Tuesday, August 7, 2018

Routing multiple subnets on two linux gateways

I'm in a situation where I have an existing network with two Linux gateways. Originally this was set up as a non-production and a production gateway, basically with mirrored configs, giving us the ability to bring up the interfaces from one on the other in case of problems or maintenance. This works fine and has for several years.

Recently there has been a desire to switch IP subnet from 192.168.0.0/24 to something else as it is causing conflicts with VPN users who happen to connect to networks that share that common subnet. There are many servers and devices involved so instead of doing a mass change of IPs I decided to add a third interface in each gateway on a new subnet (10.11.0.0/24) with the intention that both subnets could talk to each other and then I could start switching devices one by one over to the new subnet and eventually drop the 192 subnet down the road.

I have this mostly working. Devices on 192.168 or 10.11 can communicate back and forth. There are two problems however which I am trying to solve:

  1. A device on 10.11.0.0/24 using gatewayB (10.11.0.254) cannot ping the other gateway at 192.168.0.1 or 192.168.0.2 (it can, however, ping 10.11.0.1 and 10.11.0.2, which are IPs on the same server, different device). It can also ping 10.11.0.254 and 10.11.0.253. The reverse happens if I set a device to use the "non-prod" gatewayA (10.11.0.1): it cannot ping the opposite gateway at 192.168.0.254 or 192.168.0.253.

  2. GatewayA has OpenVPN configured with two subnets, 10.8.0.0 for the TCP server and 10.9.0.0 for the UDP server. When connected to the VPN, both of these subnets can reach anything on 192.168.0.0 but cannot ping 10.11.0.0/24 IPs that are using gatewayB as their gateway. I've added a route to the OpenVPN configuration for 10.11.0.0 (exactly the same as the 192.168.0.0 route).

On gatewayB we handled this originally using a static route /etc/sysconfig/network-scripts/route-eth1:

10.8.0.0/24 via 192.168.0.1

10.9.0.0/24 via 192.168.0.1

But I cannot seem to do the same for 10.11.0.0 on eth2. It doesn't add; I'm thinking perhaps because that subnet is already routed through another interface.

Forwarding is enabled on both gateways.

Configuration:

gatewayA:

eth0 = internet

eth1 = 192.168.0.2

eth1:1 = 192.168.0.1

eth2 = 10.11.0.2

eth2:1 = 10.11.0.1

192.168.0.1 dev eth1 scope link src 192.168.0.1
10.11.0.1 dev eth2 scope link src 10.11.0.1
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.234.236 dev ppp0 proto kernel scope link src 192.168.234.235
10.9.0.2 dev tun1 proto kernel scope link src 10.9.0.1
10.8.0.0/24 via 10.8.0.2 dev tun0
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2
10.9.0.0/24 via 10.9.0.2 dev tun1
10.11.0.0/24 dev eth2 proto kernel scope link src 10.11.0.2
169.254.0.0/16 dev eth2 scope link metric 1002
169.254.0.0/16 dev eth0 scope link metric 1003
169.254.0.0/16 dev eth1 scope link metric 1004
10.0.0.0/8 dev eth2 proto kernel scope link src 10.11.0.1

# iptables -nvL | egrep "eth1|eth2"
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       10.11.0.0/24         192.168.0.0/24
   71  3692 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  57M  185G ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       10.11.0.0/24         0.0.0.0/0
19159 2045K ACCEPT     all  --  eth2   *       10.11.0.0/24         0.0.0.0/0

gatewayB:

eth0 = internet

eth1 = 192.168.0.253

eth1:254 = 192.168.0.254

eth2 = 10.11.0.253

eth2:254 = 10.11.0.253

192.168.0.254 dev eth1 scope link src 192.168.0.254
192.168.234.236 dev ppp0 proto kernel scope link src 192.168.234.235
10.11.0.254 dev eth2 scope link src 10.11.0.254
10.8.0.0/24 via 192.168.0.1 dev eth1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.253
10.11.0.0/24 dev eth2 proto kernel scope link src 10.11.0.253
10.9.0.0/24 via 192.168.0.1 dev eth1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
169.254.0.0/16 dev eth2 scope link metric 1004
10.0.0.0/8 dev eth2 proto kernel scope link src 10.11.0.254

 987K  154M ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
 664K  171M ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   39  2028 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 174M  271G ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       10.11.0.0/24         0.0.0.0/0
  12M 6300M ACCEPT     all  --  eth2   *       10.11.0.0/24         0.0.0.0/0
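The script below is an added example, not part of the original post, and uses only Python's standard ipaddress module. It parses gatewayB's route table exactly as pasted above and answers the two questions a practitioner asks when reading a table like this or the gatewayA one: which entry the kernel selects for a given destination (longest prefix wins, lower metric breaks a tie), and which specific prefixes sit inside a broader prefix that points at a different interface, because every destination inside the broad prefix but outside the specific ones takes the broad route. One fact worth keeping in mind while reading the output: a route marked `proto kernel` is created automatically from an interface address, so its prefix length is the netmask that address was configured with, and the 10.0.0.0/8 entry on eth2 is such a route. The sample destinations in the tests are constructed for illustration.

```python
import ipaddress

# gatewayB's route table as pasted in the post above, one route per line.
GATEWAY_B_ROUTES = """\
192.168.0.254 dev eth1 scope link src 192.168.0.254
192.168.234.236 dev ppp0 proto kernel scope link src 192.168.234.235
10.11.0.254 dev eth2 scope link src 10.11.0.254
10.8.0.0/24 via 192.168.0.1 dev eth1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.253
10.11.0.0/24 dev eth2 proto kernel scope link src 10.11.0.253
10.9.0.0/24 via 192.168.0.1 dev eth1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
169.254.0.0/16 dev eth2 scope link metric 1004
10.0.0.0/8 dev eth2 proto kernel scope link src 10.11.0.254
"""

ROUTE_KEYWORDS = ("via", "dev", "src", "proto", "scope", "metric")


def parse_routes(text):
    """Parse `ip route` output into (network, attrs, raw_line) tuples."""
    routes = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # A bare host address such as 10.11.0.254 becomes a /32 network.
        net = ipaddress.ip_network(dst, strict=False)
        attrs = {}
        for key, value in zip(fields[1:], fields[2:]):
            if key in ROUTE_KEYWORDS:
                attrs[key] = value
        routes.append((net, attrs, raw))
    return routes


def lookup(routes, destination):
    """Pick the route the kernel would use: longest prefix, then lowest metric.

    Returns None when no entry covers the destination (the pasted excerpt
    contains no default route, so Internet addresses fall through)."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, attrs, raw in routes:
        if addr not in net:
            continue
        metric = int(attrs.get("metric", 0))
        # Higher prefix length beats; on a tie the lower metric beats.
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[1]):
            best = (net, metric, attrs, raw)
    if best is None:
        return None
    net, metric, attrs, raw = best
    return {
        "prefix": str(net),
        "dev": attrs.get("dev"),
        "via": attrs.get("via"),
        "metric": metric,
        "route": raw,
    }


def nested_prefixes(routes):
    """List (specific, broader) pairs where a narrower prefix on one interface
    lies inside a wider prefix that points at a different interface.

    Destinations inside the wider prefix but outside every narrower one are
    sent out the wider prefix's interface, which is easy to overlook."""
    pairs = []
    for s_net, s_attrs, _ in routes:
        for b_net, b_attrs, _ in routes:
            if s_net.prefixlen <= b_net.prefixlen:
                continue
            if s_net.subnet_of(b_net) and s_attrs.get("dev") != b_attrs.get("dev"):
                pairs.append((str(s_net), str(b_net)))
    return pairs


if __name__ == "__main__":
    table = parse_routes(GATEWAY_B_ROUTES)
    for dst in ("10.8.0.5", "10.11.0.20", "10.12.0.1", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    for specific, broader in nested_prefixes(table):
        print(f"{specific} is nested inside {broader} on a different interface")
```

Run it with the gatewayA table pasted into `GATEWAY_B_ROUTES` instead to compare the two boxes; a real `ip route` listing can be fed in unchanged, since `default` is handled and unknown keywords are ignored.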

