From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: static via dhcp/pppoe + additonal static IPs (UK BT infinity, AT/CH UPC Business, CH Init7) Date: Tue, 19 May 2015 11:48:21 +0200 Message-ID: <1432028901.16602.29.camel@ipfire.org> In-Reply-To: <87CBE8D3E7D93049B8B80C5A40A9A89F6FBCA72E@ODIN.nodeejay.local> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7374137172528216246==" List-Id: --===============7374137172528216246== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, On Mon, 2015-05-18 at 12:56 +0000, Alexander Weber wrote: > Sorry, noted. no worries. > Challenge: add static IPs (/32) or a routed subnet to a non STATIC RED conn= ection eg. DHCP, PPPoE, Dial-Up etc. >=20 > Obvious issue(s) w/ solution:=20 > - Error message in aliases.cgi -> just cosmetic and a quick rewrite to "|| = DHCP" or whatever we got workging later > - /etc/rcd/init.d/networking/red starts setaliases (c-program) only if STAT= IC -> again a quick rewrite to run the script whith other settings > - /usr/local/bin/setaliases gets variables from the /var/ipfire/network/ali= ases without issues, but /var/ipfire/network/settings does not contain them w= hen connection is not static, eg. red gateway or red subnetmask. > In this case I assume the vars need to come from ipfire/dhcpc and the ether= net setting? Please commit these changes to a git repository so that we can keep track of them individually. As far as I understand, you already changed the aliases.cgi file. So this is probably done? I sent you a changed version of the setaliases binary. Do these changes work? The last point is a bit tricky. The setting file is read to find out about the netmask and broadcast address. The broadcast address is not actually needed if we replace that ifconfig command by the ip command (even ifconfig should not require it). The bit with the netmask is more complicated. setaliases assumes that the network is one network in which all the IP addresses are. That is most likely not the case for your DHCP setup and you usually don't get consecutive IP addresses when you order extra ones in a data center. They will give you what ever is not allocated. So I suppose that it should be fine if we set those up with /32 as you do further below. I am not aware if any disadvantages. > Config: > Static via DHCP > IP: 212.51.153.253 > SN: 255.255.255.0 > GW: 212.51.153.1 > BC: 212.51.153.255 > =20 > Static routed subnet: 85.195.224.64/29 >=20 > Real issue(s) w/o solution: > So I tried directly attaching each IP to make all IPs available to DNAT: >=20 > $ ifconfig red0:0 85.195.224.64 netmask 255.255.255.255 up $=20 > $ /usr/sbin/arping -c 1 -w 1 -i red0 -S 85.195.224.64 212.51.153.1 > In WebIFC with the corresponding DNAT and SNAT entry >=20 > And routed: > $ ifconfig red0:0 85.195.224.65 netmask 255.255.255.248 up $=20 > $ /usr/sbin/arping -c 1 -w 1 -i red0 -S 85.195.224.65 85.195.224.64 > In WebIFC, static routes: 85.195.224.64/29 gw: 85.195.224.65 >=20 > With or without any configuration changes except firewall rules the package= leaves the origin, arrives at the correct alias, is correctly transmitted to= the destination server. The corresponging ACK comes back from the destinatio= n server, leaves the firewall on RED but never arrives athe the origin. >=20 > I called the provider and he sees the incoming pacakges correctly routing, = but he cannot inspect the outgoing ones and state if they are correct or not. >=20 > Forum: http://forum.ipfire.org/viewtopic.php?f=3D51&t=3D12800&sid=3D08a461d= 562a2eea83d1224c2980882ab >=20 > Any ideas hints or comments are highly appreciated. It is a bit hard to say what is going wrong here. Do you think that the firewall drops the packet? -Michael >=20 > Thanks, >=20 > Alex >=20 > -----Original Message----- > From: Michael Tremer [mailto:michael.tremer(a)ipfire.org]=20 > Sent: Wednesday, May 06, 2015 12:47 > To: Alexander Weber > Cc: development(a)lists.ipfire.org > Subject: Re: static via dhcp/pppoe + additonal static IPs (UK BT infinity, = AT/CH UPC Business, CH Init7) >=20 > Hello Alex, >=20 > we speak English on this list. >=20 > What I would need for a beginning is recap of what is supposed to be done h= ere and what the current state of your efforts is. >=20 > I have not been following the forum thread very closely and I am now not in= a position to tell what is working and what is not and what problem you are = trying to solve right now. >=20 > Best, > -Michael >=20 > On Tue, 2015-05-05 at 14:44 +0000, Alexander Weber wrote: > > Hi, > >=20 > > Haette auch vermutet einfach den GW von der DHCP Adresse herzunehmen=20 > > tut, aber wohl nein. > >=20 > > Ich glaube das grosse Problem liegt daran, dass eine IP aus einem=20 > > Subnet fix per DHCP kommt und die weiteren IPs aus einem Anderen. > > Vielleicht bin ich auch zu ungeduldig, siehe=20 > > http://shorewall.net/shorewall_setup_guide.htm#ProxyARP kommender=20 > > Absatz CAUTION und der Provider hats nicht geaendert =E2=80=93 dagegen sp= richt=20 > > aber ein traceroute (siehe Attachments). > >=20 > > Pfsense hat es geloest, da heist es VIP, ich lad mir mal die Distro=20 > > und schaue mir an wie es dort geloest ist, vielleicht bringt das ja=20 > > noch eine Idee. > >=20 > > Cheers, > >=20 > > Alex > >=20 > > =20 > > ______________________________________________________________________ > > Sent: Tue May 05, 2015 12:51 pm > > From: MichaelTremer > > Recipient:NODeeJay > >=20 > > Hi, > >=20 > > das sind jetzt nicht gerade all zu viele Informationen... > >=20 > > Grunds=C3=A4tzlich ist das egal welche Subnetzmaske du benutzt. Das Gatew= ay=20 > > ist doch sowieso klar oder? Oder ist wirklich eine Adresse aus dem=20 > > Netz das Gateway f=C3=BCr das Netz? > >=20 > > K=C3=B6nnen wir die ganze Diskussion auch auf der Devel Mailing Liste=20 > > f=C3=BChren? Dann sind mehr Leute dabei... > >=20 > > NODeeJay wrote:Hey Michael, > >=20 > > ich hab jetzt alles was mir einfiel versucht, mit SNAT/DNAT, ohne, mit=20 > > dem Gateway vom der DHCP Adresse, mit einer Route zum gerouteten Netz=20 > > etc. > > In allen Faellen gehen lt. tcpdump auch ACKs raus, kommen aber nie an. > > Arping liefert uebrigens auch immer 100% Verlust. Vielleicht bin ich=20 > > mittelerweile auch Konsolenblind geworden. > >=20 > > Config > > statische via DHCP > > IP: 212.51.153.253 > > SN: 255.255.255.0 > > GW: 212.51.153.1 > > BC: 212.51.153.255 > >=20 > > fixe: 85.195.224.64/29 > >=20 > > was m.E. funktionierte sollte > > nicht gerouted: > >=20 > > Code: Select all > >=20 > > $ ifconfig red0:0 85.195.224.64 netmask 255.255.255.255 up $=20 > > /usr/sbin/arping -c 1 -w 1 -i red0 -S 85.195.224.64 212.51.153.1 > >=20 > >=20 > >=20 > > gerouted: > >=20 > > Code: Select all > >=20 > > $ ifconfig red0:0 85.195.224.65 netmask 255.255.255.248 up $=20 > > /usr/sbin/arping -c 1 -w 1 -i red0 -S 85.195.224.65 85.195.224.64 > > =20 > >=20 > >=20 > > und die Route unter den statischen mit 85.195.224.64/29 gw: > > 85.195.224.65 eingetragen. > >=20 > > beim Provider ist lt Provider alles i.O. > >=20 > > Vielleicht siehst Du noch wo das Problem sein koennte, im Prinzip ist=20 > > es ja nichts anderes als auf DD-WRT=20 > > http://www.dd-wrt.com/phpBB2/viewtopic. ... 639#211639. > >=20 > > Cheers, > >=20 > > Alex > >=20 > > =20 > >=20 > >=20 > > _______________________________________________ > > Development mailing list > > Development(a)lists.ipfire.org > > http://lists.ipfire.org/mailman/listinfo/development --===============7374137172528216246== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjIKCmlRSWNCQUFC Q2dBR0JRSlZXd2JvQUFvSkVJQjU4UDl2a0FrSDAvd1AvM3ZOQ25oTnFRQ2xqVXAxaU5XSUdkNFEK eFN2NXBvU3ZkZEFkdFVabE5VeWtWLzV5akJWbzFlSjdQVlduclRPN3Y0ZS9TRTZtUnNzcXpaSnpl em1VVnBlZApDc1IvbzRQNGJTcXN4ZjFwelNUQ2tCSG53RFBJQWNabzIxME1RRGRobDFvc0s0Q2px Mm9lemMwaHJTL1FJbGhCCks0dTVGS2xvc2hwZW5RUXZWQ2pFSHF3dHVaa1E0MkUrS2lxR2V0SUhz VHQvbGtaZGhUekhDU2VESGI3VW8rRUcKTnBMSE9vaGRJOXJEaXVvam9MRG92WVZocFA2dURtSFhy NlprZ0xKSVFuNTRjRWJ5SHhKSksxUjg3QWJpQ09QawpINzNHVC9nV3NMVmhBZHlCbEpRRHVsODc0 YW1mSjJTWVBNeGhpcFo4dE9RNTh5NFFFNTh2S3FZR2hUTGdIbkpzClJKWDl0RE9SeU1zY05LeXJk MGQwQjNGZDFaVlZyNzNlNkF3N3VHMUZ5K1N6ZUFUQk11V1Q0ZXNUeDYzZjZzeHUKNHFlSkhnenhJ ZmVySWd5c0FjM2UzRVRvUnNFL1IwRnIyUUFYRlk5QkI5SnBJRVFVNURESmZsYXlreW1HbkpvZgpH anZTd2FCTHNNVXhubGZ5U0JJNHJxUFhKdFBHanFLVEd5OTVSeTY3UXowMVdhKzlPaFZmL3B4dEJi TzQ1WjUwCm05TUVOaHg3djY5WFVCb3U2MTZaVUVobzd4MDA1YUNkK0QzQXlBUWNOcWI5V3hhQ3hn aFFtRG1TcGNDelo2dksKUkZDeGJscTlXRWdrT3V5OEZZTHRHd08xNEJuSFRHaHk5TVk1bk8zQitW NjJkSDBVbUdScUViQ3ArTVczb1ZnUQpyTXEwV1NneWNJVzJ4Mk90Qjh5NQo9Zm1nRAotLS0tLUVO RCBQR1AgU0lHTkFUVVJFLS0tLS0K --===============7374137172528216246==--