Gentoo Forums
[SOLVED] IP address scope global secondary
Vieri
l33t
Joined: 18 Dec 2005
Posts: 877

Posted: Fri Mar 26, 2021 1:34 pm    Post subject: [SOLVED] IP address scope global secondary

Hi,

I configure a network interface in Gentoo with a setting like this one:

Code:
# grep 'config_lan_1=' /etc/conf.d/net
config_lan_1="10.215.144.91/22 10.215.144.6/22 10.215.246.91/23 10.215.248.91/24 10.215.111.254/22 192.168.144.91/24 10.215.145.241/23 10.215.145.242/23 10.215.145.81/23 192.168.246.1/23 192.168.136.91/22"


That generates the following:

Code:
# ip a s lan.1
12: lan.1@lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:1f:6b:f5:b7:1b brd ff:ff:ff:ff:ff:ff
    inet 10.215.144.91/22 brd 10.215.147.255 scope global lan.1
       valid_lft forever preferred_lft forever
    inet 10.215.246.91/23 brd 10.215.247.255 scope global lan.1
       valid_lft forever preferred_lft forever
    inet 10.215.248.91/24 brd 10.215.248.255 scope global lan.1
       valid_lft forever preferred_lft forever
    inet 10.215.111.254/22 brd 10.215.111.255 scope global lan.1
       valid_lft forever preferred_lft forever
    inet 192.168.144.91/24 brd 192.168.144.255 scope global lan.1
       valid_lft forever preferred_lft forever
    inet 10.215.145.241/23 brd 10.215.145.255 scope global lan.1
       valid_lft forever preferred_lft forever
    inet 192.168.246.1/23 brd 192.168.247.255 scope global lan.1
       valid_lft forever preferred_lft forever
    inet 192.168.136.91/22 brd 192.168.139.255 scope global lan.1
       valid_lft forever preferred_lft forever
    inet 10.215.144.6/22 brd 10.215.147.255 scope global secondary lan.1
       valid_lft forever preferred_lft forever
    inet 10.215.145.242/23 brd 10.215.145.255 scope global secondary lan.1
       valid_lft forever preferred_lft forever
    inet 10.215.145.81/23 brd 10.215.145.255 scope global secondary lan.1
       valid_lft forever preferred_lft forever


What is the difference between "scope global" and "scope global secondary"?

Say a LAN host has an IP address of 10.215.144.38/23 and default gateway 10.215.144.91. If this host tried to ping 192.168.216.100, which is accessible through another interface on the Gentoo router, I get the following message:

Code:
# ping 192.168.216.100
PING 192.168.216.100 (192.168.216.100) 56(84) bytes of data.
From 10.215.145.241 icmp_seq=1 Destination Host Unreachable


What I'd like to know is why the reply is from 10.215.145.241 instead of, say, 10.215.144.91.
Also, how can I set things up so that the reply always comes from 10.215.144.91?

Should the settings be "scope global secondary" for all IP addr. except for 10.215.144.91 which should be "scope global"?
If so, how can I do this from /etc/conf.d/net?

Regards,

Vieri


Last edited by Vieri on Sat Mar 27, 2021 9:19 am; edited 1 time in total
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54234
Location: 56N 3W

Posted: Fri Mar 26, 2021 2:12 pm

Vieri,

None of those IP addresses are global. They are all private.
The difference is one of convention, more than anything. Private IPs should never appear on the internet.
It's a convention that boundary routers drop packets with destinations in these address ranges, hence they are private.

We need both the ifconfig and route output from the system sending the ping and the host with IP 10.215.145.241 to know why it replied.

What happens is that the kernel looks at the routing table, from bottom to top, and routes the ping to 192.168.216.100 to the first match.
The default gateway is used if there are no matches as that matches everything.

This process is repeated at every hop along the way until the time to live is reached, the packet is delivered or the host that has it is unable to route it any further.
In this case, that host is 10.215.145.241, so it returns Destination Host Unreachable.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Vieri
l33t
Joined: 18 Dec 2005
Posts: 877

Posted: Fri Mar 26, 2021 2:57 pm

Hi Neddy,

I'll get the info you asked for asap. In the meantime, what does "secondary" mean?
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4148
Location: Bavaria

Posted: Fri Mar 26, 2021 9:39 pm

Vieri wrote:
[...] what does "secondary" mean?

It's another (= the second or third) IP address within the same subnet.

You are using network masks which are 22 or 23 bits long. I assume you know what this means; you will also see it when looking at the resulting broadcast address. So these addresses are in the same subnet:
Code:
    inet 10.215.144.91/22 brd 10.215.147.255 scope global lan.1
       valid_lft forever preferred_lft forever
[...]
    inet 10.215.144.6/22 brd 10.215.147.255 scope global secondary lan.1
       valid_lft forever preferred_lft forever

[...and ...]

    inet 10.215.145.241/23 brd 10.215.145.255 scope global lan.1
       valid_lft forever preferred_lft forever
[...]
    inet 10.215.145.242/23 brd 10.215.145.255 scope global secondary lan.1
       valid_lft forever preferred_lft forever
    inet 10.215.145.81/23 brd 10.215.145.255 scope global secondary lan.1
       valid_lft forever preferred_lft forever


P.S.: Maybe ... maybe you wanted a 25 bit network mask and 26 bit (instead of 23 and 22 bit network mask) ... ;-)
Vieri
l33t
Joined: 18 Dec 2005
Posts: 877

Posted: Sat Mar 27, 2021 12:08 am

Hi,

Thanks for explaining what "secondary" means here. It's all as expected. The netmasks are as I need them to be for the moment.

Now I'd like to know why the ICMP "replier" is one of my Gentoo Linux router's IP addresses and not another one.

I ran this on the host sending the ping request:

Code:
# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:92:81:1e brd ff:ff:ff:ff:ff:ff
    inet 10.215.144.38/23 brd 10.215.145.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe92:811e/64 scope link
       valid_lft forever preferred_lft forever


Code:
# ip r s
default via 10.215.144.91 dev ens192 onlink
10.215.144.0/23 dev ens192 proto kernel scope link src 10.215.144.38


Code:
# ping 192.168.216.100
PING 192.168.216.100 (192.168.216.100) 56(84) bytes of data.
From 10.215.145.241 icmp_seq=1 Destination Host Unreachable


As noted in the first post, 10.215.145.241 is one of the IP addresses on the Gentoo router's "lan.1" interface. Why would the reply have that source IP addr. instead of another one?
Let me take an educated guess. Please correct me if I'm wrong.

The interface where the packets are going through on the router is lan.1, and the only possible IP addr. candidates considering the source host are:

Code:
    inet 10.215.144.91/22 brd 10.215.147.255 scope global lan.1
    inet 10.215.145.241/23 brd 10.215.145.255 scope global lan.1
    inet 10.215.144.6/22 brd 10.215.147.255 scope global secondary lan.1
    inet 10.215.145.242/23 brd 10.215.145.255 scope global secondary lan.1
    inet 10.215.145.81/23 brd 10.215.145.255 scope global secondary lan.1


The source netmask being /23 instead of /22 in 10.215.144.38/23 am I right if I state that the options trim down to the following list?

Code:
    inet 10.215.145.241/23 brd 10.215.145.255 scope global lan.1
    inet 10.215.145.242/23 brd 10.215.145.255 scope global secondary lan.1
    inet 10.215.145.81/23 brd 10.215.145.255 scope global secondary lan.1


Finally, the last two being "secondary" the first one (10.215.145.241) prevails?

If all this is true then is there a real difference if the "source" host's default gateway is 10.215.144.91 instead of 10.215.145.241?
BTW please ignore the "Destination Host Unreachable" message. It's not important.
I just want to understand if there are any drawbacks network-wise in the above scenario.
Surely I could change the source host's default gateway to 10.215.145.241 or leave it as 10.215.144.91 and change the netmask to /22, but I'd like to know if I could be facing network issues if I leave things as they are for now (long network migration issue).

Just to be clear, if the destination host with IP addr. 192.168.216.100 were online then the ping replies would come back just fine. I'm not experiencing a network issue right now. However, I would like to fully understand how the packets are handled so I don't get bitten later if I'm overlooking something now.

Regards,

Vieri
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4148
Location: Bavaria

Posted: Sat Mar 27, 2021 2:49 am

Vieri,

what you are doing is called "multihome". Multihoming is no problem if you have no overlapping subnets. But your subnet 10.215.145.0/23 is part of your bigger subnet 10.215.144.0/22.

Linux is using a "weak host model" by default (Wikipedia tells you more); this means your host can send packets on an interface that has not been assigned the source IP address of the packet being sent (weak host send behavior). I don't know exactly how the kernel internally deals with more than one possible source address for a reply; but I assume it will take the address with the "closest" netmask to the netmask of the destination address, or maybe - in other words - with the smallest possible. I don't know how to change this behavior by configuration (because you cannot work with routing priorities); it could be possible by using a second ethernet adapter in this host.
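
An added example (not part of the thread and not kernel code): a simplified Python model of which lan.1 addresses get flagged "secondary" and which address ends up as the source of a router-originated ICMP error sent back to a LAN host. The function names are hypothetical; it assumes default sysctls, no policy routing, and only the connected routes created by the addresses in `config_lan_1`.

```python
import ipaddress

# Address list copied from config_lan_1 in the first post, in configured order.
CONFIG_LAN_1 = ("10.215.144.91/22 10.215.144.6/22 10.215.246.91/23 "
                "10.215.248.91/24 10.215.111.254/22 192.168.144.91/24 "
                "10.215.145.241/23 10.215.145.242/23 10.215.145.81/23 "
                "192.168.246.1/23 192.168.136.91/22")


def classify(addrs):
    """Return {network: [primary, secondary, ...]} in configured order.

    Model: the first address added in a given subnet (same network and
    same prefix length) is primary; later ones in that subnet are secondary.
    """
    subnets = {}
    for text in addrs.split():
        iface = ipaddress.ip_interface(text)
        subnets.setdefault(iface.network, []).append(iface.ip)
    return subnets


def secondaries(subnets):
    """Addresses that `ip a` would flag as 'secondary'."""
    return [str(ip) for ips in subnets.values() for ip in ips[1:]]


def error_source(subnets, peer):
    """Source address for a router-originated packet (e.g. an ICMP error)
    sent to `peer`, when no source is pinned in advance.

    Model: each subnet yields one connected route whose preferred source is
    the subnet's primary address; the longest matching prefix wins.
    """
    peer = ipaddress.ip_address(peer)
    matches = [net for net in subnets if peer in net]
    if not matches:
        return None  # would fall through to other routes, not modelled here
    best = max(matches, key=lambda net: net.prefixlen)
    return str(subnets[best][0])


if __name__ == "__main__":
    nets = classify(CONFIG_LAN_1)
    print("secondary:", secondaries(nets))
    print("reply to 10.215.144.38 from:", error_source(nets, "10.215.144.38"))
```
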
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4148
Location: Bavaria

Posted: Sat Mar 27, 2021 2:56 am

Vieri wrote:
If all this is true then is there a real difference if the "source" host's default gateway is 10.215.144.91 instead of 10.215.145.241?

Yes. You should always take as default gw the one of your own subnet (if there is one; only if you do supernetting then you should use this gw, because you don't have one in your own; but with your configuration you have two gateways in ONE subnet 10.215.144.0/22; and these two gws are ONE host ... I don't recommend this ;-) ).
Vieri
l33t
Joined: 18 Dec 2005
Posts: 877

Posted: Sat Mar 27, 2021 9:19 am

My network is in a transient state as I'm trying to prune some netmasks off, but it's delicate when in a very large corporate network so I need to take it one step at a time.
My goal is to change the Gentoo router's IP addr. 10.215.144.91/22 to 10.215.144.91/23.
There are plenty of hosts however that are still not within the right mask, hence the use of /22 to "easily and lazily" cover them.
It might not be best practice so I guess I'll change the strategy now either by changing the LAN hosts' network settings to 10.215.144.0/23 (if my local addr. pool allows me to) or adding another IP address+netmask on the Gentoo router and adjusting the clients.

Thank you very much for the helpful information.
It's greatly appreciated.

Vieri
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4148
Location: Bavaria

Posted: Sat Mar 27, 2021 11:42 am

Vieri wrote:
My network is in a transient state as I'm trying to prune some netmasks off, [...]

This was my guess also ;-)

Vieri wrote:
Thank you very much for the helpful information.

You are very welcome,

Peter
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4148
Location: Bavaria

Posted: Sat Mar 27, 2021 12:07 pm

P.S.: I have just looked in an old guide http://linux-ip.net/html/index.html

and found this page: http://linux-ip.net/html/tools-ip-address.html
explaining the "scope". Maybe you are interested in it.

Greetings,
Peter