You've already learned a little bit about how IP routing works, but we'll now cover it in a little more detail. Configuring routes properly is one of the great skills one can develop in networking, and it pays to be able to do it correctly, or at least to have a working understanding of it so that you can perform administrative tasks that require interfacing with the routing table, such as running portsentry (which we will discuss in Chapter 30, "Network Security"). A router is any device configured to act as a router, which includes actual dedicated devices sold by Cisco or its competitors, or regular computers that can do the job in a pinch. Routers work by maintaining a routing table, a set of rules that says where packets that match certain IP address criteria should be sent. Because FreeBSD can be configured as a router, let's look at its routing tables as an example using the netstat -rn command (-r tells netstat to show the routing tables, and -n says not to resolve IP addresses into hostnames):

    # netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags     Refs      Use  Netif Expire
    default            hsrp-gw.netnation. UGSc      126   1379327    xl0
    64.41.53.101/32    localhost          UGScB       0         3    lo0
    net-64-40-111.netn link#1             UC          0         0    xl0 =>
    ip3.example.com    0:50:ba:b3:98:13   UHLW        2    357107    xl0    735
    ip4.example.com    0:50:ba:b3:95:bb   UHLW        0      2272    xl0    500
    ip6.example.com    0:1:2:55:12:56     UHLW        0    118941    lo0 =>
    ip6.example.com    localhost          UGScB       0         0    lo0
    hsrp-gw.netnation. 0:0:c:7:ac:1e      UHLW      119      8814    xl0    405
    64.77.63.139/32    localhost          UGScB       0         0    lo0
    Toronto-ppp218408. localhost          UGScB       0         0    lo0
    localhost          localhost          UH         45  45210727    lo0
    goo.cs.und.nodak.e localhost          UGScB       0         0    lo0

Each line in this output is a rule. A routing rule specifies a particular destination and what should be done with traffic sent to that destination. The information in the routing table includes the following fields for each rule:
IP routing grew from the distributed, adaptive defense communications network envisioned by ARPA; therefore, its nature is to dynamically update these routing tables according to network conditions. The large telecommunications hubs maintain immense routing tables with many backup links from any one place to any other place. When one route is found to be unavailable, the routing table shuffles the entries around until traffic is redirected to a working route. The result is a system in which no single router has to know anything about the route to a packet's destination other than where its own next-hop router is. Any address that isn't local (in other words, any address that isn't on the network managed by that router) is passed upstream to the next-hop router, and so on, until the packet reaches a router that has an explicit entry in its routing table, with the appropriate netmask, for the network matching the packet's destination IP address. At that point, the packet is routed out that interface and, hopefully, to its destination (it might have to pass through several more routers, each with a more specific matching rule, on the way downstream to the destination host's network).

Routing Misconfiguration

IP routing is susceptible to misconfiguration. On the way upstream, the packet will keep moving upward until it finds an explicit match for its destination address. A packet is unlikely to run into trouble before reaching the backbone level, because someone would have to explicitly add a bogus route to the table in order to hijack the packet on its way up the chain of routers. However, after the packet starts downstream toward the destination, every router along the way must be properly configured to route to the network that the upstream routers think it's capable of routing to! A packet might start on its way downstream, only to find that the router that was supposed to have a further route for it to the destination actually doesn't have one.
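The following is an added example, not code from the book, that models the two ideas above in a few lines of Python: a routing table consulted by longest matching prefix (with a default route as the catch-all), and a packet walked through two routers so you can see what happens when the downstream router is missing the rule the upstream router assumes it has. The router names R_UP and R_DOWN, the subnets and the "attached" marker are all constructed for this example.

```python
import ipaddress

# Constructed example: router names, subnets and next hops are made up for this
# demonstration; they are not the routers or addresses from the text.
# Each entry is (destination network, next hop). The next hop "attached" means
# the destination is on a LAN this router manages, so the packet is delivered.

def build_table(routes):
    """Parse routes into ip_network objects, most specific prefix first."""
    table = [(ipaddress.ip_network(dest), next_hop) for dest, next_hop in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def lookup(table, dst):
    """Return (network, next hop) of the most specific rule covering dst,
    or None when no rule, not even a default route, matches."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop in table:
        if addr in net:
            return (str(net), next_hop)
    return None

# R_UP is the upstream router; R_DOWN manages two private subnets behind it.
# R_UP's own default route points at BACKBONE, which is outside this model.
ROUTERS_OK = {
    "R_UP": build_table([
        ("0.0.0.0/0", "BACKBONE"),
        ("192.168.10.0/24", "R_DOWN"),
        ("192.168.11.0/24", "R_DOWN"),
    ]),
    "R_DOWN": build_table([
        ("0.0.0.0/0", "R_UP"),
        ("192.168.10.0/24", "attached"),
        ("192.168.11.0/24", "attached"),
    ]),
}

# Same topology, but R_DOWN has lost its rule for 192.168.11.0/24, so traffic
# for that subnet falls through to its default route, which points back at R_UP.
ROUTERS_BROKEN = {
    "R_UP": ROUTERS_OK["R_UP"],
    "R_DOWN": build_table([
        ("0.0.0.0/0", "R_UP"),
        ("192.168.10.0/24", "attached"),
    ]),
}

def forward(routers, start, dst, max_hops=16):
    """Walk a packet for dst from router `start`, one table lookup per hop.
    Returns (outcome, path), where path lists the routers visited in order."""
    path = [start]
    current = start
    for _ in range(max_hops):
        match = lookup(routers[current], dst)
        if match is None:
            return ("no route", path)
        _net, next_hop = match
        if next_hop == "attached":
            return ("delivered", path)
        if next_hop not in routers:
            # Handed to a router outside the part of the network we model.
            return ("forwarded to " + next_hop, path)
        if next_hop in path:
            # Forwarding is deterministic, so revisiting a router means the
            # packet would bounce between the same routers indefinitely.
            return ("router loop", path + [next_hop])
        path.append(next_hop)
        current = next_hop
    return ("hop limit exceeded", path)

if __name__ == "__main__":
    for name, routers in (("working", ROUTERS_OK), ("broken", ROUTERS_BROKEN)):
        print(name, forward(routers, "R_UP", "192.168.11.7"))
```

Run it and the working topology reports the packet delivered after R_UP hands it to R_DOWN, while the broken one reports a loop between R_UP and R_DOWN: R_DOWN has no specific rule for 192.168.11.0/24, its default route wins, and the packet goes straight back to the router it came from.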
Naturally, without an explicit route for the packet, the router will pass the packet back to its upstream router, which will then send the packet back downstream again, beginning what is frequently referred to as a "router loop":

    traceroute to example.com (209.237.26.189), 30 hops max, 40 byte packets
     1  r2-72-core-van.nx.com (10.10.4.253)  101.878 ms  135.377 ms  85.218 ms
     2  dis2-atm1.in.nx.net (206.108.110.189)  132.023 ms  80.653 ms  81.686 ms
     3  core2-1.in.nx.net (206.108.101.45)  102.365 ms  61.537 ms  68.561 ms
     4  core2.in.nx.net (206.108.102.209)  79.989 ms  109.389 ms  115.587 ms
     5  bx3-pos5-0.in.nx.net (206.108.102.202)  86.434 ms  109.678 ms  129.128 ms
     6  sea1-nx.above.net (208.184.233.73)  91.201 ms  67.287 ms  79.369 ms
     7  core2.above.net (208.185.175.178)  74.219 ms  79.480 ms  93.121 ms
     8  sjc2.sjc2.above.net (216.200.127.117)  188.692 ms  212.627 ms  181.123 ms
     9  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
    10  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
    11  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
    12  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
    13  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
    14  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
    15  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
    16  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
    17  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
    18  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms

This "bouncing" behavior will continue, preventing proper delivery of packets until the downstream router fixes its routing tables by adding the appropriate rule, allowing the packets to continue on their way downstream instead of bouncing back upstream. Fortunately, when this occurs it's usually because work is being done on the router that's at fault, and the condition is temporary, resolving itself when the backed-up routing tables are restored.
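Spotting a router loop in a traceroute by eye is easy when the pair alternates as cleanly as above; in a monitoring script you want it detected mechanically. The following added example (not from the book) parses traceroute output into hops and reports the hop number at which a repeating cycle of routers begins. The sample text embedded in it is the first 14 hops of the trace shown above; the regular expression and the repeat threshold of three are assumptions of this example.

```python
import re

# Constructed sample: the first 14 hops of the router-loop traceroute shown in
# the text (the remaining hops repeat the same two routers).
TRACE = """\
traceroute to example.com (209.237.26.189), 30 hops max, 40 byte packets
 1  r2-72-core-van.nx.com (10.10.4.253)  101.878 ms  135.377 ms  85.218 ms
 2  dis2-atm1.in.nx.net (206.108.110.189)  132.023 ms  80.653 ms  81.686 ms
 3  core2-1.in.nx.net (206.108.101.45)  102.365 ms  61.537 ms  68.561 ms
 4  core2.in.nx.net (206.108.102.209)  79.989 ms  109.389 ms  115.587 ms
 5  bx3-pos5-0.in.nx.net (206.108.102.202)  86.434 ms  109.678 ms  129.128 ms
 6  sea1-nx.above.net (208.184.233.73)  91.201 ms  67.287 ms  79.369 ms
 7  core2.above.net (208.185.175.178)  74.219 ms  79.480 ms  93.121 ms
 8  sjc2.sjc2.above.net (216.200.127.117)  188.692 ms  212.627 ms  181.123 ms
 9  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
10  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
11  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
12  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
13  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
14  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
"""

# Hop number, hostname (or bare address), and the IPv4 address in parentheses.
# Assumed format: the common BSD/Linux traceroute layout as printed above.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_hops(text):
    """Return [(hop_number, hostname, ip), ...] for every responding hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    return hops

def find_loop(hops, min_repeats=3):
    """Look for a cycle of routers that repeats, unbroken, through the end of
    the trace at least min_repeats times. Returns (first_hop_in_loop, [cycle
    ips]) or None. The shortest period is tried first, so a two-router bounce
    is reported as a period-2 cycle rather than as a longer multiple of it."""
    ips = [ip for _, _, ip in hops]
    n = len(ips)
    for period in range(1, n // min_repeats + 1):
        tail = ips[n - period * min_repeats:]
        cycle = tail[:period]
        if tail != cycle * min_repeats:
            continue
        # Walk backwards to the earliest hop at which the cycle began.
        start = n - period * min_repeats
        while start - period >= 0 and ips[start - period:start] == cycle:
            start -= period
        return (hops[start][0], cycle)
    return None

if __name__ == "__main__":
    loop = find_loop(parse_hops(TRACE))
    if loop:
        print("router loop from hop %d between %s" % (loop[0], ", ".join(loop[1])))
    else:
        print("no loop detected")
```

On the sample it reports the loop starting at hop 9 between 208.184.102.25 and 208.185.175.246; fed only the first nine hops, it reports nothing, which is the behaviour you want before the bounce has actually set in.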
Gateways and Network Address Translation

A gateway is the router for a specific network, often used for translating addresses used by hosts on the LAN it manages to the addresses that the outside world sees. The term gateway is frequently used to mean router, and that isn't an inaccurate statement; we should clarify exactly what it means in today's parlance, though. When you're configuring a machine's TCP/IP settings, you have to specify a gateway. This is simply the next-hop router for the machine you're configuring. H1 and H2 each have to have a gateway configured so that they can communicate with hosts whose addresses don't match their netmasks. Generally, in this type of topology, the gateway would be R2. Depending on the type of router, H1 and H2 might not be able to reach R1 directly. It's important to consider failure modes. If R2 should be shut down, it is unlikely that it would pass LAN traffic directly through; some network devices fail into a pass-through mode, but routers seldom fall into that category. In another type of network topology, the subnets defined by R2 might be completely unlike the R1 subnet; for instance, R1 might specify the 64.41 network, but R2 would control subnets at 192.168.10 and 192.168.11. In this case, it wouldn't do to set H1 or H2 to R1 as a gateway at all; traffic simply wouldn't reach it. The best practice is generally to set your machine's gateway to the nearest router and make sure the router is properly configured to pass traffic to the upstream router and to its managed subnets.

Note

Certain IP address ranges are "reserved" for specific private uses and cannot be assigned to hosts on public networks; data will not reach them. These ranges include 10.xxx.xxx.xxx and 192.168.xxx.xxx, which are commonly used in subnets and NAT topologies, and recommended for internal networks.

The traditional meaning of gateway, however, is the "edge device," the point at which LAN traffic passes out onto the WAN.
This device, generally a router, is also where network address translation (NAT) can be done. The NAT daemon on the router specifies aliases for internal routes and their translated addresses on the outside, and vice versa. NAT can be done in a one-to-one, many-to-one, or one-to-many fashion. To use FreeBSD as a NAT router, you will want to configure and run the natd daemon; we'll discuss this in more detail in Chapter 28.
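To make the one-to-one and many-to-one cases concrete, the following added example (not the book's code, and not how natd is implemented) models the translation table an edge router keeps. One inside host has a public address of its own (one-to-one); every other inside host shares the router's public address and is told apart by the port the router assigned (many-to-one). The addresses are from the documentation ranges, the port allocation scheme is an assumption, and the NatRouter class name is made up.

```python
# Constructed example: a minimal model of what a NAT router does to the
# addresses of packets crossing it. The addresses are from documentation
# ranges and are made up; this is not natd's code or its exact behaviour.
PUBLIC_IP = "198.51.100.1"                      # the router's outside address
STATIC_MAP = {"192.168.10.5": "198.51.100.2"}   # one-to-one: inside host <-> own public IP

class NatRouter:
    def __init__(self, public_ip, static_map, first_port=40000):
        self.public_ip = public_ip
        self.static_out = dict(static_map)                               # inside -> outside
        self.static_in = {pub: inner for inner, pub in static_map.items()}  # outside -> inside
        self.next_port = first_port     # assumed: public ports handed out sequentially
        self.by_public_port = {}        # public port -> (inside ip, inside port)
        self.by_inside = {}             # (inside ip, inside port) -> public port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the LAN: rewrite its source so replies come back to us.
        Returns the translated (src_ip, src_port, dst_ip, dst_port)."""
        if src_ip in self.static_out:                 # one-to-one mapping
            return (self.static_out[src_ip], src_port, dst_ip, dst_port)
        key = (src_ip, src_port)                      # many-to-one: share PUBLIC_IP
        if key not in self.by_inside:
            port = self.next_port
            self.next_port += 1
            self.by_inside[key] = port
            self.by_public_port[port] = key
        return (self.public_ip, self.by_inside[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the WAN: map its destination back to the inside
        host. Returns the translated 4-tuple, or None when nothing maps to it,
        in which case the router has nowhere to send the packet and drops it."""
        if dst_ip in self.static_in:                  # one-to-one: always reachable
            return (src_ip, src_port, self.static_in[dst_ip], dst_port)
        if dst_ip == self.public_ip and dst_port in self.by_public_port:
            inside_ip, inside_port = self.by_public_port[dst_port]
            return (src_ip, src_port, inside_ip, inside_port)
        return None

if __name__ == "__main__":
    nat = NatRouter(PUBLIC_IP, STATIC_MAP)
    print(nat.outbound("192.168.10.20", 51000, "203.0.113.10", 80))
    print(nat.inbound("203.0.113.10", 80, "198.51.100.1", 40000))
    print(nat.inbound("203.0.113.10", 4444, "198.51.100.1", 22))
```

The inbound lookup returning None is the property administrators rely on: a host behind a many-to-one mapping can only be reached by replies to connections it opened, whereas the one-to-one host is reachable on every port from the outside and must be secured as if it sat directly on the WAN.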