Weird (to me) networking issue - can you help?

Submitted ⁨⁨1⁩ ⁨month⁩ ago⁩ by ⁨talkingpumpkin@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

I have two subnets and am experiencing some pretty weird (to me) behaviour - could you help me understand what’s going on?

Scenario 1

PC:                        192.168.11.101/24
Server: 192.168.10.102/24, 192.168.11.102/24

From my PC I can connect to .11.102, but not to .10.102:

ping -c 10 192.168.11.102 # works fine
ping -c 10 192.168.10.102 # 100% packet loss

Scenario 2

Now, if I disable .11.102 on the server (ip link set <dev> down) so that it only has an ip on the .10 subnet, the previously failing ping works fine.

PC:                        192.168.11.101/24
Server: 192.168.10.102/24

From my PC:

ping -c 10 192.168.10.102 # now works fine

This is baffling to me… any idea why it might be?

Here’s some additional information:

The two subnets are on different vlans (.10/24 is untagged and .11/24 is tagged 11).
The PC and Server are connected to the same managed switch, which however does nothing “strange” (it just leaves tags as they are on all ports).
The router is connected to the aformentioned switch and set to forward packets between the two subnets (I’m pretty sure how I’ve configured it so, plus IIUC the second scenario ping wouldn’t work without forwarding).
The router also has the same vlan setup, and I can ping both .10.1 and .11.1 with no issue in both scenarios 1 and 2.
In case it may matter, machine 1 has the following routes, setup by networkmanager from dhcp:

default via 192.168.11.1 dev eth1 proto dhcp              src 192.168.11.101 metric 410
192.168.11.0/24          dev eth1 proto kernel scope link src 192.168.11.101 metric 410

In case it may matter, Machine 2 uses systemd-networkd and the routes generated from DHCP are slightly different (after dropping the .11.102 address for scenario 2, of course the relevant routes disappear):

default via 192.168.10.1 dev eth0 proto dhcp              src 192.168.10.102 metric 100
192.168.10.0/24          dev eth0 proto kernel scope link src 192.168.10.102 metric 100
192.168.10.1             dev eth0 proto dhcp   scope link src 192.168.10.102 metric 100
default via 192.168.11.1 dev eth1 proto dhcp              src 192.168.11.102 metric 101
192.168.11.0/24          dev eth1 proto kernel scope link src 192.168.11.102 metric 101
192.168.11.1             dev eth1 proto dhcp   scope link src 192.168.11.102 metric 101

source

Comments

Sort:hotnew top

teslasaur@lemmy.world ⁨1⁩ ⁨month⁩ ago
My guess is that the server receives the packet from the client with src .11.101 dst .10.102 and tries to respond over the interface that has .11.102 assigned. The client expects a response from src .10.102 and drops the packet. But I would turn on a packet sniffer in the gateway to see if the returning traffic even passes the Firewall in scenario 1.

source
- talkingpumpkin@lemmy.world ⁨1⁩ ⁨month⁩ ago
  So the request goes trough but the replies are discarded ? That could actually be it!
  
  I think there was an option to allow martian packets… I’ll search it and give it a try. Thanks!
  
  source
  - teslasaur@lemmy.world ⁨1⁩ ⁨month⁩ ago
    It has to do with link priority on the server. You’d imagine that a server that receives a packet that has a return address on the same subnet as it self logically would use that interface instead.
    
    A similar thing happens in switches. For example if you have two vlans on a switch and both vlans have an ip assigned, connect a computer to one of the vlans. You will only be able to reach the switch on the non-routed connection. Even if you also are allowed to reach the second vlan through a router/Firewall.
    
    source
just_another_person@lemmy.world ⁨1⁩ ⁨month⁩ ago
You have two NICs in a machine and two networks, one untagged and one tagged? This is a mess for a number of reasons. You have two routes and two adapters that don’t route to the default gateway of each subnet because you’re also tagging one portion of the VLAN traffic, and not tagging the other. That’s your problem.

How you’re going to fix it: learn about VLANs and submitting, then let your router do the job it’s designed to do. You’ve already defeated the purpose of the VLANs by having them bridged with this one machine anyway. There’s literally no point except this confusing setup.

source
- talkingpumpkin@lemmy.world ⁨1⁩ ⁨month⁩ ago
  I don’t think I quite explained the situation well enough: my server only has 1 ethernet port (same as my PC), otherwise I wouldn’t have bothered with vlans (well, I would still have bothered, since my house still only has one “backbone” cable running through it, but I would have configured it on the switches only).
  
  Anyway… a few of the things you say/imply go against my understanding of networking, so one of us would better go back RTFM as you suggest :) (just kidding - most probably I just don’t understand what you mean)
  
  source
Shdwdrgn@mander.xyz ⁨1⁩ ⁨month⁩ ago
This sounds familiar. Can you verify if you’ve enabled net.ipv4.ip_forward=1 in /etc/sysctl.conf? If you have to make a change, then issue sysctl --system to reload the updates.

source
- talkingpumpkin@lemmy.world ⁨1⁩ ⁨month⁩ ago
  Thanks! Forwarding is disabled. I don’t want the server to steal the router’s job :)
  
  source
  - Shdwdrgn@mander.xyz ⁨1⁩ ⁨month⁩ ago
    If you already have a router tying these two networks together then you should NOT also have two NICs in one machine tied to both networks. Pick one or the other, you can’t have both. If you think you need both then you haven’t correctly considered your network topology.
    
    source
scott@lem.free.as ⁨1⁩ ⁨month⁩ ago
The reason is “asymmetric routing”. The return ping packets are traveling a different route on the way out than on the way back.

source
piper11@feddit.org ⁨1⁩ ⁨month⁩ ago
In scenario 1, the server is technically a router between the 11 and the 10 subnet. There is a sysctl that enables forwarding (i’m on the phone and can’t look it up right now). This must be enabled.

In your second scenario, the server appears to regard its subnet 11 address as just another address it has and replies.

source
fmstrat@lemmy.nowsci.com ⁨1⁩ ⁨month⁩ ago
The PC is on .11

It pings server on .10

Since PC is on .11, server tries to respond on .11

This will fail

Disabling .11 on the server works because it can no longer try to respond in that direction

I bet it will work if you disable the .11 default route
source
possiblylinux127@lemmy.zip ⁨1⁩ ⁨month⁩ ago
Why is your network like this? Wouldn’t is be easier to put the server and the devices that need to access server on the same subnet?

Anyway I suspect the treason is that ping is using the wrong source IP. If you run ping --help there should be an option to change the source address.

source
- talkingpumpkin@lemmy.world ⁨1⁩ ⁨month⁩ ago
  
  why is your network like this?
  
  Well, at the moment my network is actually flat :)
  
  This is an experiment I’m doing because I wanted to have all the management stuff on a different subnet (eg. adguard dns is on the “regular” subnet everyone uses, but its web interface is on the special subnet only select devices can talk to).
  
  Of course (like with most stuff in my homelab), it’s not like I really have a super-compelling security reason to that, it’s mostly that I wondered “what if?” :D
  
  Oh. the ping option you are referring to is -I (upper case) and takes either an interface name or an ip. I did try giving a .10/24 IP to the PC and the results were consistent with scenario 1 (pings where source and destination are on the same subnet work, pings acrrss subnets don’t), so I didn’t mention that in the OP
  
  source
sj_zero ⁨1⁩ ⁨month⁩ ago
Having a pair of default gateways could be an issue. On Windows (which I know, isn't the OS here), you have to be pretty careful because if you're straddling two networks, you need to pick one network to be the dominant one, that's the one whose default gateway will get packets heading onto outbound networks.
- talkingpumpkin@lemmy.world ⁨1⁩ ⁨month⁩ ago
  I tried dropping the default routes (one at a time) and it doesn’t make a difference, which isn’t (I think) surprising as all traffic is local as far as the server in scenario 1 is concerned. Also IIUC only the default gateway with the lowest metric actually counts.
  
  source
SnotFlickerman@lemmy.blahaj.zone ⁨1⁩ ⁨month⁩ ago
Have you considered adding a manually added path for each of these networks to find each other?

If the auto-generated paths aren’t able to find it, I would personally manually add the path on both ends (give 192.168.11.0/24 a path to 192.168.10.0/24 and vice versa) to see if that changes anything.

source
Decronym@lemmy.decronym.xyz ⁨1⁩ ⁨month⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

IP Internet Protocol

NAS Network-Attached Storage

NAT Network Address Translation

[Thread #934 for this sub, first seen 23rd Aug 2024, 13:05] [FAQ] [Full list] [Contact] [Source code]

source
hungover_pilot@lemmy.world ⁨1⁩ ⁨month⁩ ago
Another solution is to use NAT on the router. NAT all traffic from the client network 11.0/24 to the routers IP on the server network 10.0/24.

That way when the server sees the ICMP echoes on its 10.102 network it will look like it came from the router and send the reply back together router instead out its other interface.

source

Fewer Letters	More Letters
IP	Internet Protocol
NAS	Network-Attached Storage
NAT	Network Address Translation