I try to route 137.74.9.193 from server A to server B (Ubuntu 16.04).
If i try to ping 137.74.9.193 from Server A it works as expected, but when i try to ping from my personal computer it doesn't work.
Server A:
Public IP (ens3): 213.32.69.16
Public IP: 137.74.9.193
Local Tunnel IP: 10.0.0.1
Server B:
Public IP (eth0): 139.59.131.76
Local Tunnel IP: 10.0.0.2
Configuration on Server A:
nano /etc/network/interfaces
auto lo
iface lo inet loopback
auto ens3
iface ens3 inet dhcp
auto tun1
iface tun1 inet static
address 10.0.0.1
netmask 255.255.255.252
pre-up iptunnel add tun1 mode gre local 213.32.69.16 remote 139.59.131.76 ttl 255
up ifconfig tun1 multicast
up ifconfig tun1 arp
up ifconfig tun1 broadcast
pointopoint 10.0.0.2
post-up ip route add 137.74.9.193 via 10.0.0.2 dev tun1
post-down iptunnel del tun1
Commands executed:
# enable ip forward
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ echo 1 > /proc/sys/net/ipv4/conf/ens3/proxy_arp
# Add ip to arp to complete the loop.
$ arp -s 137.74.9.193 fa:16:3e:76:31:ea -i ens3 pub
Result Kernel IP routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
default 213.32.64.1 0.0.0.0 UG 0 0 0 ens3
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun1
ip193.ip-137-74 10.0.0.2 255.255.255.255 UGH 0 0 0 tun1
213.32.64.1 * 255.255.255.255 UH 0 0 0 ens3
Configuration on Server B:
nano /etc/network/interfaces
auto eth0
iface eth0 inet static
address 139.59.131.76
netmask 255.255.240.0
gateway 139.59.128.1
iface eth0:0 inet static
address 137.74.9.193
netmask 255.255.255.255
broadcast 137.74.9.193
auto tun1
iface tun1 inet static
address 10.0.0.2
netmask 255.255.255.252
pre-up iptunnel add tun1 mode gre local 139.59.131.76 remote 213.32.69.16 ttl 255
up ifconfig tun1 multicast
up ifconfig tun1 arp
up ifconfig tun1 broadcast
pointopoint 10.0.0.1
post-down iptunnel del tun1
Commands executed:
# enable ip forward
$ echo 1 > /proc/sys/net/ipv4/ip_forward
# Route to tun1
ip route add 10.0.0.1 dev tun1
Kernel IP routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 0 0 0 eth0
10.0.0.1 * 255.255.255.255 UH 0 0 0 tun1
10.19.0.0 * 255.255.0.0 U 0 0 0 eth0
139.59.128.0 * 255.255.240.0 U 0 0 0 eth0
Thanks for any help 🙂
UPDATE (14.11.2016): Add route commands on Server B
Best Answer
As far as I can tell from the information in your question, your problem is that
doesn't do what you think it does. This command creates a new ARP table entry on your server, such that if your server was to send packets over
ens3
to137.74.9.193
it won't do any ARP requests because you already specified a destination MAC address.But you also need to ensure that the router knows to send the packets to your server. The router will send an ARP request for
137.74.9.193
. But since that IP address is not assigned to any interface on your server, your server won't respond to these ARP requests.To make that work you will need to enable proxy ARP, which you can do with this command:
If you use that command instead of the
arp
command, I think it will work. (I know for a fact that this works with the peer IP of a point-to-point interface. I have not tested the same setup with a routing table entry sending the traffic over a tunnel interface, and I don't know with certainty whether that requires additional steps.)If the ISP hosting Server B filter traffic based on source IP address you may not be able to send packets from there using
137.74.9.193
as source address. If you ping137.74.9.193
from outside and capture ICMP packets oneth0
on Server B you should see whether ICMP echo responses are being sent on that interface.If you find that Server B is sending ICMP echo responses and they never reach their destination, the most likely explanation is that the ISP is filtering based on source IP address.
In that case you have two options. You can either contact the ISP and explain that you need to originate packets with this source IP such that they can update their filter. Or you can tunnel the return traffic through Server A.
The simplest way to tunnel return traffic through A is to create a routing table on B which looks like this:
This will however make
139.59.131.76
unreachable from the rest of the internet. If you want B to be reachable through both IP addresses simultaneously you need to create two different default routes and a routing policy to choose between them based on the packet source IP.