Problem with Linux-HA and wireless bridge

Hi,

the following scenario: I have a cluster of 3 VMware ESX 4.0 hosts which sit in my network separated by a wireless bridge (openwrt). I use the machines to test a few things, including Linux HA.

Linux-HA has a resource "IPaddr" which, on start, adds a particular configured IP address to an interface. You can see that nicely with "ip addr show". But I can hardly ping the address:

Code:
mathias@mini:~$ ssh root@linux-ha-01 ip addr show eth0
root@linux-ha-01's password: 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:b1:7a:f2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.210/24 brd 10.0.0.255 scope global eth0
    inet 10.0.0.254/24 brd 10.0.0.255 scope global secondary eth0
    inet6 fe80::250:56ff:feb1:7af2/64 scope link 
       valid_lft forever preferred_lft forever


mathias@mini:~$ ssh root@linux-ha-02 ip addr show eth0
root@linux-ha-02's password: 
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:b1:0d:86 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.211/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::250:56ff:feb1:d86/64 scope link 
       valid_lft forever preferred_lft forever


mathias@mini:~$ ping 10.0.0.254
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=9 ttl=64 time=175 ms
^C
--- 10.0.0.254 ping statistics ---
44 packets transmitted, 1 received, 97% packet loss, time 43308ms
rtt min/avg/max/mdev = 175.981/175.981/175.981/0.000 ms


mathias@mini:~$ ping 10.0.0.211
PING 10.0.0.211 (10.0.0.211) 56(84) bytes of data.
64 bytes from 10.0.0.211: icmp_seq=1 ttl=64 time=2.87 ms
^C
--- 10.0.0.211 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.874/2.874/2.874/0.000 ms


mathias@mini:~$ ping 10.0.0.210
PING 10.0.0.210 (10.0.0.210) 56(84) bytes of data.
64 bytes from 10.0.0.210: icmp_seq=1 ttl=64 time=1.45 ms
64 bytes from 10.0.0.210: icmp_seq=2 ttl=64 time=3.30 ms
^C
--- 10.0.0.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.459/2.379/3.300/0.921 ms
mathias@mini:~$

The DNS names "linux-ha-01" and "linux-ha-02" resolve to the "original" IP of the two Linux HA nodes. As you can see, the first 9 pings are lost at first. The 10th then comes back. The "original" IPs ping wonderfully.

But that _only_ happens when I ping from a machine that is not on the bridge's side, such as "mini" in the example above. Now I'll ping from a machine that is "behind" the bridge, i.e. on the same "side" as the HA nodes:

Code:
mathias@storage:~$ ping -c 2 10.0.0.210
PING 10.0.0.210 (10.0.0.210) 56(84) bytes of data.
64 bytes from 10.0.0.210: icmp_seq=1 ttl=64 time=3.95 ms
64 bytes from 10.0.0.210: icmp_seq=2 ttl=64 time=0.383 ms

--- 10.0.0.210 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.383/2.169/3.955/1.786 ms


mathias@storage:~$ ping -c 2 10.0.0.211
PING 10.0.0.211 (10.0.0.211) 56(84) bytes of data.
64 bytes from 10.0.0.211: icmp_seq=1 ttl=64 time=2.51 ms
64 bytes from 10.0.0.211: icmp_seq=2 ttl=64 time=0.386 ms

--- 10.0.0.211 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 0.386/1.452/2.518/1.066 ms


mathias@storage:~$ ping -c 2 10.0.0.254
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=64 time=1.06 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=64 time=1.40 ms

--- 10.0.0.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 1.064/1.233/1.403/0.173 ms
mathias@storage:~$

Everything is fine here. Right now I'm somehow out of my depth ... What is going on there? How can I "debug" this?

cu
serow
 
Does a traceroute get through to the desired machine?
 
Hi,

the traceroute looks a bit strange, considering that it is / should be only 1 hop:

Code:
mathias@mini:~$ traceroute 10.0.0.254
traceroute to 10.0.0.254 (10.0.0.254), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
mathias@mini:~$
 
Hi,

in principle the other openwrt router, the one that opens the PPP connection and provides the WLAN, could be messing something up there:

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   21  2903 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
 246K   16M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
   22  1452 ACCEPT     all  --  lo     any     anywhere             anywhere            
 5969  335K syn_flood  tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
 3451  201K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:22 
 115K   13M input_rule  all  --  any    any     anywhere             anywhere            
 115K   13M input      all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
  14M   13G ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
47575 3317K forwarding_rule  all  --  any    any     anywhere             anywhere            
47575 3317K forward    all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
 497K  495M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
   22  1452 ACCEPT     all  --  any    lo      anywhere             anywhere            
 8450 1182K output_rule  all  --  any    any     anywhere             anywhere            
 8449 1182K output     all  --  any    any     anywhere             anywhere            

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
47566 3317K zone_lan_forward  all  --  br-lan any     anywhere             anywhere            
    9   540 zone_wan_forward  all  --  ppp0   any     anywhere             anywhere            

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 113K   13M zone_lan   all  --  br-lan any     anywhere             anywhere            
 2311  139K zone_wan   all  --  ppp0   any     anywhere             anywhere            

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 8449 1182K zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere            
 5900  411K zone_wan_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5345  298K RETURN     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 
  624 37440 DROP       all  --  any    any     anywhere             anywhere            

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 113K   13M input_lan  all  --  any    any     anywhere             anywhere            
 113K   13M zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain zone_lan_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 113K   13M ACCEPT     all  --  br-lan any     anywhere             anywhere            
 2549  771K ACCEPT     all  --  any    br-lan  anywhere             anywhere            

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  br-lan any     anywhere             anywhere            
    0     0 DROP       all  --  any    br-lan  anywhere             anywhere            

Chain zone_lan_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  any    br-lan  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_lan_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  br-lan any     anywhere             anywhere            
    0     0 reject     all  --  any    br-lan  anywhere             anywhere            

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
47566 3317K zone_wan_ACCEPT  all  --  any    any     anywhere             anywhere            
    0     0 forwarding_lan  all  --  any    any     anywhere             anywhere            
    0     0 zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2311  139K input_wan  all  --  any    any     anywhere             anywhere            
 2311  139K zone_wan_DROP  all  --  any    any     anywhere             anywhere            

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  ppp0   any     anywhere             anywhere            
53466 3727K ACCEPT     all  --  any    ppp0    anywhere             anywhere            

Chain zone_wan_DROP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 2311  139K DROP       all  --  ppp0   any     anywhere             anywhere            
    0     0 DROP       all  --  any    ppp0    anywhere             anywhere            

Chain zone_wan_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  any    ppp0    anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_wan_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  ppp0   any     anywhere             anywhere            
    0     0 reject     all  --  any    ppp0    anywhere             anywhere            

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  any    any     anywhere             10.0.0.240          udp dpts:27000:27050 
    0     0 ACCEPT     tcp  --  any    any     anywhere             10.0.0.240          tcp dpts:27000:27050 
    0     0 ACCEPT     udp  --  any    any     anywhere             10.0.0.240          udp dpt:1200 
    0     0 ACCEPT     tcp  --  any    any     anywhere             vcenter.mathias-ewald.invalid. tcp dpt:3389 
    0     0 ACCEPT     tcp  --  any    any     anywhere             storage.mathias-ewald.invalid. tcp dpt:22 
    5   300 ACCEPT     tcp  --  any    any     anywhere             www.mathias-ewald.invalid. tcp dpt:8080 
    4   240 ACCEPT     tcp  --  any    any     anywhere             www.mathias-ewald.invalid. tcp dpt:80 
    0     0 forwarding_wan  all  --  any    any     anywhere             anywhere            
    0     0 zone_wan_DROP  all  --  any    any     anywhere             anywhere

And the bridge could actually filter on something too, if it feels like it:

Code:
Chain INPUT (policy ACCEPT 4 packets, 330 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
 2755  194K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    1    69 ACCEPT     all  --  lo     any     anywhere             anywhere            
   21  1260 syn_flood  tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
27967 2405K input_rule  all  --  any    any     anywhere             anywhere            
27967 2405K input      all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 forwarding_rule  all  --  any    any     anywhere             anywhere            
    0     0 forward    all  --  any    any     anywhere             anywhere            
    0     0 reject     all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
 4707  691K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    1    69 ACCEPT     all  --  any    lo      anywhere             anywhere            
    2   136 output_rule  all  --  any    any     anywhere             anywhere            
    2   136 output     all  --  any    any     anywhere             anywhere            

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_lan_forward  all  --  br-lan any     anywhere             anywhere            
    0     0 zone_wan_forward  all  --  eth0.1 any     anywhere             anywhere            

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
27963 2404K zone_lan   all  --  br-lan any     anywhere             anywhere            
    0     0 zone_wan   all  --  eth0.1 any     anywhere             anywhere            

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   136 zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere            
    0     0 zone_wan_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   21  1260 RETURN     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
27963 2404K input_lan  all  --  any    any     anywhere             anywhere            
27963 2404K zone_lan_ACCEPT  all  --  any    any     anywhere             anywhere            

Chain zone_lan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
27963 2404K ACCEPT     all  --  br-lan any     anywhere             anywhere            
    2   136 ACCEPT     all  --  any    br-lan  anywhere             anywhere            

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  br-lan any     anywhere             anywhere            
    0     0 DROP       all  --  any    br-lan  anywhere             anywhere            

Chain zone_lan_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  any    br-lan  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  br-lan any     anywhere             anywhere            
    0     0 reject     all  --  any    br-lan  anywhere             anywhere            

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_wan_ACCEPT  all  --  any    any     anywhere             anywhere            
    0     0 forwarding_lan  all  --  any    any     anywhere             anywhere            
    0     0 zone_lan_REJECT  all  --  any    any     anywhere             anywhere            

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_wan  all  --  any    any     anywhere             anywhere            
    0     0 zone_wan_REJECT  all  --  any    any     anywhere             anywhere            

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0.1 any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    eth0.1  anywhere             anywhere            

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0.1 any     anywhere             anywhere            
    0     0 DROP       all  --  any    eth0.1  anywhere             anywhere            

Chain zone_wan_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  any    eth0.1  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  eth0.1 any     anywhere             anywhere            
    0     0 reject     all  --  any    eth0.1  anywhere             anywhere            

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan  all  --  any    any     anywhere             anywhere            
    0     0 zone_wan_REJECT  all  --  any    any     anywhere             anywhere

To my untrained eyes it doesn't look like that, though ...

cu
serow
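
An added example, not part of the original posts: one way to check whether any DROP/REJECT rule in listings like the two above is actually discarding the test traffic is to save the `iptables -L -v` output before and after a ping run and compare the packet counters. `BEFORE` is an excerpt of the first listing above; `AFTER` and the function names are constructed for illustration.

```python
import re

UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\w+) (\d+\w?) packets|\d+ references)")

def count(token):
    """Turn an iptables counter such as '246K' into an integer.
    Abbreviated counters are rounded; `iptables -L -v -x` prints exact values."""
    if token[-1] in UNITS:
        return int(token[:-1]) * UNITS[token[-1]]
    return int(token)

def drop_counters(listing):
    """Map (chain, rule position, target, in, out) -> packets for every
    DROP/REJECT rule; a dropping chain policy is recorded as position 0."""
    result, chain, pos = {}, None, 0
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, pos = m.group(1), 0
            if m.group(2) in ("DROP", "REJECT"):
                key = (chain, 0, "policy " + m.group(2), "any", "any")
                result[key] = count(m.group(3))
            continue
        f = line.split()
        if len(f) < 9 or f[0] == "pkts":   # blank line or column header
            continue
        pos += 1
        if f[2] in ("DROP", "REJECT"):     # f[5] = in, f[6] = out interface
            result[(chain, pos, f[2], f[5], f[6])] = count(f[0])
    return result

def grown(before, after):
    """Return the DROP/REJECT rules whose packet counter increased."""
    b, a = drop_counters(before), drop_counters(after)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] > b.get(k, 0)}

# Excerpt of the first listing above (trailing whitespace removed).
BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  2903 DROP       all  --  any    any     anywhere             anywhere            state INVALID
 246K   16M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5345  298K RETURN     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
  624 37440 DROP       all  --  any    any     anywhere             anywhere

Chain zone_wan_DROP (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2311  139K DROP       all  --  ppp0   any     anywhere             anywhere
    0     0 DROP       all  --  any    ppp0    anywhere             anywhere
"""

# Constructed second snapshot: only the ppp0 drop counter has moved.
AFTER = BEFORE.replace("2311  139K", "2320  140K")

if __name__ == "__main__":
    for (chain, pos, target, i, o), delta in grown(BEFORE, AFTER).items():
        print(f"{chain} rule {pos} ({target}, in={i}, out={o}): +{delta} packets")
```

If no DROP/REJECT counter moves while the pings are being lost, the packets are not being discarded by these rules.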
 
I rather meant trying something completely different. Wireless bridging obviously does not seem to be the system's strength.
 
Hi,

what do you have in mind? What else can you do to bring PCs that a cable can't reach into a network?

cu
serow
 