Hello,
I'm using ClearOS mainly as an internet gateway for a bunch of private networks. Therefore I have set Network mode to "Gateway" (https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_network_types_-_external_lan_hotlan_dmz). This works fine, all computers on different LANs can access the internet.
But I'm unable to communicate between LANs. I have three interfaces: eth0 (external) and eth1 + eth2 for LAN (two different subnets): http://prntscr.com/mcvaw8
According to the documentation, routing between LANs should work out of the box, but it does not and I cannot figure out why.
From a computer on the 10.10.254.X subnet I can ping the gateway both on the 10.10.254.10 and 10.1.87.10 address. But I'm unable to ping anything on the 10.1.87.X subnet. Of course I have set the ClearOS IP as the default gateway on the client computer (so all traffic goes through ClearOS).
Iptables on clearos looks like: http://prntscr.com/mcvf6l
Any help appreciated. Thanks!
Responses (7)
Accepted Answer
Use "host" instead of "src" if you want to see traffic in both directions. I can't get it to work with the "icmp" selector either. You can even get more ambitious and monitor both NICs at the same time.
If you see no reply at all on either interface, then either the target machine is not responding or a smart switch is not routing correctly.
Accepted Answer
Nick Howitt wrote:
What is the contents of /etc/clearos/network.conf? Also the output of "ip r".
# Network mode
MODE="gateway"
# Network interface roles
EXTIF="eth0"
LANIF="eth1 eth2"
DMZIF=""
HOTIF=""
# Domain and Internet Hostname
DEFAULT_DOMAIN="XXX.net"
INTERNET_HOSTNAME="gw-private.YYY.XXX.net"
# Extra LANS
EXTRALANS=""
# ISP Maximum Speeds
ETH0_MAX_DOWNSTREAM=0
ETH0_MAX_UPSTREAM=0
[root@gw-private ~]# ip r
default via 185.175.87.1 dev eth0
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.87.10
10.10.254.0/24 dev eth2 proto kernel scope link src 10.10.254.10
10.20.84.0/23 dev eth1 proto kernel scope link src 10.20.84.10
XXX.YYY.ZZZ.0/26 dev eth0 proto kernel scope link src XXX.YYY.ZZZ.10
I would guess the next thing to do is set up something like tcpdump to see if the packets are going to the correct interface. If they are, it is probably a VM issue. If they are not it is a ClearOS issue, but your firewall looks good (in the FORWARD chain you have ACCEPT rules for each LAN).
I tried to ping 10.1.24.1 (connected through eth1 on the gateway) from 10.10.254.99 (connected through eth2). This is the output from tcpdump:
[root@gw-private ~]# tcpdump -i eth2 src 10.10.254.99
22:22:34.733911 IP 10.10.254.99 > 10.1.24.1: ICMP echo request, id 39664, seq 11, length 64
[root@gw-private ~]# tcpdump -i eth1 src 10.10.254.99
22:23:04.429610 IP 10.10.254.99 > 10.1.24.1: ICMP echo request, id 39664, seq 40, length 64
The weird thing is that I do not see a reply. When I try to ping an external IP, I can see the ICMP echo request and reply on eth0 through tcpdump.
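As an added illustration (not code from this thread, and not ClearOS code) of the reasoning the tcpdump output above supports, and of the accepted answer's advice to capture with "host" on both NICs: a Python script that pairs ICMP echo requests with their replies per interface and says at which hop the exchange stopped. The capture lines below are constructed, patterned on the lines posted above; the interface roles (eth2 on the client side, eth1 on the target side) are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample captures, patterned on the lines posted above: one
# "tcpdump -i <iface> host 10.10.254.99" per LAN interface. The request enters on
# eth2 (client side), is forwarded out eth1 (target side), and nothing comes back.
NO_REPLY = {
    "eth2": [
        "22:22:34.733911 IP 10.10.254.99 > 10.1.24.1: ICMP echo request, id 39664, seq 11, length 64",
        "22:22:35.735090 IP 10.10.254.99 > 10.1.24.1: ICMP echo request, id 39664, seq 12, length 64",
    ],
    "eth1": [
        "22:22:34.733958 IP 10.10.254.99 > 10.1.24.1: ICMP echo request, id 39664, seq 11, length 64",
        "22:22:35.735133 IP 10.10.254.99 > 10.1.24.1: ICMP echo request, id 39664, seq 12, length 64",
    ],
}

# Constructed: what a healthy exchange looks like (reply seen on both interfaces).
HEALTHY = {
    "eth2": [
        "22:30:00.000100 IP 10.10.254.99 > 10.1.24.1: ICMP echo request, id 4242, seq 1, length 64",
        "22:30:00.000900 IP 10.1.24.1 > 10.10.254.99: ICMP echo reply, id 4242, seq 1, length 64",
    ],
    "eth1": [
        "22:30:00.000150 IP 10.10.254.99 > 10.1.24.1: ICMP echo request, id 4242, seq 1, length 64",
        "22:30:00.000850 IP 10.1.24.1 > 10.10.254.99: ICMP echo reply, id 4242, seq 1, length 64",
    ],
}

# Matches tcpdump's default ICMP echo line format; anything else (ARP, TCP, ...) is skipped.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_line(line):
    """Parse one tcpdump line; return a dict for ICMP echo lines, None otherwise."""
    m = ICMP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"])
    rec["seq"] = int(rec["seq"])
    return rec


def echo_table(lines):
    """Map (icmp id, seq) -> set of kinds ('request'/'reply') seen on one interface."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_icmp_line(line)
        if rec:
            seen[(rec["id"], rec["seq"])].add(rec["kind"])
    return seen


def diagnose(capture, ingress, egress):
    """For each echo exchange, say where it stopped. 'ingress' is the interface the
    client sits behind, 'egress' the interface facing the ping target."""
    ing = echo_table(capture.get(ingress, []))
    egr = echo_table(capture.get(egress, []))
    verdicts = {}
    for key in sorted(set(ing) | set(egr)):
        seen_in, seen_out = ing.get(key, set()), egr.get(key, set())
        if "request" not in seen_in:
            verdicts[key] = "no request on ingress"        # client never reached the gateway
        elif "request" not in seen_out:
            verdicts[key] = "not forwarded"                # FORWARD chain / ip_forward on the gateway
        elif "reply" not in seen_out:
            verdicts[key] = "forwarded, no reply"          # target host or the switch/VM network
        elif "reply" not in seen_in:
            verdicts[key] = "reply not returned"           # return path blocked on the gateway
        else:
            verdicts[key] = "ok"
    return verdicts


if __name__ == "__main__":
    for name, capture in (("no-reply case", NO_REPLY), ("healthy case", HEALTHY)):
        print(name, diagnose(capture, ingress="eth2", egress="eth1"))
```

With the captures from the thread the script reports "forwarded, no reply" for every sequence number, which is the split the accepted answer describes: the gateway did its part, so the target host or the (virtual) switch is the next place to look.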
Accepted Answer
I don't like VM problems. There are too many variables.
What is the contents of /etc/clearos/network.conf? Also the output of "ip r".
I would guess the next thing to do is set up something like tcpdump to see if the packets are going to the correct interface. If they are, it is probably a VM issue. If they are not it is a ClearOS issue, but your firewall looks good (in the FORWARD chain you have ACCEPT rules for each LAN).
Accepted Answer
Nick Howitt wrote:
Are you running in a VM? ethX interfaces only seem to appear now in VMs or web hosts.
Yes, this is a fully virtualized environment (Proxmox/KVM). ClearOS and all other machines are VMs.
Anyway, can you try pinging a non-Windows device? The Windoze firewall often blocks traffic not from its own LAN and you need to make exceptions for your other subnets. Either that or try stopping the Windoze firewall temporarily.
None of the machines are running Windows. Those are Linux servers (CentOS and Debian).
Accepted Answer
Your next reply **should** appear immediately now.
The subnets are fine - no overlaps, although your eth1 subnet is quite big. Are you running in a VM? ethX interfaces only seem to appear now in VMs or web hosts.
Anyway, can you try pinging a non-Windows device? The Windoze firewall often blocks traffic not from its own LAN and you need to make exceptions for your other subnets. Either that or try stopping the Windoze firewall temporarily.
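As an added example (not part of the thread, and not ClearOS code), the subnet-overlap check mentioned above, applied to the network.conf and "ip r" output posted in this thread: it parses both, reports overlapping connected prefixes, confirms every interface listed in LANIF has a connected route, and shows which interface a destination such as 10.1.24.1 is routed out of (longest-prefix match). The external prefix 203.0.113.0/26 is a constructed stand-in for the masked XXX.YYY.ZZZ.0/26; everything else is copied from the posts.

```python
import ipaddress
import re

# Constructed copies of what was posted in the thread. The external prefix
# 203.0.113.0/26 is a documentation-range stand-in for the masked XXX.YYY.ZZZ.0/26.
NETWORK_CONF = """\
# Network mode
MODE="gateway"
# Network interface roles
EXTIF="eth0"
LANIF="eth1 eth2"
DMZIF=""
HOTIF=""
"""

IP_ROUTE_OUTPUT = """\
default via 185.175.87.1 dev eth0
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.87.10
10.10.254.0/24 dev eth2 proto kernel scope link src 10.10.254.10
10.20.84.0/23 dev eth1 proto kernel scope link src 10.20.84.10
203.0.113.0/26 dev eth0 proto kernel scope link src 203.0.113.10
"""

# One "ip r" line: destination (or "default"), optional next hop, and the device.
ROUTE_RE = re.compile(r"^(?P<dst>default|[\d.]+/\d+)(?: via (?P<via>[\d.]+))? dev (?P<dev>\S+)")


def parse_network_conf(text):
    """Return KEY -> value (quotes stripped) for the shell-style ClearOS config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def parse_routes(text):
    """Return a list of (network, dev) from 'ip r' output; network is None for the default route."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = None if m["dst"] == "default" else ipaddress.ip_network(m["dst"], strict=False)
        routes.append((dst, m["dev"]))
    return routes


def route_for(routes, ip):
    """Longest-prefix match: the interface a packet to ip leaves on (default route as fallback)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if net is not None and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    if best:
        return best[1]
    for net, dev in routes:
        if net is None:
            return dev
    return None


def overlapping_routes(routes):
    """Pairs of connected prefixes that overlap; any hit means the kernel picks by prefix length,
    not by the interface you expect, and the smaller LAN's hosts become unreachable from the other."""
    nets = [(n, d) for n, d in routes if n is not None]
    hits = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            (a, da), (b, db) = nets[i], nets[j]
            if a.overlaps(b):
                hits.append((str(a), da, str(b), db))
    return hits


def missing_lan_routes(conf, routes):
    """Interfaces listed in LANIF that have no connected route at all (no address configured)."""
    with_routes = {dev for net, dev in routes if net is not None}
    return [dev for dev in conf.get("LANIF", "").split() if dev not in with_routes]


if __name__ == "__main__":
    conf = parse_network_conf(NETWORK_CONF)
    routes = parse_routes(IP_ROUTE_OUTPUT)
    print("overlaps:", overlapping_routes(routes))
    print("LAN interfaces without a route:", missing_lan_routes(conf, routes))
    for target in ("10.1.24.1", "10.10.254.99", "8.8.8.8"):
        print(target, "->", route_for(routes, target))
```

On the posted tables the overlap list is empty and 10.1.24.1 resolves to eth1, which agrees with the tcpdump result further up the thread (request leaves on eth1), so the routing table is not where the problem lies.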
Accepted Answer
Thank you for your reply. My ipconfig output:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet XX.YYY.ZZZ.10 netmask 255.255.255.192 broadcast XX.YYY.ZZZ.63
inet6 fe80::3cac:9eff:fe8a:a8b7 prefixlen 64 scopeid 0x20<link>
ether 3e:ac:9e:8a:a8:b7 txqueuelen 1000 (Ethernet)
RX packets 1739384 bytes 530208632 (505.6 MiB)
RX errors 0 dropped 23258 overruns 0 frame 0
TX packets 337716 bytes 527521483 (503.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.87.10 netmask 255.255.0.0 broadcast 10.1.255.255
inet6 fe80::5474:37ff:fed8:59f8 prefixlen 64 scopeid 0x20<link>
ether 56:74:37:d8:59:f8 txqueuelen 1000 (Ethernet)
RX packets 44246 bytes 3250674 (3.1 MiB)
RX errors 0 dropped 12215 overruns 0 frame 0
TX packets 45669 bytes 5025541 (4.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.254.10 netmask 255.255.255.0 broadcast 10.10.254.255
inet6 fe80::44ca:48ff:fe65:4aca prefixlen 64 scopeid 0x20<link>
ether 46:ca:48:65:4a:ca txqueuelen 1000 (Ethernet)
RX packets 300320 bytes 489709417 (467.0 MiB)
RX errors 0 dropped 12215 overruns 0 frame 0
TX packets 187447 bytes 15492622 (14.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Accepted Answer
Welcome to the forums
What subnet masks are you using on your LANs? Perhaps give the output of "ifconfig". When giving output, if you use PuTTY for the console you can copy text to the clipboard just by selecting it. You can then paste it into the forum post directly, and please paste it between "code" tags (the piece of paper icon with a <> on it).
BTW your next forum post will also be moderated so will not appear immediately.