I'm not subscribed to the list, so please make sure my actual e-mail
address is on copy if you reply.

This is a slightly complicated network routing issue so please bear with me
while I try to organize all the relevant info.

So, I'm setting up a secondary DNS server to act as a slave of my existing
primary. The primary has two NICs each on different subnets which are
VLAN'd and firewalled from each other. One is our external/DMZ, the other
is our internal network. My problem is that I keep getting time-outs trying
to transfer the external zones across the external NICs. Looking at packet
traces what I see happening is that the request packet comes out of the DMZ
NIC on ns1 (the slave (don't ask)) with the DMZ IP as the source and the
DMZ IP of ns2 (master) as the destination. I see the packet come in on ns2,
which generates a response packet coming from the DMZ IP on the DMZ NIC
with ns1's DMZ IP as the destination, *BUT* the destination MAC is that of
the DMZ gateway, not the DMZ NIC on ns1. For some reason ns2 wants to route
the return packet to the gateway instead of directly to ns1 even though
it's on the same subnet.

Now, with a prose outline of the problem out of the way, here it is in
detail (I've redacted/substituted the 172.1.1 prefix for our actual public
IP range in all relevant snippets, etc.)

Internal network: 10.1.10.0/24
ns1 Internal IP (MAC): 10.1.10.105 (00:50:56:8b:70:de)
ns2 Internal IP (MAC): 10.1.10.5 (00:50:56:85:26:6e)
Internal gateway IP (MAC): 10.1.10.254 (00:10:db:ff:10:01)

DMZ network: 172.1.1.32/27
ns1 DMZ IP (MAC): 172.1.1.40 (00:50:56:8b:64:4c)
ns2 DMZ IP (MAC): 172.1.1.41 (00:50:56:85:0b:72)
DMZ gateway IP (MAC): 172.1.1.62 (00:10:db:ff:10:02)

The basic network flow looks like this from ns1's perspective (forgive me
if the formatting gets messed up, I'm unfortunately writing this in Lotus
Notes...):

UDP DNS query: ns2 172.1.1.40 (00:50:56:8b:64:4c) -> ns1 172.1.1.41 (00:50:56:85:0b:72)
ARP query:     ns2             00:50:56:8b:64:4c  -> ns1 00:50:56:85:0b:72
ARP reply:     ns2             00:50:56:8b:64:4c  <- ns1 00:50:56:85:0b:72
TCP DNS query: ns2 172.1.1.40 (00:50:56:8b:64:4c) -> ns1 172.1.1.41 (00:50:56:85:0b:72)

Etc, etc... Odd that I get ARP replies from ns2 but not TCP or UDP replies.
However, from the perspective of ns2 I see:

UDP DNS query: ns2 172.1.1.40 (00:50:56:8b:64:4c) -> ns1 172.1.1.41 (00:50:56:85:0b:72)
UDP DNS reply: ns2 172.1.1.40 (00:10:db:ff:10:02) <- ns1 172.1.1.41 (00:50:56:85:0b:72)
ARP query:     ns2             00:50:56:8b:64:4c  -> ns1 00:50:56:85:0b:72
ARP reply:     ns2             00:50:56:8b:64:4c  <- ns1 00:50:56:85:0b:72
TCP DNS query: ns2 172.1.1.40 (00:50:56:8b:64:4c) -> ns1 172.1.1.41 (00:50:56:85:0b:72)
TCP DNS reply: ns2 172.1.1.40 (00:10:db:ff:10:02) <- ns1 172.1.1.41 (00:50:56:85:0b:72)

Here is what I have in the /etc/network/interfaces for each host:

ns1:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 10.1.10.105
        netmask 255.255.255.0
        gateway 10.1.10.254

        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 10.1.10.105

        # routing
        post-up ip route add 10.1.10.254/32 dev eth0 src 10.1.10.105 table internal
        post-up ip route add default via 10.1.10.254 table internal
        post-up ip rule add from 10.1.10.105 table internal
        post-down ip rule del from 10.1.10.105 table internal


allow-hotplug eth1
iface eth1 inet static
        address 172.1.1.40
        netmask 255.255.255.224

        # routing
        post-up ip route add 172.1.1.62/32 dev eth1 src 172.1.1.40 table external
        post-up ip route add default via 172.1.1.62 table external
        post-up ip rule add from 172.1.1.40 table external
        post-down ip rule del from 172.1.1.40 table external


ns2:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 10.1.10.5
        netmask 255.255.255.0
        gateway 10.1.10.254

        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 10.1.10.5

        # routing
        post-up ip route add 10.1.10.254/32 dev eth0 src 10.1.10.5 table internal
        post-up ip route add default via 10.1.10.254 table internal
        post-up ip rule add from 10.1.10.5 table internal
        post-down ip rule del from 10.1.10.5 table internal


allow-hotplug eth1
iface eth1 inet static
        address 172.1.1.41
        netmask 255.255.255.224

        # routing
        post-up ip route add 172.1.1.62/32 dev eth1 src 172.1.1.41 table external
        post-up ip route add default via 172.1.1.62 table external
        post-up ip rule add from 172.1.1.41 table external
        post-down ip rule del from 172.1.1.41 table external


--
Isaac Freeman - Systems Administrator
IBM SmartCloud Managed Backup
is...@us.ibm.com
919-254-0245
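Added example, not part of Isaac's post: a small Python model of the Linux policy-routing lookup (ip rule in preference order, then longest-prefix match inside the selected table), loaded with ns2's tables exactly as the post-up lines above build them. It assumes that ifupdown's address/netmask lines install the connected routes 10.1.10.0/24 dev eth0 and 172.1.1.32/27 dev eth1 in the main table, that the eth0 `gateway` line installs the main default route, and that the two `ip rule add` lines landed at preferences 32764 and 32765 (just ahead of main at 32766). The model reproduces the capture: a reply sourced from 172.1.1.41 matches the `from 172.1.1.41` rule, table external contains only the /32 host route to the gateway and a default route, so a destination inside the same /27 falls to the default and is handed to 172.1.1.62, which is why the frame carries the gateway's MAC. The query from ns1 is unaffected because the source address is still unset when the kernel picks its route, so only main is consulted. Adding the connected /27 to the external table makes the reply go on-link.

```python
# Added example: model of the Linux policy-routing lookup (ip rule -> per-table
# longest-prefix match), loaded with ns2's tables from the post. Not from the post.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    dev: str
    via: Optional[str] = None  # None = on-link (connected or host route)


@dataclass
class Rule:
    pref: int
    src: Optional[Net]  # None = "from all"
    table: str


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


def lookup_table(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside a single table; None on a table miss."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]],
                 src: str, dst: str) -> Tuple[str, str, str]:
    """Walk the rules in preference order; the first table holding a matching
    route decides. Returns (table, next_hop, dev); next_hop == dst means the
    packet is delivered on-link (ARP for dst itself, not for a gateway).
    src "0.0.0.0" models a lookup done before the source address is chosen."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.src is not None and s not in rule.src:
            continue
        hit = lookup_table(tables[rule.table], d)
        if hit is None:
            continue  # a table miss falls through to the next rule
        return rule.table, hit.via if hit.via else str(d), hit.dev
    raise LookupError(f"no route to {dst}")


# Assumption: ifupdown's address/netmask lines install these connected routes
# and the eth0 `gateway` line installs the default, all in the main table.
MAIN = [
    Route(net("10.1.10.0/24"), "eth0"),
    Route(net("172.1.1.32/27"), "eth1"),
    Route(net("0.0.0.0/0"), "eth0", via="10.1.10.254"),
]
# Tables exactly as the post-up lines in the post build them on ns2.
INTERNAL = [
    Route(net("10.1.10.254/32"), "eth0"),
    Route(net("0.0.0.0/0"), "eth0", via="10.1.10.254"),
]
EXTERNAL_POSTED = [
    Route(net("172.1.1.62/32"), "eth1"),
    Route(net("0.0.0.0/0"), "eth1", via="172.1.1.62"),
]
# The fix: give the external table the connected /27 as well.
EXTERNAL_FIXED = EXTERNAL_POSTED + [Route(net("172.1.1.32/27"), "eth1")]

# Assumption: preferences 32764/32765 for the two `ip rule add` lines; main is 32766.
NS2_RULES = [
    Rule(32764, net("10.1.10.5/32"), "internal"),
    Rule(32765, net("172.1.1.41/32"), "external"),
    Rule(32766, None, "main"),
]
TABLES_POSTED = {"main": MAIN, "internal": INTERNAL, "external": EXTERNAL_POSTED}
TABLES_FIXED = {"main": MAIN, "internal": INTERNAL, "external": EXTERNAL_FIXED}


def reply_path(tables: Dict[str, List[Route]]) -> Tuple[str, str, str]:
    """ns2's DNS reply to ns1: source already bound to the DMZ address."""
    return route_packet(NS2_RULES, tables, "172.1.1.41", "172.1.1.40")


def query_path(tables: Dict[str, List[Route]]) -> Tuple[str, str, str]:
    """A query ns2 originates itself: source unset at lookup time."""
    return route_packet(NS2_RULES, tables, "0.0.0.0", "172.1.1.40")


if __name__ == "__main__":
    print("posted reply :", reply_path(TABLES_POSTED))  # next hop is the gateway
    print("fixed  reply :", reply_path(TABLES_FIXED))   # on-link to ns1
    print("posted query :", query_path(TABLES_POSTED))  # on-link, via main
```

In interfaces(5) terms the fix is one extra line in each eth1 stanza, `post-up ip route add 172.1.1.32/27 dev eth1 src <that host's DMZ IP> table external`, and the internal table has the same gap for 10.1.10.0/24 (the model's internal table also sends a reply to 10.1.10.105 to the gateway). The practical consequence is that every DMZ-to-DMZ reply hairpins through the firewall, where reverse-path or anti-spoof filtering will typically drop it, which matches the ARP-works-but-DNS-times-out symptom.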
