Q: Networking Problem (Subnet Mask) (Answered, 5 out of 5 stars, 0 Comments)
Question  
Subject: Networking Problem (Subnet Mask)
Category: Computers > Internet
Asked by: meixler-ga
List Price: $20.00
Posted: 01 May 2003 14:24 PDT
Expires: 31 May 2003 14:24 PDT
Question ID: 198111
Networking Problem
See diagram at http://168.103.136.217/~meixler/

Box 1 has a dedicated Internet IP address. It can see the internet,
computers on the internet can see it. Box 2 has a LAN IP address. It
can see computers on the internet, computers on the internet cannot
see it (which is right). Box 2 can see box 1. All of the above is the
way it should be. Now, the problem is, I need box 1 to see box 2. When
I ping box 2 from box 1 (ping 10.0.0.2) box 2 cannot see box 1.

I suspect that box 1 is looking for box 2 on the internet instead of
on the LAN. From my limited understanding of subnet masks, I believe
the subnet mask should be set in such a way that box 1 will look for
box 2 on the LAN. If so, my question is how should the subnet mask on
box 1 be set?

FYI: The subnet mask on box 1 is currently set to 255.255.255.0, and
the gateway is the Internet IP Address of the router, which is
168.103.217.222. The subnet mask on box 2 is 255.255.255.0 and the
gateway is the LAN IP address of the router, which is 10.0.0.1.

Thanks in advance if you can be of any help. 

Mike Meixler
mike@meixler-tech.com
Answer  
Subject: Re: Networking Problem (Subnet Mask)
Answered By: dogbite-ga on 01 May 2003 16:54 PDT
Rated: 5 out of 5 stars
 
Hello meixler-ga,

  Thanks for the picture -- that helped clarify
  what was going on.

  The problem definitely cannot be fixed with subnet masks. Subnet
masks specify which addresses are on the same LAN as you, and can
therefore be reached without an intermediate hop through a gateway.
Because the IP addresses of box 1 and box 2 are completely different,
in order to make box 1 think box 2 is on the same LAN, you would have
to set a subnet mask of 0.0.0.0 on box 1. This would make box 1 think
it was local to every possible IP address, so no traffic would get
routed through the router and your Internet connection from box 1
would stop working.

  The reason pings from box 2 to box 1 work is because they are using
the standard network address translation process that the Cisco router
is expecting: 1) Box 2 sends a ping with a destination IP of box 1 to
the router. 2) The router rewrites the packet so it appears to be
coming from the router's external IP address (168.103.136.222) and
makes a note in its internal tables to remember that it rewrote this
packet on behalf of box 2 (10.0.0.2). 3) The router forwards the ping
to box 1, which responds to 168.103.136.222. 4) The router consults
its internal tables, finds the note it made, and rewrites the packet
so it has a destination of 10.0.0.2. 5) The router forwards the
message to box 2, which receives it. All is well.

  Now, let's consider the reverse direction. 1) Box 1 sends a packet
destined for 10.0.0.2 to the router. 2) The router gets this packet,
and throws it away. This is because the router is actually never
expecting to receive traffic destined for an internal address
(10.x.y.z); it expects only traffic from internal addresses destined
for Internet addresses or from the Internet destined for
168.103.136.222 (which it rewrites to the appropriate internal
destination).

  So, assuming your router supports it, you need to set up a route
that tells the router to send all traffic destined for 10.0.0.x (with
subnet mask 255.255.255.0) to the internal interface ("interface" is
network-speak that's roughly equivalent to "port", so this means the
port that faces the hub rather than the port that faces the Internet).
This is pretty secure, as your ISP will never route a packet destined
for 10.x.y.z to you from outside (and, in fact, no router anywhere on
the Internet will, as this is an address space reserved for private
networks). If your router lets you set it up so that only traffic
coming from box 1 is forwarded, that would be even better. Your router
manual should tell you how to set up new routes. Note that this new
route won't have a gateway attached to it; it will just specify the
network address (10.0.0.x), the subnet mask (255.255.255.0), and the
interface.

  Finally, 10.x.y.z is a class A private network address, which means
you can actually use 255.0.0.0 as the subnet mask on the router and on
your internal computers. This would let you use any IP of the form
10.x.y.z for an internal IP. The way you have it configured now, with
255.255.255.0, is fine and will work, but it forces you to have the
"x" and "y" the same for all computers on the network (e.g.,
10.0.0.x). This last paragraph isn't necessary for your current
problem, though, so you can safely ignore it if you want or if you're
confused by it.

            dogbite-ga

Clarification of Answer by dogbite-ga on 01 May 2003 19:17 PDT
Hi meixler-ga,

  I looked at your picture again and realized that
  you have the Cisco 678 router.  I can help you with
  the settings necessary to route the packets properly.

  Do you know how to telnet to the router (assuming 
  telnet is enabled)?  If so, can you run the command
  "show filter"?

                dogbite-ga

Request for Answer Clarification by meixler-ga on 02 May 2003 05:39 PDT
dogbite-ga,

First, thanks for the very informative answer to my question.  I
really appreciate the depth of your explanation.

Also, thanks for your offer to help with modifying the router setting
in order to solve the problem.  I'll gladly take you up on your offer.
Below are the results from the show filter command.

Once again,  thanks in advance.
Mike


cbos>show filter
IP Filtering is currently disabled
   on/                 deny/        source      dest.   source/    dest/
#  off  int  direction allow prot   ports       ports    mask      mask
0  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
1  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
2  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
3  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
4  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
5  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
6  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
7  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
8  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
9  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
10  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
11  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
12  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
13  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
14  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
15  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
16  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
17  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
18  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0
19  OFF eth0   incoming ALLOW                             0.0.0.0/  0.0.0.0
                                                         0.0.0.0   0.0.0.0

cbos>

Clarification of Answer by dogbite-ga on 02 May 2003 10:07 PDT
Hi meixler-ga,

  That filter output shows that there are no
  filters, so my guess was wrong.  I think we
  should try for another solution.  I think you
  should set up an IP alias on Box 1.  Then box
  1 could hit box 2 on the 10.x.y.z network.

  What operating system is box 1 running?

           dogbite-ga

Request for Answer Clarification by meixler-ga on 02 May 2003 10:36 PDT
dogbite,  I'm open to trying anything.  Box 1 is running Red Hat Linux
7.3, Box 2 is running Windows 2000 Professional.

Thanks.
Mike

Clarification of Answer by dogbite-ga on 02 May 2003 10:55 PDT
Hey meixler-ga,

  We'll get this working.

  Try running 

ifconfig eth0:1 10.0.0.1

  on box 1, your Linux box.

           dogbite-ga

Clarification of Answer by dogbite-ga on 02 May 2003 11:12 PDT
I'm sorry meixler-ga,

  Please do

ifconfig eth0:1 10.0.0.3

  because 10.0.0.1 is taken by the router.

         dogbite-ga

Request for Answer Clarification by meixler-ga on 02 May 2003 11:41 PDT
dogbite,  I really appreciate your persistence.

I logged in as root, and ran /sbin/ifconfig eth0:1 10.0.0.3 .  Then, I
restarted the network: /etc/init.d/network restart .

But, when I attempted to ping 10.0.0.2, I got:

[root@p166 root]# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) from 168.103.136.217 : 56(84) bytes of data.

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 0 received, 100% loss, time 4013ms


Mike

Request for Answer Clarification by meixler-ga on 02 May 2003 11:44 PDT
If this is any help, the output from ifconfig is:

[root@p166 root]# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:C5:B3:03:2A  
          inet addr:168.103.136.217  Bcast:168.103.136.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:745 errors:0 dropped:0 overruns:0 frame:0
          TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:11 Base address:0xec00 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

Clarification of Answer by dogbite-ga on 02 May 2003 12:19 PDT
Hey meixler-ga,

  Try not doing the network restart.
  I think that does an ifdown and then
  an ifup, which might kill the alias.

  So do the ifconfig and then try pinging.

  If that doesn't work, I suspect there
  is something wrong with your hub.  Let
  me know what happens.

          dogbite-ga

Request for Answer Clarification by meixler-ga on 02 May 2003 12:43 PDT
That did it!  Thanks a million.

Clarification of Answer by dogbite-ga on 02 May 2003 14:35 PDT
Awesome -- I'm very happy 
that you got it working.

And thanks for the tip!!

       dogbite-ga

Request for Answer Clarification by meixler-ga on 18 Jul 2003 06:49 PDT
dogbite,  Perhaps you can help with my latest Linux problem:
http://answers.google.com/answers/main?cmd=threadview&id=232066

Mike
meixler-ga rated this answer: 5 out of 5 stars and gave an additional tip of: $10.00
He solved the problem, although it was way outside the scope of the
initial question.  Very knowledgeable, and very informative
explanations.  I highly recommend this researcher.  Truly an expert in
his field.
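
Added example, not part of the original thread: a small model of box 1's next-hop decision for the three setups discussed above (the original 255.255.255.0 mask, the hypothetical 0.0.0.0 mask, and the eth0:1 alias). Addresses come from the thread; the alias mask of 255.0.0.0 and the Internet address 192.0.2.10 are assumptions made for the example.

```python
import ipaddress

GATEWAY = "168.103.136.222"   # router's external address, as given in the answer
ETH0 = ("eth0", "168.103.136.217", "255.255.255.0")   # from the ifconfig output
# Alias from the thread; mask assumed to be the classful default 255.0.0.0
# that applies when ifconfig is given a 10.x.y.z address with no netmask.
ALIAS = ("eth0:1", "10.0.0.3", "255.0.0.0")

def build_table(interfaces, gateway=GATEWAY):
    """One connected (on-link) route per configured address, then the default route."""
    table = []
    for name, addr, mask in interfaces:
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        table.append((iface.network, name, str(iface.ip), None))
    first = interfaces[0]
    table.append((ipaddress.ip_network("0.0.0.0/0"), first[0], first[1], gateway))
    return table

def next_hop(table, dest):
    """Longest-prefix match; returns (interface, source address, gateway).
    gateway is None when the destination is treated as on-link (ARP, no router)."""
    dest = ipaddress.ip_address(dest)
    candidates = [route for route in table if dest in route[0]]
    # max() keeps the first of equally long prefixes, so a connected route
    # wins a tie against the default route that was appended last.
    _, name, src, gw = max(candidates, key=lambda route: route[0].prefixlen)
    return name, src, gw

def scenarios(lan_host="10.0.0.2", internet_host="192.0.2.10"):
    """internet_host is a constructed stand-in for any Internet address."""
    setups = {
        "original": [ETH0],
        "mask 0.0.0.0": [("eth0", ETH0[1], "0.0.0.0")],
        "with alias": [ETH0, ALIAS],
    }
    return {label: {dest: next_hop(build_table(ifaces), dest)
                    for dest in (lan_host, internet_host)}
            for label, ifaces in setups.items()}

if __name__ == "__main__":
    for label, result in scenarios().items():
        for dest, (name, src, gw) in result.items():
            via = f"via gateway {gw}" if gw else "on-link"
            print(f"{label:13} {dest:11} -> {name} src {src} {via}")
```

Only the alias setup reaches 10.0.0.2 on-link while still sending Internet traffic to the gateway. With the alias in place, box 1 talks to LAN hosts directly over the shared hub rather than through the router's address translation, and an alias set this way is runtime state that the thread saw disappear on a network restart.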
