[SOLVED] Trying to rebuild a firewall system. Cannot connect/ping anything.

rnturn · 02-21-2024, 01:52 PM

Following a mysterious hardware glitch that rendered my Slackware 14.2 firewall unbootable, I re-installed using 15.0. Now... I find that I cannot get a connection from the firewall system to the LAN or to the Internet. I'm seeing a lot of connection failures that are likely default route problems. Unfortunately, the online FAQs and HOWTOs for Slackware appear to be woefully outdated. (Forget about TLDP---many/most links are 404 pages at iBiblio; some have been defaced and are porn sites).

Here's the configuration I have to work with:

eth0 is the internal net interface: 192.168.13.1
eth1 is the internet interface: 1.2.3.45 (static IP supplied by ISP; those first three octets are fake)

The information on the ISP's router specifies a gateway of: 1.2.3.1. There is no net mask information provided (I assume it's 255.255.255.254.

There is also a subnet address provided that, frankly, I have no idea what it's for (I don't recall from the 14.2 installation days -- a few years and two household moves since then -- any notes I made back then are not available) whether that played a part in Slackware's net configuration).

Where the network configuration stands right now is that eth0 has the 192.168.13.1/24 address assigned, eth1 has the 1.2.3.45/31 address (mask is an assumption on my part) and the default route is aimed at eth0. I cannot ping anything internally without getting a "Destination Unreachable" error message.

(Sorry I can't post actual config settings as I'm posting via the ISP's wifi connection and currently can't grab terminal output from the firewall.)

Anyone got any ideas where my configuration has gone awry? Or got a link to more up-to-date Slackware network configuration documentation?

Any pointers greatly appreciated.

bitfuzzy · 02-21-2024, 02:28 PM

Quote:

I cannot ping anything internally without getting a "Destination Unreachable" error message.

Is your firewall active? If so, try disabling it

My ip setup looks like

IPADDRS[0]="192.168.20.10"

...

IPADDRS[1]="xx.xx.xx.xx/29" (ISP STATIC)

...

GATEWAY="xx.xx.xx.xx" (ISP STATIC)

....

What does the output of

Code:

ifconfig

look like?

Windu · 02-21-2024, 02:32 PM

If you look here, you will see why a netmask of 31 is not going to work (room for zero hosts in your subnet): https://jodies.de/ipcalc?host=1.2.3.45&mask1=31&mask2=

I would also expect that the internet gateway is the default route, i.e. should be eth1 and not eth0.
If you want to route packets, are you running routed on that computer? By default this is commented out in /etc/rc.d/rc.inet2 :

Code:

# # Start the network routing daemon:
# if [ -x /usr/sbin/routed ]; then
#   echo "Starting network routing daemon:  /usr/sbin/routed"
#   /usr/sbin/routed -g -s
# fi

rnturn · 02-21-2024, 04:53 PM

Quote:

Originally Posted by bitfuzzy

Is your firewall active? If so, try disabling it

Haven't gotten that far yet. Still working on basic pingability.

Quote:

My ip setup looks like

IPADDRS[0]="192.168.20.10"

...

IPADDRS[1]="xx.xx.xx.xx/29" (ISP STATIC)

...

GATEWAY="xx.xx.xx.xx" (ISP STATIC)

....

What does the output of

Code:

ifconfig

look like?

Information on the ISP's router doesn't even let one know what netmask to use. I'll try /30 and see what I get. (I found an old thumbdrive so I can sneakernet screen output onto the laptop I'm using through the ISP's wifi.)

After tweaking the netmask for the ISP addresses and restarting rc.inet1 and enabling routed in rc.inet2 (and restarting), I get:

Code:

root@fw:/etc/rc.d# ifconfig -a
[?2004l
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.13.1  netmask 255.255.255.0  broadcast 192.168.13.255
        inet6 fe80::206:2bff:fe00:24d3  prefixlen 64  scopeid 0x20<link>
        ether 00:06:2b:00:24:d3  txqueuelen 1000  (Ethernet)
        RX packets 8535  bytes 756244 (738.5 KiB)
        RX errors 1  dropped 3916  overruns 0  frame 0
        TX packets 1142  bytes 51412 (50.2 KiB)
        TX errors 7  dropped 0 overruns 0  carrier 7  collisions 0

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 99.46.146.45  netmask 255.255.255.252  broadcast 99.46.146.47
        inet6 fe80::f2b4:d2ff:fe0c:9f55  prefixlen 64  scopeid 0x20<link>
        ether f0:b4:d2:0c:9f:55  txqueuelen 1000  (Ethernet)
        RX packets 1478  bytes 129551 (126.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 94  bytes 7356 (7.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 28  bytes 3034 (2.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28  bytes 3034 (2.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@fw:/etc/rc.d# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.44    0.0.0.0         255.255.255.252 U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.13.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
root@fw:/etc/rc.d# grep -v '#' rc.inet1.conf

IPADDRS[0]="192.168.13.1/24"
USE_DHCP[0]=""
IP6ADDRS[0]=""
USE_SLAAC[0]=""
USE_DHCP6[0]=""
DHCP_HOSTNAME[0]=""

IPADDRS[1]=""         # I was no long getting a link light on this interface so I
USE_DHCP[1]=""        # pulled that card from the system. External connection is
IP6ADDRS[1]=""        # now an old 10/100 interface.
USE_SLAAC[1]=""
USE_DHCP6[1]=""
DHCP_HOSTNAME[1]=""

IPADDRS[2]="1.2.3.45/30"
USE_DHCP[2]=""
IP6ADDRS[2]=""
USE_SLAAC[2]=""
USE_DHCP6[2]=""
DHCP_HOSTNAME[2]=""

IPADDRS[3]=""
USE_DHCP[3]=""
IP6ADDRS[3]=""
USE_SLAAC[3]=""
USE_DHCP6[3]=""
DHCP_HOSTNAME[3]=""

GATEWAY="1.2.3.1"
GATEWAY6=""

DEBUG_ETH_UP="no"

root@fw:/etc/rc.d# grep -v '#' rc.inet2

if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi

if [ -x /etc/rc.d/rc.ip_forward ]; then
  . /etc/rc.d/rc.ip_forward start
fi

if [ -x /etc/rc.d/rc.krb5kdc ]; then
  sh /etc/rc.d/rc.krb5kdc start
fi

if [ -x /etc/rc.d/rc.kadmind ]; then
  sh /etc/rc.d/rc.kadmind start
fi

if [ -x /etc/rc.d/rc.kpropd ]; then
  sh /etc/rc.d/rc.kpropd start
fi

  if [ -r /etc/rc.d/rc.rpc ]; then
    sh /etc/rc.d/rc.rpc start
  fi
  echo "Mounting remote (NFS) file systems:  /sbin/mount -a -t nfs"
  /sbin/mount -v -t nfs
fi

if [ -x /etc/rc.d/rc.rpc ]; then
  sh /etc/rc.d/rc.rpc start
fi

  echo "Mounting remote CIFS file systems:  /sbin/mount -a -t cifs"
  /sbin/mount -a -t cifs
  /sbin/mount -v -t cifs
fi

  echo "Mounting remote SMBFS file systems:  /sbin/mount -a -t smbfs"
  /sbin/mount -a -t smbfs
  /sbin/mount -v -t smbfs
fi

if [ -x /etc/rc.d/rc.syslog -a -d /var/log -a ! -r /var/run/syslogd.pid ]; then
  . /etc/rc.d/rc.syslog start
fi

if [ -x /etc/rc.d/rc.inetd ]; then
  /etc/rc.d/rc.inetd start
fi

if [ -x /etc/rc.d/rc.sshd ]; then
  echo "Starting OpenSSH SSH daemon:  /usr/sbin/sshd"
  /etc/rc.d/rc.sshd start
fi

if [ -x /etc/rc.d/rc.bind ]; then
  /etc/rc.d/rc.bind start
fi

if [ -x /etc/rc.d/rc.yp ]; then
  /etc/rc.d/rc.yp start
fi

if [ -x /etc/rc.d/rc.openvpn ]; then
  /etc/rc.d/rc.openvpn start
fi

if [ -x /etc/rc.d/rc.nfsd ]; then
  /etc/rc.d/rc.nfsd start
fi

if [ -x /usr/sbin/routed ]; then
  echo "Starting network routing daemon:  /usr/sbin/routed"
  /usr/sbin/routed -g -s
fi

root@fw:/etc/rc.d#

I'm still not able to ping anything externally or internally.

Ideas about where to go next?

TIA...

bitfuzzy · 02-21-2024, 05:02 PM

Quote:

RX errors 1 dropped 3916 overruns 0 frame 0
TX packets 1142 bytes 51412 (50.2 KiB)
TX errors 7 dropped 0 overruns 0 carrier 7 collisions 0

I doubt this is the issue, but just for grins and giggles

Switch cables between eth0 and eth1

If there's no change (I doubt there will be) switch them back and report please

michaelk · 02-21-2024, 06:18 PM

Quote:

IPADDRS[2]="1.2.3.45/30"

You need to ask your ISP what to use for the netmask. /30 is 255.255.255.252 and only allows for two hosts.
Your gateway address would have to be x.x.x.46

For reference /24 = 255.255.255.0 which allows for 253 hosts.

I would guess the ISP netmask is something <= /23

henca · 02-22-2024, 12:45 AM

Quote:

Originally Posted by rnturn

eth1 is the internet interface: 1.2.3.45 (static IP supplied by ISP; those first three octets are fake)

The information on the ISP's router specifies a gateway of: 1.2.3.1. There is no net mask information provided (I assume it's 255.255.255.254.

There is also a subnet address provided that, frankly, I have no idea what it's for

The assumption that the netmask is 255.255.255.254 is probably wrong. With such a netmask 1.2.3.45 and 1.2.3.1 would not be on the same subnet.

You should be able to read out your netmask from the subnet address.

Is your IP address static? If you ISP assigns your IP address using DHCP you will most likely also be able to get a correct netmask from DHCP.

Even if a guess of a netmask 255.255.255.0 would be wrong, it would at least probably be useful enough for you to be able to reach and route through 1.2.3.1. Guessing netmask 255.255.255.254 will not allow you to reach 1.2.3.1.

regards Henrik

pingu_penguin · 02-22-2024, 01:03 AM

Sounds like a network misconfiguration issue to me.

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
1.2.3.44 0.0.0.0 255.255.255.252 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
192.168.13.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

I don't see any flags stating UG which is for the gateway.

I think you are missing a route.

Why don't you try :

# route add -net 0.0.0.0 netmask 0.0.0.0 gw <gw ip> dev eth2

allend · 02-22-2024, 01:09 AM

From the output of ‘ifconfig -a’ in post#4, the interfaces are present and up as eth0 and eth2.

Any chance that you have copied old config into the new setup? The interface naming is odd. Perhaps try deleting /etc/udev/rules.d/70-persistent-net.rules and rebooting.

rnturn · 02-22-2024, 12:53 PM

Quote:

Originally Posted by henca

The assumption that the netmask is 255.255.255.254 is probably wng. With such a netmask 1.2.3.45 and 1.2.3.1 would not be on the same subnet.

Ouch! If that's the case then the information on the router's web interface is bogus. I put in a call to the ISP to try and get some clarification on the information but all I could get was one of the script readers who didn't understand what I was asking about and insisted that they send a tech out who'd need access to the communications room (after I calmly explained that basic net access was working fine -- via wifi -- and that there was no need for the visit.) I declined the visit as being a waste of everyone's time. (And money as they wanted to charge if the tech did anything over and above the hardware check.)

Quote:

Is your IP address static? If you ISP assigns your IP address using DHCP you will most likely also be able to get a correct netmask from DHCP.

It's static. Servers on the LAN need that.

Quote:

Even if a guess of a netmask 255.255.255.0 would be wrong, it would at least probably be useful enough for you to be able to reach and route through 1.2.3.1. Guessing netmask 255.255.255.254 will not allow you to reach 1.2.3.1.

Worth a try though it feels like a random shot in the dark.

UPDATE: Modified rc.inet1 to use "/24" on the gateway.

The output of 'route -n' after following pingo_penguin's suggestion is now:

Code:

root@fw:/mnt# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         1.2.3.1         0.0.0.0         UG    0      0        0 eth2
1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.13.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
root@fw:/mnt#

rnturn · 02-22-2024, 12:59 PM

Quote:

Originally Posted by allend

From the output of ‘ifconfig -a’ in post#4, the interfaces are present and up as eth0 and eth2.

Any chance that you have copied old config into the new setup? The interface naming is odd. Perhaps try deleting /etc/udev/rules.d/70-persistent-net.rules and rebooting.

Not a problem. eth1 was a PCIe gigabit card that, apparently, failed and was removed. eth2 is a 10/100 (

) Tulip port on an older disk controller. The ISP supplied address is defined in the rc.inet1.conf file's section for eth2.

UPDATE:

I removed the udev/rules.d fie, rebooted and am now back to eth0 and eth1. No improvement. I have link lights on both interfaces so I'm reasonably confident that both interface are operable and the cabling is not faulty.

Bottom line is still: Can ping internally but not to external sites.

Sigh...

rnturn · 02-22-2024, 01:06 PM

Quote:

Originally Posted by pingu_penguin

I don't see any flags stating UG which is for the gateway.

I think you are missing a route.

Why don't you try :

# route add -net 0.0.0.0 netmask 0.0.0.0 gw <gw ip> dev eth2

Which gives me:

Code:

SIOCADDRT: Network is unreachable

rnturn · 02-22-2024, 01:17 PM

Quote:

Originally Posted by bitfuzzy

I doubt this is the issue, but just for grins and giggles

Switch cables between eth0 and eth1

If there's no change (I doubt there will be) switch them back and report please

Actually, swapping the cables allows pinging systems on the LAN. Pings to the outside world simply hang. So that's progress... sort of.

michaelk · 02-22-2024, 02:04 PM

I believe the idea of trying to use dhcp on the WAN side (eth2) is if it works would be that you would then know the actual netmask used by your ISP. You would also be able to confirm your ISP's gateway address.

bitfuzzy · 02-22-2024, 03:39 PM

If you have a static IP of *.*.*.45 with a gateway of *.*.*.1, assuming you have only 1 static IP, your netmask even might be 255.255.255.0