Manual IP Routes Getting Disabled (by Network Manager?)
I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.
On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.
However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via
root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1
root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.1.0 router 255.255.255.0 UG 1 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
At this point, I can successfully connect to a HTTP host on the other virtual LAN:
root@debian$ telnet 192.168.1.24 80
Trying 192.168.1.24...
Connected to 192.168.1.24.
Escape character is '^]'.
I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:
Trying 192.168.1.24...
telnet: Unable to connect to remote host: No route to host
The route -v
still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?
I have seen this related question, and tried all three current answers, none of which worked for me.
I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.
Update
Per questions below, iptables shows:
root@debian$ iptables -vnL
Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)
pkts bytes target prot opt in out source destination
2490 184K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
13 1016 REJECT all -- * * 154.8.139.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.99.122.172 0.0.0.0/0 reject-with icmp-port-unreachable
2477 183K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.
ip addr
on the debian host shows:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever
Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.
debian routing debian-jessie networkmanager
add a comment |
I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.
On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.
However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via
root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1
root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.1.0 router 255.255.255.0 UG 1 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
At this point, I can successfully connect to a HTTP host on the other virtual LAN:
root@debian$ telnet 192.168.1.24 80
Trying 192.168.1.24...
Connected to 192.168.1.24.
Escape character is '^]'.
I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:
Trying 192.168.1.24...
telnet: Unable to connect to remote host: No route to host
The route -v
still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?
I have seen this related question, and tried all three current answers, none of which worked for me.
I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.
Update
Per questions below, iptables shows:
root@debian$ iptables -vnL
Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)
pkts bytes target prot opt in out source destination
2490 184K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
13 1016 REJECT all -- * * 154.8.139.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.99.122.172 0.0.0.0/0 reject-with icmp-port-unreachable
2477 183K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.
ip addr
on the debian host shows:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever
Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.
debian routing debian-jessie networkmanager
Please useip addr
andip route
on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.
– grawity
Dec 27 '18 at 10:23
@grawity, thanks for the tip. Replaced ifconfig output in edit above.
– Nate
Jan 4 at 1:06
add a comment |
I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.
On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.
However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via
root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1
root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.1.0 router 255.255.255.0 UG 1 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
At this point, I can successfully connect to a HTTP host on the other virtual LAN:
root@debian$ telnet 192.168.1.24 80
Trying 192.168.1.24...
Connected to 192.168.1.24.
Escape character is '^]'.
I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:
Trying 192.168.1.24...
telnet: Unable to connect to remote host: No route to host
The route -v
still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?
I have seen this related question, and tried all three current answers, none of which worked for me.
I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.
Update
Per questions below, iptables shows:
root@debian$ iptables -vnL
Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)
pkts bytes target prot opt in out source destination
2490 184K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
13 1016 REJECT all -- * * 154.8.139.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.99.122.172 0.0.0.0/0 reject-with icmp-port-unreachable
2477 183K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.
ip addr
on the debian host shows:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever
Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.
debian routing debian-jessie networkmanager
I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.
On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.
However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via
root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1
root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.1.0 router 255.255.255.0 UG 1 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
At this point, I can successfully connect to a HTTP host on the other virtual LAN:
root@debian$ telnet 192.168.1.24 80
Trying 192.168.1.24...
Connected to 192.168.1.24.
Escape character is '^]'.
I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:
Trying 192.168.1.24...
telnet: Unable to connect to remote host: No route to host
The route -v
still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?
I have seen this related question, and tried all three current answers, none of which worked for me.
I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.
Update
Per questions below, iptables shows:
root@debian$ iptables -vnL
Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)
pkts bytes target prot opt in out source destination
2490 184K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
13 1016 REJECT all -- * * 154.8.139.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.99.122.172 0.0.0.0/0 reject-with icmp-port-unreachable
2477 183K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.
ip addr
on the debian host shows:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever
Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.
debian routing debian-jessie networkmanager
debian routing debian-jessie networkmanager
edited Jan 4 at 1:05
Nate
asked Dec 27 '18 at 1:51
NateNate
17415
17415
Please useip addr
andip route
on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.
– grawity
Dec 27 '18 at 10:23
@grawity, thanks for the tip. Replaced ifconfig output in edit above.
– Nate
Jan 4 at 1:06
add a comment |
Please useip addr
andip route
on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.
– grawity
Dec 27 '18 at 10:23
@grawity, thanks for the tip. Replaced ifconfig output in edit above.
– Nate
Jan 4 at 1:06
Please use
ip addr
and ip route
on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.– grawity
Dec 27 '18 at 10:23
Please use
ip addr
and ip route
on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.– grawity
Dec 27 '18 at 10:23
@grawity, thanks for the tip. Replaced ifconfig output in edit above.
– Nate
Jan 4 at 1:06
@grawity, thanks for the tip. Replaced ifconfig output in edit above.
– Nate
Jan 4 at 1:06
add a comment |
1 Answer
1
active
oldest
votes
This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.
My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).
If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.
Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like
tcpdump -n -i eth1 tcp src or dst 192.168.1.24
(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)
I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.
– Nate
Dec 27 '18 at 2:52
Theroute add -net 192.168.1.0 net mask 255.255.255.0 eth1
does not work, BTW. I'll look into installing tcpdump. I'll putiptables
output in an edit above ...
– Nate
Dec 27 '18 at 2:55
Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.
– Nate
Dec 27 '18 at 3:07
That precise tcpdump command isn't valid for me, but removing the TCP protocol filter,tcpdump -n -i eth1 src or dst 192.168.1.24
yields only this, repeating:19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28
. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.
– Nate
Dec 27 '18 at 3:23
Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?
– davidgo
Dec 27 '18 at 8:38
|
show 1 more comment
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1387990%2fmanual-ip-routes-getting-disabled-by-network-manager%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.
My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).
If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.
Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like
tcpdump -n -i eth1 tcp src or dst 192.168.1.24
(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)
I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.
– Nate
Dec 27 '18 at 2:52
Theroute add -net 192.168.1.0 net mask 255.255.255.0 eth1
does not work, BTW. I'll look into installing tcpdump. I'll putiptables
output in an edit above ...
– Nate
Dec 27 '18 at 2:55
Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.
– Nate
Dec 27 '18 at 3:07
That precise tcpdump command isn't valid for me, but removing the TCP protocol filter,tcpdump -n -i eth1 src or dst 192.168.1.24
yields only this, repeating:19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28
. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.
– Nate
Dec 27 '18 at 3:23
Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?
– davidgo
Dec 27 '18 at 8:38
|
show 1 more comment
This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.
My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).
If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.
Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like
tcpdump -n -i eth1 tcp src or dst 192.168.1.24
(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)
I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.
– Nate
Dec 27 '18 at 2:52
Theroute add -net 192.168.1.0 net mask 255.255.255.0 eth1
does not work, BTW. I'll look into installing tcpdump. I'll putiptables
output in an edit above ...
– Nate
Dec 27 '18 at 2:55
Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.
– Nate
Dec 27 '18 at 3:07
That precise tcpdump command isn't valid for me, but removing the TCP protocol filter,tcpdump -n -i eth1 src or dst 192.168.1.24
yields only this, repeating:19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28
. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.
– Nate
Dec 27 '18 at 3:23
Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?
– davidgo
Dec 27 '18 at 8:38
|
show 1 more comment
This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.
My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).
If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.
Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like
tcpdump -n -i eth1 tcp src or dst 192.168.1.24
(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)
This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.
My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).
If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.
Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like
tcpdump -n -i eth1 tcp src or dst 192.168.1.24
(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)
answered Dec 27 '18 at 2:32
davidgodavidgo
43.6k75291
43.6k75291
I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.
– Nate
Dec 27 '18 at 2:52
Theroute add -net 192.168.1.0 net mask 255.255.255.0 eth1
does not work, BTW. I'll look into installing tcpdump. I'll putiptables
output in an edit above ...
– Nate
Dec 27 '18 at 2:55
Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.
– Nate
Dec 27 '18 at 3:07
That precise tcpdump command isn't valid for me, but removing the TCP protocol filter,tcpdump -n -i eth1 src or dst 192.168.1.24
yields only this, repeating:19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28
. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.
– Nate
Dec 27 '18 at 3:23
Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?
– davidgo
Dec 27 '18 at 8:38
|
show 1 more comment
I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.
– Nate
Dec 27 '18 at 2:52
Theroute add -net 192.168.1.0 net mask 255.255.255.0 eth1
does not work, BTW. I'll look into installing tcpdump. I'll putiptables
output in an edit above ...
– Nate
Dec 27 '18 at 2:55
Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.
– Nate
Dec 27 '18 at 3:07
That precise tcpdump command isn't valid for me, but removing the TCP protocol filter,tcpdump -n -i eth1 src or dst 192.168.1.24
yields only this, repeating:19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28
. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.
– Nate
Dec 27 '18 at 3:23
Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?
– davidgo
Dec 27 '18 at 8:38
I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.
– Nate
Dec 27 '18 at 2:52
I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.
– Nate
Dec 27 '18 at 2:52
The
route add -net 192.168.1.0 net mask 255.255.255.0 eth1
does not work, BTW. I'll look into installing tcpdump. I'll put iptables
output in an edit above ...– Nate
Dec 27 '18 at 2:55
The
route add -net 192.168.1.0 net mask 255.255.255.0 eth1
does not work, BTW. I'll look into installing tcpdump. I'll put iptables
output in an edit above ...– Nate
Dec 27 '18 at 2:55
Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.
– Nate
Dec 27 '18 at 3:07
Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.
– Nate
Dec 27 '18 at 3:07
That precise tcpdump command isn't valid for me, but removing the TCP protocol filter,
tcpdump -n -i eth1 src or dst 192.168.1.24
yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28
. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.– Nate
Dec 27 '18 at 3:23
That precise tcpdump command isn't valid for me, but removing the TCP protocol filter,
tcpdump -n -i eth1 src or dst 192.168.1.24
yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28
. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.– Nate
Dec 27 '18 at 3:23
Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?
– davidgo
Dec 27 '18 at 8:38
Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?
– davidgo
Dec 27 '18 at 8:38
|
show 1 more comment
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1387990%2fmanual-ip-routes-getting-disabled-by-network-manager%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Please use
ip addr
andip route
on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.– grawity
Dec 27 '18 at 10:23
@grawity, thanks for the tip. Replaced ifconfig output in edit above.
– Nate
Jan 4 at 1:06