routing question

[dwater]

Hi,

I would like to use the en0 and en1 on my PowerBook G4/800 DVI running OS X 10.1.5 at the same time.

One of the ports is connected to the internet via various switches etc, and the other is connected to the intranet at work via various pieces of h/w.

The ports work fine individually, but the routing doesn't work properly when I enable them both.

I would like accesses to internet address and addresses on our local lan to go via en0, and all work related addresses to go via en1.

Obviously, despite firewalls etc, I need to make sure that my PowerBook doesn't route external traffic from one port to the other (in either direction), but simply knows which port to go to for which addresses.

Can anyone guide me on what 'route' commands I need to add and what 'netstat -rn' should look like?

Thanks.

Max.

 

[Camelot]

You don't need any routing commands or tweaks to use both NICs simultaneously as long as each NIC is on a different subnet.

Just make sure you only have a default gateway address assigned for the 'public' interface, and NO default gateway address set for the intranet NIC.

The system will automatically route intranet traffic over the intranet link and all other traffic over the public link (since that's the only one that has a default gateway set).

 

[lethe]

i agree with camelot. default gateway is where your external traffic will go. now to ensure that work related traffic goes on en1, you have to figure out the network number(s) of your work subnet, and give en1 an IP address on that subnet.

so give en0 an IP address like 192.168.0.10. maybe you have dhcp on your network, so you can let its IP get set that way.

according to route man pages:

If the destination is directly reachable via an interface requiring no
intermediary system to act as a gateway, the -interface modifier should
be specified; the gateway given is the address of this host on the common
network, indicating the interface to be used for transmission.

so i think you use this command to specify an interface (here i assume that your in office subnet is 10.0.0.0, and the network with your gateway for external traffic is 192.168.0.0):

# route add 10.0.1.1 -interface en1

you can view your routing table with netstat -nr. the output of that command is fairly self-explanatory.

now i m not sure if you can specify a whole subnet in there, or if it has to be a host. the man pages have me believing that it is the latter case. if so, then you would have to specify every host on your in office subnet. depending on the size and stasis of your network, this might or might not be practical. it seemed to work for me, when i specified a network number, rather than a host IP number, but having only one network, i can t really verify. then it looks like this:

# route add 10.0.0.0 -interface en1

one more point. if your external subnet and internal subnet are in fact the same subnet, having the same network number, then the latter trick would certainly not work, because it would be directing traffic that is headed to your external gateway out en1 (if you also have a default gateway specified on en0, then your routing table would be ambiguous. i don t know what would happen in that case), which is exactly what you don t want. the former trick should still work, because you are specifying the interface to use on a host by host basis. you will just make sure not to include the external gateway in the list of in office internal hosts which will be routed out en1.

 

[dwater]

Thanks very much for trying to help me.

I've been playing with this some more, so let me tell you the latest.

This is the routing table when it is working via the intranet :

Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 134.15.18.121 UGSc 3 78 en1
127.0.0.1 127.0.0.1 UH 8 3057 lo0
134.15.18.120/29 link#3 UC 0 0 en1
134.15.18.121 0:5:31:a0:2f:9e UHLW 2 0 en1 1159
134.15.18.124 127.0.0.1 UHS 0 0 lo0

And this is what it is like when it is working via the internet :

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 0 0 en0
127.0.0.1 127.0.0.1 UH 8 3694 lo0
192.168.1 link#2 UC 0 0 en0
192.168.1.1 link#2 UHLW 1 0 en0
192.168.1.101 127.0.0.1 UHS 0 0 lo0

And when I enable them both :

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 1 0 en0
127.0.0.1 127.0.0.1 UH 10 3836 lo0
134.15.18.120/29 link#3 UC 0 0 en1
134.15.18.124 127.0.0.1 UHS 0 0 lo0
192.168.1 link#2 UC 0 0 en0
192.168.1.1 0:4:5a:20:15:ad UHLW 2 0 en0 1191
192.168.1.101 127.0.0.1 UHS 0 0 lo0

The routing tables seem to make sense to me, but if I ping a machine on the intranet, and switch between intranet and both, it does this :

PING blighty.csd.sgi.com (130.62.73.53): 56 data bytes
64 bytes from 130.62.73.53: icmp_seq=0 ttl=246 time=70.725 ms
64 bytes from 130.62.73.53: icmp_seq=1 ttl=246 time=39.019 ms
64 bytes from 130.62.73.53: icmp_seq=2 ttl=246 time=40.15 ms
64 bytes from 130.62.73.53: icmp_seq=3 ttl=246 time=42.211 ms
64 bytes from 130.62.73.53: icmp_seq=4 ttl=246 time=39.404 ms
64 bytes from 130.62.73.53: icmp_seq=5 ttl=246 time=39.824 ms
64 bytes from 130.62.73.53: icmp_seq=6 ttl=246 time=38.554 ms
64 bytes from 130.62.73.53: icmp_seq=7 ttl=246 time=47.634 ms
ping: sendto: No route to host
ping: wrote 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 64 chars, ret=-1
64 bytes from 130.62.73.53: icmp_seq=19 ttl=246 time=42.788 ms
64 bytes from 130.62.73.53: icmp_seq=20 ttl=246 time=53.667 ms
64 bytes from 130.62.73.53: icmp_seq=21 ttl=246 time=41.832 ms
64 bytes from 130.62.73.53: icmp_seq=22 ttl=246 time=41.92 ms

How can I tell it that it needs to go to 134.15.18.121 for 130.62.73.53?

How can it tell which networks are accessible via en1 and which are via en0?

Also, what about DNS? There are different sets of DNS servers for the two networks. Perhaps I should just use the intranet ones, since they know about both intra- and internet hosts.

And, how would I set up netscape to go through en0 for internet sites, and to go through en1 for intranet sites? I guess I would have the proxy set at 'direct', since everything is now direct....

(still confused)

Max.

 

[lethe]

1. you don t need to give netscape a proxy; netscape, like any network application, will use whatever the IP protocol stack of the OS tells it to. so if ping works correctly, then so will netscape.

2. that routing table seems correct. can you post the results of a traceroute to that address from the intranet? then we will see exactly whats going on there, and hopefully explain this schizophrenic behaviour. in general, you will want to use traceroute with every setup, to make sure that your traffic is using the routes you told it to. just run 'traceroute hostname or IP'

3. this is especially important for formatted code with columns, like the output of netstat -nr. for other forms of code it is not important, but for netstat, can you put it in code brackets? that will ensure that the output stays in its columns.

 

[dwater]

Here's netstat -rn when it's working (just en1 enabled):

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            134.15.18.121      UGSc        0        0      en1
127.0.0.1          127.0.0.1          UH          9     6785      lo0
134.15.18.120/29   link#3             UC          0        0      en1
134.15.18.121      link#3             UHLW        1        0      en1
134.15.18.124      127.0.0.1          UHS         0        0      lo0
traceroute to 130.62.73.53 (130.62.73.53), 30 hops max, 40 byte packets
 1  134.15.18.121  5.888 ms  2.837 ms  2.819 ms
 2  192.48.172.10  41.341 ms  37.875 ms  35.909 ms
 3  198.149.200.129  36.288 ms  39.126 ms  37.533 ms
 4  198.149.200.1  39.139 ms  36.313 ms  46.199 ms
 5  155.11.108.126  37.35 ms  38.12 ms  38.18 ms
 6  192.48.192.1  36.222 ms  38.082 ms  36.813 ms
 7  192.48.193.13  39.19 ms  45.162 ms  48.314 ms
 8  192.132.154.1  50.009 ms  49.321 ms  38.057 ms
 9  192.132.155.77  62.244 ms  37.756 ms  37.599 ms
10  130.62.73.53  53.534 ms  38.583 ms  37.966 ms

and this is with both en1 and en0 enabled (internet works, intranet doesn't) :

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            192.168.1.1        UGSc        2        0      en0
127.0.0.1          127.0.0.1          UH          9     6939      lo0
134.15.18.120/29   link#3             UC          0        0      en1
134.15.18.124      127.0.0.1          UHS         0        0      lo0
192.168.1          link#2             UC          0        0      en0
192.168.1.1        0:4:5a:20:15:ad    UHLW        3        0      en0   1200
192.168.1.101      127.0.0.1          UHS         0        0      lo0
traceroute to 130.62.73.53 (130.62.73.53), 30 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *...

What I notice from the netstat output is the specific reference to 134.15.18.121 (the h/w gateway to the intranet) in the en1 only table, while there is no such entry in the en0+en1 table. I tried to add such an entry but couldn't replicate the 'link#1' in the Gateway column (it put a mac address in that column), the flags were UHLS (instead of UHLW), and it didn't seem to make any difference.

Any ideas?

Max.

 

[Camelot]

Are you sure your networks are setup correctly?

Your "intranet" is using a /29 network (255.255.255.248 subnet mask).

This would mean your 'intranet' consists of the IP addresses 134.15.18.120 through 134.15.18.128. Is that right?

In addition, 'intranets' usually use private class addresses whereas the block you're using is assigned to SGI.


Secondly the traceroute in your 'internet' mode doesn't show any responses which would imply your default gateway is unavailable. Can you ping the default gateway address 192.168.1.1 in internet mode?

 

[dwater]

Originally posted by Camelot
Are you sure your networks are setup correctly?

I beleive so.

Your "intranet" is using a /29 network (255.255.255.248 subnet mask).

This would mean your 'intranet' consists of the IP addresses 134.15.18.120 through 134.15.18.128. Is that right?

That's right, though 134.15.18.120 is not available, I think and ...128 is the broadcast, so in this subnet of the intranet, 134.15.18.121 (the router/gateway) to 134.15.18.127 are the addressed available.

In addition, 'intranets' usually use private class addresses whereas the block you're using is assigned to SGI.

That's right - it's the SGI intranet (though they definely wouldn't like me trying this for security reasons - actually, I want to be able to talk to another mechine which is behind the firewall,s o I can disconnect the modem when in dual network mode).

Secondly the traceroute in your 'internet' mode doesn't show any responses which would imply your default gateway is unavailable.

I was tracerouting something on the intranet, and the default gateway doesn't provide a route to that, only to the internet.

Can you ping the default gateway address 192.168.1.1 in internet mode?

If I have en0 enable (which is connected to 192.168.1.1), then, yes, I can ping it; irrespective of if en1 (connected to the intranet) is active or not.

Any clearer?

Max.