 
 From:  "Jesse D. Guardiani" <jesse at wingnet dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: weird static route problem
 Date:  Tue, 05 Apr 2005 03:34:19 -0400
On Mon, 2005-04-04 at 11:08 -0500, Chris Buechler wrote:
> On Apr 4, 2005 12:12 AM, Jesse D. Guardiani <jesse at wingnet dot net> wrote:
> > >
> > > I don't know why you say that. I can ping 90.3 from the firewall,
> > > and, like I said, if I add a static route for 90.3=gw89.52 on another
> > > host then I can access anything at 90.3 perfectly fine.
> > >
> 
> Sorry, I misread your previous post.  You're right.  
> 
> 
> > 
> > I've been doing some tcpdumps, and it looks to me like 89.1
> > (the m0n0wall) isn't routing, but I'm not particularly skilled
> > at this sort of thing. Do you agree, based on the below
> > traceroute output (taken from the perspective of 89.52.
> > trevarthan-wlan.guardiani.us is the remote host I've been
> > testing from - my laptop):
> > 
> 
> Looks like there might be a couple things going on here.  Might be
> interrelated.
> 
> First, looks like the Asterisk box is sending back ICMP unreachables
> for the UDP port the laptop is trying to hit?

yes. It would appear that way.


> Second, the "time exceeded" messages indicate the TTL expired, so a
> routing loop perhaps?

I wouldn't know, unfortunately. I'm still learning when it comes to
routing. I've been playing around some more with tcpdump this morning,
trying to figure exactly what is working and what
isn't. Here are my results:

1.) A ping from the m0n0wall webgui to 192.168.90.3 seems to work, but
    please examine the below tcpdump output, taken from 192.168.90.3
    during the ping test, and tell me if anything looks incorrect:

03:04:11.410313 IP 192.168.89.1 > 192.168.90.3: icmp 64: echo request seq 0
03:04:11.475002 IP 192.168.90.3 > 192.168.89.1: icmp 64: echo reply seq 0
03:04:11.416746 IP 192.168.89.1 > 192.168.90.3: icmp 64: echo request seq 0
03:04:11.416816 IP 192.168.90.3 > 192.168.89.1: icmp 64: echo reply seq 0
03:04:11.476862 IP asterisk.guardiani.us > 192.168.89.1: icmp 79: asterisk.guardiani.us udp port 32904 unreachable
03:04:11.511441 IP asterisk.guardiani.us > 192.168.89.1: icmp 115: asterisk.guardiani.us udp port 32904 unreachable
03:04:11.517862 IP asterisk.guardiani.us > 192.168.89.1: icmp 115: asterisk.guardiani.us udp port 32904 unreachable
03:04:12.409756 IP 192.168.89.1 > 192.168.90.3: icmp 64: echo request seq 1
03:04:12.409868 IP 192.168.90.3 > 192.168.89.1: icmp 64: echo reply seq 1
03:04:13.411331 IP 192.168.89.1 > 192.168.90.3: icmp 64: echo request seq 2
03:04:13.411441 IP 192.168.90.3 > 192.168.89.1: icmp 64: echo reply seq 2
03:04:16.408247 arp who-has 192.168.89.1 tell asterisk.guardiani.us
03:04:16.410120 arp reply 192.168.89.1 is-at 00:02:b3:15:2d:6d

13 packets captured
29 packets received by filter
0 packets dropped by kernel


2.) Packets can get out from 192.168.90.3, and 192.168.90.3 can
    receive packets. I know this because if I do this on my Gentoo
    Linux laptop:

    route add -net 192.168.90.3 netmask 255.255.255.255 gw 192.168.89.52

    Then I can access any daemons bound to 192.168.90.3 from the
    laptop.

3.) Without adding static routes to my laptop, pings and traceroutes
    from the laptop to 192.168.90.3 fail (but traceroutes to
    192.168.89.51, an IP bound to the same machine as 192.168.90.3,
    succeed). Here is the traceroute from the Gentoo laptop:

    [3:12]jesse@trevarthan:[/home/jesse]# traceroute 192.168.90.3
    traceroute to 192.168.90.3 (192.168.90.3), 30 hops max, 40 byte packets
     1  192.168.89.1 (192.168.89.1)  2.059 ms  58.219 ms  30.909 ms
     2  * * *
     3  *

    And here is the tcpdump output taken from 192.168.90.3 during
    the above traceroute test:

03:01:03.727878 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33435: UDP, length: 12
03:01:03.729256 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
03:01:03.792812 IP asterisk.guardiani.us > 192.168.89.1: icmp 79: asterisk.guardiani.us udp port 32904 unreachable
03:01:03.812050 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33436: UDP, length: 12
03:01:03.869150 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
03:01:03.871102 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33437: UDP, length: 12
03:01:03.900202 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
03:01:03.903046 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33438: UDP, length: 12
03:01:06.630001 arp who-has 192.168.89.1 tell asterisk.guardiani.us
03:01:06.632051 arp reply 192.168.89.1 is-at 00:02:b3:15:2d:6d
03:01:08.900773 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33439: UDP, length: 12
03:01:13.900298 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33440: UDP, length: 12
03:01:18.907723 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33441: UDP, length: 12
03:01:22.353898 arp who-has 192.168.89.1 tell trevarthan-wlan.guardiani.us
03:01:22.355177 arp reply 192.168.89.1 is-at 00:02:b3:15:2d:6d
03:01:23.906858 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33442: UDP, length: 12

16 packets captured
22 packets received by filter
0 packets dropped by kernel



>   That same message is typical with traceroute,
> if you happened to be using it at the time.

I didn't say what generated that previous traceroute at the time, and
unfortunately I can't remember now. Sorry...


> What subnet is the laptop on?

Same subnet as the asterisk machine. Specifically, the laptop IP is:
    192.168.89.51
Whereas the asterisk machine's IP is:
    192.168.89.52
And the m0n0wall is:
    192.168.89.1


>   What kind of traffic are you generating?  

All kinds at this point. See above.

Can anyone tell me at least where the problem is from the above
output? If I know for sure which machine is at fault then I can
move on. Thanks!


-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
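The traceroute capture in the message above mixes three kinds of ICMP: "time exceeded" from an intermediate hop (the probe's TTL ran out there), "udp port N unreachable" from the destination (the probe reached it; this is how traceroute recognises the last hop), and ICMP aimed at some other host entirely (here, the port-32904 messages sent to the gateway). Reading those apart by hand is error-prone, so here is an added example, not code from the thread or from m0n0wall, that parses tcpdump text lines in the format shown on this page and reports, per traceroute probe, which reply it got and from whom. It assumes the classic UDP traceroute (one destination port per probe) and the tcpdump 3.x line layout used in the message; the first capture is the page's own 03:01 capture with tcpdump's wrapped lines re-joined, the second is a constructed contrast showing a probe answered by the destination itself. Because tcpdump did not print the quoted inner header of the "time exceeded" messages, the script attributes each one to the newest still-unanswered probe sent before it.

```python
"""Classify traceroute probes in tcpdump text output (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "HH:MM:SS.ffffff IP src.sport > dst.dport: UDP, length: N"  (tcpdump 3.x text, as on the page)
UDP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length:? (\d+)")
# "HH:MM:SS.ffffff IP src > dst: icmp N: <message>"
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): icmp \d+: (.*)$")
PORT_UNREACH_RE = re.compile(r"udp port (\d+) unreachable")


@dataclass
class Probe:
    ts: str                      # tcpdump timestamp; lexical order == time order within one day
    dport: int
    verdict: str = "no-reply"    # "time-exceeded", "unreachable" or "no-reply"
    replier: Optional[str] = None  # host that sent the ICMP, if any


@dataclass
class Report:
    probes: dict = field(default_factory=dict)          # dport -> Probe
    unrelated_icmp: list = field(default_factory=list)  # ICMP not addressed to the prober


def classify(lines, source, target):
    """Pair UDP probes from `source` to `target` with the ICMP replies sent back to `source`."""
    report = Report()
    for line in lines:
        m = UDP_RE.match(line)
        if m:
            ts, src, _sport, dst, dport, _length = m.groups()
            if src == source and dst == target:
                report.probes[int(dport)] = Probe(ts=ts, dport=int(dport))
            continue
        m = ICMP_RE.match(line)
        if not m:
            continue  # ARP and anything else is ignored
        ts, src, dst, msg = m.groups()
        if dst != source:
            report.unrelated_icmp.append(line)  # e.g. the port-32904 messages aimed at the gateway
            continue
        if msg.startswith("time exceeded"):
            # No quoted inner header in this tcpdump format: attribute the reply to the
            # newest probe that was sent before it and is still unanswered.
            pending = [p for p in report.probes.values() if p.verdict == "no-reply" and p.ts <= ts]
            if pending:
                hit = max(pending, key=lambda p: p.ts)
                hit.verdict, hit.replier = "time-exceeded", src
            continue
        pu = PORT_UNREACH_RE.search(msg)
        if pu and int(pu.group(1)) in report.probes:
            hit = report.probes[int(pu.group(1))]
            hit.verdict, hit.replier = "unreachable", src
            continue
        report.unrelated_icmp.append(line)
    return report


def summarise(report):
    """Group probe ports by (verdict, replying host), ports in ascending order."""
    out = {}
    for p in sorted(report.probes.values(), key=lambda p: p.dport):
        out.setdefault((p.verdict, p.replier), []).append(p.dport)
    return out


LAPTOP = "trevarthan-wlan.guardiani.us"
TARGET = "192.168.90.3"

# The 03:01 traceroute capture from the message above, wrapped lines re-joined.
PAGE_CAPTURE = """\
03:01:03.727878 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33435: UDP, length: 12
03:01:03.729256 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
03:01:03.792812 IP asterisk.guardiani.us > 192.168.89.1: icmp 79: asterisk.guardiani.us udp port 32904 unreachable
03:01:03.812050 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33436: UDP, length: 12
03:01:03.869150 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
03:01:03.871102 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33437: UDP, length: 12
03:01:03.900202 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
03:01:03.903046 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33438: UDP, length: 12
03:01:06.630001 arp who-has 192.168.89.1 tell asterisk.guardiani.us
03:01:06.632051 arp reply 192.168.89.1 is-at 00:02:b3:15:2d:6d
03:01:08.900773 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33439: UDP, length: 12
03:01:13.900298 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33440: UDP, length: 12
03:01:18.907723 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33441: UDP, length: 12
03:01:22.353898 arp who-has 192.168.89.1 tell trevarthan-wlan.guardiani.us
03:01:22.355177 arp reply 192.168.89.1 is-at 00:02:b3:15:2d:6d
03:01:23.906858 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33442: UDP, length: 12
""".splitlines()

# Constructed contrast (not from the page): the destination answering a probe itself.
HEALTHY_CAPTURE = """\
03:05:00.100000 IP trevarthan-wlan.guardiani.us.43564 > 192.168.90.3.33435: UDP, length: 12
03:05:00.101000 IP 192.168.90.3 > trevarthan-wlan.guardiani.us: icmp 48: 192.168.90.3 udp port 33435 unreachable
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("page capture", PAGE_CAPTURE), ("constructed healthy capture", HEALTHY_CAPTURE)):
        r = classify(cap, LAPTOP, TARGET)
        print(f"== {name}")
        for (verdict, who), ports in summarise(r).items():
            print(f"  {verdict:14} from {who or '-':30} probes to ports {ports}")
        print(f"  unrelated ICMP lines: {len(r.unrelated_icmp)}")
```

Run against the page's capture it reports the first three probes (ports 33435-33437) answered with "time exceeded" by 192.168.89.1, the remaining five probes with no reply at all, and one ICMP line that has nothing to do with the traceroute; the constructed capture shows the "unreachable from 192.168.90.3" verdict a completed traceroute would produce. Note that a capture taken on a shared segment can see frames that were addressed to another host's MAC, so "the probe appears in the capture" is not by itself proof that the capture host was the one meant to receive it.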