# Understanding routing

## greanie

I have a linux box running a vpn server which is bridged with eth0.  The vpn-server tap0 is assigned 10.8.0.1.  I can ping one tap device from the command line from the server box (of course). 

The linux box also has a wireless access point (172.16.1.1).  I have a windows machine that has logged onto the wireless access point, acquiring address 172.16.1.10.  I can ping the hostap (172.16.1.1) from the windows box, no problem.  I would like to be able to ping the tap device from the windows machine.  I added the following route to my routing table:

> route add -net 172.16.1.0 netmask 255.255.255.0 gw 10.8.1.1

> route -n

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
172.16.1.0      10.8.0.1        255.255.255.0   UG    0      0        0 tap0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

When I try to ping 10.8.0.1 from the windows box, 172.168.1.10, nothing happens.  Can anyone tell me why this isn't working?

Code tags added by NeddySeagoon to make for easier reading

----------

## NeddySeagoon

greanie,

*greanie wrote:*

> ... windows box, 172.168.1.10, ...

I guess you really mean 172.16.1.10

Do you have 

```
net.ipv4.ip_forward = 1
```

in your /etc/sysctl.conf and support for packet forwarding in your kernel?

Provided your kernel is good, it's also controllable via /proc/sys/net/ipv4/ip_forward, which needs to contain 1.

----------

## greanie

Yes, sorry, meant 172.16.1.10

I have packet forwarding as follows:

> sysctl net.ipv4.ip_forward

> net.ipv4.ip_forward = 1

But I didn't see any particular packet forwarding support option using menuconfig under Network Support -> Network Options. Is it somewhere else?  I am on kernel v3.1.10

Thanks!

----------

## greanie

Looked again in the kernel config using make menuconfig.  I found the following options relating to routing already enabled:

Under Networking Support -> Networking Options ->

* TCP/IP networking
  * IP: Multicasting
  * IP: advanced router
  * IP: verbose route monitoring

I found nothing relating to Netfiltering as mentioned in several Gentoo Howtos.

Again, are there any other kernel configurations I need to set that I haven't?

----------

## greanie

Still struggling with this.  Not having much luck with the kernel routing table to redirect messages from 172.16.1.10 through the hostap (wlan0) across the VPN (10.8.0.10), and not having much luck finding a good explanation of routing on the web, I saw that many people use iptables for routing so I thought I would try that.  

Fired up iptables and added the following rules

> iptables -A INPUT -p all -j ACCEPT

> iptables -t nat -A PREROUTING -i wlan0 -j DNAT --to-destination 10.8.0.10 (openvpn client address)

> iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE

With this, my understanding is that messages on the wireless network (172.16.1.x) should have their destination address re-written to 10.8.0.10 and their source address re-written to 10.8.0.1 before they go across the vpn bus, and iptables would handle the reverse path automatically.

Now, with this, I can send a ping command from the windows client (172.16.1.10):

> ping 172.168.1.1

And in /var/log/messages for my hostap & vpn server (172.168.1.1 & 10.8.0.1) I see:

```
Apr 26 14:58:30 fpcSlim1 kernel: [616563.166372] IN=wlan0 OUT=tap0 MAC=00:0d:f0:5a:e4:ee:00:21:6a:04:bb:62:08:00 SRC=172.16.1.10 DST=10.8.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17502 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=18178
Apr 26 14:58:30 fpcSlim1 kernel: [616563.172530] IN=tap0 OUT=wlan0 MAC=c6:3c:ad:4a:70:23:0e:a2:e6:04:d0:cf:08:00 SRC=10.8.0.10 DST=172.16.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29593 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=18178
Apr 26 14:58:31 fpcSlim1 kernel: [616564.166754] IN=wlan0 OUT=tap0 MAC=00:0d:f0:5a:e4:ee:00:21:6a:04:bb:62:08:00 SRC=172.16.1.10 DST=10.8.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17515 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=18434
Apr 26 14:58:31 fpcSlim1 kernel: [616564.172375] IN=tap0 OUT=wlan0 MAC=c6:3c:ad:4a:70:23:0e:a2:e6:04:d0:cf:08:00 SRC=10.8.0.10 DST=172.16.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29594 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=18434
Apr 26 14:58:32 fpcSlim1 kernel: [616565.166629] IN=wlan0 OUT=tap0 MAC=00:0d:f0:5a:e4:ee:00:21:6a:04:bb:62:08:00 SRC=172.16.1.10 DST=10.8.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17530 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=18690
Apr 26 14:58:32 fpcSlim1 kernel: [616565.172250] IN=tap0 OUT=wlan0 MAC=c6:3c:ad:4a:70:23:0e:a2:e6:04:d0:cf:08:00 SRC=10.8.0.10 DST=172.16.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29595 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=18690
Apr 26 14:58:33 fpcSlim1 kernel: [616566.169538] IN=wlan0 OUT=tap0 MAC=00:0d:f0:5a:e4:ee:00:21:6a:04:bb:62:08:00 SRC=172.16.1.10 DST=10.8.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17543 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=18946
Apr 26 14:58:33 fpcSlim1 kernel: [616566.175505] IN=tap0 OUT=wlan0 MAC=c6:3c:ad:4a:70:23:0e:a2:e6:04:d0:cf:08:00 SRC=10.8.0.10 DST=172.16.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29596 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=18946
```

iptables is doing some routing, finally!!

I was surprised that pings to 172.16.1.1, the hostap, were being redirected rather than being handled by the wireless access point directly, but at least it is something.

Now, if I ping from the windows client any other ip address on the 172.16.1.x subnet, I expect the result would be the same, so:

> ping 172.16.1.3

Unfortunately, this yields nothing!  I expect, based on my routing table, these packets are being sent to the gateway at 192.168.1.1 rather than out onto the vpn bus.  Why isn't this working?

----------

## NeddySeagoon

greanie, 

A drawing of your network topology with the IP addresses of each host and the VPN would be good.

ASCII art works.

----------

## greanie

Not exactly an expert in ASCII art, but I'll do my best :).

This is my attempt, but it seems html is ignoring multiple spaces and using &nbsp; doesn't work either.  Any suggestions? 

```
                                                                     WAN
                                                                      |
                                                                      |
                                                          --------------------
                                                          | Linksys Router   |
                                                          |  default gw      |
                                                          | 192.168.1.1      |
                                                          --------------------
                                                                   ||
    -------------------------------                                ||                                  -----------------------------
    | S2                           |                               ||                                  | S1                        |
    |   eth0 192.168.1.206         |                           ----------                              |  eth0 192.168.1.205       |
    |   tap0 10.8.0.10             |===========================| switch |==============================|  tap0 10.8.0.1            |
    |   wlan0 172.16.1.2           |                           ----------                              |  wlan0 172.16.1.1         | dhcpd
    |   ssid site_1_ap             |   openvpn (client)                                                |   ssid site_2_ap          | openvpn (server)
    -------------------------------                                                                    -----------------------------
                                                                                                                         +
                                                                                                                         +
                                                                                                                         +
                                                                                                                         +
                                                                                                                         +
                                                                                                         ----------------------------
                                                                                                         | Win1                     |
                                                                                                         |   wlan0 172.168.1.10     |
                                                                                                         |          (on  site_1_ap) |
                                                                                                         ----------------------------
```

= and || are hard lines

+ is wifi

This is my setup for now. Please let me know if you have questions.

Code tags added and ASCII art prettied up by NeddySeagoon

----------

## NeddySeagoon

greanie,

Going back to the original problem, if I understand it correctly, you want to ping tap0 in S1 from Win1.

What is the routing table on Win1?

It needs to send packets destined for 10.8.0.1 to somewhere for the ping, how does it know to do that?

Ping needs a round trip.  If your first post is the routing table from S1, you need a static route from 10.8.0.0/24 to 172.16.1.0/24 with a gateway of 172.16.1.1

Something like 

```
route add -net 172.16.0.0/24 gw 172.16.1.1 wlan0 
```

Think about your routing table as if you were the kernel.

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
172.16.1.0      10.8.0.1        255.255.255.0   UG    0      0        0 tap0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

Apply each rule to the destination IP in the packet from the bottom of the table up until you find a match.  The packet is then sent to the interface listed on the matching rule.

First, a packet that gets to the rule at the top because there were no matches (that's your default route) is sent to eth0 and on to 192.168.1.1, as the gateway address in the rule says.

```
172.16.1.0      10.8.0.1        255.255.255.0   UG    0      0        0 tap0
```

gets you from wlan0 to tap0

but I don't see the rule routing the other way, from tap0 to wlan0.

IPTables does not do routing, it does packet filtering and mangling, like NAT.

----------

## greanie

NeddySeagoon,

Thank you for your reply. Telling me how the kernel decides on the path (starting from the bottom of the routing table and working its way up) was helpful.

> Going back to the original problem, if I understand it correctly, you want to ping tap0 in S1 from Win1

Though that was the goal I stated in my first post, my overall goal is to be able to communicate across the whole 172.16.1.0 subnet as below, transparently, such that Win1 and Win2 associate with their wireless access point but do not know they are not physically on the same network.

```
                                                 WAN
                                                  |
                                                  |
                                          --------------------
                                          | Linksys Router   |
                                          |  default gw      |
                                          | 192.168.1.1      |
                                          --------------------
                                                 ||
    -----------------------------                ||                   -----------------------
    | S2                        |                ||                   | S1                   |
    |   eth0 192.168.1.206      |            ----------               |  eth0 192.168.1.205  |
    |   tap0 10.8.0.10          |============| switch |===============|  tap0 10.8.0.1       |
    |   wlan0 172.16.1.65       |            ----------               |  wlan0 172.16.1.1    | dhcpd
    |   ssid site_1_ap          |   openvpn (client)                  |   ssid site_2_ap     | openvpn (server)
    -----------------------------                                     ----------------------------
                  +                                                              +
                  +                                                              +
                  +                                                              +
    -----------------------------                                      -----------------------------
    | Win2                      |                                     | Win1                       |
    | wlan0 172.16.1.70         |                                     |   wlan0 172.16.1.10        |
    |    (on site_2_ap)         |                                     |          (on  site_1_ap)   |
    -----------------------------                                     ------------------------------
```

Fixed typos in IP addresses in Win1 and Win2.  Changed 168, to 16 in both places - NeddySeagoon 2 May 2013

I don't know if this is possible but it seemed to me that routing was the way to do this.  However, as above, I still don't understand much about routing.

I have left iptables and mangling aside and have focused only on routing, I have adjusted the routing table as such:

```
S1 # route -n
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0          UG    2      0        0    eth0
10.8.0.0        10.8.0.1        255.255.255.0    UG    0      0        0    tap0  (this enables ping from 172.16.1.1 to 172.16.1.65 to work)
127.0.0.0       127.0.0.1       255.0.0.0        UG    0      0        0    lo
172.16.1.0      172.16.1.1      255.255.255.192  UG    0      0        0    wlan0 (this netmask allows pings to 172.16.1.65 to be routed through 10.8.0.1)
172.16.1.0      10.8.0.1        255.255.255.0    UG    0      0        0    tap0
192.168.1.0     0.0.0.0         255.255.255.0    U     0      0        0    eth0
```

With this:

* S1 (172.16.1.1) can ping S2 @ 172.16.1.65
* Win1 (172.16.1.10) can ping S1 @ 172.16.1.1
* S1 cannot ping 172.16.1.10 (Win1) even though S1 is the access point; 172.16.1.1 says the destination host is unreachable

```
S1 # ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10) 56(84) bytes of data.
From 172.16.1.1: icmp_seq=1 Destination Host Unreachable
```

I thought perhaps the ping request from S1 to Win1 was going out to 10.8.0.1, but when I removed the route it made no difference. So I'm not sure if it isn't getting there or isn't getting back.

```
S2 # route -n
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1      0.0.0.0           UG    20     0        0     eth0
10.8.0.0        10.8.0.10        255.255.255.0     UG    0      0        0     tap0 (this enables ping from 172.16.1.65 to 172.16.1.1)
127.0.0.0       127.0.0.1        255.0.0.0         UG    0      0        0     lo
172.16.1.0      10.8.0.10        255.255.255.192   UG    0      0        0     tap0 (this netmask allows pings to 172.16.1.1 to be routed thru 10.8.0.10)
172.16.1.0      172.16.1.65      255.255.255.0     UG    0      0        0     wlan0
192.168.1.0     0.0.0.0          255.255.255.0     U     0      0        0     eth0
```

With this routing table, S2 can ping S1 @ 172.16.1.1.  I don't have the site_2_ap set up yet so I cannot ping out to a client there.

What am I missing to be able to ping Win1 @ 172.16.1.10?  Is there any easy way to log packets on wlan0?  I haven't found much on how to increase the logging level for the kernel routing table.

----------

## NeddySeagoon

greanie,

Run tcpdump on the interface under investigation.

It's a packet logger.

Do not try to run it remotely, at least not without some practice, as it will log the packets from ssh, which causes more traffic which it logs ...

You can tell it to ignore some traffic if you need to.

----------

## greanie

NeddySeagoon,

Thanks for the tip.  I had looked at tcpdump briefly before, but its name is a bit of a misnomer; from the name I assumed it only spat out tcp packets, and I thought ICMP packets were UDP, so I didn't look into it further.  But effectively, it is very helpful.  Using tcpdump, I was able to see that the ping requests were coming into wlan0 but no answer was going out wlan0.  I was also able to see that there were no messages going out tap0, so the ping requests were not being sent out tap0.  I deduced that they just weren't being processed as there is no path to 0.0.0.0.  I added a route to 0.0.0.0:

> route add -net 172.16.1.0/31 wlan0

...and voila, ping requests from S1 (172.16.1.1) to Win1 (172.16.1.10) were returned.

Ping requests from S2 (172.16.1.65) through S2:tap0 (10.8.0.10) and S1:tap0 (10.8.0.1) to Win1 (172.16.1.10) however are not getting through.  So I added the route from 10.8.0.0 to 172.16.1.1 as follows:

> route add -net 10.8.0.0/26 gw 172.16.1.1 wlan0

However, this is not enough to get messages out onto wlan0. Using tcpdump -i tap0, I see:

> ARP, Request who-has 172.16.1.12 tell 10.8.0.10

but there is no response.  Using tcpdump -i wlan0, the ping causes no messages to go onto the bus.

My routing table looks like this now:

```
S1 ~ # route -n
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.192 U     0      0        0 tap0
10.8.0.0        172.16.1.1      255.255.255.192 UG    0      0        0 wlan0
10.8.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tap0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
172.16.1.0      0.0.0.0         255.255.255.254 U     0      0        0 wlan0
172.16.1.0      172.16.1.1      255.255.255.192 UG    0      0        0 wlan0
172.16.1.0      10.8.0.1        255.255.255.0   UG    0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

I can however ping from one client on site_1_ap to another client on site_1_ap so clients can talk to each other (although it doesn't seem to be that reliable).

Any ideas on what I am missing to get messages from S1:tap0 onto S1:wlan0?  Any reason the ARP message wouldn't get passed on?

----------

## NeddySeagoon

greanie,

In your first post all of your netmasks were 255.255.255.0, or /24. I've provided some commentary on your routing table:

```
S1 ~ # route -n
0.0.0.0         192.168.1.1     0.0.0.0         UG    2      0        0 eth0   send every packet that reaches here to 192.168.1.1, it knows what to do
10.8.0.0        0.0.0.0         255.255.255.192 U     0      0        0 tap0   cannot be used as packets that match this rule also match the rule below.
10.8.0.0        172.16.1.1      255.255.255.192 UG    0      0        0 wlan0  [1]
10.8.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tap0   this rule should not be needed as routing around 10.8.0.0/24 does not need a rule.
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo     talk to myself
172.16.1.0      0.0.0.0         255.255.255.254 U     0      0        0 wlan0  this rule can never be used for the same reason
172.16.1.0      172.16.1.1      255.255.255.192 UG    0      0        0 wlan0  this rule cannot be used. Packets that match this rule match the previous rule and have already been sent to tap0
172.16.1.0      10.8.0.1        255.255.255.0   UG    0      0        0 tap0   to reach 172.16.1.0/24 send the packet to 10.8.0.1 - it knows how to get to 172.16.1.0/24
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0   to reach 192.168.1.0/24 no gateway is needed, send the packet out of eth0
```

[1] Your 255.255.255.192 netmask only allows a part of your 10.8.0.0 subnet to be routed here. 192 is 1100 0000, so only 10.8.0.1 to 10.8.0.63 will match this rule. Is that intentional?

Let's look at S1 in isolation.

```
S1
eth0 192.168.1.205
tap0 10.8.0.1
wlan0 172.16.1.1
```

In your first post, they were all /24, I'll use that below.  In the syntax of /etc/conf.d/net

```
config_eth0="192.168.1.205/24 brd 192.168.100.255"

config_tap0="10.8.0.1/24 brd 10.8.0.255"

config_wlan0="172.16.1.1/26 brd 172.16.1.63"
```

This is the easy bit. It sets up the IP addresses on the interfaces plus the three routes of the form X.Y.Z.W/24, so that each interface can talk to the other devices in its subnet.  None of these routes need a gateway, other devices in the same subnet are by definition on the same interface. The gateway will show as 0.0.0.0, meaning none required.

A default route is always a good idea. That's provided by

```
routes_eth0="default via 192.168.1.1"
```

That was a little harder, but now you have three separate subnets that can reach your router but still not talk among themselves. It's likely that only 192.168.1.0/24 can reach the internet unless your router is doing NAT for 10.8.0.0/24 and 172.16.1.0/26 too.  Routing does not provide Network Address Translation (NAT).

To allow the systems on tap0 and wlan0 to communicate you need static routes in each direction.

```
routes_tap0="172.16.1.0/26 via 172.16.1.1"
```

Which says: for packets arriving on tap0, send them to 172.16.1.1 to reach 172.16.1.0/26.

Ahhh, but that's not true, because wlan0 172.16.1.1 on S1 is in the same subnet as wlan0 172.16.1.65 in S2 ... which explains your 255.255.255.192 netmasks. So, 172.16.1.0/24 becomes 172.16.1.0/26 (corrected above).

```
routes_wlan0="10.8.0.0/24 via 10.8.0.1"
```

does the reverse routing.

It's still not clear what your subnet sizes are everywhere. I've tried to deduce them but it's not reliable.

Setting up S2 is harder, as S1 appears to have /24 subnets everywhere, but it can't as it would have IP address collisions with S1.  If you want to do your own subnetting you must split ranges in powers of two: 172.16.1.0/25 and 172.16.1.128/25, then 172.16.1.0/26, 172.16.1.64/26, 172.16.1.128/26, 172.16.1.192/26.

----------

## greanie

NeddySeagoon,

Yes, I had planned to split the subnet based on location.  I only need up to 20 addresses at each site.  I split it such that 1-63 are S1 and 64-254 are S2.  dhcpd running on each server would distribute addresses accordingly.  And yes, that is the reason for the netmask of .192.  Also, I am not planning on having the 172.16.1.0 or 10.8.0.0 subnets have access to the internet.

I agree with your comments on my routing table.  However, I ended up there empirically through a lot of trial and error.  I think the different netmask (.192 vs .0) makes a difference in the rule order processing.  While I don't understand it, I can say it works better than anything I have done so far.  S1 (172.16.1.1) can ping W1 (172.16.1.10) and S2 (172.16.1.65).  Wireless clients attached to S1 such as Win1 (172.16.1.10) can ping other clients on S1 such as Win1.1 (172.16.1.11).  If I take out any of the rules, I break something.

However, S2 cannot ping Win1 and that is where I am stuck.  Taking out any routing rule makes no difference on that.  So I assumed I was missing a route or something else.

All that said, your method for adding routes looks easier.  I will give it a try.  One question on your last suggestion:

*Quote:*

> config_wlan0="172.16.1.1/26 brd 172.16.1.63"

Why do you have the broadcast address as .63?

----------

## NeddySeagoon

greanie,

In each (sub)net there are two addresses that cannot be used for hosts.

These are the network address, which is the lowest IP address in the (sub)net (treating an IP address as an unsigned integer), and the highest address in the (sub)net, which is traditionally the broadcast address.  The broadcast address can actually be anywhere; it's just custom and practice to use the last IP in the range.

Therefore in the 172.16.1.1/26 subnet the network address is 172.16.1.0 and the broadcast address is 172.16.1.63, that being the last IP in the subnet. 172.16.1.64/26 is the next subnet up, as each /26 has 64 IP addresses.

For S2 to ping Win1, the routing table in S2 has to be right too, as well as that in S1. 

If you only need 20 IPs at each end, either use a /25 at each end and have subnets with 128 IPs each, or continue your existing plan to use a /26 at each end, 0..63 on S1, 64..127 on S2 and the other two /26 spare.  You cannot use 64..255 as a single subnet because it's not one.

S2 needs a route to 172.168.1.0/26 to be able to ping Win1 (the gateway will be 10.8.0.1)

It also needs 172.16.1.64/26 set up as a subnet or packets will be sent to the wlan0 on S2.

Hmm, S1 and S2 wlans are in 172.16.x.x and Win1 and Win2 are on 172.168.x.x.  Which is correct, .16. or .168.?

----------

## greanie

NeddySeagoon,

If you see 172.168.1.x, it is a typo.  It should be 172.16.1.x.

I have restarted the router, thereby eliminating all previously added routes.  I have updated /etc/conf.d/net as suggested:

```
routes_tap0="172.16.1.0/26 via 172.16.1.1"
```

When restarting tap0:

```
S1 # /etc/init.d/net.tap0 start
 * Bringing up interface tap0
 *   Running preup ...
 *   10.8.0.1 ...                                                               [ ok ]
 *   Adding routes
 *     172.16.1.0/26 via 172.16.1.1 ...
RTNETLINK answers: Network is unreachable                                       [ !! ]
 *   Waiting for IPv6 addresses ...
```

When I try manually, same result:

```
route add -net 172.16.2.0/26 gw 172.16.2.1 tap0
SIOCADDRT: Network is unreachable
```

The route is not added to the routing table.  If I add the route from 172.16.1.0/24 via 10.8.0.1 for tap0 first, then try again with 172.16.1.0/26 via 172.16.1.1 for tap0, still doesn't work.

I get a similar result for wlan0:

```
routes_wlan0="10.8.0.0/24 via 10.8.0.1"
```

```
S1 ~ # /etc/init.d/net.wlan0 start
 * Bringing up interface wlan0
 *   Running preup ...
 *   172.16.1.1/24 ...                                                          [ ok ]
 *   Adding routes
 *     10.8.0.0/24 via 10.8.0.1 ...
RTNETLINK answers: Network is unreachable
```

Did I implement this as you intended?

----------

## NeddySeagoon

greanie,

Lets start with an overview of routing, based on your diagram that I have copied below.

```
                                                 WAN
                                                  |
                                                  |
                                          --------------------
                                          | Linksys Router   |
                                          |  default gw      |
                                          | 192.168.1.1      |
                                          --------------------
                                                 ||
    -----------------------------                ||                   -----------------------
    | S2                        |                ||                   | S1                   |
    |   eth0 192.168.1.206      |            ----------               |  eth0 192.168.1.205  |
    |   tap0 10.8.0.10          |============| switch |===============|  tap0 10.8.0.1       |
    |   wlan0 172.16.1.65       |            ----------               |  wlan0 172.16.1.1    | dhcpd
    |   ssid site_1_ap          |   openvpn (client)                  |   ssid site_2_ap     | openvpn (server)
    -----------------------------                                     ----------------------------
                  +                                                              +
                  +                                                              +
                  +                                                              +
    -----------------------------                                      -----------------------------
    | Win2                      |                                     | Win1                       |
    | wlan0 172.16.1.70         |                                     |   wlan0 172.16.1.10        |
    |    (on site_2_ap)         |                                     |          (on  site_1_ap)   |
    -----------------------------                                     ------------------------------
```

This overview discusses the private address ranges you are using.

The key takeaway is that 10.0.0.0/24 is defined to be a class A network by default, so unless you specify the netmask everywhere, you will get a free route with a netmask of 255.0.0.0 which will probably break your routing. 

Similarly with 172.16.0.0 - 172.31.255.255.  That's intended to be used as 16 class B networks, so you get a free /16 route everywhere; that's netmask 255.255.0.0.  This will break your routing too.

The only address range you are using in its default configuration is 192.168.1.0/24, which gets you an implied 255.255.255.0 netmask route, which is what you want.

Routing only describes how to get to the next hop in the route.  Think about the example of your router at 192.168.1.1.  It does not know how to get to every node on the internet, it just passes packets to your ISP, using its default route. It does Network Address Translation (NAT) too, since packets with private IP addresses should never appear on the internet.  They will be dropped by your ISP if yours get that far.

On Win1, only a default route via 172.16.1.1 is required but you should not use the default /16 netmask as your 172.16.x.x is not a /16.

It may work here, as the only place packets are going is 172.16.1.1, but it's not correct and may confuse you later.

You are using 172.16.1.0 as a number of /26 subnets:

Win1/S1 is on 172.16.1.0/26 ... that's the subnet 172.16.1.0 to 176.16.1.63

Win2/S2 is on 172.16.1.64/26 ... that's the subnet 172.16.1.64 to 176.16.1.127

Each subnet has 64 IP addresses, of which 61 may be used for hosts.

Setup is simpler if you choose net ranges that allow the default netmasks to work, as you don't have to pay such attention to detail to the routes with no gateway, but what you are doing can be made to work.

e.g. 172.16.0.0/16 on S1 and 172.17.0.0 on S2.

Now the route with no gateway you get for free on Win1 and S1, 172.16.0.0/16, is correct.

Likewise on Win2 and S2.  You only need to get the default gateways and static routes correct.  That you have a large amount of IP addresses spare does not matter.

Win1 therefore needs a 172.16.1.0/26 route with no gateway, so it can communicate with other nodes on its subnet, and a default route via 172.16.1.1 for everything else. If you have a 172.16.1.0/16 route with no gateway on Win1, which is what you get by default, it will not be able to reach S2, as packets for 172.16.1.64/26 will not be sent to 172.16.1.1.

Please post the routing table from Win1.

S2 needs something similar.  It needs a 172.16.1.0/26 route without a gateway so it can communicate with Win1 and friends on the 172.16.1.0/26 subnet.

It needs a 172.16.1.64/26 route via 10.8.0.10 because 10.8.0.10 knows how to get to 172.16.1.64/26.

Win2 and S2 need setups following similar reasoning for the return path.

Win2 needs a route without a gateway for 172.16.1.64/26 and a default route via 172.16.1.65/26.  Again, the /26 is not the default.

----------
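Added example, not code from the thread: a small Python simulation of the routing argument in the post above. Each node carries its routing table and a note of which interfaces share a link; at every hop the kernel's longest-prefix match is applied and the next-hop address is resolved only among hosts on that link, which is where ARP would have to succeed. Win1 and S1 use the addresses from the posts; S2's addresses (10.8.0.10 on tap0, 172.16.1.65 on wlan0) and Win2's (172.16.1.70) are assumptions, as is the pairing that gives S1 the 172.16.1.64/26 route via 10.8.0.10 and S2 the mirror route via 10.8.0.1.

```python
"""Hop-by-hop routing simulation (added example, not code from the thread).
Addresses for S2 (10.8.0.10 on tap0, 172.16.1.65 on wlan0) and Win2
(172.16.1.70) are assumptions; Win1 and S1 follow the posts."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[IPv4]      # None = "route with no gateway" (directly connected)
    dev: str


@dataclass
class Node:
    name: str
    ifaces: dict                 # iface -> (address, link); nodes on one link are L2-adjacent
    routes: list
    ip_forward: bool = True      # net.ipv4.ip_forward on that box

    def addresses(self):
        return {addr for addr, _link in self.ifaces.values()}

    def lookup(self, dst):
        """Longest-prefix match, as the kernel does; None = 'no route to host'."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def R(prefix, gateway, dev):
    gw = IPv4(gateway) if gateway else None
    return Route(ipaddress.ip_network(prefix, strict=False), gw, dev)


def trace(nodes, src, dst, max_hops=8):
    """Follow one packet from node `src` to address `dst`.
    Returns (delivered, path); path ends with the reason if dropped."""
    dst = IPv4(dst)
    on_link = {}                 # link -> {address: node}, i.e. whom ARP could find
    for n in nodes.values():
        for addr, link in n.ifaces.values():
            on_link.setdefault(link, {})[addr] = n.name
    cur, path = nodes[src], [src]
    for _ in range(max_hops):
        if dst in cur.addresses():
            return True, path
        if cur.name != src and not cur.ip_forward:   # transit packet on a non-router
            path.append("dropped: ip_forward=0 on " + cur.name)
            return False, path
        route = cur.lookup(dst)
        if route is None:
            path.append("dropped: no route to host on " + cur.name)
            return False, path
        next_hop = route.gateway if route.gateway is not None else dst
        link = cur.ifaces[route.dev][1]
        nxt = on_link.get(link, {}).get(next_hop)
        if nxt is None:          # nobody on that segment answers for next_hop
            path.append(f"dropped: {next_hop} not on link {link} (ARP would fail)")
            return False, path
        cur = nodes[nxt]
        path.append(cur.name)
    path.append("dropped: hop limit")
    return False, path


def build(win1_prefix="172.16.1.0/26", s2_forwarding=True):
    """Win1 --wifi-S1-- S1 --tap0/vpn-- S2 --wifi-S2-- Win2, with the /26 routes."""
    win1 = Node("Win1", {"wlan": (IPv4("172.16.1.10"), "wifi-S1")},
                [R(win1_prefix, None, "wlan"), R("0.0.0.0/0", "172.16.1.1", "wlan")])
    s1 = Node("S1", {"wlan0": (IPv4("172.16.1.1"), "wifi-S1"),
                     "tap0": (IPv4("10.8.0.1"), "vpn")},
              [R("172.16.1.0/26", None, "wlan0"), R("10.8.0.0/24", None, "tap0"),
               R("172.16.1.64/26", "10.8.0.10", "tap0")])
    s2 = Node("S2", {"tap0": (IPv4("10.8.0.10"), "vpn"),
                     "wlan0": (IPv4("172.16.1.65"), "wifi-S2")},
              [R("172.16.1.64/26", None, "wlan0"), R("10.8.0.0/24", None, "tap0"),
               R("172.16.1.0/26", "10.8.0.1", "tap0")], ip_forward=s2_forwarding)
    win2 = Node("Win2", {"wlan": (IPv4("172.16.1.70"), "wifi-S2")},
                [R("172.16.1.64/26", None, "wlan"), R("0.0.0.0/0", "172.16.1.65", "wlan")])
    return {n.name: n for n in (win1, s1, s2, win2)}


if __name__ == "__main__":
    for label, net in (("Win1 with /26", build()), ("Win1 with default /16", build("172.16.0.0/16"))):
        for src, dst in (("Win1", "172.16.1.70"), ("Win2", "172.16.1.10"), ("Win1", "10.8.0.1")):
            ok, path = trace(net, src, dst)
            print(f"{label:22} {src} -> {dst:12} {'ok  ' if ok else 'FAIL'} {' > '.join(path)}")
```

With the /26 routes the packet goes Win1 > S1 > S2 > Win2 and the reply comes back Win2 > S2 > S1 > Win1. With the default /16 on Win1, the /16 connected route wins the longest-prefix match over the default route, so Win1 tries to ARP for 172.16.1.70 on its own wireless segment and the packet never reaches 172.16.1.1, while the return path still works, which is the one-way breakage that makes ping fail. Building the topology with `s2_forwarding=False` shows why the ip_forward check from earlier in the thread matters on S1 and S2, but not on the Windows clients, which only ever originate or receive packets.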

## _______0

Just a question: as I can see here, is it possible to have a route that differs from the IP pattern?

client 172.16.1.10

route 10.8.0.1

I thought that when the numbers don't match, in this case with different address classes, you get the classic 'no route to host' message.

Also, what's the reasoning of having three different address classes in your set up?

192.168.1.1

10.8.0.1

172.16.1.10

Why not stick to one?

----------

## greanie

NeddySeagoon,

Thank you for the information about the classifications of the various net ranges.  I know I have a lot left to learn.  I picked the various net ranges to make it easier to think about.  I do want two separate ranges for my vpn / wifi network so that it doesn't have access to the internet.  But I could also do that in the 192.168.x.x range, you are right, and maybe I should transition to that.

As to your question

 *Quote:*   

> I thought when numbers don't match in this case with different address classes you get the classic 'no route to host' message.

 

I don't know what it should be. I only reported what the server spit back out at me.

What I have been reading is that even if I get my routes right, the routing table only dictates IP packets and therefore my ARP packets will never find the right destinations when trying to reach from one end of the network to the other with this network setup.  What I read was recommended instead is an ethernet bridge.  I have bridged wlan0 & tap0 on both S1 & S2.  So far, this seems to work very well with minimal adjustment to the routing tables on S1 & S2.  I still have to get the hostap working on S2 (the wifi adapter seems not to be so stable at the moment) to be sure I can ping from one end of the network to the other.  Otherwise, I have the same functionality as with my very complicated routes some time ago.

Is it correct what I have read about the ARP messages?

----------

## NeddySeagoon

greanie,

I'm not sure about ARP.  In my experience, once the routing is right, it just works.

The hard bit for me has always been getting the routing right in both directions at the same time, so ping can work.

A network that only works in one direction isn't very useful.

You can still use the Class A, B and C network ranges, but use them with their default settings, that is 10.0.0.0/8, 172.16.0.0/16 and 192.168.x.0/24.

If you do want to change, then 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 are all separate networks.

To help me keep my networks separate in my mind I use 192.168.100.0/24 for wired, 192.168.54.0/24 for wireless and 192.168.10.0/24 for my servers.  At one time the 100, 54 and 10 denoted the network speeds. The wired is now all 1G but my AP is still on 54Mbit.

Bridging should work for you since the tap interfaces are just provided as tunnel endpoints for the two parts of the wireless network.

Think of a bridge like a hub - all packets go to every port.  Getting a bridge that involves a wireless interface to work reliably can be a problem but you seem to have cracked that.

----------

## AngelKnight

 *greanie wrote:*   

> Though that was the goal I stated in my first post, my overall goal is to be able to communicate across the whole 172.16.1.0 subnet as below transparently such that Win1 and Win2 associate with the their wireless access point but do not know they are not physically on the same network.
> 
> ```
> 
>                                                  WAN
> ...

 

Hi greanie,

You want to keep wlan0 using 172.16.1.0/24 (it appears).  You have four separate adapters that are using 172.16.1.0/24 addresses.  There is no indication you rigged S1 and S2 to bridge between each other.  This is what you're missing.

IPv4 forwarding/switching isn't what you want.  You want to assemble a bridge and arrange for it to speak across your switch.

It looks like S1 and S2 are L2-adjacent to each other.  What you might do is filch the 192.168.1.0/24 addresses and put them on a bridge device br0 on each of S1 and S2.  On each of S1 and S2, the physical members for the bridge will be the local eth0 and the local wlan0.  The bridge interface will get two L3 assignments: eth0's former 192.168.1.0/24 address and wlan0's former 172.16.1.0/24 address.

----------

