Solaris routing problem

jnothinghead

IS-IT--Management
Aug 10, 2001
US
Hello all,
I have a Solaris 7 box that is running Checkpoint firewall.
I am having a problem with routing.

I have routing set up as such.

10.0.1.0 255.255.255.0 10.0.2.1
default 0.0.0.0 192.168.2.1

When I try to ping an address 10.0.1.5 I get no answer, when I do a traceroute to the address I get
traceroute: Warning: Multiple interfaces found; using 192.168.2.1 @ hme0
and the trace to 10.0.1.5 completes on 1 hop.

Has anyone run into this problem before? As I understand it any traffic to 10.0.1.0 should route through 10.0.2.1.

Any suggestions or ideas of what I can do to solve this problem?

Thank you!!!
 
How many interfaces do you have?
I have had a similar problem running Solaris 7 and Checkpoint 4.1...

Let me know more specifics.
Who does your DNS and whom do you use for an ISP?
 
I don't think traceroute looks at the local routing table at all (hence the warning message). Try using the -i option to specify the interface name of the interface on the 10.0.1.0 network.

Annihilannic.
 
Annihilannic

I tried the -i option and was still reaching my destination (in this case my management console) in one hop.

I have 5 interfaces on this box. I am trying to route out qfe0 which in this case has an IP of:

10.0.2.0 255.255.255.0 10.0.2.3 qfe0
10.0.1.0 255.255.255.0 10.0.2.1
default 0.0.0.0 192.168.2.1 hme0

any other suggestions?
Thanks
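
Added example, not part of the original posts: a longest-prefix-match lookup over the three routes listed in the post above, showing which gateway and interface that table selects for 10.0.1.5. It assumes a route with no interface named is resolved through the interface-bound route that contains its gateway; the function names are hypothetical.

```python
import ipaddress

# Routes exactly as listed in the post: (destination, netmask, gateway, interface).
# The 10.0.1.0 line names no interface, so it is stored as None.
ROUTES = [
    ("10.0.2.0", "255.255.255.0", "10.0.2.3", "qfe0"),
    ("10.0.1.0", "255.255.255.0", "10.0.2.1", None),
    ("0.0.0.0", "0.0.0.0", "192.168.2.1", "hme0"),  # default
]


def _net(dest, mask):
    return ipaddress.ip_network(f"{dest}/{mask}")


def best_route(dst, routes=ROUTES, need_iface=False):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [
        (_net(d, m), gw, ifc)
        for d, m, gw, ifc in routes
        if addr in _net(d, m) and (ifc or not need_iface)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def resolve(dst, routes=ROUTES):
    """Return (matched network, gateway, egress interface) for dst."""
    route = best_route(dst, routes)
    if route is None:
        return None
    net, gw, ifc = route
    if ifc is None:
        # Assumption: the gateway is reached through the most specific
        # route that is bound to an interface.
        via = best_route(gw, routes, need_iface=True)
        ifc = via[2] if via else None
    return str(net), gw, ifc


if __name__ == "__main__":
    # 192.0.2.9 is a constructed address that only the default route matches.
    for target in ("10.0.1.5", "10.0.2.7", "192.0.2.9"):
        print(target, "->", resolve(target))
```

By this table, 10.0.1.5 matches the 10.0.1.0 route and leaves through qfe0 toward 10.0.2.1, not through hme0.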
 
Why is the fact that it's reaching the destination in one hop a problem? Or is that fine, but the problem is that you still can't ping it?

Could you please supply the output of ifconfig -a and netstat -rn?

Annihilannic.
 
I have attached the ifconfig and netstat below, but I have eliminated the second to last set of numbers.

In the real situation I am attempting to get to 66.100.XXX.38 from this machine, 151.200.XXX.3. Here is the output of traceroute -i:

# traceroute -i qfe0 66.100.XXX.38
traceroute to 66.100.XXX.38 (66.100.XXX.38), 30 hops max, 40 byte packets
1 66.100.XXX.38 (66.100.XXX.38) 0.553 ms 0.182 ms 0.156 ms


This trace should hit a router before it completes.


# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255
ether 8:0:20:e7:46:94
qfe0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
inet 151.200.xxx.3 netmask ffffff00 broadcast 151.200.xxx.255
ether 8:0:20:e7:46:94
qfe1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.1 netmask ffffff00 broadcast 192.168.3.255
ether 8:0:20:e7:46:94

# netstat -rn

Routing Table:
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
151.200.XXX.15 192.168.3.2 UGH 0 18135
66.100.XXX.0 151.200.XXX.1 UG 0 4
66.100.XXX.0 151.200.XXX.1 UG 0 54
192.168.2.0 192.168.2.1 U 2 13308 hme0
66.100.XXX.0 151.200.XXX.1 UG 0 2506
192.168.3.0 192.168.3.1 U 2 9713 qfe1
165.13.XXX.0 151.200.XXX.1 UG 0 88397
66.100.XXX.0 151.200.XXX.1 UG 0 3898
151.200.XXX.0 151.200.XXX.3 U 2 186810 qfe0
64.241.XXX.0 151.200.xxx.1 UG 0 208081
default 192.168.2.2 UG 03479104
127.0.0.1 127.0.0.1 UH 0 4795 lo0

 
Like I said, traceroute will ignore the local routing rules, so will go to the destination IP address by the shortest route available, so it's not a good test.

If ping isn't reaching the destination, perhaps it's matching one of the 66.100.XXX.0 rules, going to 151.200.XXX.1, and that gateway doesn't know where to send it next?

Annihilannic.
 
If you're still having a problem, check the status of IP forwarding.
You will not be able to ping from the outside interface on the server to an inside machine without a translation IP (NAT). You will not be able to reach the outside host interface directly even though the server knows about both of the networks. Make sure your netmask is 255.0.0.0 and this should accept anything going through the private network and to the outside. The network masks for both networks need to be on the server with the firewall. The inside machine will need to be routed through the inside network server IP address. The last thing would be to place an executable file in rc2.d so that when the server starts it assigns the translation IP (NAT) to the machine's HOST ID number, NOT the IP address but the machine's hardware ID.
 