Manual IP Routes Getting Disabled (by Network Manager?)












1















I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.



On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.



However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via



root@debian$ route -v 

Kernel IP routing table 

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 

default         router          0.0.0.0         UG    1024   0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1



root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1



root@debian$ route -v

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         router          0.0.0.0         UG    1024   0        0 eth1

192.168.1.0     router          255.255.255.0   UG    1      0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1


At this point, I can successfully connect to a HTTP host on the other virtual LAN:



root@debian$ telnet 192.168.1.24 80

Trying 192.168.1.24...

Connected to 192.168.1.24.

Escape character is '^]'.


I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:



Trying 192.168.1.24...

telnet: Unable to connect to remote host: No route to host


The route -v still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?



I have seen this related question, and tried all three current answers, none of which worked for me.



I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.



Update



Per questions below, iptables shows:



root@debian$ iptables -vnL

Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)

 pkts bytes target     prot opt in     out     source               destination         

 2490  184K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain fail2ban-ssh (1 references)

 pkts bytes target     prot opt in     out     source               destination         

   13  1016 REJECT     all  --  *      *       154.8.139.43         0.0.0.0/0            reject-with icmp-port-unreachable

    0     0 REJECT     all  --  *      *       192.99.122.172       0.0.0.0/0            reject-with icmp-port-unreachable

 2477  183K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0


None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.



ip addr on the debian host shows:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000

    link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff

    inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1

       valid_lft forever preferred_lft forever


Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.






debian routing debian-jessie networkmanager







share|improve this question

























  • Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

    – grawity
    Dec 27 '18 at 10:23











  • @grawity, thanks for the tip. Replaced ifconfig output in edit above.

    – Nate
    Jan 4 at 1:06
















1















I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.



On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.



However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via



root@debian$ route -v 

Kernel IP routing table 

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 

default         router          0.0.0.0         UG    1024   0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1



root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1



root@debian$ route -v

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         router          0.0.0.0         UG    1024   0        0 eth1

192.168.1.0     router          255.255.255.0   UG    1      0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1


At this point, I can successfully connect to a HTTP host on the other virtual LAN:



root@debian$ telnet 192.168.1.24 80

Trying 192.168.1.24...

Connected to 192.168.1.24.

Escape character is '^]'.


I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:



Trying 192.168.1.24...

telnet: Unable to connect to remote host: No route to host


The route -v still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?



I have seen this related question, and tried all three current answers, none of which worked for me.



I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.



Update



Per questions below, iptables shows:



root@debian$ iptables -vnL

Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)

 pkts bytes target     prot opt in     out     source               destination         

 2490  184K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain fail2ban-ssh (1 references)

 pkts bytes target     prot opt in     out     source               destination         

   13  1016 REJECT     all  --  *      *       154.8.139.43         0.0.0.0/0            reject-with icmp-port-unreachable

    0     0 REJECT     all  --  *      *       192.99.122.172       0.0.0.0/0            reject-with icmp-port-unreachable

 2477  183K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0


None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.



ip addr on the debian host shows:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000

    link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff

    inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1

       valid_lft forever preferred_lft forever


Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.






debian routing debian-jessie networkmanager







share|improve this question

























  • Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

    – grawity
    Dec 27 '18 at 10:23











  • @grawity, thanks for the tip. Replaced ifconfig output in edit above.

    – Nate
    Jan 4 at 1:06














1












1








1








I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.



On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.



However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via



root@debian$ route -v 

Kernel IP routing table 

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 

default         router          0.0.0.0         UG    1024   0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1



root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1



root@debian$ route -v

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         router          0.0.0.0         UG    1024   0        0 eth1

192.168.1.0     router          255.255.255.0   UG    1      0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1


At this point, I can successfully connect to a HTTP host on the other virtual LAN:



root@debian$ telnet 192.168.1.24 80

Trying 192.168.1.24...

Connected to 192.168.1.24.

Escape character is '^]'.


I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:



Trying 192.168.1.24...

telnet: Unable to connect to remote host: No route to host


The route -v still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?



I have seen this related question, and tried all three current answers, none of which worked for me.



I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.



Update



Per questions below, iptables shows:



root@debian$ iptables -vnL

Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)

 pkts bytes target     prot opt in     out     source               destination         

 2490  184K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain fail2ban-ssh (1 references)

 pkts bytes target     prot opt in     out     source               destination         

   13  1016 REJECT     all  --  *      *       154.8.139.43         0.0.0.0/0            reject-with icmp-port-unreachable

    0     0 REJECT     all  --  *      *       192.99.122.172       0.0.0.0/0            reject-with icmp-port-unreachable

 2477  183K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0


None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.



ip addr on the debian host shows:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000

    link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff

    inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1

       valid_lft forever preferred_lft forever


Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.






debian routing debian-jessie networkmanager







share|improve this question
















I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.



On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.



However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via



root@debian$ route -v 

Kernel IP routing table 

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 

default         router          0.0.0.0         UG    1024   0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1



root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1



root@debian$ route -v

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

default         router          0.0.0.0         UG    1024   0        0 eth1

192.168.1.0     router          255.255.255.0   UG    1      0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1


At this point, I can successfully connect to a HTTP host on the other virtual LAN:



root@debian$ telnet 192.168.1.24 80

Trying 192.168.1.24...

Connected to 192.168.1.24.

Escape character is '^]'.


I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:



Trying 192.168.1.24...

telnet: Unable to connect to remote host: No route to host


The route -v still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?



I have seen this related question, and tried all three current answers, none of which worked for me.



I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.



Update



Per questions below, iptables shows:



root@debian$ iptables -vnL

Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)

 pkts bytes target     prot opt in     out     source               destination         

 2490  184K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain fail2ban-ssh (1 references)

 pkts bytes target     prot opt in     out     source               destination         

   13  1016 REJECT     all  --  *      *       154.8.139.43         0.0.0.0/0            reject-with icmp-port-unreachable

    0     0 REJECT     all  --  *      *       192.99.122.172       0.0.0.0/0            reject-with icmp-port-unreachable

 2477  183K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0


None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.



ip addr on the debian host shows:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000

    link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff

    inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1

       valid_lft forever preferred_lft forever


Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.






debian routing debian-jessie networkmanager




debian routing debian-jessie networkmanager






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 4 at 1:05







Nate

















asked Dec 27 '18 at 1:51









NateNate

17415




17415













  • Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

    – grawity
    Dec 27 '18 at 10:23











  • @grawity, thanks for the tip. Replaced ifconfig output in edit above.

    – Nate
    Jan 4 at 1:06



















  • Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

    – grawity
    Dec 27 '18 at 10:23











  • @grawity, thanks for the tip. Replaced ifconfig output in edit above.

    – Nate
    Jan 4 at 1:06

















Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

– grawity
Dec 27 '18 at 10:23





Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

– grawity
Dec 27 '18 at 10:23













@grawity, thanks for the tip. Replaced ifconfig output in edit above.

– Nate
Jan 4 at 1:06





@grawity, thanks for the tip. Replaced ifconfig output in edit above.

– Nate
Jan 4 at 1:06










1 Answer
1






active

oldest

votes


















1














This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)






share|improve this answer
























  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1387990%2fmanual-ip-routes-getting-disabled-by-network-manager%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)






share|improve this answer
























  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38
















1














This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)






share|improve this answer
























  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38














1












1








1







This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)






share|improve this answer













This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 27 '18 at 2:32









davidgodavidgo

43.6k75291




43.6k75291













  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38



















  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38

















I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

– Nate
Dec 27 '18 at 2:52





I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

– Nate
Dec 27 '18 at 2:52













The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

– Nate
Dec 27 '18 at 2:55





The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

– Nate
Dec 27 '18 at 2:55













Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

– Nate
Dec 27 '18 at 3:07





Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

– Nate
Dec 27 '18 at 3:07













That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

– Nate
Dec 27 '18 at 3:23





That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

– Nate
Dec 27 '18 at 3:23













Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

– davidgo
Dec 27 '18 at 8:38





Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

– davidgo
Dec 27 '18 at 8:38


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1387990%2fmanual-ip-routes-getting-disabled-by-network-manager%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

If I really need a card on my start hand, how many mulligans make sense? [duplicate]

Image
5 This question already has an answer here: How do you calculate the likelihood of drawing certain cards in your opening hand? 3 answers There is a funny modern deck where you play Treasure Hunt, but you really need to have it on the starting hand. How many mulligans should I take, if my deck contains 60 cards and contains 4 copies of Treasure Hunt? magic-the-gathering probability share | improve this question asked Nov 23 '18 at 12:12 dan dan 152 4
Read more

Alcedinidae

Image
Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
Read more

Can an atomic nucleus contain both particles and antiparticles? [duplicate]

Image
9 $begingroup$ This question already has an answer here: What happens if we put together a proton and an antineutron? 2 answers Is it theoretically possible to make a "deuterium" atom containing a proton and an antineutron in its nucleus? Would the strong nuclear force cause attraction between a proton and an antineutron? Would such a nucleus be stable, or would the proton somehow annihilate the antineutron when close enough? nuclear-physics antimatter share | cite | improve this question asked yesterday
Read more