Okay web server/network/Linux gurus, you up for a challenge?

Russ

Lifer
Oct 9, 1999
21,093
3
0
I've been beating on my server setup for a few weeks and trying to get my block of IP addresses to work. I've now determined WHY they don't work, but have so far been unable to figure out how to solve the problem.

Here's the setup:

The net pipe is a Cisco 675 DSL modem/router. This plugs in to a Linksys 5 port switch. From this switch, one patch goes directly to Eth0 on the server, and a second goes to a Linksys DSL Router. All other systems on the network are using the Linksys DSL router for web access and DHCP.

This setup is supposed to bypass the Linksys DSL router for any requests to the IP addresses assigned to Eth0 in the server.

Because a picture is worth a thousand words, and I realize I may not be adequately explaining this, I diagrammed my network. Diagram is HERE.

Here's the problem. If you go to http://207.108.218.137 the server loads up lickety-split. This IP address is assigned to the Linksys DSL router and is port-forwarded to the second NIC on the server (Eth1). With me so far?

The other IP addresses are 138, 139, 140, and 141. These are all assigned as virtual IPs to Eth0 on the server. BUT, what is happening is that if you ping or traceroute to any of them, they all respond with 137, the address that is assigned to the router and port forwarded.

So, the requests are NOT bypassing the Linksys DSL router as they should. The question is how do I solve this problem?

All hardware verifies good. Everything on the network communicates with everything else, and the web no problem. Apache is working just fine on all addresses as internally ALL of them load up fine. But, the only one that works externally is 137.

Ideas? Thanks.

Russ, NCNE
 

twren

Member
Nov 15, 2000
53
0
0
Ok, things in here may be incorrect because it is tough to diagnose your problems from a simple post but I will give it a try.

First the questions.
1. Are you assigned multiple IPs and are only using the first router to distribute external IP numbers? I am going to treat those IPs as externals in my evaluation; if this is not true this post is useless.
2. Is that diagram incorrect? If eth0 on your server is external it should be set up as your web's IP, but your web IP is actually your router. For example, if this was set up correctly I should be able to type in 207.108.218.138 and bring up your server. Also I cannot ping that address, which leads me to believe that eth0 is serving no purpose in your network configuration. Instead you are using eth1 for your web server and internal LAN server. So you only have one IP address that is being distributed as a gateway through the router to the rest of your computers. All the other IP addresses (external) are lying dormant. Since you are not running a proxy server I don't understand why you have two NICs, and I believe that is what is fooling you also. The system is secure but the majority of corporations would want one NIC on the server to be external. Ideally what you want is two IP addresses, one for the server, one for the router. Then do all networking over TCP/IP but do it internally and make sure that file and print sharing is disabled on eth0.
Personally I have an SBS with a T1 that provides 13 IPs but I use one; that IP goes into the server and then a proxy server is run, and on the second NIC internet is distributed through DHCP.
Hope this helps
 

Xanathar

Golden Member
Oct 14, 1999
1,435
0
0
I have had problems with NT and having 2 gateways, which it seems your solution requires. How about removing the gateway on the internal card (eth1), then changing the Linksys to a different IP and adding the .137 to the outside NIC? (Are you assigning IPs in the network card, or in IIS? It needs both.)
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
twren,



<< 1. Are you assigned multiple IPs and are only using the first router to distribute external IP numbers? I am going to treat those IPs as externals in my evaluation; if this is not true this post is useless. >>



This is correct. I want requests for these IP's to go directly from the Cisco 675 to Eth0, bypassing the Linksys DSL router which serves the internal network.



<< 2. Is that diagram incorrect? If eth0 on your server is external it should be set up as your web's IP, but your web IP is actually your router. For example, if this was set up correctly I should be able to type in 207.108.218.138 and bring up your server. Also I cannot ping that address, which leads me to believe that eth0 is serving no purpose in your network configuration. Instead you are using eth1 for your web server and internal LAN server. >>



The Linksys router address of 207.108.218.137 is currently being forwarded to Eth1 for testing purposes. It is setup this way only so I can test the server externally. Any internal testing is useless because ALL addresses always load up without any problem because they're bouncing one hop.

If all I wanted was just one IP address, I'd leave it this way. But, I need to use all five of the available addresses for different sites.



<< So you only have one IP address that is being distributed as a gateway through the router to the rest of your computers. All the other IP addresses (external) are lying dormant. Since you are not running a proxy server I don't understand why you have two NICs, and I believe that is what is fooling you also. >>



I'm using two NICs so I can bind services only to the internal NIC in order to reduce the possibility of compromise.



<< The system is secure but the majority of corporations would want one NIC on the server to be external. Ideally what you want is two IP addresses, one for the server, one for the router. Then do all networking over TCP/IP but do it internally and make sure that file and print sharing is disabled on eth0. >>



This is precisely what I'm trying to do; have Eth0 be an external NIC to serve up the WAN addresses. All of the internal network is served by the DHCP and NAT of the Linksys router. I want Eth0 in the server to have a straight pipe through the Cisco 675 so that I can serve up sites on the IP addresses that I have leased.

Eth1 is to be used only for internal access to services on the server.

Xanathar,

It's not Windows, it's Linux.

Russ, NCNE

 

Xanathar

Golden Member
Oct 14, 1999
1,435
0
0
My questions still hold true though: are you assigning the IPs to the network card, or in the (I guess) Apache? You should be able to ping .138 from the Cisco router; can you?

Where are all you pinging from, and where is it returning the .137? What is your external IP address (Eth0), and what are you setting the gateway to?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
That is a very strange diagram. It looks like you have some sort of addressing/routing problem.

1) What are the addresses/masks of internal clients and their gateway?
2) What is the IP address of Apache server Eth1?
3) Provide a printout of the Apache server routing table (Sun is netstat -r, don't know Linux)
4) Provide a print out of the apache server interface table (ifconfig -a)
5) What is linksys routing table? Or maybe just default gateway
I'll scratch my head some more when you get that info.

spidey
 

shadow

Golden Member
Oct 13, 1999
1,503
0
0
Ok, this may be completely stupid of me, but if I am correct, that switch (between the gateway and the DSL router) is not sending any external traffic to the server. The reason why is because the incoming external messages do not have the server's MAC address (I assume with virtual IP that there is still only one MAC for the NIC; can someone confirm this?). Remember switches use layer 2 (MAC), and routers use layer 3 (IP). If I am correct then replacing that switch with a hub will fix your problem, or set up some sort of ARP on the gateway (I don't know if this is possible).


If anyone realizes that I am a complete fool for saying this then please explain to me where I went wrong. Try the hub though please, I'm curious to see if I am right.

This would also explain why everything internally works, as after a broadcast and a response the internal machines discover the .138-141's MAC address (which I assume is the same for all) and then when you wish to communicate with that range of IP addresses the MAC address is included in the frame, which allows the switch to properly direct traffic.

However the packets coming through your gateway do not have the proper MAC address and actually have no way to figure out the MAC address either. Every single time an external packet comes through, that switch looks at the frame header, does not see a MAC address (or one that it recognizes, anyway), broadcasts that IP address on all ports, and when it gets a response to the broadcast it includes that MAC address in its tables. Communication with external clients NEVER gets beyond this stage. You simply have tons of broadcasting by that switch.

well that's my idea.
 

shadow

Golden Member
Oct 13, 1999
1,503
0
0
6:17 Central

well, I just hit .138 and .139, but I could not hit .137
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
Xanathar,



<< My questions still hold true though: are you assigning the IPs to the network card, or in the (I guess) Apache? You should be able to ping .138 from the Cisco router; can you? >>



They are assigned both to the NIC, and setup as virtual server addresses in Apache. Yes, I can ping ANY of the additional addresses from the Cisco or from anywhere on the network.



<< Where are all you pinging from, and where is it returning the .137? What is your external IP address (Eth0), and what are you setting the gateway to? >>



Because an internal ping is useless (they always work) I'm pinging from a web proxy, www.cotse.com. All pings or traceroutes to 138 thru 141, return 137. The external addresses for Eth0 are 138 thru 141, with 138 assigned, and 139 thru 141 as virtual adapters. Gateway is 207.108.218.142, which is the same as the Cisco and the WAN gateway on the Linksys router.

spidey07,



<< 1) What are the addresses/masks of internal clients and their gateway? >>



192.168.1.xxx, 255.255.255.0, 192.168.1.1 (Linksys router).



<< 2) What is the ip address of apache server Eth1 >>



192.168.1.10 This is the NIC that 207.108.218.137 loads from as it is the address assigned to the Linksys Router and port forwarded.



<< 3) Provide a print out of the apache server routing table (Sun is netstat -r, don't know linux) >>



Kernel IP Routing Table

Destination.. Gateway.. Genmask.. Flags.. MSS.. Window.. Irtt.. Iface

192.168.1.10... *... 255.255.255.255 UH... 0..... 0....... 0.... Eth1
207.108.218.136 *... 255.255.255.248 U ....0..... 0....... 0.... Eth0
192.168.1.0.... * ...255.255.255.0.. U ....0..... 0....... 0.... Eth1
127.0.0.0...... *... 255.0.0.0...... U.... 0..... 0....... 0.... lo
Default.... 192.168.1.1. 0.0.0.0.... UG... 0..... 0....... 0.... Eth1

(Note: dots do not actually appear in the table; added to try and line it up).



<< 4) Provide a print out of the apache server interface table (ifconfig -a) >>



Is there any way to copy/paste this from a terminal? It has a lot more info than the routing table. It would take me a week at my typing speed to write it out like I just did above.



<< 5) What is linksys routing table? Or maybe just default gateway
I'll scratch my head some more when you get that info.
>>



Destination LAN IP.. Subnet Mask Default Gateway Hop Count...Interface
0.0.0.0............ ...0.0.0.0.. 207.108.218.142... 1......... WAN
192.168.1.0...... 255.255.255.0... 0.0.0.0......... 1......... LAN
207.108.218.136.. 255.255.255.248 .0.0.0.0......... 1......... WAN

shadow,

I just tried a hub, still no go.



<< well, I just hit .138 and .139, but I could not hit .137 >>



All addresses from 138 to 141 will always respond to a ping or traceroute, but they return 137. The address of 137 NEVER responds, but it loads up the site no problem.

Thanks guys!

Russ, NCNE


 

Captain_Rob

Senior member
Oct 9, 1999
334
0
0


<< Default.... 192.168.1.1. 0.0.0.0.... UG... 0..... 0....... 0.... Eth1 >>



Now there's the missing part of the puzzle. It's doing just what you have setup, routing all unknown routes from eth1 through the linksys.

Try changing your default route to:

Default.... 207.108.218.142. 0.0.0.0.... UG... 0..... 0....... 0.... Eth0


[edit]
To copy your whole route table to a file, try

netstat -r >file.txt

...or telnet to the server and copy paste from the telnet client.
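
Added example, not part of any post in the thread: a small route-lookup model of the server's posted table, showing that with the default route on Eth1 a reply to a request that arrived on Eth0 leaves through the Linksys, which is consistent with the external pings coming back as .137. The client address 198.51.100.7 and all function names are constructed for illustration.

```python
import ipaddress

# Routes transcribed from the server table posted in the thread (alignment dots
# dropped, "*" written as 0.0.0.0). Columns: dest, gateway, genmask, flags, iface.
COMMON = """\
192.168.1.10    0.0.0.0 255.255.255.255 UH eth1
207.108.218.136 0.0.0.0 255.255.255.248 U  eth0
192.168.1.0     0.0.0.0 255.255.255.0   U  eth1
127.0.0.0       0.0.0.0 255.0.0.0       U  lo
"""
BEFORE = COMMON + "0.0.0.0 192.168.1.1 0.0.0.0 UG eth1\n"      # as posted
AFTER = COMMON + "0.0.0.0 207.108.218.142 0.0.0.0 UG eth0\n"   # suggested change

# Addresses bound to each NIC, per the thread.
LOCAL = {
    "eth0": ["207.108.218.138", "207.108.218.139",
             "207.108.218.140", "207.108.218.141"],
    "eth1": ["192.168.1.10"],
}
CLIENT = "198.51.100.7"  # constructed external client (documentation range)

def parse(table):
    """Turn the text table into (network, gateway, interface) tuples."""
    routes = []
    for line in table.strip().splitlines():
        dest, gw, mask, _flags, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return routes

def egress(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    _net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gw

def reply_path(table, served_ip, client_ip=CLIENT):
    """Compare the NIC a request arrived on with the NIC its reply leaves on."""
    ingress = next(i for i, addrs in LOCAL.items() if served_ip in addrs)
    out_if, gw = egress(parse(table), client_ip)
    return {"ingress": ingress, "egress": out_if,
            "gateway": gw, "asymmetric": ingress != out_if}

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, reply_path(table, "207.108.218.138"))
```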
 

Russ

Lifer
Oct 9, 1999
21,093
3
0


<< Try changing your default route to:

Default.... 207.108.218.142. 0.0.0.0.... UG... 0..... 0....... 0.... Eth0
>>



I'll try that. Thanks.



<< netstat -r >file.txt

...or telnet to the server and copy paste from the telnet client.
>>



You mean ifconfig -a > right? I already hand wrote the routing table above. As for telnet, haven't even gotten to setting that up yet. One step at a time.

Russ, NCNE
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
Captain_Rob,

YEEHHAAWWWWW!!!!! YOU ARE A F*CKING GENIUS!!!!!!!! I've been beating my brains out on this thing for weeks, and that one change did it! Now all the IPs ping to their own address and EVERY one loads up the server!!!!!!!

I love you, man!

Russ, NCNE
 