# Why Do I Need a Default Route [solved]

## NeddySeagoon

Hi,

I have a very minimal hardware install with 5 real ethernet ports. One is not used.

The other 4 are donated to bridges. The only purpose of the bare metal install is to support Kernel Virtual Machines.

This bare metal install works with no default route as all traffic goes through the bridges to a router VM.

The router VM runs shorewall, which is supposed to have rules defining how packets move between the 4 interfaces, get NATed and so on.

This description should be complete, in that anything that is not routed according to shorewall rules is deliberately dropped.

In theory, no packets should ever reach a default route in the kernel's routing table.

My internet is PPPoE, so ppp0 is bound to one of the interfaces in the router. 

If I remove the default route from the router, dns no longer works. It sounds like my firewall is 'leaking'. If the default route is needed for dns, what else might it be needed for?

Any ideas why I need a default route in the router?

----------

## Veldrin

default route (or as cisco calls it the gateway of last resort) is used if no other route matches. the default route usually points to the 'internet'. 

if you are using a default dns setup, then if the local dns server does not know the host or the zone, it pokes the root dns servers or forwarding dns servers, which are located somewhere on the internet. basically you have 2 possibilities to reach them (via layer 3), by using the default route, or by providing a route to each of the root/forwarding dns servers. 

dns is a good indicator if your routing beyond the first host is working.

HTH

V.

PS. I am not quite sure how Linux handles a ppp link, but they basically only consist of 2 endpoints, therefore instead of an IP, an exit interface could be enough (again quoting Cisco).

----------

## NeddySeagoon

Veldrin,

I understand what you say and I do indeed use my ISPs dns.

My shorewall setup should route dns requests to the internet without the default route.

Here's the activity on my wired network.

```
Chain green2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 291K   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 1193 68172 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
 1941  124K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
  332 25232 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    5   268 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3690
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11371
    7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
   23  1252 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:43
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9418
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:873
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9418
   11   548 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    9   468 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:green2net:REJECT:"
    9   468 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
```

Note the Reject and log at the end, so there should be nothing left for a default route.

----------

## Veldrin

*Quote:*

> My shorewall setup should route dns requests to the internet without the default route.
>
> Here's the activity on my wired network.

why would shorewall route it to the internet without a default route? overly simplified, a firewall is a router that does some additional filtering.

I see a firewall rule that allows dns queries from your internal zone to the internet (or that is how I interpret green2net), so from the point of view of filtering, the connection should be allowed.

or asked differently, are you able to ping the internet (e.g. 8.8.8.8) if you remove the default route?

one additional rule you might want to add is tcp/53, which is required (although rarely) for large dns queries.

the "last two lines" are logged; what does your log show?

V.

----------

## NeddySeagoon

Veldrin,

Correct, I'm an ex-Smoothwall user, so green is wired, blue is wireless, dmz is for my servers and net is the internet.

Shorewall has an extra zone called fw, for the firewall itself.

Everything going to the internet is first filtered then, if it's allowed, NATed, so a default route should not be required.

The response is allowed by the following:

```
Chain net2green (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 678K  957M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:net2green:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
```

With no default route, the log is full of UDP DNS queries to my ISP being dropped.

----------

## papahuhn

You seem to think that netfilter rules are the same as routing table entries? Have a look at http://www.shorewall.com.au/misc/netfilterflow.pdf. Unless you drop every packet in the prerouting-chain (which is very uncommon), your routing table is part of the overall routing process. So we should rather have a look at your routing table if we want to know which packets fall under the default route.

----------

## NeddySeagoon

papahuhn

```
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         losubs.subs.dsl 0.0.0.0         UG    4007   0        0 ppp0
losubs.subs.dsl *               255.255.255.255 UH    0      0        0 ppp0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
192.168.10.0    *               255.255.255.0   U     0      0        0 eth1
192.168.54.0    *               255.255.255.0   U     0      0        0 eth2
192.168.100.0   *               255.255.255.0   U     0      0        0 eth3
router shorewall # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         62.3.83.27      0.0.0.0         UG    4007   0        0 ppp0
62.3.83.27      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.54.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
router shorewall # 
```

Ahhh ... Penny dropped: with no default route, I can't reach any IP not explicitly listed in my routing table.

The default route in effect says: I can't deliver this packet because I don't know how, but I know a host that does.

That's a very useful diagram.

Thank you both for your help.
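As an added illustration of the point the thread arrives at (not code from the thread or from shorewall), here is the longest-prefix-match lookup the kernel applies to its routing table, run over the rows from the `route -n` output posted above. The table rows (destinations, netmasks, gateway `62.3.83.27`, interfaces `ppp0`, `lo`, `eth1`..`eth3`) are taken from that output; the function names `parse_table`, `lookup` and `without_default` are my own. It shows why the default route is the only row that can carry a packet to an arbitrary Internet address such as a DNS resolver, and why deleting it makes every non-local destination unreachable regardless of what the netfilter rules allow.

```python
import ipaddress

# Rows copied from the router VM's `route -n` output in the thread:
# (destination, genmask, gateway, iface).  A gateway of None means
# "directly connected" (route -n prints 0.0.0.0 for that case).
ROUTER_TABLE = [
    ("0.0.0.0",       "0.0.0.0",         "62.3.83.27", "ppp0"),  # default route
    ("62.3.83.27",    "255.255.255.255", None,         "ppp0"),  # PPPoE peer host route
    ("127.0.0.0",     "255.0.0.0",       "127.0.0.1",  "lo"),
    ("192.168.10.0",  "255.255.255.0",   None,         "eth1"),
    ("192.168.54.0",  "255.255.255.0",   None,         "eth2"),
    ("192.168.100.0", "255.255.255.0",   None,         "eth3"),
]


def parse_table(rows):
    """Convert (dest, genmask, gateway, iface) tuples into ip_network objects.

    ipaddress accepts a dotted netmask after the slash, so the rows can be
    fed in exactly as `route -n` prints them.
    """
    parsed = []
    for dest, mask, gw, iface in rows:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        parsed.append((net, gw, iface))
    return parsed


def lookup(table, dst):
    """Longest-prefix match over a parsed table.

    Returns (iface, gateway) for the most specific matching row, or None when
    no row matches, which is the case the kernel reports as
    "Network is unreachable" (ENETUNREACH) to the sending socket.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return (best[2], best[1])


def without_default(rows):
    """Return the table with the 0.0.0.0/0.0.0.0 row deleted, as in the experiment."""
    return [r for r in rows if not (r[0] == "0.0.0.0" and r[1] == "0.0.0.0")]


if __name__ == "__main__":
    full = parse_table(ROUTER_TABLE)
    stripped = parse_table(without_default(ROUTER_TABLE))
    # 8.8.8.8 stands in for "some resolver on the Internet" (constructed sample).
    for dst in ("8.8.8.8", "62.3.83.27", "192.168.10.5"):
        print(f"{dst:>14}  with default: {lookup(full, dst)}  "
              f"without: {lookup(stripped, dst)}")
```

The `/32` host route for the PPPoE peer beats the `/0` default for that one address, and the three `/24` rows cover the local zones, so once the default row is gone there is simply no row left whose prefix contains an outside address; the packet is refused at the routing decision, before any shorewall chain is consulted.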

----------

## Veldrin

why does this remind me of my job:

The firewall is usually the first suspect, but after some checking, it turns out the problem is somewhere in the network/routing.

glad you solved it. 

V.

----------

