dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

b0 b1 can no longer get to cache0.vmini #584

Open sraustein opened 11 years ago

sraustein commented 11 years ago

```
interface FastEthernet0/0
 ip address 192.168.179.100 255.255.255.0
 ip nat outside
 speed auto
 duplex auto
```

```
ip route 0.0.0.0 0.0.0.0 192.168.179.129
```

```
b0#ping 192.168.122.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.3, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
```

```
b0#sh ip route 192.168.122.3
% Network not in table
```

and adding

```
interface FastEthernet0/1
 ip address 192.168.122.200 255.255.255.0
 speed auto
 duplex auto
```

gets

```
b0#sh ip route 192.168.122.3
Routing entry for 192.168.122.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
```

```
b0#ping 192.168.122.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

Trac ticket #571 component testbed priority minor, owner randy, created by randy on 2013-07-01T06:58:25Z, last modified 2013-07-02T04:05:04Z

sraustein commented 11 years ago

back to vanilla config and find i can ping .1 but not .2 or .3

```
Sb0#ping 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/11/20 ms
```

```
b0#ping 192.168.122.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
b0#ping 192.168.122.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.3, timeout is 2 seconds:
UUU.U
Success rate is 0 percent (0/5)
```

Trac comment by randy on 2013-07-01T07:50:51Z

sraustein commented 11 years ago

and, to confuse things further

```
b0#sh ip route 192.168.122.1
% Network not in table
b0#sh ip route 192.168.122.2
% Network not in table
b0#sh ip route 192.168.122.3
% Network not in table
```

Trac comment by randy on 2013-07-01T07:59:21Z

sraustein commented 11 years ago

```
b1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
b1(config)#interface FastEthernet0/1
b1(config-if)#ip ad
b1(config-if)#ip address 192.168.122.201 255.255.255.0
b1(config-if)#no shut
b1(config-if)#end
b1#sh ip ro
b1#sh ip route 192.168.122.1
Routing entry for 192.168.122.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
```

Trac comment by randy on 2013-07-01T08:06:26Z

sraustein commented 11 years ago

```
b1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
b1(config)#interface FastEthernet0/1
b1(config-if)#shut
b1(config-if)#no ip address
b1(config-if)#end
b1#ping 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/20 ms
b1#ping 192.168.122.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.3, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
```

Trac comment by randy on 2013-07-01T08:13:42Z

sraustein commented 11 years ago

created two added tap interfaces and attached them to fast 0/1

```
interface FastEthernet0/0
 ip address 192.168.179.101 255.255.255.0
 ip nat outside
 speed auto
 duplex auto
!
interface FastEthernet0/1
 ip address 192.168.122.201 255.255.255.0
 speed auto
 duplex auto
!
```

```
b1#ping 192.168.122.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

Trac comment by randy on 2013-07-01T10:15:21Z

sraustein commented 11 years ago

Don't know your NIO setup, but we had some issues that could look like what you're seeing [caveat: didn't read the whole thread yet!]

The way we do this is we define TAP interfaces in /etc/network/interfaces:

```
auto tap11
iface tap11 inet manual
    pre-up ip tuntap add dev tap11 mode tap
    up ifconfig tap11 up
    down ifconfig tap11 down
```

... then we attach the NIOs to the TAPs:

```
[[ROUTER r1]]
    console = 2101
    aux = 2021
    fa0/1 = NIO_tap:tap1
    fa0/0 = NIO_tap:tap11
    model = 7200
```

... and then attach the taps to the bridges:

```
iface br0 inet static
    address 10.10.0.241   # address of MacMini on the BB
    bridge_ports eth0 tap11 tapX tapY ...
```

Trac comment by regnauld on 2013-07-01T10:38:41Z

sraustein commented 11 years ago

we have pretty much that

```
auto tap00
iface tap00 inet manual
    pre-up ip tuntap add dev tap00 mode tap
    up ifconfig tap00 up
    down ifconfig tap00 down

auto tap01
iface tap01 inet manual
    pre-up ip tuntap add dev tap01 mode tap
    up ifconfig tap01 up
    down ifconfig tap01 down

auto br0
iface br0 inet static
    # iijlab
    address 202.214.86.148
    netmask 255.255.255.192
    gateway 202.214.86.129
    dns-nameservers 202.232.15.105
    dns-search psg.com rg.net rpki.net
    bridge_ports eth0 tap00 tap01 tap02 tap03
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
```

and

```
[[router b0]]
    console = 4000
    aux = 5000
    fa0/0 = NIO_tap:tap00
```

this works

the issue is that

- dynamips is in the base linux/kvm, which has the external ip as well as the vibr base, 192.168.122.1/24
- there are vms in 192.168.122.0/24
- the dynamips can not get to those vms

randy

Trac comment by randy on 2013-07-01T10:42:56Z
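A cross-check of the tap-to-bridge plumbing described in the comment above, as an added example that is not code from the rpki.net project or the testbed: it parses the `NIO_tap` bindings from a dynamips config and the `bridge_ports` lines from an interfaces(5)-style file, then reports router interfaces whose tap is not enslaved to any bridge or sits on a different bridge than the segment it is addressed for. Both input samples are constructed here, and the `virbr0` stanza is an assumption standing in for the libvirt bridge that carries 192.168.122.0/24.

```python
import re

# Constructed samples modelled on the thread (not the testbed's real files):
# a dynamips stanza per router, and the bridge part of /etc/network/interfaces.
DYNAMIPS_CFG = """
[[router b0]]
    fa0/0 = NIO_tap:tap00
    fa0/1 = NIO_tap:tap02
[[router b1]]
    fa0/0 = NIO_tap:tap01
    fa0/1 = NIO_tap:tap05
"""
INTERFACES = """
iface br0 inet static
    address 202.214.86.148
    bridge_ports eth0 tap00 tap01 tap02 tap03
iface virbr0 inet static
    address 192.168.122.1
    bridge_ports tap04
"""

def parse_nio_taps(cfg):
    """Map (router, interface) -> tap name for every NIO_tap binding."""
    taps, router = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*\[\[router\s+(\S+)\]\]", line, re.I):
            router = m.group(1)
        elif (m := re.match(r"\s*(\S+)\s*=\s*NIO_tap:(\S+)", line)) and router:
            taps[(router, m.group(1))] = m.group(2)
    return taps

def parse_bridge_ports(ifaces):
    """Map bridge name -> set of ports listed on its bridge_ports line."""
    ports, cur = {}, None
    for line in ifaces.splitlines():
        if m := re.match(r"\s*iface\s+(\S+)\s+inet", line):
            cur = m.group(1)
        elif (m := re.match(r"\s*bridge_ports\s+(.+)", line)) and cur:
            ports[cur] = set(m.group(1).split())
    return ports

def tap_placement(cfg, ifaces):
    """For each router interface: the bridge its tap is on, or None if unbridged."""
    port_to_bridge = {p: b for b, ps in parse_bridge_ports(ifaces).items() for p in ps}
    return {k: port_to_bridge.get(t) for k, t in parse_nio_taps(cfg).items()}

def misplaced(cfg, ifaces, wanted):
    """Interfaces whose tap is not on the bridge their segment lives on; wanted maps (router, iface) -> bridge."""
    actual = tap_placement(cfg, ifaces)
    return {k: actual.get(k) for k, b in wanted.items() if actual.get(k) != b}
```

With the sample above, `b0 fa0/1` ends up on `br0` (the eth0 side) while 192.168.122.0/24 lives behind `virbr0`, which is the "connected route present, pings time out" pattern seen earlier in the thread; `b1 fa0/1` is reported as unbridged because `tap05` is on no `bridge_ports` line.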

sraustein commented 11 years ago

to be a bit clearer

[[Image(130701.vmini.jpg)]]

Trac comment by randy on 2013-07-01T10:50:02Z

sraustein commented 11 years ago

i think what it comes down to is that we want to attach a dynamips interface to a vnet so it can get to the vms running inside the natted space on the mini.

either that, or hack forwarding back and forth from tap space and vnet space.

Trac comment by randy on 2013-07-01T11:00:34Z

sraustein commented 11 years ago

130701.vmini.jpg Trac attachment by randy on 2013-07-02T04:05:04Z

sraustein commented 11 years ago

the challenge is to have bgp up for b0 and b1

```
telnet vmini.rpki.net 5000
(cisco cisco cisco)
sh ip bg | i 192.168
```

and it should show 40-ish routes received

and for routers, in particular r1-r16, to be able to get to the cache at cache0.vmini.rpki.net (192.168.122.3)

Trac comment by randy on 2013-07-01T20:49:09Z

sraustein commented 11 years ago

phil saved my buns, threw away the 122 natted space and did it with iptables and br0:2

Trac comment by randy on 2013-07-01T22:21:19Z

sraustein commented 11 years ago

See https://thejimmahknows.com/nat-dynamic-nat-nat-overloadingmasquerade-with-iptables/

TODO:

- check why xinetd and libvirt-bin don't automatically start
- convert xinetd mappings to iptables
- make iptables changes permanent
- Enable serial consoles on the ca* machines would allow "virsh console hostname"

Trac comment by regnauld on 2013-07-01T22:31:23Z

sraustein commented 11 years ago

130702.vmini.jpg Trac attachment by randy on 2013-07-02T04:05:04Z

sraustein commented 11 years ago

> convert xinetd mappings to iptables

For the record, I am fine with moving that to iptables once things settle down. I was pushing xinetd because we were under time pressure and it looked like a faster path to something working, but I agree that it would make sense to consolidate, perhaps immediately after JANOG.

Two more TODO items (mine, unless somebody else wants them):

- Esthetically, it might be better to use br0:0 for the NAT setup and br0:1 and br0:2 for the SSH tunnel, but that's not urgent.

Trac comment by sra on 2013-07-02T00:48:26Z

sraustein commented 11 years ago

agree. do the minimum to make it work now. plenty of time to play later. next wkshp is 26th in berlin.

Trac comment by randy on 2013-07-02T01:16:59Z

sraustein commented 11 years ago

Downgrading from "blocker" but leaving ticket open as there's some follow-up needed after JANOG.

Trac comment by sra on 2013-07-02T04:05:04Z