Two network adapters on separate networks problem


Post by mike.. » Thu, 30 Mar 2006 02:57:30



Greetings. Here's my situation: I have a PC running SuSE 9.3 that has
two NICs. One of these is configured with a static IP such as:
device: eth0
IP: 10.9.81.204
Subnet Mask: 255.255.255.192
Default Gateway: 10.9.81.193

This is an "isolated" network. By this I mean that the routers on this
network have extensive access control lists so that only certain
machines on this network can see other machines. There is no access
from this network to the public internet, (the proxy server for the
internet is blocked on this network).

My other NIC is configured to get an IP via DHCP (although I could get
a static IP if that would help). It gets an IP like:
device: eth1
IP: 10.9.16.140
Subnet Mask: 255.255.255.0
Gateway: 10.9.16.1

This network does have a connection to the public internet through a
proxy server at IP 10.22.2.100.

I can ping and ssh to machines on both networks. Machines on both
networks can see me, even my samba shares. But, I cannot get to the
public internet from my machine, it seems that my connection to the
proxy server is blocked. I suspect it is because my default gateway is
going through eth0 onto the private network. If I remove the default
gateway entry, then I can get to the public internet, but I lose the
connection I have to machines on the "isolated" network.

Is there some sort of solution that will allow me to have my default
network traffic go to the eth1 adapter configured via DHCP, and still
allow traffic to go through eth0 for the isolated network. Note that
there are about 35 machines I need to connect to on the isolated
network. They have IP's in the 10.9.##. domains, where ## is 52-69. So,
maybe I could use a bunch of route statements to forward traffic to
these machines through the gateway of eth0? Or, maybe I just need to
use a route command to direct the proxy out eth1? I'm kind of at a loss
here, this sort of networking is not my strong suit.

Any help here is greatly appreciated! Thanks!

 
 
 


Post by Allen McIntos » Thu, 30 Mar 2006 03:36:02



> Greetings. Here's my situation: I have a PC running SuSE 9.3 that has
> two NICs. One of these is configured with a static IP such as:
> device: eth0
> IP: 10.9.81.204
> Subnet Mask: 255.255.255.192
> Default Gateway: 10.9.81.193

You don't want to do this, since  10.9.81.193 is not the gateway to the
outside world.

> This is an "isolated" network. By this I mean that the routers on this
> network have extensive access control lists so that only certain
> machines on this network can see other machines. There is no access
> from this network to the public internet, (the proxy server for the
> internet is blocked on this network).

> My other NIC is configured to get an IP via DHCP (although I could get
> a static IP if that would help). It gets an IP like:
> device: eth1
> IP: 10.9.16.140
> Subnet Mask: 255.255.255.0
> Gateway: 10.9.16.1

> This network does have a connection to the public internet through a
> proxy server at IP 10.22.2.100.

Is this a gateway (forwards traffic) or just a proxy server for http/ftp?


> I can ping and ssh to machines on both networks. Machines on both
> networks can see me, even my samba shares. But, I cannot get to the
> public internet from my machine, it seems that my connection to the
> proxy server is blocked. I suspect it is because my default gateway is
> going through eth0 onto the private network.

You should post the output of "route -n" so we can see what is going on.

> If I remove the default
> gateway entry, then I can get to the public internet, but I lose the
> connection I have to machines on the "isolated" network.

> Is there some sort of solution that will allow me to have my default
> network traffic go to the eth1 adapter configured via DHCP, and still
> allow traffic to go through eth0 for the isolated network. Note that
> there are about 35 machines I need to connect to on the isolated
> network. They have IP's in the 10.9.##. domains, where ## is 52-69. So,
> maybe I could use a bunch of route statements to forward traffic to
> these machines through the gateway of eth0?

At a guess, you need to make 10.9.16.1 the default gateway (this may
happen automagically) and 10.9.81.193 the gateway for 10.9.52.0 through
10.9.69.255 using some static routing entries.  Off the top of my head
you should be able to do this with 4 table entries.

> Or, maybe I just need to
> use a route command to direct the proxy out eth1?

In your shoes I'd try to direct as much traffic as possible out eth1.

 
 
 


Post by mike.. » Thu, 30 Mar 2006 04:02:15


Thanks for the quick reply Allen. I did figure out that using
10.9.81.193 as my default gateway was bad, and that having 2 gateways
was also bad. So, I removed that entry, and I think my default gateway
is now automagically set to that which I get from DHCP.

Soo... I made a perl script to parse my /etc/hosts file and get the
IP's of the machines on the isolated network I need access to. For each
of these $ip addresses I have the script execute:
/sbin/route -v add -host $ip eth0

Now I have access to all of the machines I need on the isolated
network, and public internet works too. So, I seem to have what I
wanted. Is this really the correct or proper way to do this?  One
question I have, is why didn't it need me to tell it that the gateway
for those routes on eth0 was 10.9.81.193? I also need to figure out how
to make those route commands persist, or run the script after bootup,
which isn't a big deal..

Here is a snippet of output of route -n. I've snipped out a bunch of
lines that are similar to the first 2, and are the IP's of the other 30
or so systems on the isolated network. Does anything here look like it
will cause me any problems?

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.71.196     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.9.69.196     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.9.16.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.9.16.1       0.0.0.0         UG    0      0        0 eth1

Thanks!

 
 
 


Post by Allen McIntos » Thu, 30 Mar 2006 05:01:01



> Thanks for the quick reply Allen. I did figure out that using
> 10.9.81.193 as my default gateway was bad, and that having 2 gateways
> was also bad.

2 gateways isn't bad unless both are default gateways.

> So, I removed that entry, and I think my default gateway
> is now automagically set to that which I get from DHCP.

Looks like it, based on the routing table you appended.

> Soo... I made a perl script to parse my /etc/hosts file and get the
> IP's of the machines on the isolated network I need access to. For each
> of these $ip addresses I have the script execute:
> /sbin/route -v add -host $ip eth0

One host at a time is a bit ugly, but if it works...
Are you sure all those hosts are directly connected to the network
attached to eth0 and hence do not need a gateway?  (Maybe something is
proxy ARPing for them??)  Did you try pinging or otherwise contacting
all of them?  If you can contact them directly without a gateway, this
doesn't match the original netmask you gave us.


> Now I have access to all of the machines I need on the isolated
> network, and public internet works too. So, I seem to have what I
> wanted. Is this really the correct or proper way to do this?  One
> question I have, is why didn't it need me to tell it that the gateway
> for those routes on eth0 was 10.9.81.193?

Depends on whether they are directly connected or not.  See previous
comment.

> I also need to figure out how
> to make those route commands persist, or run the script after bootup,
> which isn't a big deal..

You can make the commands persist, but the details depend on the
distribution you are using.  In your shoes I would probably find the GUI
tool for adding static routes, add one, figure out what file was
changed, and then run the awk script.

> Here is a snippet of output of route -n. I've snipped out a bunch of
> lines that are similar to the first 2, and are the IP's of the other 30
> or so systems on the isolated network. Does anything here look like it
> will cause me any problems?

You seem to have snipped out the entry for the network attached to eth0
(169.254.0.0 doesn't count).

> Kernel IP routing table
> Destination Gateway    Genmask         Flags Metric Ref Use Iface
> 10.9.71.196 0.0.0.0    255.255.255.255 UH    0      0     0 eth0
> 10.9.69.196 0.0.0.0    255.255.255.255 UH    0      0     0 eth0
> 10.9.16.0   0.0.0.0    255.255.255.0   U     0      0     0 eth1
> 169.254.0.0 0.0.0.0    255.255.0.0     U     0      0     0 eth0
> 127.0.0.0   0.0.0.0    255.0.0.0       U     0      0     0 lo
> 0.0.0.0     10.9.16.1  0.0.0.0         UG    0      0     0 eth1

 
 
 


Post by mike.. » Thu, 30 Mar 2006 23:10:08


> Are you sure all those hosts are directly connected to the network
> attached to eth0 and hence do not need a gateway?  (Maybe something is
> proxy ARPing for them??)  Did you try pinging or otherwise contacting
> all of them?  If you can contact them directly without a gateway, this
> doesn't match the original netmask you gave us.

I think each system is connected to a local switch with several other
local devices, and then this switch is connected back to a central
large switch/router that implements the access control lists, vlans,
etc. I'm not too clear of the exact topology truthfully. But, I can
connect to all of the rooms, which did actually surprise me, so
something out there is making it work. Just in case, I changed the
route command to specify the gw 10.9.81.193 for these routes:

/sbin/route -v add -host $ip gw 10.9.81.193 eth0

Is there a way to tell eth0 to use the gateway 10.9.81.193 for all
connections? I didn't see a way to really do that with the route
command. Maybe I don't want to do that anyways, since it is working
now, why push it...

> You seem to have snipped out the entry for the network attached to eth0
> (169.254.0.0 doesn't count).

Here is what I snipped out:
10.9.81.192     0.0.0.0         255.255.255.192 U     0      0        0 eth0
 
 
 


Post by Allen McIntos » Thu, 30 Mar 2006 23:53:06


> I think each system is connected to a local switch with several other
> local devices, and then this switch is connected back to a central
> large switch/router that implements the access control lists, vlans,
> etc. I'm not too clear of the exact topology truthfully.

Can you ask your system administrator?

> But, I can
> connect to all of the rooms, which did actually surprise me, so
> something out there is making it work.

Maybe the network isn't segmented the way you think it is.

> Just in case, I changed the
> route command to specify the gw 10.9.81.193 for these routes:

> /sbin/route -v add -host $ip gw 10.9.81.193 eth0

> Is there a way to tell eth0 to use the gateway 10.9.81.193 for all
> connections?

route add -net 10.9.52.0 netmask 255.255.252.0 gw 10.9.81.193
route add -net 10.9.56.0 netmask 255.255.248.0 gw 10.9.81.193
route add -net 10.9.64.0 netmask 255.255.252.0 gw 10.9.81.193
route add -net 10.9.68.0 netmask 255.255.254.0 gw 10.9.81.193

You may need to add the interface name.

> I didn't see a way to really do that with the route
> command. Maybe I don't want to do that anyways, since it is working
> now, why push it...

Too true.

> 10.9.81.192     0.0.0.0         255.255.255.192 U     0      0        0 eth0

This says that the local network connected to eth0 consists of addresses
10.9.81.192 through 10.9.81.255.  The working direct routes you added
conflict with this statement.
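
Added example, not part of the original posts: a Python check that the range 10.9.52.0 through 10.9.69.255 collapses into exactly the four network routes given above, followed by a longest-prefix lookup showing which gateway and interface each destination would use. The function names and the address 10.9.81.200 are constructed for illustration; every other address comes from the thread.

```python
import ipaddress

GATEWAY = "10.9.81.193"  # eth0 gateway named in the thread

def summarize(first, last):
    """Smallest list of networks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def covering_routes(first, last, gateway=GATEWAY, dev="eth0"):
    """net-tools 'route add -net' commands for the summarized range."""
    return [f"route add -net {n.network_address} netmask {n.netmask} "
            f"gw {gateway} dev {dev}" for n in summarize(first, last)]

def build_table(first="10.9.52.0", last="10.9.69.255"):
    """Routes quoted in the thread plus the summarized isolated range."""
    table = [
        (ipaddress.ip_network("10.9.81.192/26"), None, "eth0"),    # on-link
        (ipaddress.ip_network("10.9.16.0/24"), None, "eth1"),      # on-link
        (ipaddress.ip_network("0.0.0.0/0"), "10.9.16.1", "eth1"),  # default
    ]
    table += [(n, GATEWAY, "eth0") for n in summarize(first, last)]
    return table

def lookup(dest, table):
    """Longest-prefix match, as the kernel does: returns (gateway, iface)."""
    addr = ipaddress.ip_address(dest)
    _, gw, dev = max((r for r in table if addr in r[0]),
                     key=lambda r: r[0].prefixlen)
    return gw, dev

if __name__ == "__main__":
    for cmd in covering_routes("10.9.52.0", "10.9.69.255"):
        print(cmd)
    table = build_table()
    # 10.9.81.200 is a constructed on-link address; the rest are from the thread.
    for dest in ("10.9.69.196", "10.9.71.196", "10.9.81.200", "10.22.2.100"):
        print(dest, "->", lookup(dest, table))
```

Note that 10.9.71.196, which appears as a host route in the posted table, lies outside the stated 52-69 range, so with only the four summary routes it would follow the default route out eth1.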
 
 
 


Post by mike.. » Fri, 31 Mar 2006 02:28:48


Thanks for all the info Allen. The sysadmins aren't very accessible to
me, they are located in a mysterious, secured, undisclosed location. From
talking to some other people that think they know something about it,
they describe it as all of the connections going back to a central IDF
cabinet, and the router segments the networks into vlans. I don't
really know what this means or implies...

But, since my stuff works, I'm not going to push it. I am going to try
and learn more about how all of this stuff works, as this has been my
first real foray into networking, and I've learned a lot doing this.

Thanks again.

 
 
 

1. Networking question regarding two offices separated by T1

Two methods:
1. Change address to 192.168.1.x (easy since using DHCP) and dump the
routing on the routers and put them in bridge mode. (horrible choice because
of WAN traffic generated - only an idiot would do it and unfortunately I've
seen a hundred networks configured this way)

2. Leave network as is. Set up SMB browsing between the networks using WINS
on NT or SAMBA. This will allow browsing all resources on both ends of the
network but segregate all traffic except direct connections to the shared
resources (excellent choice with low traffic over WAN - only one system on
each net sends periodic updates of resources to its WINS partner on the
other LAN.)

DO NOT CHANGE THE SUBNET MASK TO 255.255.0.0 on a class C address

For details on SAMBA see their site us1.samba.org
For detail on WINS see any NT Server reference

If you were brought into consult on this network you should know all the
above. It's basic ip and windows networking!!!
