[techtalk] Linux and routers

Raven, with the kitchen sink damask0 at yahoo.com
Wed Apr 4 14:20:21 EST 2001


Heya --

     I've slightly reorganized the quotes from the original message,
because the replies make more sense in this order.

Quoth Kath:
> Every time you plug in www.nbsd.org to a traceroute inside the
> district, it gives you the IP of the external card.  The traceroute
> reveals that it is dying at/after the 10.75.1.1 router.

     Well, if it's being sent to the router from ten-space without
going through a proxy server or a NAT box, that's your problem right
there.  Ten-space is not routable, and most ISPs will drop any packets
that have private-space non-routable IP addresses.

     Forgive me if I'm giving you more detail than you wanted, but...

     RFC 1918 defines certain ranges of IP addresses that are not
routable across the global Internet.  These are:
10.0.0.0/8 (also known as ten-space)
172.16.0.0/12
192.168.0.0/16
These addresses were set aside for people to use on their private
networks.  When a machine on one of these networks needs to send
packets to the Internet, those packets must come from a regular,
routable IP address.

     There are two common ways of making this happen.  Method one is to
use a proxy server.  The machine with the non-routable address connects
to the proxy server.  The proxy server has a routable IP address, uses
that to connect to whatever machine on the Internet the first machine
was trying to access, gets the information, and passes it back to the
first machine.  You must configure proxying for every service that you
intend to access this way.  So if you have a Web-only proxy server,
your ten-space users will be unable to telnet to boxes on the Internet.

     Method two is to use NAT.  Your ten-space machine connects to the
device that's doing NAT.  The NAT device temporarily "assigns" a
routable IP address out of its pool of routable IP addresses to the
ten-space machine.  (It does not change the actual IP address of the
ten-space machine.  The "assigns" is merely an association on the NAT
machine.)  Packets sent out from the ten-space machine are unmade at
the NAT device, and remade with their source IP address set to the
routable IP address the NAT device has assigned.  Return packets are
broken down, the routable IP taken out of the destination field, and is
replaced with the ten-space IP.  NAT will (theoretically) allow your
ten-space users to access any service on the Internet.  

     In either case, the user on the ten-space machine is going to have
to pass through either the NAT device (usually a router or a firewall
does this) or the proxy server on its way to the Internet.  It sounds
like the problem you're having is that you're trying to send ten-space
packets, which aren't routable, directly into the Internet.

> should the default gateway at the elementary/middle schools be the
> Cisco router for that building (say 10.75.7.1) or should it be the
> master NAT machine?  Each building has its own DHCP server, btw, so it
> is no problem changing it at just one building.

     Default gateways should traditionally be the router interface that
connects your local network to the rest of the world.  So make them the
local router gateways (usually the IP of the router's Ethernet
interface), and then give the routers a default route pointing all
non-local traffic towards the high school router.  I am assuming that
the NAT machine/proxy server/whatever you use to get ten-space to talk
to routable IPs is off your high school LAN?  You can do this on a
Cisco with the command

ip route 0.0.0.0 0.0.0.0 [IP addy of high school router serial
interface] [subnet mask of that interface]

It's important to use the directly connected interface on the high
school router there, so that you know the middle school router knows
how to get to that interface.  (If you're using a routing protocol, you
don't have to use the directly connected IP.)

> For some reason, no one inside the district can access the web server
> when using straight NAT, but can when using our aging proxy server.

     What's doing the NAT?  Can they get to anything else on the
Internet?  Do you have anything you can use as a packet sniffer, to see
if NAT is actually happening?

> Now, if you set the default gateway on any machine in the high school
> to 10.75.1.4, which is the NAT machine, instead of what the DHCP tells
> you is 10.75.1.1 (10.75.1.1 is the router), everything works: internal
> and external.

     Then NAT is probably working fine, and the inability to access the
web server is probably a connectivity problem.  Is the web server in
ten-space, or does it have a routable IP address?  What local network
is it connected to?

> However, the grumpy Systems Administrator for the district refuses to
> change any DHCP server.  He insists that there is no fault there
> and that it is something with the web server.

     Surely the traffic has to pass through some device that does
proxying or NAT before it hits the Internet.

> Now the fellow student I am working with (the one who wouldn't know
> how to compile a program) keeps insisting that the problem is in the
> routes on the Linux box and continues to fool around with them,
> occasionally breaking them and then sometimes asking me to fix it, 

     Is the Linux box your proxy server or your NAT device?  Or a
firewall?  If it's none of the above, I don't see why it has to be
routing at all.  (Please correct if there's something I'm
misunderstanding about your network.)

Cheers,
Raven

=====
"I'm sorry, but that wouldn't be providing Jiffy Quick Super
 Service Turnaround to our residents."
 -- Lighthouse maintenance, explaining why they couldn't
    wait to throw sinks out the window until after 7 AM
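An added illustration (not part of Raven's message) of the two points the reply makes: an ISP model that drops RFC 1918 sources, and the NAT association table that rewrites outbound source and return destination addresses without touching the inside host. The 10.75.x addresses are the ones from the thread; the pool and remote-server addresses are constructed from documentation ranges.

```python
import ipaddress

# The three RFC 1918 ranges listed in the post; 10.0.0.0/8 is "ten-space".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def isp_accepts(packet: dict) -> bool:
    """Model of the upstream ISP: packets sourced from private space are dropped."""
    return not is_private(packet["src"])


class Nat:
    """Association table as described in the post: an inside (ten-space) host is
    paired with a routable address from the pool; the host's own address is never
    changed, only the headers of packets crossing the NAT device are rewritten."""

    def __init__(self, pool):
        self.free = list(pool)            # routable addresses not yet handed out
        self.inside_to_pool = {}          # 10.x host -> routable address
        self.pool_to_inside = {}          # routable address -> 10.x host

    def outbound(self, packet: dict) -> dict:
        """Rewrite the source of a packet leaving the private network."""
        src = packet["src"]
        if src not in self.inside_to_pool:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            pub = self.free.pop(0)
            self.inside_to_pool[src] = pub
            self.pool_to_inside[pub] = src
        return {"src": self.inside_to_pool[src], "dst": packet["dst"]}

    def inbound(self, packet: dict):
        """Rewrite the destination of a return packet; None if no association exists."""
        inside = self.pool_to_inside.get(packet["dst"])
        if inside is None:
            return None                   # unsolicited: no association, dropped
        return {"src": packet["src"], "dst": inside}


def reaches_internet(packet: dict, nat=None) -> bool:
    """Does an inside host's packet get past the ISP, with or without a NAT device in the path?"""
    if nat is not None:
        packet = nat.outbound(packet)
    return isp_accepts(packet)
```

The same ten-space packet is dropped when handed straight to the ISP and accepted once the NAT device has rewritten its source, which is the difference between the two default-gateway settings described in the thread.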
