Forwarding not work in FC9 but ip forward is turn on

Kevin Martin kevintm at ameritech.net
Tue Sep 23 16:58:37 UTC 2008



ppps wrote:
>> First off, what is that extra netstat -rn entry for eth6
>> (169.254.0.0...looks like some Windows default garbage)? Can't help but
>> wonder what that's doing to routing to the 192.168.10 network on the
>> machine.
>>     
> I have tried to eliminate that route with the command
> route del -net 169.254.0.0 netmask 255.255.0.0
> This eliminates the route, but on reboot it comes up again.
> I do not know which file to modify to remove it.
>
>   
Ok, this has been answered by Mr. Wright.
> I think that you really don't need to worry about this route. 
> It's used for default networking when your system is set to DHCP but does not get an address from a DHCP server 
> (NIC self-assigns a 169.254.x.x address to itself). This also happens on Windows.
> I think that the route itself will have no effect on your connectivity or networking.
>
>   
>> Next, why do you get two different traceroute results when you
>> traceroute host 192.168.10.20 as shown below (doesn't make any sense)?:
>>     
>
> In the first tcpdump command,    
> ping from 192.168.10.250 to 192.168.10.20
>
> |firewall |--x-->|switch |----> | host 192.168.10.20 |
>
> In the second tcpdump command,
> ping from 192.168.10.20 to 192.168.5.1
>
> |host 192.168.10.20 |---->|switch |----> | FIREWALL |--x-->| switch |-----> | HOST 192.168.5.1 |
>
>   
Ah, ok, my bad for not noticing that.

Let's take this from the top (please correct me if I'm wrong):

Your firewall has the 3 interfaces with 192.168.1.231/24,
192.168.5.254/24, and 192.168.10.250/24 as the interface addresses. 
You have 3 machines off-firewall with addresses 192.168.1.201,
192.168.5.1, and 192.168.10.20 (all in the /24 bit network, right?).

1). From the firewall, if you ping/traceroute to the 3 off firewall
addresses, do they all work or only some of them?

2). From the off firewall addresses, does ping/traceroute to the 3
firewall addresses *on the same network* (so from ...1.201 to ...1.231,
...5.1 to ...5.254, and ...10.20 to ...10.250) work?

3). On the off firewall machines, what does a tcpdump show about the
traffic coming from the firewall in (1) (when it works and when it
doesn't work)?

4). From the off firewall machines, what are the results of
pings/traceroutes from those machines to the other machines (so from
1.201 to 5.1, 1.201 to 10.20, 5.1 to 10.20, 5.1 to 1.201, 10.20 to 5.1,
and 10.20 to 1.201...you need to do all of them to verify that the
traceroutes are all using the same paths coming and going...I've seen
networking weirdness where a traceroute from a -> b shows 5 hops on 5
routers while a traceroute from b -> a shows different routers/hops ).

5). On the off firewall machines, what do the routing tables look like?
And what are the results of the command "arp"?  Are all of the off
firewall machines Linux boxes or are there Windows or other O.S.
machines (and is the 5.1 box just a router?)?

FWIW, it's often handy from a troubleshooting point of view and the sake
of consistency to, if possible, have your firewall interfaces have the
same ending octet (again, if possible in the network(s) that you are
working with).  If the firewall interfaces *always* have .254 as the
last octet (or .110 or .1 or whatever as long as they are the same on
each interface) then it makes it easier to understand your
routing/network setup.

<snip>

