Dual Router (routing problem)

This is the network configuration I have:

          +-------------------------------------------------+   +===========+   
          |                                                 |   |           |   
          |                     INTERNET                    |---| LINUXBOX2 |   
          |                                                 |   |           |   
          +-------------------------------------------------+   +===========+   
               |                                       |                        
               |                                       |                        
          +=========+                             +=========+                   
          |         |                             |         |                   
          | ROUTER1 |                             | ROUTER2 |                   
          |         |                             |         |                   
          +=========+                             +=========+                   
 10.10.100.1|     |10.10.201.254       10.10.202.254|     |10.10.101.1          
            |     |                                 |     |                     
  +-----------+   |                                 |   +-----------+           
  |   VPN1    |   |                                 |   |   VPN2    |           
  |           |   |                                 |   |           |           
  |10.10.100.0|   |                                 |   |10.10.101.0|           
  +-----------+   |     +=====================+     |   +-----------+           
                  |     |      LINUXBOX1      |     |                           
                  |     |                     |     |                           
                  +-----|eth1             eth2|-----+                           
             10.10.201.1|                     |10.10.202.1                      
                        |         eth0        |                                 
                        +=====================+                                 
                                   |10.10.200.1                                
                                   |                                           
                                   |                                           
                             +-----------+                                     
                             | LOCAL NET |                                     
                             |           |                                     
                             |10.10.200.0|                                     
                             +-----------+

where VPN1 and VPN2 are two VPNs managed by the corresponding routers.

Each router has its own public and private IP and they both are gateways to the internet.

LINUXBOX1 is connected to three private networks, and it is itself a gateway to the internet for any LOCALNET machine.

Finally, connected to the internet we also have a road warrior machine (LINUXBOX2).

##########
### Goal ###
##########

My goal is to be able to:

1) ssh from LINUXBOX2 to either of the two routers and be forwarded to LINUXBOX1 in both cases,

2) ping any private IP from a machine connected to any private subnetwork (VPN1, VPN2, LOCALNET).

######################
### Network Configuration ###
######################

# ROUTER1 (asus rtn66u) #

routing table:

10.10.200.0 via 10.10.201.1
10.10.202.0 via 10.10.201.1
10.10.101.0 via 10.10.201.1

port forwarding:

incoming SSH connections forwarded to 10.10.201.1

# ROUTER2 (asus rtac3200) #

routing table:

10.10.200.0 via 10.10.202.1
10.10.201.0 via 10.10.202.1
10.10.100.0 via 10.10.202.1

port forwarding:

incoming SSH connections forwarded to 10.10.202.1

# LINUXBOX1 #

cat /etc/iproute2/rt_tables

#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep
1 rtac3200
cat /etc/network/interfaces.d/eth0.cfg

allow-hotplug eth0
iface eth0 inet static
  address 10.10.200.1
  netmask 255.255.255.0
cat /etc/network/interfaces.d/eth1.cfg

allow-hotplug eth1
iface eth1 inet static
  address 10.10.201.1
  netmask 255.255.255.0
  gateway 10.10.201.254
cat /etc/network/interfaces.d/eth2.cfg

allow-hotplug eth2
iface eth2 inet static
  address 10.10.202.1
  netmask 255.255.255.0

  ### static routing (part 1) ###
  post-up route add -net 10.10.101.0 netmask 255.255.255.0 gw 10.10.202.254
  pre-down route del -net 10.10.101.0 netmask 255.255.255.0 gw 10.10.202.254

  ### static routing (part 2) ###
  post-up ip route add 10.10.202.0/24 dev eth2 src 10.10.202.1 table rtac3200
  post-up ip route add default via 10.10.202.254 dev eth2 table rtac3200
  post-up ip rule add from 10.10.202.1/32 table rtac3200
  post-up ip rule add to 10.10.202.1/32 table rtac3200

############
### Results ###
############

If I enable "static routing (part 2)" I can ssh into LINUXBOX1 from LINUXBOX2 via either router but any ping coming from VPN1 or LOCALNET to 10.10.202.1 does not get answered.

If I disable "static routing (part 2)" I cannot ssh into LINUXBOX1 from LINUXBOX2 via ROUTER2 but any ping coming from VPN1, VPN2 or LOCALNET to 10.10.202.1 does get answered.

#############
### Question ###
#############

How can I fully achieve my goal?

First, thank you. You've taken the time to document your network, show your problems, and describe your goal quite clearly.

I'm not sure you can forward ssh in that fashion; it has many checks to prevent this kind of diversion, since that can be done for insidious purposes as well as benign ones.

I would like to see the output of route -n from the linux boxes and routers.


Here it is:

admin@RTN66U:/tmp/home/root# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
231.111.7.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.10.202.0     10.10.201.1     255.255.255.0   UG    1      0        0 br0
10.10.100.0     0.0.0.0         255.255.255.0   U     0      0        0 tun21
10.10.200.0     10.10.201.1     255.255.255.0   UG    1      0        0 br0
10.10.201.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.10.101.0     10.10.201.1     255.255.255.0   UG    1      0        0 br0
231.111.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         231.111.7.1     0.0.0.0         UG    0      0        0 eth0


admin@RTAC3200:/tmp/home/root# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
231.111.7.1     0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
10.10.202.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.10.100.0     10.10.202.1     255.255.255.0   UG    1      0        0 br0
10.10.200.0     10.10.202.1     255.255.255.0   UG    1      0        0 br0
10.10.201.0     10.10.202.1     255.255.255.0   UG    1      0        0 br0
10.10.101.0     0.0.0.0         255.255.255.0   U     0      0        0 tun21
231.111.7.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         231.111.7.1     0.0.0.0         UG    0      0        0 vlan2


root@LINUXBOX1:/home/root# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.201.254   0.0.0.0         UG    0      0        0 eth1
10.10.101.0     10.10.202.254   255.255.255.0   UG    0      0        0 eth2
10.10.200.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.201.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.10.202.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2

BTW, can you suggest a book/online course where I can learn how to investigate and solve this kind of problem?

Well, I solved it myself by adding an extra network (10.10.200.0/24) to the rtac3200 table:

cat /etc/network/interfaces.d/eth2.cfg

allow-hotplug eth2
iface eth2 inet static
  address 10.10.202.1
  netmask 255.255.255.0

  ### static routing (part 1) ###
  post-up route add -net 10.10.101.0 netmask 255.255.255.0 gw 10.10.202.254
  pre-down route del -net 10.10.101.0 netmask 255.255.255.0 gw 10.10.202.254

  ### static routing (part 2) ###
  post-up ip route add 10.10.200.0/24 dev eth0 src 10.10.200.1 table rtac3200
  post-up ip route add 10.10.202.0/24 dev eth2 src 10.10.202.1 table rtac3200
  post-up ip route add default via 10.10.202.254 dev eth2 table rtac3200
  post-up ip rule add from 10.10.202.1/32 table rtac3200
  post-up ip rule add to 10.10.202.1/32 table rtac3200

Thanks for letting us know the solution!
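To see why the extra route fixes the ping replies, here is an added model (not code from the thread) of LINUXBOX1's policy routing: the two `ip rule` entries select table rtac3200, everything else uses main, and each table is searched by longest-prefix match. It only models packets LINUXBOX1 itself sends (the local table is left out), and 203.0.113.10 is a constructed stand-in for LINUXBOX2's public address.

```python
"""Model of LINUXBOX1's ip rules and routing tables, built from the thread's configs."""
import ipaddress

# Tables as (prefix, gateway or None for on-link, interface).
# MAIN mirrors the `route -n` output posted for LINUXBOX1.
MAIN = [
    ("0.0.0.0/0", "10.10.201.254", "eth1"),
    ("10.10.101.0/24", "10.10.202.254", "eth2"),
    ("10.10.200.0/24", None, "eth0"),
    ("10.10.201.0/24", None, "eth1"),
    ("10.10.202.0/24", None, "eth2"),
]
# "static routing (part 2)" table as first posted: only eth2's subnet and a default.
RTAC3200_BEFORE = [
    ("10.10.202.0/24", None, "eth2"),
    ("0.0.0.0/0", "10.10.202.254", "eth2"),
]
# The fixed table: LOCALNET added so replies toward 10.10.200.0/24 stay on eth0.
RTAC3200_AFTER = [("10.10.200.0/24", None, "eth0")] + RTAC3200_BEFORE

ETH2_IP = ipaddress.ip_address("10.10.202.1")


def lookup(table, dst):
    """Longest-prefix match over one table (what the kernel FIB does). None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def route(src, dst, rtac3200=None):
    """Apply the thread's rules in order: 'from 10.10.202.1' and 'to 10.10.202.1' send the
    lookup to table rtac3200 (pass None when part 2 is disabled); otherwise use main.
    The kernel only moves on to the next rule when the selected table has no matching
    route at all, which never happens here because rtac3200 carries a default route."""
    if rtac3200 is not None and ETH2_IP in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
        hit = lookup(rtac3200, dst)
        if hit is not None:
            return hit
    return lookup(MAIN, dst)


if __name__ == "__main__":
    # Reply to a ping from LOCALNET: sent to ROUTER2 before the fix, on-link via eth0 after.
    print(route("10.10.202.1", "10.10.200.7", RTAC3200_BEFORE))  # ('10.10.202.254', 'eth2')
    print(route("10.10.202.1", "10.10.200.7", RTAC3200_AFTER))   # (None, 'eth0')
    # Reply to SSH that arrived through ROUTER2: leaves via ROUTER1 without part 2.
    print(route("10.10.202.1", "203.0.113.10"))                  # ('10.10.201.254', 'eth1')
    print(route("10.10.202.1", "203.0.113.10", RTAC3200_AFTER))  # ('10.10.202.254', 'eth2')
```

The same lookup shows that a reply from 10.10.202.1 toward VPN1 (10.10.100.0/24) still follows the rtac3200 default out eth2 even after the fix, so that path would need its own entry in the table (via 10.10.201.254, the gateway ROUTER1 reaches VPN1 through) to be covered as well.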