This is a discussion on Route Question within the Linux Networking forums, part of the Linux Forums category.
I've got a problem I've never seen, and I'm not even sure where to ask
the question, or what information to provide, so bear with me.

I have a firewall running OpenBSD 3.4, and a web server running FreeBSD 4.9. The firewall's internal interface is 10.0.1.254. The web server is 10.0.1.251. I can ping and traceroute to the 10.0.1.251 box from machines inside the firewall, and I get normally expected results (quick pings, and a route directly to 10.0.1.251). However, when I traceroute to 10.0.1.251 from the firewall (10.0.1.254), it seems to get hung up trying to get there through the localhost.

$ traceroute 10.0.1.251
traceroute to 10.0.1.251 (10.0.1.251), 64 hops max, 40 byte packets
 1  localhost (127.0.0.1)  0.745 ms  0.618 ms  0.235 ms
 2  localhost (127.0.0.1)  0.620 ms  0.642 ms  0.400 ms
 3  localhost (127.0.0.1)  0.507 ms  0.735 ms  0.494 ms
 4  localhost (127.0.0.1)  0.614 ms  0.859 ms  0.402 ms
 5  localhost (127.0.0.1)  0.477 ms  0.947 ms  0.681 ms
 6  localhost (127.0.0.1)  0.767 ms  1.8 ms  0.857 ms
 7  localhost (127.0.0.1)  1.13 ms  1.142 ms  0.904 ms
 8  localhost (127.0.0.1)  0.974 ms  1.164 ms^C

Routing table on firewall looks like this:

$ route show
Routing tables

Internet:
Destination        Gateway            Flags
default            204.128.254.254    UG
10.0.1.0           link#2             U
10.0.1.1           0:60:b0:4a:79:eb   UH
10.0.1.6           0:30:6e:13:b6:bc   UH
10.0.1.19          2:7:1:1c:5c:32     UH
10.0.1.23          0:4:76:f2:82:89    UH
10.0.1.45          0:1:3:c4:81:0      UH
10.0.1.73          0:4:76:b7:1f:b5    UH
gate               localhost          UGH
10.0.1.254         0:40:ca:19:dc:84   UH
127.0.0.0          localhost          UG
localhost          localhost          UH
204.128.254.128    link#1             U
www                0:1:2:3b:8:47      UH
204.128.254.254    0:d0:58:a3:b2:b1   UH
BASE-ADDRESS.MCA   localhost          U

Why is that happening? Where should I look to correct it? Thanks in advance.
Dan Bent <dbent@benefit-systems.com> wrote:
> $ traceroute 10.0.1.251
> traceroute to 10.0.1.251 (10.0.1.251), 64 hops max, 40 byte packets
>  1  localhost (127.0.0.1)  0.745 ms  0.618 ms  0.235 ms
>  2  localhost (127.0.0.1)  0.620 ms  0.642 ms  0.400 ms
>  3  localhost (127.0.0.1)  0.507 ms  0.735 ms  0.494 ms
>  4  localhost (127.0.0.1)  0.614 ms  0.859 ms  0.402 ms
>  5  localhost (127.0.0.1)  0.477 ms  0.947 ms  0.681 ms
>  6  localhost (127.0.0.1)  0.767 ms  1.8 ms  0.857 ms
>  7  localhost (127.0.0.1)  1.13 ms  1.142 ms  0.904 ms
>  8  localhost (127.0.0.1)  0.974 ms  1.164 ms^C

> Routing table on firewall looks like this:

> 127.0.0.0          localhost          UG    <--- Here is your problem
> localhost          localhost          UH

These route entries are saying "to get to localhost, send your packet via localhost", ergo you have a routing loop.

You seem to have a lot of route entries. Are you using a routing protocol, or doing this by hand?

I'm not familiar with OpenBSD, so I'm not entirely certain what that would normally say, but I would normally expect it to say something like the following (from my Linux box, I should get my FreeBSD box going again)

$ /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.18.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         10.18.0.1       0.0.0.0         UG    0      0        0 eth0

You will notice that there are NO entries mentioning the device lo, or anything in 127.0.0.0/8.

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
Cameron Kerr <cameron.kerr@paradise.net.nz> wrote in message news:<401a24ea@news.maxnet.co.nz>...
> Dan Bent <dbent@benefit-systems.com> wrote:
>
> > $ traceroute 10.0.1.251
> > traceroute to 10.0.1.251 (10.0.1.251), 64 hops max, 40 byte packets
> >  1  localhost (127.0.0.1)  0.745 ms  0.618 ms  0.235 ms
> >  2  localhost (127.0.0.1)  0.620 ms  0.642 ms  0.400 ms
> >  3  localhost (127.0.0.1)  0.507 ms  0.735 ms  0.494 ms
> >  4  localhost (127.0.0.1)  0.614 ms  0.859 ms  0.402 ms
> >  5  localhost (127.0.0.1)  0.477 ms  0.947 ms  0.681 ms
> >  6  localhost (127.0.0.1)  0.767 ms  1.8 ms  0.857 ms
> >  7  localhost (127.0.0.1)  1.13 ms  1.142 ms  0.904 ms
> >  8  localhost (127.0.0.1)  0.974 ms  1.164 ms^C
>
> > Routing table on firewall looks like this:
>
> > 127.0.0.0          localhost          UG    <--- Here is your problem
> > localhost          localhost          UH
>
> These route entries are saying "to get to localhost, send your packet
> via localhost", ergo you have a routing loop.
>
> You seem to have a lot of route entries. Are you using a routing
> protocol, or doing this by hand?
>
> I'm not familiar with OpenBSD, so I'm not entirely certain what that
> would normally say, but I would normally expect it to say something like
> the following (from my Linux box, I should get my FreeBSD box going
> again)
>
> $ /sbin/route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.18.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         10.18.0.1       0.0.0.0         UG    0      0        0 eth0
>
> You will notice that there are NO entries mentioning the device lo, or
> anything in 127.0.0.0/8.

There are a lot of route table entries on the firewall, because there's a route for each of the machines on the network that use the firewall as their internet gateway. The routing table is built automatically, I have not done any manual manipulation. I would agree that the traceroute results show a routing loop, where the machine keeps routing the packets to itself, when I'd like it to be looking for 10.0.1.251. However, I'm not sure how to resolve that.

There's another interesting wrinkle that has developed as I try to work this out. I cannot ping the inside of the firewall (10.0.1.254) from the webserver, and I cannot ping the webserver from the firewall. I can ping both interfaces from other machines on the network.
Cameron Kerr <cameron.kerr@paradise.net.nz> wrote in message news:<401a24ea@news.maxnet.co.nz>...
> Dan Bent <dbent@benefit-systems.com> wrote:
>
> > $ traceroute 10.0.1.251
> > traceroute to 10.0.1.251 (10.0.1.251), 64 hops max, 40 byte packets
> >  1  localhost (127.0.0.1)  0.745 ms  0.618 ms  0.235 ms
> >  2  localhost (127.0.0.1)  0.620 ms  0.642 ms  0.400 ms
> >  3  localhost (127.0.0.1)  0.507 ms  0.735 ms  0.494 ms
> >  4  localhost (127.0.0.1)  0.614 ms  0.859 ms  0.402 ms
> >  5  localhost (127.0.0.1)  0.477 ms  0.947 ms  0.681 ms
> >  6  localhost (127.0.0.1)  0.767 ms  1.8 ms  0.857 ms
> >  7  localhost (127.0.0.1)  1.13 ms  1.142 ms  0.904 ms
> >  8  localhost (127.0.0.1)  0.974 ms  1.164 ms^C
>
> > Routing table on firewall looks like this:
>
> > 127.0.0.0          localhost          UG    <--- Here is your problem
> > localhost          localhost          UH
>
> These route entries are saying "to get to localhost, send your packet
> via localhost", ergo you have a routing loop.
>
> You seem to have a lot of route entries. Are you using a routing
> protocol, or doing this by hand?
>
> I'm not familiar with OpenBSD, so I'm not entirely certain what that
> would normally say, but I would normally expect it to say something like
> the following (from my Linux box, I should get my FreeBSD box going
> again)
>
> $ /sbin/route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.18.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         10.18.0.1       0.0.0.0         UG    0      0        0 eth0
>
> You will notice that there are NO entries mentioning the device lo, or
> anything in 127.0.0.0/8.

Found the problem! I had a couple of bad entries in the /etc/hosts file, that pointed the firewall back to itself on 10.0.1.251. Thanks for your time and effort.
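An added example, not part of the original thread: a small Python audit of a hosts file for the kind of entry described in the post above. The sample file, the firewall host name "gate" and the list of local addresses are constructed assumptions; the thread does not show the actual bad entries.

```python
import ipaddress

# Constructed sample: the thread never shows the real /etc/hosts. The firewall
# host name "gate" and the stale line below are assumptions for this example.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
10.0.1.251    gate                 # stale: firewall's name on the web server's IP
10.0.1.254    gate.example.test gate
"""
LOCAL_ADDRS = ["127.0.0.1", "10.0.1.254"]  # addresses this host really holds


def parse_hosts(text):
    """Yield (line_no, address, names) for each usable line of a hosts file."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        yield line_no, addr, [name.lower() for name in fields[1:]]


def audit_hosts(text, hostname, local_addrs):
    """Return (line_no, name, reason) for entries that misidentify this host."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    own = hostname.lower().split(".")[0]
    first_seen = {}  # name -> first address it was bound to
    findings = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            first = first_seen.setdefault(name, addr)
            if first != addr:
                findings.append((line_no, name, f"also mapped to {first}"))
            if name.split(".")[0] == own and addr not in local:
                findings.append((line_no, name, f"own name on foreign address {addr}"))
            if name == "localhost" and not addr.is_loopback:
                findings.append((line_no, name, f"localhost on non-loopback {addr}"))
    return findings


if __name__ == "__main__":
    for line_no, name, reason in audit_hosts(SAMPLE_HOSTS, "gate", LOCAL_ADDRS):
        print(f"/etc/hosts line {line_no}: {name}: {reason}")
```

Run against a copy of the firewall's own hosts file, with the host name and interface addresses passed in, an empty result means no name is bound to two addresses and the host's own name sits only on addresses it holds.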
Dan Bent <dbent@benefit-systems.com> wrote:
> Cameron Kerr <cameron.kerr@paradise.net.nz> wrote in message
> news:<401a24ea@news.maxnet.co.nz>...
>> You seem to have a lot of route entries. Are you using a routing
>> protocol, or doing this by hand?

> There are a lot of route table entries on the firewall, because
> there's a route for each of the machines on the network that use the
> firewall as their internet gateway. The routing table is built
> automatically, I have not done any manual manipulation.

Oh, so on OpenBSD, I guess "route show" shows the route _cache_, rather than the FIB. I would have expected a route entry akin to

10.0.0.0/8 eth0 <-- or whatever eth0 would be in OpenBSD.

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!