source address woes

I have Checkpoint Firewall-1 running on a Solaris 7 SPARC box with two working physical network interface cards, hme0 and qfe0:

(please note these are false addresses)

qfe0 = 195.111.222.178 internet ISP
hme0 = 172.19.12.58 /24 internal Lan which has a router to france on it

I want to add a route to a machine in France (194.222.222.222). It will need to go out of interface hme0 and be routed to France via a router which sits on the internal LAN (172.19.12.4), so the packets I send out should have a source address of 172.19.12.58 (hme0), which the French network understands and can route back to. I used the command

route add -host 194.222.222.222 172.19.12.4

but I get a "not responding" error when I try to ping the destination machine.

NOTE: I can get to this machine via this router from any other single-NIC box on the LAN, so the box and router are fine.

I then ran snoop on hme0 for anything with 194.222.222.222 in it:

# snoop -t a -d hme0 194.222.222.222
Using device /dev/hme (promiscuous mode)
12:42:26.54446 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:27.54073 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:28.54070 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:29.54069 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:30.54097 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:31.54080 195.111.222.178 -> 194.222.222.222 ICMP Echo request

As you can see, the request is going out of the correct interface (hme0), because I am snooping it, but for some reason the packets have assumed the source address that has been assigned to the qfe0 card. Subsequently, ICMP is making requests but there are no replies coming back, because the source address of the request packet is the public internet address (the external address of the firewall, qfe0) and the destination French network cannot route the packet back. I have printed an excerpt from netstat -rn below (addresses have been changed):

Routing Table:
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
194.222.222.222      172.19.12.4           UGH      0      1  
195.111.222.176      195.111.222.178       U        2   5796  qfe0
172.19.8.0           172.19.12.58          U        3  42257  hme0
224.0.0.0            172.19.12.58          U        3      0      hme0
default              195.111.222.177     UG       01431154 
127.0.0.1            127.0.0.1                UH       03366951  lo0

I was wondering whether or not the blank space in the Interface column for the route I have added (1st line) has any impact on the source address used when I ping directly from the firewall/Solaris box.

I have been looking into the -interface switch of the route command but cannot see how to incorporate this into the route add command. I have tried

route add 194.222.222.222 -interface hme0 172.19.12.4

...and various other combinations, but to no avail. The man page for route is very confusing when it comes to the -interface switch.

Does anybody know how I can resolve this issue? All I want is for the source address to be 172.19.12.58 so that the packets can find their way back to the firewall.

Any help on this would be greatly appreciated.

Thanks,
Gary

First I see what may be a discrepancy. You have 194.x.x.x defined and 195.x.x.x defined. That may be your problem right away. If not keep reading.

I recently had problems with my LAN and a router in the company. I found that one of my problems was that my broadcast address was incorrect. You may need to open up that for your second IP. Something like 195.255.255.255 and your broadcast to be 255.0.0.0, or possibly move it one more octet to the right: 195.111.255.255 and 255.255.0.0.

May not be it, but I would check. Print your ifconfig output for each LAN card; maybe that would help as well.

Also, you should have an interface for 195.222.222.222. You may have to do a route add gateway again for this. I see you did set it up as a gateway.

If the subnet mask on hme0 is correct so that 172.19.12.4 and 172.19.12.58 are in the same subnet, then the routing table looks good to me.

I don't have access to a Solaris 7 box, but I have access to a Solaris 8 box. Looking at the -interface option, I think it would specify that the address is local and an Ethernet address can be obtained via ARP. That is clearly not your situation.

There is some interesting language on the ifconfig man page: "IP uses an interface group to rotate source address selection when the source address is unspecified." I don't see where it says how long each source address is used, but there may be a way to induce the behavior you're seeing via complex options to the ifconfig command.

The fact that you are running a firewall on this box really introduces a wrinkle here. Firewalls do strange things with TCP/IP. Can you reproduce the problem without the firewall software?

This patch is for Solaris 8, but it claims to fix an interesting bug: "4333995 IPv4 source address should be obtained from the destination route."

Kelam is correct about your broadcast...and I'll add that netmasks can mess you up too.

As far as the command you have - you don't specify going out hme0. Since you don't, it takes the default route (from qfe0). Your snoop shows that the ping is going from

(even though you snooped hme0...that part is confusing me)

I believe one of the following will work (although your netmask and broadcast can still mess you up):
route add 194.222.222.222 172.19.12.58 0
OR
route add net 194.222.222.0 172.19.12.58 0
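As an added example that is not from any poster in this thread, here is a small Python model of Gary's routing table showing the two source-address selection behaviours discussed above: picking the source from the interface behind the destination route (the behaviour bug 4333995 asks for) versus falling back to the default route's interface when the matching route has a blank Interface column. The netmasks (/21 for hme0, /29 for qfe0) are assumptions, not values from the post.

```python
import ipaddress

# Constructed model of the interfaces and netstat -rn table in the post.
# Netmasks are assumptions: /21 for hme0 (its interface route is listed
# against 172.19.8.0) and /29 for the qfe0 subnet.
INTERFACES = {
    "hme0": ipaddress.ip_interface("172.19.12.58/21"),
    "qfe0": ipaddress.ip_interface("195.111.222.178/29"),
}
# (destination, gateway, interface); a blank Interface column becomes None
ROUTES = [
    ("194.222.222.222/32", "172.19.12.4", None),
    ("195.111.222.176/29", "195.111.222.178", "qfe0"),
    ("172.19.8.0/21", "172.19.12.58", "hme0"),
    ("0.0.0.0/0", "195.111.222.177", None),
]

def lookup(dst):
    """Longest-prefix match over ROUTES -> (network, gateway, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in ROUTES:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ipaddress.ip_address(gw), iface)
    return best

def iface_holding(addr):
    """Name of the interface whose connected subnet contains addr."""
    for name, ifaddr in INTERFACES.items():
        if addr in ifaddr.network:
            return name
    return None

def source_address(dst, per_destination_route=True):
    """Source IP chosen for a packet to dst.

    per_destination_route=True models the behaviour bug 4333995 asks for:
    the matching route's gateway is resolved to its connected interface.
    False models a stack that, when the matching route has no interface,
    falls back to the interface behind the default route.
    """
    _, gw, iface = lookup(dst)
    if iface is None:
        if not per_destination_route:
            _, gw, _ = lookup("0.0.0.0")   # the default route's gateway
        iface = iface_holding(gw)
    return str(INTERFACES[iface].ip)
```

With the host route from the post, the fallback model reproduces the snoop output (source 195.111.222.178), while resolving the gateway 172.19.12.4 to hme0 yields the wanted 172.19.12.58.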