AIX

  • 1.  system uses route of another nic with outgoing packets

    Posted Tue November 22, 2011 03:36 PM

    Originally posted by: himacs


    Hi Admins,

    Server : AIX 5.2

    Issue in Detail :

    I have 2 NICs configured with 2 VLANs.

    en0 - 10.50.60.10 gw 10.50.60.1
    en1 - 10.50.65.10

    10.50.60.1 is the default gateway for the server. I have added a static route for 10.50.65.10 with gw 10.50.65.1.

    The server is inside a firewall. The incoming packets for 10.50.65.10 use 10.50.65.1 as gateway or route. But the outgoing packets use 10.50.60.1, which is the gateway for en0.

    As I said, the server is inside a firewall. The firewall will register a session when a user sends packets to 10.50.65.10. The session includes details like destination IP 10.50.65.10 and the route to be used to reach that IP, which is 10.50.65.1. But the outgoing packets or acknowledgement packets from 10.50.65.10 use 10.50.60.1 of en0 instead of 10.50.65.1. Here the firewall will check the session which it registered initially and find no entry for 10.50.60.1. So the firewall will treat this situation as a threat and drop the packets.

    Now my goal is to restrict the system to use 10.50.65.1 with outgoing packets.

    In simple words: System should use route 10.50.65.1 with outgoing packets of en1.

    OR

    packets to be sent to en0 should use gateway of en0 for incoming/outgoing.
    packets to be sent to en1 should use gateway of en1 for incoming/outgoing.
    Please guide me to achieve the same.

    Regards
    Pavan
    #AIX-Forum


  • 2.  Re: system uses route of another nic with outgoing packets

    Posted Wed November 23, 2011 06:23 AM

    Originally posted by: himacs


    Hi Admins,

    Any suggestions..?

    Regards
    Pavan
    #AIX-Forum


  • 3.  Re: system uses route of another nic with outgoing packets

    Posted Wed November 23, 2011 03:03 PM

    Originally posted by: Holgervk


    >In simple words: System should use route 10.50.65.1 with outgoing packets of en1.

    It does not work like this. Based on your routing tables, the system decides which route to use and therewith decides which interface to use.

    post the output of
    netstat -rn
    ifconfig -a

    and make a more clear description of what you are trying to achieve.

    You really need 2 gateways?
    #AIX-Forum


  • 4.  Re: system uses route of another nic with outgoing packets

    Posted Thu November 24, 2011 06:41 AM

    Originally posted by: himacs


    Hi Holgervk,

    Thanks for the response :)

    Requested outputs as follows:

    # netstat -nr
    Routing tables
    Destination        Gateway           Flags   Refs     Use  If   PMTU  Exp  Groups

    Route Tree for Protocol Family 2 (Internet):
    default            10.50.102.1       UGc       0        0  en0     -    -
    10.50.102.0        10.50.102.25      UHSb      0        0  en0     -    -   =>
    10.50.102/24       10.50.102.25      U         5      334  en0     -    -
    10.50.102.25       10.50.102.1       UGH       0        0  en0     -    -
    10.50.102.255      10.50.102.25      UHSb      0       56  en0     -    -
    10.50.103.0        10.50.103.25      UHSb      0        0  en4     -    -   =>
    10.50.103/24       10.50.103.25      U         1        0  en4     -    -
    10.50.103.25       127.0.0.1         UGHS      0        0  lo0     -    -   =>
    10.50.103.25/32    10.50.103.1       UGc       0        0  en4     -    -
    10.50.103.255      10.50.103.25      UHSb      0        0  en4     -    -
    10.50.111.200      10.50.102.1       UGHW      2     5385  en0     -    -
    127/8              127.0.0.1         U         4      357  lo0     -    -

    Route Tree for Protocol Family 24 (Internet v6):
    ::1                ::1               UH        0        0  lo0 16896    -
    #
    # ifconfig -a
    en0: flags=4e080863,80<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,PSEG,CHAIN>
            inet 10.50.102.25 netmask 0xffffff00 broadcast 10.50.102.255
    en4: flags=4e080863,80<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,PSEG,CHAIN>
            inet 10.50.103.25 netmask 0xffffff00 broadcast 10.50.103.255
    lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
            inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
            inet6 ::1/0
             tcp_sendspace 65536 tcp_recvspace 65536
    #
    I don't need two gateways. I keep my default and added a static route to 10.5.103.25 as follows.
    route add -net 10.50.103.25 10.50.103.1

    So the goal is that the outgoing packets should use 10.50.103.1 instead of the default gateway.

    My finding is that with AIX 5L servers, the outgoing packets always use the default gateway to reach addresses which are not on local VLANs. I don't know how it works with 6.1 and 7.

    Now I would like to know whether TL upgradation or service pack upgradation will help?
    Regards
    Pavan
    #AIX-Forum


  • 5.  Re: system uses route of another nic with outgoing packets

    Posted Thu November 24, 2011 06:59 AM

    Originally posted by: Holgervk


    Pavan, I still fail to understand what you are trying to achieve. Some notes:

    >I don't need two gateways. I keep my default and added a static route to 10.5.103.25 as follows.
    >route add -net 10.50.103.25 10.50.103.1
    Here you are telling AIX to use the gateway 10.50.103.1 for packets to the net 10.50.103/24. As the gw 10.50.103.1 is reachable by en4, AIX will use en4.
    However, 10.50.103.x is reachable directly, without a gateway. So that command does not make sense.
    When you get en4 up, AIX already adds a route
    10.50.103/24 10.50.103.25 U 1 0 en4 - -
    So, AIX will use en4 for outgoing packets to 10.50.103.1 - 10.50.103.255

    >So goal is the outgoing packets should use 10.50.103.1 instead of default gateway.
    Outgoing packets to 10.50.103.x will use en4 and not use the default gateway.

    Maybe post your desired "routing-table"
    f.e.
    en0: 10.50.102.x
    en4: 10.50.103.x
    all other nets: default gateway
    #AIX-Forum
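
Added example, not part of any post in this thread: a simplified model of destination-based route selection (longest-prefix match) over the routes from the `netstat -nr` output in post 4, not AIX's own implementation. It assumes the off-subnet peer is 10.50.111.200 (an address that appears in that table) and that requests arrive on en4; it shows that the reply's egress depends only on the peer address, so a host route for the server's own address does not move it.

```python
import ipaddress

# Routes transcribed from the netstat -nr output in post 4, reduced to
# (destination, gateway, interface); gateway None = directly attached.
BASE_ROUTES = [
    ("0.0.0.0/0",      "10.50.102.1", "en0"),  # default
    ("10.50.102.0/24", None,          "en0"),
    ("10.50.103.0/24", None,          "en4"),
    ("127.0.0.0/8",    None,          "lo0"),
]
# The entry that shows up in that table as 10.50.103.25/32 via 10.50.103.1.
ADDED_ROUTE = ("10.50.103.25/32", "10.50.103.1", "en4")


def lookup(dst, routes):
    """Longest-prefix match: return (network, gateway, interface) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_text, gateway, ifname in routes:
        net = ipaddress.ip_network(net_text)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


def reply_egress(local_src, peer, routes):
    """Next hop and interface for a reply from local_src to peer.

    local_src is a parameter only to show that this model never reads it:
    the choice depends on the peer (destination) address alone.
    """
    _, gateway, ifname = lookup(peer, routes)
    return gateway, ifname


def is_asymmetric(ingress_if, local_src, peer, routes):
    """True when the reply leaves on another interface than the request used."""
    return reply_egress(local_src, peer, routes)[1] != ingress_if


if __name__ == "__main__":
    peer = "10.50.111.200"  # assumed client; off-subnet address seen in post 4
    for routes in (BASE_ROUTES, BASE_ROUTES + [ADDED_ROUTE]):
        print(reply_egress("10.50.103.25", peer, routes),
              is_asymmetric("en4", "10.50.103.25", peer, routes))
```

A stateful firewall that recorded the session on the en4 side sees the reply on the en0 side in both cases, which is the mismatch described in post 1.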


  • 6.  Re: system uses route of another nic with outgoing packets

    Posted Fri November 25, 2011 03:59 AM

    Originally posted by: himacs


    Even after adding the static route, outgoing packets from en4 use the default gateway to reach the outside world.

    I have checked with the security team, and I am also not able to access 10.50.103.25 from my system, due to the first-level handshaking itself failing.

    My finding is that with AIX 5L servers, the outgoing packets always use the default gateway to reach addresses which are not on local VLANs. I don't know how it works with 6.1 and 7.

    So any upgradation of TL can solve my problem.
    Regards
    Pavan
    #AIX-Forum


  • 7.  Re: system uses route of another nic with outgoing packets

    Posted Fri November 25, 2011 01:58 PM

    Originally posted by: SystemAdmin


    You are confusing yourself and others by mistaking your inaccurate imagination of networking for reality.
    I suggest you use the command "route get <ip>" and an introductory article about IP to find out how things work. Start with a single interface, not more.
    #AIX-Forum


  • 8.  Re: system uses route of another nic with outgoing packets

    Posted Sat November 26, 2011 07:24 AM

    Originally posted by: himacs


    Hi Admins,

    This is not my imagination. I have attached the security log from the firewall.

    There are 2 VLANs, FLEX_DB(vlan102) and FLEX_APPS(vlan103), configured here.

    Packets from my PC will use vlan02 to reach 10.50.103.25. But outgoing packets from 10.50.103.25 use vlan103.
    Here the firewall will drop the packet.

    My goal is to make outgoing packets from 10.50.103.25 use vlan103.

    Regards
    Pavan
    #AIX-Forum
