to the interface.

Hope this helps,
Steve

On 02/18/2015 12:51 PM, Antonio S. Martins Jr. wrote:
> Hi James,
>
> Simply remove the GATEWAY line from the eth0:192 interface config :D
>
> Then you'll have only one default gateway. And the source IP for all unknown addresses
> will be the routable one.
>
> Regards,
>
> Antonio.
>
> ----- "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:
>
>> [...]

--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com