Hi to all,

                +-------+   eth1   +-------+
                |       |==========|       |
 'network 1' ---|   A   |          |   B   |--- 'network 2'
                |       |==========|       |
                +-------+   eth2   +-------+

A and B are routers

  # tc qdisc add dev eth1 root teql0
  # tc qdisc add dev eth2 root teql0
  # ip link set dev teql0 up

On router A:

  # ip addr add dev eth1 10.0.0.0/31
  # ip addr add dev eth2 10.0.0.2/31
  # ip addr add dev teql0 10.0.0.4/31

On router B:

  # ip addr add dev eth1 10.0.0.1/31
  # ip addr add dev eth2 10.0.0.3/31
  # ip addr add dev teql0 10.0.0.5/31

The above has been quoted from the LARTC HOWTO. I would like to know the following things:

1) Are 10.0.0.0/31, 10.0.0.2/31, 10.0.0.3/31... different networks? Are the devices eth1, eth2 and teql0 on each router part of 3 different networks?

2) What is the reason for doing the "/31" thing? Can't we use network addresses such as 192.168.0.0/24, 192.168.10.0/24 and so on for the devices eth1, eth2 and teql0?

Warm regards,
Visham
Eliot, Wireless and Server Administrator, Great Lakes Internet
2006-Jun-01 19:13 UTC
RE: Not understanding network setup!!
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of ramsurrunv@mx.uom.ac.mu
Sent: Thursday, June 01, 2006 2:58 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Not understanding network setup!!

> Hi to all,
>
>                 +-------+   eth1   +-------+
>                 |       |==========|       |
>  'network 1' ---|   A   |          |   B   |--- 'network 2'
>                 |       |==========|       |
>                 +-------+   eth2   +-------+
>
> A and B are routers
>
> # tc qdisc add dev eth1 root teql0
> # tc qdisc add dev eth2 root teql0
> # ip link set dev teql0 up
>
> On router A:
>
> # ip addr add dev eth1 10.0.0.0/31
> # ip addr add dev eth2 10.0.0.2/31
> # ip addr add dev teql0 10.0.0.4/31
>
> On router B:
>
> # ip addr add dev eth1 10.0.0.1/31
> # ip addr add dev eth2 10.0.0.3/31
> # ip addr add dev teql0 10.0.0.5/31
>
> The above has been quoted from the LARTC HOWTO. I would like to know the
> following things:
>
> 1) Are 10.0.0.0/31, 10.0.0.2/31, 10.0.0.3/31... different networks? Are
> the devices eth1, eth2 and teql0 on each router part of 3 different
> networks?

I very much doubt the above was quoted on the LARTC HOWTO. Please point us to where you saw this. It is completely wrong.

First, 10.0.0.0/31 would be a network address. Second, a 31 bit subnet is meaningless. It only offers two addresses, the network address at 10.0.0.0 and the broadcast address at 10.0.0.1. That leaves no available addresses for host addresses. You probably mean /30 instead of /31. If you were using a /30, then you would run:

  ip addr add 10.0.0.1/30 dev eth1
  ip addr add 10.0.0.5/30 dev eth2
  ip addr add 10.0.0.9/30 dev teql0

The .1, .5, and .9 would be the first available addresses in their respective subnets. On router B, you would run:

  ip addr add 10.0.0.2/30 dev eth1
  ip addr add 10.0.0.6/30 dev eth2
  ip addr add 10.0.0.10/30 dev teql0

The .2, .6, and .10 addresses would be the second and final available host addresses on their respective subnets.
And yes, each device sits on a different network when configured like this. The teql0 device simply lets you load balance across the two eth devices.

> 2) What is the reason for doing the "/31" thing? Can't we use network
> addresses such as 192.168.0.0/24, 192.168.10.0/24 and so on for the
> devices eth1, eth2 and teql0?

You could use the 192.168.0.0/24 type addresses just as easily. The only difference is in how many addresses are available for hosts on the network block. By using a /30, you allow 2 host addresses and only 2 host addresses. Using the /24 network, you allow 254 host addresses. That seems rather wasteful when all you need is 2, doesn't it?

Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified

Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington, Brown City, Yale, Worth Township, and Sandusky. Call for details.

http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl
> [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of
> ramsurrunv@mx.uom.ac.mu
> Sent: Thursday, June 01, 2006 2:58 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Not understanding network setup!!
>
>> Hi to all,
...
> First, 10.0.0.0/31 would be a network address. Second, a 31 bit subnet
> is meaningless. It only offers two addresses, the network address at
> 10.0.0.0 and the broadcast address at 10.0.0.1. That leaves no available
> addresses for host addresses. You probably mean /30 instead of /31. If
> you were using a /30, then you would run:
>
> ip addr add 10.0.0.1/30 dev eth1
> ip addr add 10.0.0.5/30 dev eth2
> ip addr add 10.0.0.9/30 dev teql0
>
> The .1, .5, and .9 would be the first available addresses in their
> respective subnets.

You probably mean /28 instead of /30:

  ip addr add 10.0.0.9/28 dev teql0

Jarek P.
Hi to all,

> I very much doubt the above was quoted on the LARTC HOWTO. Please point
> us to where you saw this. It is completely wrong.

This is where I got it from: http://www.lartc.org/lartc.html#LARTC.LOADSHARE (Chapter 10. Load sharing over multiple interfaces).

I actually implemented the setup blindly without understanding it and it worked. When I tried to change the topology of the network and the IP addresses, then I got problems. This is what I'm trying to do:

           __________          _____________          _________
          |          |        |             |        |         |
          |      eth1|--------|eth0 FW1 eth1|--------|eth1     |
          |          |        |_____________|        |         |
    PC_A--|eth0 PC_B |                               |PC_C eth0|--PC_D
          |          |         _____________         |         |
          |      eth2|--------|eth0 FW2 eth1|--------|eth2     |
          |__________|        |_____________|        |_________|

The configurations on the respective PCs are:

PC_A:
  eth0 = 192.168.0.10/24
  # ip route add default via 192.168.0.1

PC_B:
  eth0 = 192.168.0.1/24
  eth1 = 192.168.10.10/24
  eth2 = 192.168.40.10/24

FW1:
  eth0 = 192.168.10.11/24
  eth1 = 192.168.20.11/24

FW2:
  eth0 = 192.168.40.11/24
  eth1 = 192.168.50.11/24

PC_C:
  eth0 = 192.168.30.1/24
  eth1 = 192.168.20.10/24
  eth2 = 192.168.50.10/24

PC_D:
  eth0 = 192.168.30.10/24
  # ip route add default via 192.168.30.1

I'm trying to load balance the traffic from PC_A to PC_D over the two PCs FW1 and FW2, using teql. I tried to follow the steps in the LARTC HOWTO but it's not working. Actually I'm having problems setting up the routing on these PCs with regard to teql. I simply don't know how to do it.

I have enabled IP forwarding (ip_forward) and disabled reverse path filtering (rp_filter) on PC_B, PC_C, FW1 & FW2 for all NICs. B & C have 2.6.16 kernels with kernel options like advanced routing (CONFIG_IP_ADVANCED_ROUTER) and multipath route support selected.

When I ping from PC_A to PC_D, I'm getting a "Destination Host Unreachable" msg. What am I doing wrong? I know you guys are really good at this kind of stuff.. please help me out.

Warm regards,
Visham
Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:

>> -----Original Message-----
>> From: Jarek Poplawski [mailto:jarkap@poczta.onet.pl]
>> Sent: Friday, June 02, 2006 9:57 AM
>> To: Eliot, Wireless and Server Administrator, Great Lakes Internet
>> Cc: lartc@mailman.ds9a.nl
>> Subject: Re: [LARTC] Re: Not understanding network setup!!
>> ...
>> Maybe we are thinking about something else but I don't think:
>> "If you were using a /30, then" ... ".5, and .9 would be the
>> first available addresses in their respective subnets" is all
>> correct.
>
> 10.0.0.0/30:
>
> 10.0.0.0 - NETWORK ADDRESS
> 10.0.0.1 - HOST
> 10.0.0.2 - HOST
> 10.0.0.3 - BROADCAST ADDRESS
>
> First available address is .1
>
> 10.0.0.4/30:
>
> 10.0.0.4 - NETWORK ADDRESS
> 10.0.0.5 - HOST
> 10.0.0.6 - HOST
> 10.0.0.7 - BROADCAST ADDRESS
>
> First available address is .5
>
> 10.0.0.8/30:
>
> 10.0.0.8 - NETWORK ADDRESS
> 10.0.0.9 - HOST
> 10.0.0.10 - HOST
> 10.0.0.11 - BROADCAST ADDRESS
>
> First available address is .9
>
> Thus:
>
> "The .1, .5, and .9 would be the first available addresses in their
> respective subnets."
>
> Is a true statement.
>
> How are you interpreting this?

OH! Now I understand! I'm sorry for bothering you and many thanks for this clear explanation.

Jarek P.
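The subnet tables above are worked out by hand. As an added example (not part of the thread, and not from the LARTC HOWTO), the script below does the same arithmetic for any IPv4 prefix, carves a block into consecutive link subnets the way Eliot's reply does for 10.0.0.0/30, .4/30 and .8/30, and checks that the two ends of a link really are peers: same subnet, both usable, distinct. The /31 case is handled as RFC 3021 specifies (both addresses usable, no network or broadcast address), which is also how the Linux IP stack treats a /31; the function and variable names are this example's own.

```python
"""Point-to-point addressing plan checker (added example, not from the thread)."""
import ipaddress
from typing import List, Optional, Tuple


def link_addresses(cidr: str) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Return (network, broadcast, usable_hosts) for an IPv4 subnet.

    For /31 (RFC 3021) and /32 no address is reserved for network or
    broadcast, so those two slots are None and every address is usable.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    if net.prefixlen >= 31:
        hosts = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        return None, None, hosts
    hosts = [str(ipaddress.IPv4Address(i)) for i in range(first + 1, last)]
    return str(net.network_address), str(net.broadcast_address), hosts


def allocate_links(block: str, prefixlen: int, count: int) -> List[Tuple[str, str]]:
    """Carve `count` consecutive /prefixlen subnets out of `block` and return the
    (router A, router B) interface addresses for each link; for /30 these are the
    .1/.2, .5/.6, .9/.10 pairs of the thread, for /31 the .0/.1, .2/.3, .4/.5 pairs."""
    if prefixlen not in (30, 31):
        raise ValueError("a point-to-point link wants a /30 or a /31")
    pairs: List[Tuple[str, str]] = []
    for sub in ipaddress.IPv4Network(block).subnets(new_prefix=prefixlen):
        if len(pairs) == count:
            break
        _, _, hosts = link_addresses(str(sub))
        pairs.append((f"{hosts[0]}/{prefixlen}", f"{hosts[1]}/{prefixlen}"))
    if len(pairs) < count:
        raise ValueError(f"{block} holds fewer than {count} /{prefixlen} subnets")
    return pairs


def check_link(a: str, b: str) -> List[str]:
    """Return the problems with one link (an empty list means the pair is fine).

    `a` and `b` are the interface addresses exactly as typed into `ip addr add`,
    e.g. "10.0.0.1/30" on router A and "10.0.0.2/30" on router B.
    """
    ia, ib = ipaddress.IPv4Interface(a), ipaddress.IPv4Interface(b)
    problems: List[str] = []
    if ia.network.prefixlen != ib.network.prefixlen:
        problems.append(f"prefix length differs: /{ia.network.prefixlen} vs /{ib.network.prefixlen}")
    elif ia.network != ib.network:
        problems.append(f"not the same subnet: {ia.network} vs {ib.network}")
    if ia.ip == ib.ip:
        problems.append(f"both ends use {ia.ip}")
    for side, iface in (("A", ia), ("B", ib)):
        network, _, hosts = link_addresses(str(iface.network))
        if str(iface.ip) not in hosts:
            which = "network" if str(iface.ip) == network else "broadcast"
            problems.append(f"{side}: {iface.ip} is the {which} address of {iface.network}")
    return problems


if __name__ == "__main__":
    for cidr in ("10.0.0.0/30", "10.0.0.4/30", "10.0.0.8/30", "10.0.0.0/31"):
        print(cidr, link_addresses(cidr))
    print(allocate_links("10.0.0.0/28", 30, 3))     # the /30 plan from the reply above
    print(allocate_links("10.0.0.0/29", 31, 3))     # the /31 plan from the HOWTO quote
    print(check_link("10.0.0.0/31", "10.0.0.1/31"))  # [] : valid as a RFC 3021 link
    print(check_link("10.0.0.0/30", "10.0.0.1/30"))  # A sits on the network address
```

Run it as a script to print the tables; the useful check in practice is `check_link` on every pair before the `ip addr add` commands go onto the routers, since a mismatched prefix length or an address on the network/broadcast slot of a /30 produces exactly the silent "Destination Host Unreachable" symptoms discussed further down the thread.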
Dear Eliot,

Many thx for all the efforts you're making to help me out.. I've been battling with this for over two weeks now :(

I had a few questions to ask you:

1) Does bonding support per-packet load balancing like teql does?

2) Is it compulsory to assign eth1 & eth2 IP addresses in teql setups like in the HOWTO, or can I simply use them w/o IP addrs as in the bonding setup example you gave?

3) In the setup you propose with the transparent firewall, I don't think it'll work because since different networks are involved, only a router can forward packets between different networks. The bridge can only perform packet switching on one network. It can actually extend a particular network but it cannot join two different networks. That, I believe, is the work of a router. Please correct me if you feel I'm wrong.

4) Do you believe it is possible to implement teql for the topology I'm working on, i.e. using firewalls with IP addrs? I tried it many times but no success. The main problem was that I didn't know to what network to have the teql0 device on PC_B & PC_C point to. In the example in the LARTC HOWTO, the teql0 on Router A pointed to the teql0 device on Router B. However, in the topology I'm trying to set up, I didn't know to which device to point because of the intermediate networks that we have (for FW1 & FW2). Do you think I should use a multipath route on PC_B & PC_C, something like this:

  ip route add default scope global \
      nexthop via 192.168.10.11 dev eth1 weight 1 \
      nexthop via 192.168.40.11 dev eth2 weight 1

I tried it but no success. The teql0 device won't balance traffic between the devices.. don't know if I made a mistake in the formulation of the command!!

Can you suggest me anything.. I have enough PCs to test things that you might suggest me.

Warm regards,
Visham
Dear Eliot,

thx for the explanations.. I'll try the transparent firewall setup and tell you how it goes.

However, I would like to know how you would have set up routing for a topology like the one below using bonding, where S1, S2 and S3 are servers (Layer 3 devices), and not firewalls.

           ______________          _____________
          |              |        |             |
          |          eth1|--------|eth0    S1   |
          |              |        |_____________|
    PC_A--|eth0 PC_B     |
          |              |         _____________
          |          eth2|--------|eth0    S2   |
          |              |        |_____________|
          |              |
          |              |         _____________
          |          eth3|--------|eth0    S3   |
          |______________|        |_____________|

Warm regards,
Visham
Understood.. many thx for all the help..

By the way, do you know if there's a way to distinguish between the ACK packet sent during the connection establishment phase of a TCP connection and subsequent ACK packets sent during the data transfer phase?

I know that the ACK number sent during the connection establishment will be equal to the 'sequence number for the SYN in the SYN/ACK packet' + 1.

Is there a way to distinguish between this 3rd packet and any other ACK packet during data transfer w/o having to keep track of sequence numbers? Are there other characteristics or options that are set in the former and not in the latter?

Basically I want to capture the three packets sent during the connection establishment phase of TCP. How can I do that?

Warm regards,
Visham
Visham,

 : By the way, do you know if there's a way to distinguish between
 : the ACK packet sent during the connection establishment phase of
 : a TCP connection and subsequent ACK packets sent during the data
 : transfer phase.
 :
 : I know that the ACK number sent during the connection
 : establishment will be equal to the 'sequence number for the SYN
 : in the SYN/ACK packet' + 1
 :
 : Is there a way to distinguish between this 3rd packet and any
 : other ACK packet during data transfer w/o having to keep track of
 : sequence numbers? Are there other characteristics or options that
 : are set in the former and not in the latter?
 :
 : Basically I want to capture the three packets sent during the
 : connection establishment phase of TCP. How can I do that?

How many times (or how quickly) do you need to do this? I have a somewhat simple-minded solution for you, but it doesn't scale, and may not actually solve your problem(s). If you have anything more than a few connections on which you wish to snoop (to see that they have successfully completed the handshake) my solution will not work for you.

I have used this to capture the first three packets exchanged on a particular TCP connection:

  tcpdump -nni $INTERFACE -c 3 host $TARGET and port $DPORT and \
      '( tcp[tcpflags] & tcp-syn = tcp-syn or tcp[tcpflags] & tcp-ack = tcp-ack )'

If you are looking at inbound traffic to one of your servers, that can be a bit trickier. You could, however, tcpdump the entire stream line-buffered and write a filter (sed/perl) that prints out only lines showing the SYN flag and lines containing 'ack 1 win'.

  10:16:11.232505 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: S 2114067570:2114067570(0) win 5840 <mss 1460,sackOK,timestamp 906238871 0,nop,wscale 2>
  10:16:11.257184 IP aa.bb.cc.130.25 > xx.yy.zz.44.7284: S 1756590593:1756590593(0) ack 2114067571 win 5792 <mss 1380,sackOK,timestamp 3428194314 906238871,nop,wscale 2>
  10:16:11.257242 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: . ack 1 win 1460 <nop,nop,timestamp 906238896 3428194314>

Good luck,

-Martin

-- 
Martin A. Brown
http://linux-ip.net/
Hi Martin,

> How many times (or how quickly) do you need to do this? I have a
> somewhat simple-minded solution for you, but it doesn't scale, and
> may not actually solve your problem(s).

I actually need this for as long as the machine communicates with other PCs.

> If you are looking at inbound traffic to one of your servers, that
> can be a bit trickier.

I have to capture those three packets for each and every TCP stream that is initiated. Also, I'm looking only at outbound communication, i.e. emanating from the PC on which I'm trying to catch the packets. So the ACK packet will be generated on the PC itself. But the problem is how do I capture that particular ACK packet and not the other ACK packets during the data transfer phase, w/o keeping track of IP address/port no. pairs.

Warm regards,
Visham
Visham,

 : I have to capture those three packets for each and every TCP
 : stream that is initiated. Also, I'm looking only for outbound
 : communication, i.e emanating from the PC on which I'm trying to
 : catch the packets. So the ACK packet will be generated on the PC
 : itself. But the problem how do I capture that particular ACK
 : packet and not the other ACK packets during data transfer phase,
 : w/o keeping track of IP address/port no. pairs.

It sounds like argus [0] may provide a better solution to your problem. You will get much more information than you'd get with tcpdump, but you'll get at least what you describe.

-Martin

[0] http://www.qosient.com/argus/

-- 
Martin A. Brown
http://linux-ip.net/
Many thx for the info Martin.. I'll look at it right away.

Warm regards,
Visham
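The question in this subthread is whether the third handshake packet can be told apart from later ACKs without keeping state. The script below is an added example (not code from Martin, Eliot or the thread) that shows both halves of the answer: `matches_tcpdump_filter` is the stateless flag test Martin's tcpdump expression performs, and it lets every post-SYN segment through because they all carry ACK; `HandshakeTracker` is the minimal per-flow state that does isolate the handshake, remembering each side's ISN from the SYN and SYN/ACK and labelling the one ACK whose sequence and acknowledgement numbers are both ISN + 1. tcpdump's relative "ack 1" in the quoted output is produced from the same kind of per-connection state inside tcpdump, which is why a line-based grep on it works at all. The packet stream is constructed sample data modelled on the quoted SMTP handshake (same ISNs), the addresses are from the RFC 5737 documentation ranges, and all class and function names are this example's own.

```python
"""Pick the TCP three-way handshake out of a packet stream (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits, with the names tcpdump's filter language gives them
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int          # absolute sequence number, as `tcpdump -S` would print it
    ack: int
    payload_len: int


def matches_tcpdump_filter(pkt: Packet) -> bool:
    """Stateless test equivalent to
    '( tcp[tcpflags] & tcp-syn = tcp-syn or tcp[tcpflags] & tcp-ack = tcp-ack )'."""
    return bool(pkt.flags & TCP_SYN) or bool(pkt.flags & TCP_ACK)


# A flow is keyed from the SYN sender's point of view: (client, cport, server, sport)
Flow = Tuple[str, int, str, int]


class HandshakeTracker:
    """Per-flow ISN memory: exactly the state needed to label SYN, SYN/ACK, third ACK."""

    def __init__(self) -> None:
        self.client_isn: Dict[Flow, int] = {}
        self.server_isn: Dict[Flow, int] = {}
        self.established: Dict[Flow, bool] = {}

    def classify(self, pkt: Packet) -> Optional[str]:
        """Return 'SYN', 'SYN/ACK' or 'ACK3' for a handshake packet, else None."""
        fwd: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # if this packet is client -> server
        rev: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # if this packet is server -> client
        syn, ack = bool(pkt.flags & TCP_SYN), bool(pkt.flags & TCP_ACK)

        if syn and not ack:
            # step 1: a (re)transmitted SYN (re)starts the flow's state
            self.client_isn[fwd] = pkt.seq
            self.server_isn.pop(fwd, None)
            self.established[fwd] = False
            return "SYN"

        if syn and ack and rev in self.client_isn and pkt.ack == self.client_isn[rev] + 1:
            # step 2: the server's ISN, acknowledging the client's ISN + 1
            self.server_isn[rev] = pkt.seq
            return "SYN/ACK"

        if (ack and not syn
                and fwd in self.server_isn
                and not self.established.get(fwd, True)
                and pkt.seq == self.client_isn[fwd] + 1
                and pkt.ack == self.server_isn[fwd] + 1):
            # step 3: both numbers are ISN + 1 and the flow is not yet established;
            # the test holds even if the client piggybacks data on this segment
            self.established[fwd] = True
            return "ACK3"

        return None


def handshake_packets(stream: List[Packet]) -> List[Tuple[int, str]]:
    """Indices and labels of the handshake packets found in `stream`."""
    tracker = HandshakeTracker()
    found: List[Tuple[int, str]] = []
    for i, pkt in enumerate(stream):
        label = tracker.classify(pkt)
        if label is not None:
            found.append((i, label))
    return found


C, S = ("192.0.2.44", 7284), ("198.51.100.130", 25)   # constructed client / server
C_ISN, S_ISN = 2114067570, 1756590593                 # ISNs taken from the quoted capture

# Constructed sample stream: the handshake, a 40-byte server banner, the client's
# bare ACK for it, a 12-byte client command and the server's bare ACK for that.
SAMPLE_STREAM: List[Packet] = [
    Packet(*C, *S, TCP_SYN,           C_ISN,       0,          0),
    Packet(*S, *C, TCP_SYN | TCP_ACK, S_ISN,       C_ISN + 1,  0),
    Packet(*C, *S, TCP_ACK,           C_ISN + 1,   S_ISN + 1,  0),
    Packet(*S, *C, TCP_PSH | TCP_ACK, S_ISN + 1,   C_ISN + 1,  40),
    Packet(*C, *S, TCP_ACK,           C_ISN + 1,   S_ISN + 41, 0),
    Packet(*C, *S, TCP_PSH | TCP_ACK, C_ISN + 1,   S_ISN + 41, 12),
    Packet(*S, *C, TCP_ACK,           S_ISN + 41,  C_ISN + 13, 0),
]

if __name__ == "__main__":
    passed = sum(matches_tcpdump_filter(p) for p in SAMPLE_STREAM)
    print(f"{passed} of {len(SAMPLE_STREAM)} segments pass the flag-only filter")
    print(handshake_packets(SAMPLE_STREAM))   # [(0, 'SYN'), (1, 'SYN/ACK'), (2, 'ACK3')]
```

Packet 4 in the sample (the client's bare ACK for the banner) has the same flags and the same sequence number as the third handshake packet; only its acknowledgement number differs, and judging that needs the server ISN remembered from the SYN/ACK. That is the reason the thread ends up at argus and at a libpcap daemon: a per-flow table keyed on the address/port 4-tuple is the smallest thing that works, and for a host that only needs its own outbound connections the table stays small and entries can be dropped as soon as ACK3 is seen.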
Eliot, Wireless and Server Administrator, Great Lakes Internet
2006-Jun-05 13:00 UTC
RE: Not understanding network setup!!
> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> On Behalf Of ramsurrunv@mx.uom.ac.mu
> Sent: Sunday, June 04, 2006 12:32 PM
> To: Martin A. Brown
> Cc: lartc@mailman.ds9a.nl; ramsurrunv@mx.uom.ac.mu
> Subject: RE: [LARTC] Not understanding network setup!!
>
> Hi Martin,
>
> > How many times (or how quickly) do you need to do this? I have a
> > somewhat simple-minded solution for you, but it doesn't scale, and
> > may not actually solve your problem(s).
>
> I actually need this for as long as the machine communicates with other
> PCs.
>
> > If you are looking at inbound traffic to one of your servers, that
> > can be a bit trickier.
>
> I have to capture those three packets for each and every TCP stream that
> is initiated. Also, I'm looking only for outbound communication, i.e
> emanating from the PC on which I'm trying to catch the packets. So the ACK
> packet will be generated on the PC itself. But the problem how do I
> capture that particular ACK packet and not the other ACK packets during
> data transfer phase, w/o keeping track of IP address/port no. pairs.

The way I would do this is write a small userspace capturing tool that runs as a daemon all the time and watches the packets as they traverse the machine. I have written a small libpcap based program which does something similar. You are free to use whatever code you need from it as long as the code will not be included in anything that is resold:

http://eliot.kayandee.net/traflog.php

This program simply counts traffic on a per-MAC and per-IP basis. It also provides both MAC->IP and IP->MAC lookup tables. It should be fairly trivial (as in no more than a day's worth of work) to modify it to suit your needs.
Eliot Gable
Great Lakes Internet, Inc.