I want to try routing on routers. Router does not show me my static routing commands.
I used this static routing command on Router0
ip route 192.168.1.0 255.255.255.0 1.1.1.2
I used this static routing command on Router1
ip route 192.168.2.0 255.255.255.0 1.1.1.1
Router0
Router#
Router#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip route 192.168.1.0 255.255.255.0 1.1.1.2
Router(config)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, GigabitEthernet0/0
L 1.1.1.1/32 is directly connected, GigabitEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.3/32 is directly connected, GigabitEthernet0/1
Router#
Router1
Router>en
Router#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip route 192.168.2.0 255.255.255.0 1.1.1.1
Router(config)#end
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, GigabitEthernet0/0
L 1.1.1.2/32 is directly connected, GigabitEthernet0/0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet0/1
L 192.168.2.3/32 is directly connected, GigabitEthernet0/1
Router#
192.168.1.0 255.255.255.0 is the same route as 192.168.1.0/24, and 192.168.2.0 255.255.255.0 is the same route as 192.168.2.0/24. Since these routes are already in the routing tables as "connected" which has a lower administrative distance (= 0) than "static" (= 1), the static route is not installed in the routing tables. (commingling this notation was a bad design decision by crisco imo)
This is usually because the next hop is unreachable. Can you ping 1.1.1.2|1 from Router0|1? Post the show ip route outputs. Also, ensure you are in config mode. (maybe you need to commit too as on a Juniper, if cisco has added that needed concept yet)
Related
I'm trying to configure IPSEC tunnel between two virtual machines (R2 R3) in the same network where one of them would work as a router (R2) so I can send data from third virtual machine (R1) over the IPSEC tunnel to R3.
I have made the following topology:
I changed IP addresses wrong but the VM's are in the same network so it could be like R3: 1.2.3.4, R2: 1.2.3.5, R1: 1.2.3.6
Configuration of R3 VM /etc/ipsec.d/mytunnel.conf:
config setup
protostack=netkey
#conn mysubnet
# also=mytunnel
# leftsubnet=10.0.1.1/24
# rightsubnet=10.0.0.1/24
# auto=start
conn mytunnel
left=4.6.7.8
right=1.2.3.4
authby=secret
leftsubnet=10.0.1.1/24
rightsubnet=10.0.0.1/24
auto=start
# route-based VPN requires marking and an interface
mark=5/0xffffffff
vti-interface=vti03
# do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
vti-routing=yes
# If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
leftvti=10.0.7.1/24
Configuration of R2 /etc/ipsec.d/mytunnel.conf:
config setup
protostack=netkey
#conn mysubnet
# also=mytunnel
# leftsubnet=10.0.1.1/24
# rightsubnet=10.0.0.1/24
# auto=start
conn mytunnel
left=4.6.7.8
right=1.2.3.4
authby=secret
leftsubnet=10.0.1.1/24
rightsubnet=10.0.0.1/24
auto=start
# route-based VPN requires marking and an interface
mark=5/0xffffffff
vti-interface=vti03
# do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
vti-routing=yes
# If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
leftvti=10.0.7.1/24
With the configuration above I can ping from R2 to R3 with ping -I 10.0.1.1 10.0.0.1
On the R1 machine I configured static routing which is:
root#9.10.11.12:~# ip route
default via 9.10.11.1 dev ens18 onlink
10.0.0.0/24 via 5.6.7.8 dev ens18
10.0.1.0/24 via 5.6.7.8 dev ens18
But when I want to ping 10.0.0.1 from R1 via R2 it gives me icmp_seq=1 Destination Host Unreachable
What should I change so R1 could see R3 via R2 dummy0 interface which is 10.0.1.1 ?
Thanks for any help!
I changed the topology and now I send ping to R2 VTI vti03 interface 10.0.7.1/24 via R3 with the slight difference in the .conf files:
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
For debugging purpose I need to set up a MITM proxy between 2 devices.
All devices have static IP (example) and are directly connected each other:
Device 1 : 192.168.10.50
Device 2 : 192.168.10.60
Proxy computer have 2 nic on the same subnet and is between other devices :
D1 .50 <=> [.60 PROXY .50] <=> D2 .60
My problem is, from the proxy if one of the 2 nic is disabled, D1 or D2 can reach the proxy.
Once I bring up the 2 nic, no one can see any other device.
D1 and D2 ip can't be changed.
Proxy is linux centos 8.
Already tested :
adding log on iptables : if 2 nic are up no more input / output log
Drop all input / output then accept only right ip from right interface => no result
Changing arp_filter = 1 and arp_announce = 2 => no result
Testing multiple SO post about 2 nic on same subnet
If anyone can help.
Thanks .
I've found a solution which consist in creating a transparent proxy and intercept some packets.
1- Create a bridge with the 2 NIC :
nmcli connection add type bridge autoconnect yes con-name "br0" ifname "br0"
nmcli connection modify "br0" ipv4.addresses "192.168.10.10/24" ipv4.method manual
nmcli connection delete enp0s3
nmcli connection delete enp0s8
nmcli connection add type bridge-slave autoconnect yes con-name enp0s3 ifname enp0s3 master br0
nmcli connection add type bridge-slave autoconnect yes con-name enp0s8 ifname enp0s8 master br0
2 Add correct rules to intercept specific traffic
nft add table bridge mitm
nft add chain bridge mitm filter { type filter hook prerouting priority 0\; }
nft add rule bridge mitm filter tcp dport 10000 ip saddr 192.168.10.50 meta pkttype set host ether daddr set xx:xx:xx:xx:xx:xx # br0 mac address
nft add rule ip nat PREROUTING tcp dport 10000 ip saddr 192.168.10.50 dnat to 192.168.10.10
It worked for me.
I want to create a Private network in google compute platform where I will be able to enter only using a vpn.
So, I create a machine in GCE and I install openvpn. This machine has an static IP, the ssh port open and the default network configuration from GCE.
Then, I create a second machine (call it MachineA) , in the same network, but without external IP.
Then I create the route rule in order to redirect traffic from vpn-machine to another internal instances.
I'm able to connect from my machine to the vpn.
I'm able to ping to vpn machine.
I'm able to ping to MachineA.
I'm able to ssh to vpn machine.
I'm able to ssh to MachineA.
but...
When I connect to ssh vpn machine and run gsutil it works, also ping to 8.8.8.8
When I connect to ssh MachineA and run gstult or ping 8.8.8.8 does not work.
Any Idea what Im doing wrong ?
Some information
from VPN-machine
xxx#dev-vpn:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.240.10.1 0.0.0.0 UG 0 0 0 eth0
10.16.0.0 10.16.0.2 255.255.255.0 UG 0 0 0 tun0
10.16.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.240.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
xxx#dev-vpn:~$ traceroute 10.240.10.3
traceroute to 10.240.10.3 (10.240.10.3), 30 hops max, 60 byte packets
1 * * instance-1.c.project.internal (10.240.10.3) 1.188 ms
from MachineA
traceroute to 10.240.10.2 (10.240.10.2), 30 hops max, 60 byte packets
1 * * *
2 * * dev-vpn.c.project.internal (10.240.10.2) 0.899 ms
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.240.10.1 0.0.0.0 UG 0 0 0 eth0
10.240.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
In google networking I add this rule
vpn-routing 10.16.0.0/24 1001 None dev-vpn (Zone us-central1-a)
I have a working system that does this. The innovation I made was to add an alias IP range and make the OpenVPN server use that Google IP range.
So for a router instance, that has an external IP address and will run the OpenVPN server on GCE, you need to create the instance with just one interface and a small IP Alias range. This would then permit IP forwarding from the main interface to the small Alias range. Let's say you are on default network 10.156.0.10/20 and you have added an Alias range of 10.156.1.0/28, you then add as the server line in your OpenVPN server configuration: server 10.156.1.1.
So the tun0 interface of OpenVPN (server-side) will come up on 10.156.1.1 and the tunnel endpoint on 10.156.1.2.
You have to push the routes to the OpenVPN clients (so push 10.156.0.0/20 in the server configuration). You will also need iroute statements in the server's ccd/client.
Here's an excerpt from the OpenVPN server's configuration file:
server 10.156.1.0 255.255.255.240
push "route 10.156.0.0 255.255.240.0"
push "route 10.164.0.0 255.255.240.0"
push "route 10.132.0.0 255.255.240.0"
route 192.168.127.0 255.255.255.0
If your site network is 192.168.127.0/24 and you use 3 Google networks. The ccd/client file has this
route 192.168.127.0 255.255.255.0
iroute 192.168.127.0 255.255.255.0
And you may need to add others, if you have other routes. (There's a section in the OpenVPN manuals about ccd/ and iroute.)
Back on the Google cloud, you will need to add a Google route via the OpenVPN gateway on 10.156.0.10 to get back to 192.168.127.0/24.
And there's lots of firewalling that you should do to make your hosts safe, but you must at least open the 1194 port for OpenVPN.
On your site, if you want to access the Google Cloud private networks, you will need to use RIPd from Quagga. That's a relatively easy configuration:
router rip
network eth0
passive-interface tun0
no default-information originate
redistribute kernel route-map GMAP
access-list GCE permit 10.156.0.0/20
access-list GCE permit 10.164.0.0/20
access-list GCE permit 10.132.0.0/20
access-list GCE deny any
route-map GMAP permit 10
match ip address GCE
This is the RIPd configuration for the OpenVPN client gateway, which is a router. This configuration propagates any routes for the three Google Cloud networks 10.{156,164,132}.0.0/20.
The RIPd configuration on the other hosts in your site network doesn't require any special configuration, just name the "router rip" and the "network eth0", your host's network interface and start RIPd. (The configuration on the VPN client gateway should be easier than this, but I found that "no default-information originate" didn't work for me, so I had to just propagate the Google routes.)
Can this two hosts ping/access each other without routing?
Host A:
172.17.1.1
255.255.255.0
N-ID: 172.17.1.0
BC: 172.17.1.255
Host B:
172.17.1.10
255.255.0.0
N-ID: 172.17.0.0
BC: 172.17.255.255
Yes, both machines think they are on same network, as the subnet mask includes both addresses on both hosts.
Using the following IP Range can anyone break this down into 3 subnets for me displaying IP's in each range and their subnet masks please
Current setting below needs breaking into 3 the start off the range needs to be the smallest subnet.
IP Range 192.168.1.128 - 192.168.1.159
Gateway 192.168.1.129
Subnet 255.255.255.224
Usable 192.168.1.132 - 192.168.1.158
Many thanks
Using the SubNetMask 255.255.255.248 you should quarter the IP-Range. So the new nets are:
1) IP: 192.168.1.128
Usable: 192.168.1.129 - 192.168.1.134 (.135 is Broadcast)
2) IP: 192.168.1.136
Usable: 192.168.1.137 - 192.168.1.142 (.143 is Broadcast)
3) IP: 192.168.1.144
Usable: 192.168.1.145 - 192.168.1.150 (.151 is Broadcast)
4) IP: 192.168.1.152
Usable: 192.168.1.153 - 192.168.1.158 (.159 is Broadcast)