[ solved ] how to route default hub to another hub with L3 switch

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

[ solved ] how to route default hub to another hub with L3 switch

Post by shakibamoshiri » Mon Mar 13, 2023 5:38 pm

I am testing this scenario.
On the same machine (local) and a single SE server with two hubs:
- SW0 (default)
- SW1
I would like to route SW0 traffic to SW1. Actually connecting two HUBs. So when I connect to SW0, I can ping the Internet through SW1

### Configuration ###

SW0 (default)

SecureNatHostSet /MAC:none /IP:192.168.30.2 /MASK:255.255.255.0
DhcpEnable
DhcpSet /START:192.168.30.10 /END:192.168.30.200 /MASK:255.255.255.0 /EXPIRE:7200 /GW:192.168.30.254 /DNS:  /DNS2: /DOMAIN: /LOG:yes
NatDisable
SecureNatEnable
The IP "192.168.30.254" will be added for the L3 virtual interface

SW1

SecureNatHostSet /MAC:none /IP:192.168.40.2 /MASK:255.255.255.0
DhcpEnable
DhcpSet /START:192.168.40.10 /END:192.168.40.200 /MASK:255.255.255.0 /EXPIRE:7200 /GW:192.168.40.1 /DNS:8.8.8.8  /DNS2: /DOMAIN: /LOG:yes
NatDisable
SecureNatEnable
The IP "192.168.40.1" will be for the gateway and is bridged to the host
+

BridgeCreate SW1 /DEVICE:sw1 /TAP:yes
ip addr add 192.168.40.1/24 brd + dev tap_sw1
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 192.168.40.0/24 ! -d 192.168.40.0/24 -o enp3s0 -j SNAT --to-source 192.168.1.22
At this point my phone can connect to the SE server hub SW1 via L2TP and can ping 8.8.8.8,
while connecting to SW0 it cannot ping 8.8.8.8 since there is no bridge

### Layer 3 Switch ###

RouterAdd R1
RouterIfAdd R1 /HUB:SW0 /IP:192.168.30.254/24
RouterIfAdd R1 /HUB:SW1 /IP:192.168.40.254/24
RouterTableAdd R1 ???
RouterStart R1
The issue is what should be added to the routing table?
My thought was that if I add a route from SW0 to the SW1 gateway, it would work; it did not

RouterTableAdd  R1 /NETWORK:192.168.30.0/24 /GATEWAY:192.168.40.1  /METRIC:1
Then I tested a default route, which did not work either

RouterTableAdd R1 /NETWORK:0.0.0.0/0 /GATEWAY:192.168.40.1  /METRIC:1
and other possibilities.
Please let me know what the right routing table is, and why that way is the right way, so I can correct my understanding
btw I read this section
3.8 Virtual Layer 3 Switches
Regards
Last edited by shakibamoshiri on Thu Mar 16, 2023 5:45 pm, edited 1 time in total.

solo
Posts: 1263
Joined: Sun Feb 14, 2021 10:31 am

Re: how to route default hub to another hub with L3 switch

Post by solo » Mon Mar 13, 2023 11:36 pm

shakibamoshiri wrote:
Mon Mar 13, 2023 5:38 pm
The issue is what should be added to routing table?
Nothing, clear everything you have added to RouterTable R1,
then add iptables' nat for 192.168.30.0/24 too,
and this OS routing: ip route add 192.168.30.0/24 via 192.168.40.254

What would be a practical purpose for this L3 application?

BTW, I am all for CLI where necessary but why aren't you using Windows SE GUI to remotely manage this Linux SE server?

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to route default hub to another hub with L3 switch

Post by shakibamoshiri » Tue Mar 14, 2023 10:13 am

solo wrote:
Mon Mar 13, 2023 11:36 pm
Nothing, clear everything you have added to RouterTable R1,
This is the part which confuses me :|
Why is the L3 switch routing table added by the OS :|

and this OS routing: ip route add 192.168.30.0/24 via 192.168.40.254
Sometimes code/text cannot be as readable as images, so here are two screenshots

[Screenshot: SE server]

[Screenshot: Phone shell (via adb while connected to SW0 using L2TP)]

I should mention that adding a route for SW0 (192.168.30.0/24) has no effect. In any case (added or not) the result is

m51:/ $ ping -c4 8.8.8.8                                                                                
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.30.254: icmp_seq=1 Destination Net Unreachable
From 192.168.30.254: icmp_seq=2 Destination Net Unreachable
From 192.168.30.254: icmp_seq=3 Destination Net Unreachable
From 192.168.30.254: icmp_seq=4 Destination Net Unreachable
Also when connecting to SW1 (192.168.40.0/24) using L2TP, the SW0 (192.168.30.0/24) network is not available, e.g.

ping -c4 192.168.30.2
ping -c4 192.168.30.254
solo wrote:
Mon Mar 13, 2023 11:36 pm
What would be a practical purpose for this L3 application?
I started learning CCNA and preferred to test any part that was possible in real-world cases. Since my focus is on SE, I thought why not an L3 switch with SE server.
solo wrote:
Mon Mar 13, 2023 11:36 pm
BTW, I am all for CLI where necessary but why aren't you using Windows SE GUI to remotely manage this Linux SE server?
I am a keyboard guy (Mechanical Keyboard + Arch based + I3wm + +70wpm (10 finger type speed) + etc )
+
Working on my previous CLI (secli) slowed down because of RPC-JSON API bugs, and for a second CLI I am developing, the "vpncmd" API is the only choice. I dislike it but the result could be worth it.

solo
Posts: 1263
Joined: Sun Feb 14, 2021 10:31 am

Re: how to route default hub to another hub with L3 switch

Post by solo » Tue Mar 14, 2023 10:30 am

shakibamoshiri wrote:
Tue Mar 14, 2023 10:13 am
I am a keyboard guy (Mechanical Keyboard + Arch based + I3wm + +70wpm (10 finger type speed) + etc )
Awesome!

Please post "iptables -t nat -L"

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to route default hub to another hub with L3 switch

Post by shakibamoshiri » Tue Mar 14, 2023 10:34 am

solo wrote:
Tue Mar 14, 2023 10:30 am
Please post "iptables -t nat -L"
iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.40.0/24 ! -d 192.168.40.0/24 -j SNAT --to-source 192.168.1.22
-A POSTROUTING -s 192.168.30.0/24 ! -d 192.168.30.0/24 -j SNAT --to-source 192.168.1.22
iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.40.0/24     !192.168.40.0/24      to:192.168.1.22
SNAT       all  --  192.168.30.0/24     !192.168.30.0/24      to:192.168.1.22

solo
Posts: 1263
Joined: Sun Feb 14, 2021 10:31 am

Re: how to route default hub to another hub with L3 switch

Post by solo » Tue Mar 14, 2023 10:44 am

Very well, give me some time, I'll recreate your scenario in a VM.

solo
Posts: 1263
Joined: Sun Feb 14, 2021 10:31 am

Re: how to route default hub to another hub with L3 switch

Post by solo » Wed Mar 15, 2023 2:43 am

shakibamoshiri wrote:
Mon Mar 13, 2023 5:38 pm
The issue is what should be added to routing table?
Usually L3 interconnects LAN subnets and nothing is needed but in your scenario a DG must be entered there:

RouterList command - Get List of Virtual Layer 3 Switches
Layer 3 Switch Name|Running Status |Interfaces|Routing Tables
-------------------+---------------+----------+--------------
R1                 |Start (Running)|         2|             1

RouterIfList command - Get List of Interfaces Registered on the Virtual Layer 3 Switch
IP Address    |Subnet Mask  |Virtual Hub Name
--------------+-------------+----------------
192.168.30.254|255.255.255.0|SW0
192.168.40.254|255.255.255.0|SW1

RouterTableList command - Get List of Routing Tables of Virtual Layer 3 Switch
Network Address|Subnet Mask|Gateway Address|Metric
---------------+-----------+---------------+------
0.0.0.0        |0.0.0.0    |192.168.40.1   |     1
then add iptables' nat for 192.168.30.0/24 too,
and this OS routing: ip route add 192.168.30.0/24 via 192.168.40.254

All OK now, need my logs?
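Added example, not code from the thread or from SoftEther: a small POSIX shell audit of the host-side half of solo's fix. Once R1 carries the 0.0.0.0/0 route to 192.168.40.1, SW0 clients leave through SW1's tap, and the Linux host must have ip_forward on, a return route for 192.168.30.0/24 via R1's SW1 interface, and SNAT for 192.168.30.0/24 bound to the uplink (enp3s0 is assumed from the first post). The captured texts below are constructed to mirror the outputs posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the host-side pieces of the fix.
# Once R1 has 0.0.0.0/0 -> 192.168.40.1, SW0 clients leave through SW1's tap,
# and the Linux host must (1) forward, (2) know the way back to 192.168.30.0/24
# (via R1's SW1 interface), and (3) SNAT that subnet on the uplink only.
SW0_NET="192.168.30.0/24"
R1_SW1_IF="192.168.40.254"
UPLINK="enp3s0"   # assumption: uplink name taken from the first post

# missing_pieces FORWARD_FLAG ROUTE_TEXT NAT_TEXT
# Prints one line per missing piece; prints nothing when everything is in place.
missing_pieces() {
    fwd="$1"; routes="$2"; nat="$3"
    [ "$fwd" = "1" ] || echo "ip_forward"
    # Without this route the host answers 192.168.30.x via its default gateway
    # instead of handing the packet back to R1 on the tap device.
    printf '%s\n' "$routes" | grep -q "^$SW0_NET via $R1_SW1_IF" || echo "return-route"
    # SNAT must be bound to the uplink (-o) or it also rewrites replies that
    # leave through the tap towards the VPN clients.
    printf '%s\n' "$nat" | grep -q -- "-s $SW0_NET .* -o $UPLINK -j SNAT" || echo "snat-on-uplink"
}

# live_check: run on the VPN host itself (needs root); returns 1 if anything is missing
live_check() {
    out=$(missing_pieces "$(sysctl -n net.ipv4.ip_forward)" \
                         "$(ip route show)" "$(iptables -t nat -S POSTROUTING)")
    [ -z "$out" ] && return 0
    printf 'missing: %s\n' "$out"; return 1
}

# Constructed sample captures mirroring the outputs posted in the thread.
ROUTES_OK="default via 192.168.1.1 dev enp3s0
192.168.30.0/24 via 192.168.40.254 dev tap_sw1
192.168.40.0/24 dev tap_sw1 proto kernel scope link src 192.168.40.1"
NAT_OK="-A POSTROUTING -s 192.168.40.0/24 ! -d 192.168.40.0/24 -o enp3s0 -j SNAT --to-source 192.168.1.22
-A POSTROUTING -s 192.168.30.0/24 ! -d 192.168.30.0/24 -o enp3s0 -j SNAT --to-source 192.168.1.22"
# The -S output posted mid-thread has no -o: the check flags that as snat-on-uplink.
NAT_NO_IF="-A POSTROUTING -s 192.168.30.0/24 ! -d 192.168.30.0/24 -j SNAT --to-source 192.168.1.22"

demo() {
    printf 'complete  : [%s]\n' "$(missing_pieces 1 "$ROUTES_OK" "$NAT_OK")"
    printf 'no route  : [%s]\n' "$(missing_pieces 1 "default via 192.168.1.1 dev enp3s0" "$NAT_OK")"
    printf 'thread -S : [%s]\n' "$(missing_pieces 1 "$ROUTES_OK" "$NAT_NO_IF")"
}
demo
```

Run live_check on the VPN host to compare the running state against the same three requirements.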

shakibamoshiri
Posts: 288
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to route default hub to another hub with L3 switch

Post by shakibamoshiri » Wed Mar 15, 2023 5:09 am

solo wrote:
Wed Mar 15, 2023 2:43 am
Usually L3 interconnects LAN subnets and nothing is needed but in your scenario a DG must be entered there:
I read this part 3.8.4 Adding Virtual Interfaces to connect to Virtual Hubs
Multiple virtual interfaces can be created on a virtual layer 3 switch. Normally two or more virtual interfaces are added (only one serves almost no purpose). Register all of the Virtual Hubs to be subject to routing by the virtual layer 3 switch.
The only Virtual Hubs which can be directly connected to the virtual layer 3 switch are those running on the same VPN Server.
It states that inter-hub IP communication does not need to use L3.
Not sure, but I think if there was a bridge for SW0 then this was right, and since I do not have it, I thought there should be a route in the R1 routing table, and the first thing I added was a default gateway.
What I did not know was that OS-layer routing should be added

ip route add  192.168.30.0/24 via 192.168.40.254
My thought was anything on SW0 would go through SW1, which already has a bridge with 192.168.40.1 + iptables for 192.168.40.0/24 has been set.

Even though it is working now, I feel the route for SW0 to SW1 should have been added to the R1 routing table :|
solo wrote:
Wed Mar 15, 2023 2:43 am
All OK now, need my logs?
No, all good.
Thank you dear @solo for checking it out and finding the cause.
