Hi,
On Mon, 2015-05-18 at 12:56 +0000, Alexander Weber wrote:
Sorry, noted.
no worries.
Challenge: add static IPs (/32) or a routed subnet to a non STATIC RED connection eg. DHCP, PPPoE, Dial-Up etc.
Obvious issue(s) w/ solution:
- Error message in aliases.cgi -> just cosmetic and a quick rewrite to "|| DHCP" or whatever we got workging later
- /etc/rcd/init.d/networking/red starts setaliases (c-program) only if STATIC -> again a quick rewrite to run the script whith other settings
- /usr/local/bin/setaliases gets variables from the /var/ipfire/network/aliases without issues, but /var/ipfire/network/settings does not contain them when connection is not static, eg. red gateway or red subnetmask.
In this case I assume the vars need to come from ipfire/dhcpc and the ethernet setting?
Please commit these changes to a git repository so that we can keep track of them individually.
As far as I understand, you already changed the aliases.cgi file. So this is probably done?
I sent you a changed version of the setaliases binary. Do these changes work?
The last point is a bit tricky. The setting file is read to find out about the netmask and broadcast address. The broadcast address is not actually needed if we replace that ifconfig command by the ip command (even ifconfig should not require it).
The bit with the netmask is more complicated. setaliases assumes that the network is one network in which all the IP addresses are. That is most likely not the case for your DHCP setup and you usually don't get consecutive IP addresses when you order extra ones in a data center. They will give you what ever is not allocated.
So I suppose that it should be fine if we set those up with /32 as you do further below. I am not aware if any disadvantages.
Config: Static via DHCP IP: 212.51.153.253 SN: 255.255.255.0 GW: 212.51.153.1 BC: 212.51.153.255
Static routed subnet: 85.195.224.64/29
Real issue(s) w/o solution: So I tried directly attaching each IP to make all IPs available to DNAT:
$ ifconfig red0:0 85.195.224.64 netmask 255.255.255.255 up $ $ /usr/sbin/arping -c 1 -w 1 -i red0 -S 85.195.224.64 212.51.153.1 In WebIFC with the corresponding DNAT and SNAT entry
And routed: $ ifconfig red0:0 85.195.224.65 netmask 255.255.255.248 up $ $ /usr/sbin/arping -c 1 -w 1 -i red0 -S 85.195.224.65 85.195.224.64 In WebIFC, static routes: 85.195.224.64/29 gw: 85.195.224.65
With or without any configuration changes except firewall rules the package leaves the origin, arrives at the correct alias, is correctly transmitted to the destination server. The corresponging ACK comes back from the destination server, leaves the firewall on RED but never arrives athe the origin.
I called the provider and he sees the incoming pacakges correctly routing, but he cannot inspect the outgoing ones and state if they are correct or not.
Forum: http://forum.ipfire.org/viewtopic.php?f=51&t=12800&sid=08a461d562a2e...
Any ideas hints or comments are highly appreciated.
It is a bit hard to say what is going wrong here. Do you think that the firewall drops the packet?
-Michael
Thanks,
Alex
-----Original Message----- From: Michael Tremer [mailto:michael.tremer@ipfire.org] Sent: Wednesday, May 06, 2015 12:47 To: Alexander Weber Cc: development@lists.ipfire.org Subject: Re: static via dhcp/pppoe + additonal static IPs (UK BT infinity, AT/CH UPC Business, CH Init7)
Hello Alex,
we speak English on this list.
What I would need for a beginning is recap of what is supposed to be done here and what the current state of your efforts is.
I have not been following the forum thread very closely and I am now not in a position to tell what is working and what is not and what problem you are trying to solve right now.
Best, -Michael
On Tue, 2015-05-05 at 14:44 +0000, Alexander Weber wrote:
Hi,
Haette auch vermutet einfach den GW von der DHCP Adresse herzunehmen tut, aber wohl nein.
Ich glaube das grosse Problem liegt daran, dass eine IP aus einem Subnet fix per DHCP kommt und die weiteren IPs aus einem Anderen. Vielleicht bin ich auch zu ungeduldig, siehe http://shorewall.net/shorewall_setup_guide.htm#ProxyARP kommender Absatz CAUTION und der Provider hats nicht geaendert – dagegen spricht aber ein traceroute (siehe Attachments).
Pfsense hat es geloest, da heist es VIP, ich lad mir mal die Distro und schaue mir an wie es dort geloest ist, vielleicht bringt das ja noch eine Idee.
Cheers,
Alex
Sent: Tue May 05, 2015 12:51 pm From: MichaelTremer Recipient:NODeeJay
Hi,
das sind jetzt nicht gerade all zu viele Informationen...
Grundsätzlich ist das egal welche Subnetzmaske du benutzt. Das Gateway ist doch sowieso klar oder? Oder ist wirklich eine Adresse aus dem Netz das Gateway für das Netz?
Können wir die ganze Diskussion auch auf der Devel Mailing Liste führen? Dann sind mehr Leute dabei...
NODeeJay wrote:Hey Michael,
ich hab jetzt alles was mir einfiel versucht, mit SNAT/DNAT, ohne, mit dem Gateway vom der DHCP Adresse, mit einer Route zum gerouteten Netz etc. In allen Faellen gehen lt. tcpdump auch ACKs raus, kommen aber nie an. Arping liefert uebrigens auch immer 100% Verlust. Vielleicht bin ich mittelerweile auch Konsolenblind geworden.
Config statische via DHCP IP: 212.51.153.253 SN: 255.255.255.0 GW: 212.51.153.1 BC: 212.51.153.255
fixe: 85.195.224.64/29
was m.E. funktionierte sollte nicht gerouted:
Code: Select all
$ ifconfig red0:0 85.195.224.64 netmask 255.255.255.255 up $ /usr/sbin/arping -c 1 -w 1 -i red0 -S 85.195.224.64 212.51.153.1
gerouted:
Code: Select all
$ ifconfig red0:0 85.195.224.65 netmask 255.255.255.248 up $ /usr/sbin/arping -c 1 -w 1 -i red0 -S 85.195.224.65 85.195.224.64
und die Route unter den statischen mit 85.195.224.64/29 gw: 85.195.224.65 eingetragen.
beim Provider ist lt Provider alles i.O.
Vielleicht siehst Du noch wo das Problem sein koennte, im Prinzip ist es ja nichts anderes als auf DD-WRT http://www.dd-wrt.com/phpBB2/viewtopic. ... 639#211639.
Cheers,
Alex
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development