Manual IP Routes Getting Disabled (by Network Manager?)












1















I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.



On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.



However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via



root@debian$ route -v 
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1

root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1

root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.1.0 router 255.255.255.0 UG 1 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1


At this point, I can successfully connect to a HTTP host on the other virtual LAN:



root@debian$ telnet 192.168.1.24 80
Trying 192.168.1.24...
Connected to 192.168.1.24.
Escape character is '^]'.


I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:



Trying 192.168.1.24...
telnet: Unable to connect to remote host: No route to host


The route -v still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?



I have seen this related question, and tried all three current answers, none of which worked for me.



I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.



Update



Per questions below, iptables shows:



root@debian$ iptables -vnL
Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)
pkts bytes target prot opt in out source destination
2490 184K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
13 1016 REJECT all -- * * 154.8.139.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.99.122.172 0.0.0.0/0 reject-with icmp-port-unreachable
2477 183K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0


None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.



ip addr on the debian host shows:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever


Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.










share|improve this question

























  • Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

    – grawity
    Dec 27 '18 at 10:23











  • @grawity, thanks for the tip. Replaced ifconfig output in edit above.

    – Nate
    Jan 4 at 1:06
















1















I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.



On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.



However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via



root@debian$ route -v 
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1

root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1

root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.1.0 router 255.255.255.0 UG 1 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1


At this point, I can successfully connect to a HTTP host on the other virtual LAN:



root@debian$ telnet 192.168.1.24 80
Trying 192.168.1.24...
Connected to 192.168.1.24.
Escape character is '^]'.


I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:



Trying 192.168.1.24...
telnet: Unable to connect to remote host: No route to host


The route -v still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?



I have seen this related question, and tried all three current answers, none of which worked for me.



I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.



Update



Per questions below, iptables shows:



root@debian$ iptables -vnL
Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)
pkts bytes target prot opt in out source destination
2490 184K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
13 1016 REJECT all -- * * 154.8.139.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.99.122.172 0.0.0.0/0 reject-with icmp-port-unreachable
2477 183K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0


None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.



ip addr on the debian host shows:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever


Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.










share|improve this question

























  • Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

    – grawity
    Dec 27 '18 at 10:23











  • @grawity, thanks for the tip. Replaced ifconfig output in edit above.

    – Nate
    Jan 4 at 1:06














1












1








1








I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.



On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.



However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via



root@debian$ route -v 
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1

root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1

root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.1.0 router 255.255.255.0 UG 1 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1


At this point, I can successfully connect to a HTTP host on the other virtual LAN:



root@debian$ telnet 192.168.1.24 80
Trying 192.168.1.24...
Connected to 192.168.1.24.
Escape character is '^]'.


I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:



Trying 192.168.1.24...
telnet: Unable to connect to remote host: No route to host


The route -v still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?



I have seen this related question, and tried all three current answers, none of which worked for me.



I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.



Update



Per questions below, iptables shows:



root@debian$ iptables -vnL
Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)
pkts bytes target prot opt in out source destination
2490 184K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
13 1016 REJECT all -- * * 154.8.139.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.99.122.172 0.0.0.0/0 reject-with icmp-port-unreachable
2477 183K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0


None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.



ip addr on the debian host shows:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever


Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.










share|improve this question
















I have a situation with a Debian Jessie server where I am manually creating an IP route, and after the first time I use it, it stops working.



On my network, I have 192.168.2.0/24 and 192.168.1.0/24 subnets which are mostly isolated. However, in my Cisco RV325 router, I allow an exception for 192.168.2.* traffic to 192.168.1.* hosts (but not vice versa). This works fine for all other clients (MacOS, Win10) on my 192.168.2.* subnet, without additional configuration.



However, on my 192.168.2.* Debian server, I cannot reach 192.168.1.* hosts. So, I tried manually adding a route (on the Debian box) via



root@debian$ route -v 
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1

root@debian$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 metric 1

root@debian$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router 0.0.0.0 UG 1024 0 0 eth1
192.168.1.0 router 255.255.255.0 UG 1 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1


At this point, I can successfully connect to a HTTP host on the other virtual LAN:



root@debian$ telnet 192.168.1.24 80
Trying 192.168.1.24...
Connected to 192.168.1.24.
Escape character is '^]'.


I can manually ask for a webpage, for example, and the content gets returned. The connection is then closed, and any subsequent attempt fails:



Trying 192.168.1.24...
telnet: Unable to connect to remote host: No route to host


The route -v still shows the route I added, but it's essentially unusable. What is going wrong here? Is some other piece of software likely actively shutting down what it thinks are illegitimate routes?



I have seen this related question, and tried all three current answers, none of which worked for me.



I tried disabling Network Manager altogether, but that broke my default route, which is a much more serious problem. So, I am posing this question as "how to add a route to another subnet on a system with Network Manager"? Manually, or automatically on boot, are both fine.



Update



Per questions below, iptables shows:



root@debian$ iptables -vnL
Chain INPUT (policy ACCEPT 5376 packets, 1052K bytes)
pkts bytes target prot opt in out source destination
2490 184K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3041 packets, 1187K bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
13 1016 REJECT all -- * * 154.8.139.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.99.122.172 0.0.0.0/0 reject-with icmp-port-unreachable
2477 183K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0


None of those IPs seem relevant. Before posing the question, I did try disabling the fail2ban service, with no effect.



ip addr on the debian host shows:



1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:26:55:db:36:fa brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:26:55:db:36:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.2.34/24 brd 192.168.2.255 scope global eth1
valid_lft forever preferred_lft forever


Note: I do have a second NIC (eth2) on the machine, but it's unplugged and DOWN. Not present in routing table.







debian routing debian-jessie networkmanager






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 4 at 1:05







Nate

















asked Dec 27 '18 at 1:51









NateNate

17415




17415













  • Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

    – grawity
    Dec 27 '18 at 10:23











  • @grawity, thanks for the tip. Replaced ifconfig output in edit above.

    – Nate
    Jan 4 at 1:06



















  • Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

    – grawity
    Dec 27 '18 at 10:23











  • @grawity, thanks for the tip. Replaced ifconfig output in edit above.

    – Nate
    Jan 4 at 1:06

















Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

– grawity
Dec 27 '18 at 10:23





Please use ip addr and ip route on Linux instead of the outdated route/ifconfig tools, which in many cases can be found omitting critical information.

– grawity
Dec 27 '18 at 10:23













@grawity, thanks for the tip. Replaced ifconfig output in edit above.

– Nate
Jan 4 at 1:06





@grawity, thanks for the tip. Replaced ifconfig output in edit above.

– Nate
Jan 4 at 1:06










1 Answer
1






active

oldest

votes


















1














This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)






share|improve this answer
























  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1387990%2fmanual-ip-routes-getting-disabled-by-network-manager%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)






share|improve this answer
























  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38
















1














This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)






share|improve this answer
























  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38














1












1








1







This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)






share|improve this answer













This is almost likely not a routing issue on your client - rather it is likely to be a firewall issue or issue on the server.



My guess would be incorrect routing on the server due to an incorrect netmask there (Maybe 255.255.0.0 which is fairly common), combined with reverse path filtering on the client. You can check this by, for example, disabling reverse path filtering on the client with a command like echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter - but the solution is to fix the networking on the server because the packets are not being sent back to the router. (This may also involve allowing "RELATED" traffic back in the router).



If that fails, Look at the iptables rules to see if it is being blocked there - you can see these by typing iptables -vnL. (You may want to post these for us to have a look at). It could also be related to the router, conceivably even a NAT related issue.



Generally, where possible, the next step is to do some packet sniffing to see what is leaving the computer and what is being received by the web server and vv. You can use tcpdump (in a seperate window and then make a request) with a command like



tcpdump -n -i eth1 tcp src or dst 192.168.1.24



(I note that the route command you have added is redundant - and I suspect you misunderstand its purpose. This is not the cause of your issue though. If the problem relates to Reverse path filtering, you might be able to bypass the router alltogether with a command like route add -net 192.168.1.0 netmask 255.255.255.0 eth1)







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 27 '18 at 2:32









davidgodavidgo

43.6k75291




43.6k75291













  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38



















  • I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

    – Nate
    Dec 27 '18 at 2:52











  • The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

    – Nate
    Dec 27 '18 at 2:55











  • Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

    – Nate
    Dec 27 '18 at 3:07











  • That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

    – Nate
    Dec 27 '18 at 3:23











  • Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

    – davidgo
    Dec 27 '18 at 8:38

















I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

– Nate
Dec 27 '18 at 2:52





I do get that adding the route should be redundant. The default route should pick up anything in 192.168.1.x, right? I only tried it because it wasn't working originally. Can you clarify which machine you're calling the "client"? Is it my Debian box (in 192.168.2.x)? A reason I'm skeptical that it's a problem on the 192.168.1.x server side is that, as I said, this all works fine from other 192.168.2.x hosts.

– Nate
Dec 27 '18 at 2:52













The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

– Nate
Dec 27 '18 at 2:55





The route add -net 192.168.1.0 net mask 255.255.255.0 eth1 does not work, BTW. I'll look into installing tcpdump. I'll put iptables output in an edit above ...

– Nate
Dec 27 '18 at 2:55













Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

– Nate
Dec 27 '18 at 3:07





Here are the IP settings on 192.168.1.24. Consumer device w/ built-in web server. Nothing more configurable. The router 192.168.1.1 is the same device as 192.168.2.1. These are virtual LANs.

– Nate
Dec 27 '18 at 3:07













That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

– Nate
Dec 27 '18 at 3:23





That precise tcpdump command isn't valid for me, but removing the TCP protocol filter, tcpdump -n -i eth1 src or dst 192.168.1.24 yields only this, repeating: 19:20:55.019622 ARP, Request who-has 192.168.1.24 tell 192.168.2.34, length 28. 2.34 is my Debian "client". Anyway, this is a problem at the IP layer, so I'm not sure what TCP traffic would reveal here.

– Nate
Dec 27 '18 at 3:23













Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

– davidgo
Dec 27 '18 at 8:38





Why are ARP requests being generated for an IP address on another network? What does "ifconfig" show? Is the netmask on your Debian client correctly set?

– davidgo
Dec 27 '18 at 8:38


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1387990%2fmanual-ip-routes-getting-disabled-by-network-manager%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

Origin of the phrase “under your belt”?