
#1 2016-03-02 19:46:07

msalerno
Member
Registered: 2014-08-15
Posts: 32

[Solved] IPTables with Vlan

Situation:
Node1
eth0: 192.168.1.10
eth1: 192.168.2.10
Vlan10: 10.10.10.10

Node2
eth0: 192.168.1.20
eth1: 192.168.2.20
Vlan10: 10.10.10.20

Situation: I have a service that runs on both nodes and needs a heartbeat connection for which I am using eth1. The problem is that I do not have control over the network and eth1 is full of other hosts. This service is very picky and will only work if all hosts on the network are registered and there is no default gateway specified. It registers via MAC and does lots of ARP queries. My solution was to create a VLAN between the two nodes and bind the application to the VLAN adapter. The problem I am having now is that it will not route across the VLAN network. I can ping 192.168.2.10 from 192.168.2.20 and the other way, but I cannot ping 10.10.10.10 from 10.10.10.20 either way.

Would it be possible to use SNAT or MASQUERADE to solve this problem?

iptables -t nat -I POSTROUTING 1 --src 10.10.10.0/24 -o eth1 -j MASQUERADE

What about in the other direction?   I'm a little lost when it comes to iptables.


Thanks

Last edited by msalerno (2016-03-03 04:16:14)


#2 2016-03-02 21:54:27

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [Solved] IPTables with Vlan

msalerno wrote:

Would it be possible to use SNAT or MASQUERADE to solve this problem?

No.

Post the output of the following commands, from both nodes:

ip -4 a s
ip -4 r s

EDIT: And use code tags please.

Last edited by fukawi2 (2016-03-02 21:55:16)


#3 2016-03-02 22:08:19

msalerno
Member
Registered: 2014-08-15
Posts: 32

Re: [Solved] IPTables with Vlan

The systems are down at the moment so I can't get the info.   Upon further reading, I think what I need is full cone nat.

I'll still post the output when I get access.


#4 2016-03-02 22:20:39

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [Solved] IPTables with Vlan

If your setup is what you have described, then you need no kind of NAT. This is basic routing connectivity.


#5 2016-03-02 23:34:02

msalerno
Member
Registered: 2014-08-15
Posts: 32

Re: [Solved] IPTables with Vlan

I should be able to ping 10.10.10.3 from 10.10.10.2 without any routing required but it won't.

Node1:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.2.20/28 brd 192.168.2.31 scope global eth1
       valid_lft forever preferred_lft forever
4: eth1.10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 10.10.10.2/24 brd 10.10.10.255 scope global eth1.10
       valid_lft forever preferred_lft forever

default via 192.168.1.1 dev eth0  proto static  metric 100
10.10.10.0/24 dev eth1.10  proto kernel  scope link  src 10.10.10.2  metric 400
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.20  metric 100
192.168.2.16/28 dev eth1  proto kernel  scope link  src 192.168.2.20  metric 100

Node2:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.1.21/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.2.21/28 brd 192.168.2.31 scope global eth1
       valid_lft forever preferred_lft forever
4: eth1.10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 10.10.10.3/24 brd 10.10.10.255 scope global eth1.10
       valid_lft forever preferred_lft forever

default via 192.168.1.1 dev eth0  proto static  metric 100
10.10.10.0/24 dev eth1.10  proto kernel  scope link  src 10.10.10.3  metric 400
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.21  metric 100
192.168.2.16/28 dev eth1  proto kernel  scope link  src 192.168.2.21  metric 100


#6 2016-03-02 23:57:28

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [Solved] IPTables with Vlan

msalerno wrote:

I should be able to ping 10.10.10.3 from 10.10.10.2 without any routing required but it won't.

Correct; it's technically still routing even though there's no router. Each node needs to route via its correct interface, which looks like they should be doing correctly based on the output you've posted.

How are the 2 nodes connected? Check your VLAN config on your switch(es).

Run a tcpdump on both hosts while trying to ping:

tcpdump -lnn -ieth1.10 icmp or arp


#7 2016-03-03 01:27:28

msalerno
Member
Registered: 2014-08-15
Posts: 32

Re: [Solved] IPTables with Vlan

The problem is that they are not my switches.  I'm remote with just SSH access.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.10, link-type EN10MB (Ethernet), capture size 65535 bytes
20:26:15.136276 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:26:16.137144 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:26:17.139164 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:26:19.137363 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:26:20.139140 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28

I've also tried both 2 and 0 for rp_filter with no change in result.

Last edited by msalerno (2016-03-03 01:37:03)


#8 2016-03-03 01:34:24

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [Solved] IPTables with Vlan

Well you can't just create VLANs randomly. If the switches aren't configured for it, they're most likely just going to drop those ethernet frames as invalid, which is exactly what it looks like is happening from the tcpdump (I'm assuming that was captured on 10.10.10.2 when you were pinging 10.10.10.3).

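The two checks fukawi2 asks for above (where does the kernel send a packet for the peer, and does the peer ever answer ARP on that interface) can be scripted against the pasted `ip -4 r s` and tcpdump text. The following is an added example, not code from the thread or from any of its participants; the route table and the five unanswered ARP requests are copied from the posts, while the "working segment" capture and its MAC address are constructed for contrast.

```python
"""Triage the "eth1 pings but eth1.10 does not" symptom from pasted command output.

1. lookup(): longest-prefix match over `ip -4 r s`, the same decision the kernel
   makes. A connected /24 on eth1.10 is still a routing decision, just one with
   no gateway, so the next hop is the peer itself and the next step is ARP.
2. arp_summary(): count ARP requests vs replies per target in tcpdump -n output.
   Requests with zero replies mean the layer-2 path is dead; no layer-3 rewrite
   (SNAT/MASQUERADE) can change that.
"""
import ipaddress
import re
from collections import Counter

# Node1's routing table exactly as posted in the thread (ip -4 r s).
NODE1_ROUTES = """\
default via 192.168.1.1 dev eth0  proto static  metric 100
10.10.10.0/24 dev eth1.10  proto kernel  scope link  src 10.10.10.2  metric 400
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.20  metric 100
192.168.2.16/28 dev eth1  proto kernel  scope link  src 192.168.2.20  metric 100
"""

# The capture posted from Node1 (tcpdump -lnn -i eth1.10 icmp or arp): requests, no replies.
CAPTURE_BROKEN = """\
20:26:15.136276 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:26:16.137144 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:26:17.139164 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:26:19.137363 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:26:20.139140 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
"""

# Constructed sample of what a working segment looks like (MAC address made up).
CAPTURE_OK = """\
20:30:01.000000 ARP, Request who-has 10.10.10.3 tell 10.10.10.2, length 28
20:30:01.000400 ARP, Reply 10.10.10.3 is-at 02:00:00:00:00:03, length 28
20:30:01.000900 IP 10.10.10.2 > 10.10.10.3: ICMP echo request, id 1, seq 1, length 64
20:30:01.001300 IP 10.10.10.3 > 10.10.10.2: ICMP echo reply, id 1, seq 1, length 64
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")
ARP_REQ_RE = re.compile(r"ARP, Request who-has (?P<target>[^\s,]+) tell (?P<sender>[^\s,]+)")
ARP_REPLY_RE = re.compile(r"ARP, Reply (?P<target>[^\s,]+) is-at (?P<mac>[^\s,]+)")


def parse_routes(text):
    """Return [(network, gateway-or-None, device)] from `ip -4 r s` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append((ipaddress.ip_network(dst, strict=False), m["gw"], m["dev"]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match. Metrics are ignored: the posted tables have no equal-length routes."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    return {"dev": best[2], "gateway": best[1], "on_link": best[1] is None}


def arp_summary(capture):
    """Per-target ARP request/reply counts from tcpdump -n text output."""
    requests, replies = Counter(), Counter()
    for line in capture.splitlines():
        if m := ARP_REQ_RE.search(line):
            requests[m["target"]] += 1
        elif m := ARP_REPLY_RE.search(line):
            replies[m["target"]] += 1
    return {t: {"requests": n, "replies": replies[t]} for t, n in requests.items()}


def diagnose(route_text, capture, peer):
    """One-line verdict for reaching `peer` from the node that produced these outputs."""
    route = lookup(parse_routes(route_text), peer)
    if route is None:
        return "no route to peer"
    if not route["on_link"]:
        return f"peer reached via gateway {route['gateway']} on {route['dev']}; ARP is for the gateway, not the peer"
    arp = arp_summary(capture).get(peer)
    if arp is None:
        return f"on-link via {route['dev']} but no ARP request seen; check the capture interface"
    if arp["replies"] == 0:
        return (f"on-link via {route['dev']}, {arp['requests']} ARP requests, 0 replies: "
                "layer-2 path is broken (untagged switch port?); NAT cannot fix this")
    return f"on-link via {route['dev']}, ARP answered; look above layer 2"


if __name__ == "__main__":
    print(diagnose(NODE1_ROUTES, CAPTURE_BROKEN, "10.10.10.3"))
    print(diagnose(NODE1_ROUTES, CAPTURE_OK, "10.10.10.3"))
```

Run it on the real outputs by pasting them into the two strings; the "no ARP request seen" branch is the one to watch for if you captured on the wrong interface (eth1 instead of eth1.10), since a tagged frame never shows up untagged.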

#9 2016-03-03 01:38:03

msalerno
Member
Registered: 2014-08-15
Posts: 32

Re: [Solved] IPTables with Vlan

Correct about the direction of the ping and correct about the switches.   That's why I was looking at a NAT solution or some kind of tunnel.


#10 2016-03-03 01:42:07

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [Solved] IPTables with Vlan

NAT is not going to help, VLANs are a Layer 2 technology. The switches see ethernet frames (Layer 2) coming in with an 802.1Q VLAN header, and since the switchport you're connected to isn't configured for VLAN 10, the switch drops the frame. No amount of adjusting the IP source address (Layer 3) will change that.

You can probably achieve what you want by removing the VLANs altogether, and just assigning the additional 10.10.10.0/24 addresses directly to eth1, unless your switches have some kind of Layer 3 ACLs in place.

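To make the layering point in the reply above concrete: the part of the frame a switch consults to accept or drop a tagged frame (the 802.1Q tag at bytes 12 to 15) sits in front of the IP header, and the only thing SNAT/MASQUERADE changes is inside the IP header. The block below is an added example, not code from the thread; it builds a minimal tagged Ethernet frame with a hand-packed IPv4 header, applies the layer-3 rewrite that NAT performs, and checks that the VLAN ID and the rest of the Ethernet header are byte-for-byte untouched. The MAC addresses are made up; real netfilter NAT also tracks connections and rewrites L4 ports, which is left out because the switch drops the frame before any of that matters.

```python
"""A tagged frame before and after a MASQUERADE-style source rewrite."""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the IPv4 header. Returns 0 for a valid header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_tagged_frame(dst_mac, src_mac, vid, src_ip, dst_ip, payload=b"") -> bytes:
    """Ethernet II header + 802.1Q tag + IPv4 header (protocol 1 = ICMP) + payload."""
    eth = _mac(dst_mac) + _mac(src_mac)
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0, VID
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload),   # version/IHL, DSCP/ECN, total length
                     0, 0,                         # identification, flags/fragment offset
                     64, 1, 0,                     # TTL, protocol (ICMP), checksum placeholder
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def vlan_id(frame: bytes):
    """VID from the 802.1Q tag, or None for an untagged frame. This is all the switch looks at."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def ip_header_offset(frame: bytes) -> int:
    return 18 if vlan_id(frame) is not None else 14


def ipv4_src(frame: bytes) -> str:
    off = ip_header_offset(frame)
    return str(ipaddress.IPv4Address(frame[off + 12:off + 16]))


def masquerade(frame: bytes, new_src: str) -> bytes:
    """The layer-3 part of SNAT/MASQUERADE: replace the IPv4 source and recompute the
    header checksum. Nothing before the IP header, the VLAN tag included, is touched."""
    off = ip_header_offset(frame)
    ip = bytearray(frame[off:off + 20])
    ip[12:16] = ipaddress.IPv4Address(new_src).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return frame[:off] + bytes(ip) + frame[off + 20:]


def ipv4_header_valid(frame: bytes) -> bool:
    off = ip_header_offset(frame)
    return ipv4_checksum(frame[off:off + 20]) == 0


# Constructed: Node1 pinging Node2 on VLAN 10 (MACs made up, ICMP body truncated to the type/code).
SAMPLE_FRAME = build_tagged_frame("02:00:00:00:00:03", "02:00:00:00:00:02", 10,
                                  "10.10.10.2", "10.10.10.3", b"\x08\x00")

if __name__ == "__main__":
    natted = masquerade(SAMPLE_FRAME, "192.168.2.20")
    print("VID before/after NAT:", vlan_id(SAMPLE_FRAME), vlan_id(natted))
    print("IP src before/after NAT:", ipv4_src(SAMPLE_FRAME), ipv4_src(natted))
    print("Ethernet+tag bytes unchanged:", natted[:18] == SAMPLE_FRAME[:18])
```

The same code path handles an untagged frame (IP header at offset 14), which is what the "assign 10.10.10.0/24 directly to eth1" suggestion amounts to: the switch then never sees a tag it was not configured for.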

#11 2016-03-03 02:01:29

msalerno
Member
Registered: 2014-08-15
Posts: 32

Re: [Solved] IPTables with Vlan

I just set up a quick GRE tunnel to see if that will solve the problem. So far I'm pinging through the tunnel, now to test the app.

Thanks


#12 2016-03-03 04:18:10

msalerno
Member
Registered: 2014-08-15
Posts: 32

Re: [Solved] IPTables with Vlan

The VLAN and GRE tunnel didn't work and the full cone NAT solution was more than I wanted to manage. Then I found Ntop N2N. It's all about the multicast.

Thanks again for the help


#13 2016-03-03 05:36:22

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [Solved] IPTables with Vlan

Ah, an XY Problem. Glad you figured it out.

