source address woes


 
# 1  
Old 12-18-2002
source address woes

I have checkpoint firewall-1 running on a solaris 7 sparc box with two physical working networks interface cards hme0, qfe0,

(please note these are false addresses)

qfe0 = 195.111.222.178 internet ISP
hme0 = 172.19.12.58 /24 internal LAN which has a router to France on it

I want to add a route to a machine in France (194.222.222.222). It will need to go out of interface hme0 and be routed to France via a router which sits on the internal LAN (172.19.12.4). So the packets I send out should have a source address of 172.19.12.58 (hme0), which the French network understands and can route back to. I used the command

route add -host 194.222.222.222 172.19.12.4

but I get "not responding" error when I try to ping the destination machine

NOTE: I can get to this machine via this router from any other single-NIC box on the LAN, so the box and router are fine.

I then run a snoop on hme0 for anything with 194.222.222.222 in it


# snoop -t a -d hme0 194.222.222.222
Using device /dev/hme (promiscuous mode)
12:42:26.54446 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:27.54073 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:28.54070 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:29.54069 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:30.54097 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:31.54080 195.111.222.178 -> 194.222.222.222 ICMP Echo request

As you can see the request is going out of the correct interface (hme0) because I am snooping it, but for some reason the packets have assumed the source address that has been assigned to the qfe0 card. Subsequently, ICMP is making requests but there are no replies coming back because the source address of the request packet is the public internet address (external address of the firewall, qfe0) and the destination French network cannot route the packet back. I have printed an excerpt from netstat -rn below (addresses have been changed)
Code:
Routing Table:
  Destination           Gateway           Flags  Ref   Use     Interface
-------------------- -------------------- ----- ----- -------- ---------
194.222.222.222      172.19.12.4           UGH      0        1
195.111.222.176      195.111.222.178       U        2     5796  qfe0
172.19.8.0           172.19.12.58          U        3    42257  hme0
224.0.0.0            172.19.12.58          U        3        0  hme0
default              195.111.222.177       UG       0  1431154
127.0.0.1            127.0.0.1             UH       0  3366951  lo0

I was wondering whether or not the blank space on the interface column for the route I have added (1st line) has any impact on the source address used when I ping directly from the firewall/solaris box directly



I have been looking into the -interface switch of the route command but cannot see how to incorporate this into the route add command - I have tried

route add 194.222.222.222 -interface hme0 172.19.12.4

.....and various other combinations, but to no avail. The man page for route is very confusing when it comes to the -interface switch..


Does anybody know how I can resolve this issue? All I want is for the source address to be 172.19.12.58 so that the packets can find their way back to the firewall.


any help on this would be greatly appreciated

thanks
Gary

Last edited by Perderabo; 12-18-2002 at 12:33 PM..
# 2  
Old 12-18-2002
IP may be incorrect.

First I see what may be a discrepancy. You have 194.x.x.x defined and 195.x.x.x defined. That may be your problem right away. If not keep reading.

I recently had problems with my lan and a router in the company. I found that one of my problems was that my broadcast address was incorrect. You may need to open up that for your second IP. Something like 195.255.255.255 and your broadcast to be 255.0.0.0. or possibly move it one more octet to the right 195.111.255.255 and 255.255.0.0.

May not be it but I would check. Print your ifconfig output for each LAN card; maybe that would help as well.

Also, you should have an interface for 195.222.222.222. you may have to do a route add gateway again for this. I see you did set it up as a gateway.
# 3  
Old 12-18-2002
If the subnet mask on hme0 is correct so that 172.19.12.4 and 172.19.12.58 are in the same subnet, then the routing table looks good to me.

I don't have access to Solaris 7 box, but I have access to a Solaris 8 box. Looking at the -interface option, I think it would specify that the address is local and an ethernet address can be obtained via arp. That is clearly not your situation.

There is some interesting language on the ifconfig man page: "IP uses an interface group to rotate source address selection when the source address is unspecified." I don't see where it says how long each source address is used, but there may be a way to induce the behavior you're seeing via complex options to the ifconfig command.

The fact that you are running a firewall on this box really introduces a wrinkle here. Firewalls do strange things with TCP/IP. Can you reproduce the problem without the firewall software?

This patch is for Solaris 8, but it claims to fix an interesting bug: "4333995 IPv4 source address should be obtained from the destination route."
# 4  
Old 12-18-2002
Quote:
I want to add a route to a machine in france (194.222.222.222). It will need to go out of interface hme0 and be routed to france via a router which sits on the internal lan (172.19.12.4) So the packets I send out should have a source address of 172.19.12.58 (hme0), which the french network understands and can route back to. I used command

route add -host 194.222.222.222 172.19.12.4
Kelam is correct about your broadcast...and I'll add that netmasks can mess you up too.

As far as the command you have - you don't specify going out hme0. Since you don't, it takes the default route (from qfe0). Your snoop shows that the ping is going from
Quote:
12:42:28.54070 195.111.222.178 -> 194.222.222.222 ICMP Echo request
(even though you snooped hme0...that part is confusing me)

I believe one of the following will work (although your netmask and broadcast can still mess you up):
route add 194.222.222.222 172.19.12.58 0
OR
route add net 194.222.222.0 172.19.12.58 0
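A worked model of what this thread is arguing about, added here as an example; it is not code from any of the posters and the function and table names are mine. It encodes the netstat -rn table from post #1 with netmasks assumed (Solaris 7 netstat -rn does not print them; 195.111.222.176/29 and 172.19.8.0/21 are chosen so the posted rows are self-consistent), does a longest-prefix lookup, resolves a route whose Interface column is blank through the route to its gateway, and returns the source address a stack should then pick, which is what the Sun bug 4333995 quoted in reply #3 is about. It also models reply #4's metric-0 interface-route suggestion and shows the price of it: with no G flag the next hop is the destination itself, so hme0 would ARP for 194.222.222.222 on the LAN rather than hand the packet to 172.19.12.4. The kernel_source_for helper is the check to run on any host before reaching for snoop: connect() on a UDP socket does only the route lookup and sends nothing.

```python
"""Route lookup and source-address selection, modelled on the netstat -rn
excerpt in post #1.  Added example for this thread, not any poster's code.
Netmasks are assumptions (Solaris 7 netstat -rn omits them)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network    # destination prefix
    gateway: ipaddress.IPv4Address    # "Gateway" column
    flags: str                        # "Flags" column: U up, G gateway, H host
    interface: Optional[str]          # "Interface" column; None where it was blank


# Interface addresses as given in post #1 (constructed sample data).
IFACE_ADDR = {
    "qfe0": "195.111.222.178",
    "hme0": "172.19.12.58",
    "lo0": "127.0.0.1",
}


def _r(net, gw, flags, ifname=None):
    return Route(ipaddress.IPv4Network(net), ipaddress.IPv4Address(gw), flags, ifname)


# The posted table.  /29 and /21 are assumed masks; the 224.0.0.0 row is omitted.
POSTED_TABLE = [
    _r("194.222.222.222/32", "172.19.12.4", "UGH"),            # OP's host route, blank Interface
    _r("195.111.222.176/29", "195.111.222.178", "U", "qfe0"),
    _r("172.19.8.0/21", "172.19.12.58", "U", "hme0"),
    _r("0.0.0.0/0", "195.111.222.177", "UG"),                  # default, blank Interface
    _r("127.0.0.1/32", "127.0.0.1", "UH", "lo0"),
]

# Reply #4's alternative, modelled as an interface route: no G flag, hme0 attached.
REPLY4_TABLE = [_r("194.222.222.222/32", "172.19.12.58", "UH", "hme0")] + POSTED_TABLE[1:]


def lookup(dest, table):
    """Longest-prefix match: the most specific route containing dest wins."""
    dest = ipaddress.IPv4Address(dest)
    matches = [r for r in table if dest in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def next_hop(dest, table):
    """Address the packet is handed to on the wire (and therefore ARPed for):
    the gateway for a G route, the destination itself for an interface route."""
    route = lookup(dest, table)
    if route is None:
        return None
    return str(route.gateway) if "G" in route.flags else str(ipaddress.IPv4Address(dest))


def egress_interface(dest, table, _depth=0):
    """Interface a packet to dest leaves through.  A route whose Interface
    column is blank is resolved through the route that reaches its gateway."""
    route = lookup(dest, table)
    if route is None or _depth > 8:          # depth guard against looping gateways
        return None
    if route.interface:
        return route.interface
    if "G" not in route.flags:
        return None
    return egress_interface(str(route.gateway), table, _depth + 1)


def source_address(dest, table, iface_addr=IFACE_ADDR):
    """Source address a stack should choose when the application leaves it
    unspecified: the address of the egress interface.  The OP's snoop shows
    his box picking qfe0's address for a packet leaving hme0 instead."""
    return iface_addr.get(egress_interface(dest, table))


def kernel_source_for(dest, port=33434):
    """Ask the running kernel what it would pick for dest without sending
    anything: UDP connect() only performs the route lookup."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    d = "194.222.222.222"
    for name, table in (("posted table", POSTED_TABLE), ("reply #4 route", REPLY4_TABLE)):
        print(f"{name}: out {egress_interface(d, table)}, src {source_address(d, table)}, "
              f"next hop {next_hop(d, table)}")
    print("this host reaches 127.0.0.1 from", kernel_source_for("127.0.0.1"))
```

With the posted table the model leaves via hme0 with source 172.19.12.58 and next hop 172.19.12.4, i.e. what the OP expected; with reply #4's route the source is the same but the next hop becomes 194.222.222.222 itself, which only works if the router at 172.19.12.4 answers ARP for it.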