Having a Network Gateway with a Foreign IP Address on Debian systems
Created: 30th July, 2006
Last Modified: 15th August, 2006
I was recently installing Ubuntu for my fiancee when I came across a strange little network configuration problem where the IP address of the gateway was outside the network. Ubuntu (and later, Debian) cried out loud about the gateway IP not being inside the network and thus would refuse to let me proceed. I had posted this on the Mumbai GLUG mailing list as well. As you could see from the thread, there was no conclusive result to the debate either, although I finally got it to work well.
I could not find any articles or Howtos aiding me for such configurations. Also, I noticed that even Windows 98 would accept such configurations readily. Since I got this to work easily (not really rocket science at all as you will see), I decided to share it.
1.1 What is a foreign gateway anyway?
The term "foreign gateway" has been coined by me for the lack of an accepted term. If you come across the term for this configuration, please let me know.
We need to define the phrase "within the network" before we proceed. "Within the network" as I gather from my discussions with some people means that the IP address belongs to the same family. For example, 192.168.1.27 belongs to the network 192.168.1.0. So in that sense, a "foreign gateway" would be a gateway whose IP is not from the network family. For example, if a network 192.168.1.0 has the gateway host IP as 10.10.10.1, the gateway is a "foreign gateway".
1.2 Article Layout
- A Quick Howto to simply show the user how to set up a foreign gateway. You may read only this if you simply want to get the interface up and are not interested in how I arrived at it.
- A short explanation of what the configuration actually means
- My final notes on what I think of these configurations
For convenience, I have considered an example network with the following configuration:
- IP: 192.168.1.13
- Netmask: 255.255.255.0
- Network: 192.168.1.0
- Gateway: 10.10.10.1
Also, I have assumed that the audience has only elementary or zero knowledge of networking on GNU/Linux systems and have thus taken time out to explain how certain commands (ifup, route) work. This explanation is also the figment of my observation and assumption of how these commands work. I have not taken the pains of actually running through the source to find out. It is mostly reverse engineered in my head.
I am not a Networking Guru; not even close to being one. What I put forward here is a result of my observations and past studies and references. In case of any errors or discrepancies you may email me at siddhesh dot poyarekar at gmail dot com.
2. The Quick Howto
Not everyone wants to know exactly what a certain configuration element does. This section is for those readers. Here is what you do when setting up networking on Debian-based systems:
- Set up networking as usual on the box. Do not enter the gateway IP at this moment.
- Open the file /etc/network/interfaces. In this file you will see the line that says:
    iface eth0 inet static
  Below this line insert the following lines:
    up route add -host <gateway IP> dev $IFACE
    up route add -net 0.0.0.0 netmask 0.0.0.0 gw <gateway IP> dev $IFACE
    down route del -net 0.0.0.0 netmask 0.0.0.0 gw <gateway IP> dev $IFACE
    down route del -host <gateway IP> dev $IFACE
- Restart the interface. You should then be good to go.
3. The Explanation
The idea of a foreign gateway doesn't go down well with many. In many ways it is seen as bad design. We'll discuss this in the end. Also, I was told that a foreign gateway shouldn't even work. But it does. The configuration, as you may have seen, is quite straightforward.
3.1 A typical configuration
Normally a typical interface will look like this:
    # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

    # The loopback interface
    auto lo
    iface lo inet loopback

    # The first network card - this entry was created during the Debian installation
    # (network, broadcast and gateway are optional)
    auto eth0
    iface eth0 inet static
        address 192.168.x.x
        netmask 255.255.x.x
        network 192.168.x.0
        broadcast 192.168.x.x
        gateway 192.168.x.1
Here's the sequence that ifup follows to initialize the interface:
- Initialize Interface using the given IP, netmask and broadcast address
- Add a default gateway route to the routing table. With this entry, all unknown network addresses (in this case, everything other than nodes in 192.168.x.0) will go through the gateway IP
3.2 The basics behind the foreign gateway configuration
In our case it is not possible to provide the gateway directly, because the computer in our example does not know how to get to our foreign gateway. So before we tell the interface that our default gateway is 10.10.10.1, we need to tell it how to connect to 10.10.10.1. In other words, we need to specify a route to 10.10.10.1. Do note that the interface must be up in the first place so that the interface name (eth0, for example) is recognized. So the sequence to get our gateway working is simple:
- Add a route to the gateway host
- Add the default gateway route for all foreign networks
We normally use the following command to add a direct route to a host. In our case it is 10.10.10.1:
route add -host 10.10.10.1 eth0
The above command tells the node that if a packet has to be sent to 10.10.10.1 then don't sweat, it's directly connected to you via the interface eth0. So now that we have a connection to 10.10.10.1, we can add it as our default gateway. We use the following command for that:
route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.10.1 eth0
The above command tells the computer that for all other nodes except my own network, send the packets to 10.10.10.1 on interface eth0. This is the underlying concept of a default gateway. The 0.0.0.0 in the -net and netmask parameters acts like the * wildcard, meaning "everything". One may "man route" to understand all the different tricks the command can perform.
3.3 Putting it all into /etc/network/interfaces
Now we know how we can get the configuration to work with the series of commands. But we will have to execute those commands after every interface initialization. Here's where the file /etc/network/interfaces comes into play. This file is a config file that ifup/ifdown use to configure network interfaces. You may know a bit more about this file using "man interfaces". I will only touch on the options I will be using viz. "up" and "down".
One may specify other commands to be executed after initialization of the interface by using the "up" line. Similarly, the "down" line can have commands that must be executed before deactivating the interface. These are exactly the options we need to execute our route commands immediately after the interface is activated.
So, to add the host route to the gateway and then subsequently add the default gateway route, we have the following lines:
    up route add -host 10.10.10.1 dev $IFACE
    up route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.10.1 dev $IFACE
Note that the order should not be reversed. It will not work the other way around for the obvious reason: The host has to know where 10.10.10.1 is before it can route all miscellaneous traffic to 10.10.10.1. $IFACE is substituted automatically by ifup with the relevant interface device.
Finally, we need to delete these routes from the routing table before we deactivate the interface. The "down" option helps us execute commands before ifdown deactivates the interface. So the following lines added to /etc/network/interfaces will be executed before deactivation of the interface:
    down route del -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.10.1 dev $IFACE
    down route del -host 10.10.10.1 dev $IFACE
Note that the order is reversed this time; the default gateway route is deleted first and then the route to the gateway host is deleted.
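The "within the network" test from section 1.1 and the stanza from this section, combined in an added shell example (not part of the original article): it checks whether a gateway falls inside the address/netmask pair and prints either a plain gateway line or the up/down route lines in the order described above. The function names ip_to_int, is_on_link and gen_stanza are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical. It only prints text and
# never changes the routing table.

# Dotted-quad IPv4 -> integer; rejects malformed input (and octal-looking octets).
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0: gateway is "within the network"; 1: foreign gateway; 2: bad input.
is_on_link() {  # addr netmask gateway
    a=$(ip_to_int "$1") && m=$(ip_to_int "$2") && g=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( g & m )) ]
}

# Print the stanza body: a plain "gateway" line when the gateway is on-link,
# otherwise the article's up/down route lines in the required order.
gen_stanza() {  # iface addr netmask gateway
    rc=0; is_on_link "$2" "$3" "$4" || rc=$?
    [ "$rc" -le 1 ] || { echo "invalid IPv4 input" >&2; return 2; }
    printf 'iface %s inet static\n' "$1"
    printf '    address %s\n    netmask %s\n' "$2" "$3"
    if [ "$rc" -eq 0 ]; then
        printf '    gateway %s\n' "$4"
    else
        printf '    up route add -host %s dev $IFACE\n' "$4"
        printf '    up route add -net 0.0.0.0 netmask 0.0.0.0 gw %s dev $IFACE\n' "$4"
        printf '    down route del -net 0.0.0.0 netmask 0.0.0.0 gw %s dev $IFACE\n' "$4"
        printf '    down route del -host %s dev $IFACE\n' "$4"
    fi
}

# The article's example network (gateway 10.10.10.1 is foreign to 192.168.1.0).
gen_stanza eth0 192.168.1.13 255.255.255.0 10.10.10.1
```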
4. Concluding Remarks
There you have it. The above configuration will help you use a foreign IP as a gateway for your host, provided, of course, that it is directly connected to the host. But then a question arises: Why do Ubuntu and Debian not allow such configurations? It surely isn't very hard to add this little modification to the configuration scripts; the infrastructure is already there.
Windows 98 (and 2000) seem to readily accept the above configuration without any complaints. A study of the routes on the Windows config with the `route print` command (thanks to Dinesh Joshi for this) shows that there is no route explicitly added for the gateway host (an equivalent of `route add -host ...`). The inference I drew from it is that Windows simply assumes a direct route to the gateway, irrespective of whether it is "within the network" or not. That led me to believe for a brief moment that there is probably no security hazard in doing so. But then it's Windows, so I quickly discarded that belief ;) . The mystery is still unsolved.
So standard configurations almost always dictate that the gateway of a network *must* be within the network. Why is that necessary? It could be entirely possible that we have a "gateway family" of hosts that connect various networks to each other and to the Internet. For example, we can have a gateway 10.10.10.1 that acts as a gateway for networks 192.168.1.0, 192.168.2.0 and 192.168.3.0. Then we have gateway host 10.10.10.2 act as gateway for 192.168.4.0, 192.168.5.0 and 192.168.6.0 and so on.
The one big disadvantage of the above topology would be the massive crowding in the physical setup and subsequent network clog in case of heavy traffic. So in that sense, this type of topology is probably not ready for the papers yet (maybe something else could click it into place in future). But in a practical scenario it doesn't really hurt to consider a direct route to the gateway, does it?