I'm hoping that someone on this list can shed some light on how Linux/CentOS decides which IP address to report when a Windows desktop attempts to access it via SAMBA/WINS.
The CentOS system in question is running a single NIC and OpenVPN which adds two additional virtual NICs. This is a backup system, there is another CentOS system that acts as the primary VPN server. The local NIC is 10.44.0.0/24, the virtual NICs are 10.55.5.0/24 and 10.55.6.0/24, respectively.
If a Windows Desktop on the local network attempts to contact this CentOS server, it is given its 10.44.0.x address. If a Windows Desktop is VPN connected to the primary CentOS VPN server, with a 10.55.3.x address, it is given this CentOS server's 10.55.6.x address.
It seems the IP address of the requester is being taken into account, perhaps looking for the closest subnet match?
Ultimately I'd like the CentOS system to always report its 10.44.0.x address. Is there any way to force this behavior?
Brett
Brett Serkez wrote:
I'm hoping that someone on this list can shed some light on how Linux/CentOS decides which IP address to report when a Windows desktop attempts to access it via SAMBA/WINS. ... Ultimately I'd like the CentOS system to always report its 10.44.0.x address. Is there any way to force this behavior?
pretty sure that's configurable in SMB.CONF
[global]
interfaces = [ (ip address or network interface or ip/mask or broadcast/mask) ...]
pretty sure that's configurable in SMB.CONF
[global]
interfaces = [ (ip address or network interface or ip/mask or broadcast/mask) ...]
Researched this before I emailed originally, this doesn't do it. Even if I specify only the subnet I want in all these places, the behavior is unaffected.
The reason I posted to CentOS and not SAMBA is that from what I can tell, the decision as to what address to return seemed to have more to do with the OS.
Does anyone on this know how the OS determines which IP address to choose when asked for its address when it has multiple choices? From the best I can tell so far, it seems to be the last adapter to start, the last one listed in ifconfig.
Brett
Brett Serkez wrote:
pretty sure that's configurable in SMB.CONF
[global]
interfaces = [ (ip address or network interface or ip/mask or broadcast/mask) ...]
Researched this before I emailed originally, this doesn't do it. Even if I specify only the subnet I want in all these places, the behavior is unaffected.
The reason I posted to CentOS and not SAMBA is that from what I can tell, the decision as to what address to return seemed to have more to do with the OS.
Does anyone on this know how the OS determines which IP address to choose when asked for its address when it has multiple choices? From the best I can tell so far, it seems to be the last adapter to start, the last one listed in ifconfig.
I have only assumed it is the address that matches its host name, which is why I always configure that in the /etc/hosts file.
-Ross
______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
I have only assumed it is the address that matches its host name, which is why I always configure that in the /etc/hosts file.
Right, one would think so, but this doesn't seem to affect this behavior either.
Shutting down and starting up OpenVPN immediately affects the behavior, indicating this behavior is dynamic. I've been searching for a way to affect this behavior, perhaps in a configuration file (/etc/sysconfig... or /proc/...) with no luck so far.
Brett
Brett Serkez wrote:
I have only assumed it is the address that matches its host name, which is why I always configure that in the /etc/hosts file.
Right, one would think so, but this doesn't seem to affect this behavior either.
Shutting down and starting up OpenVPN immediately affects the behavior, indicating this behavior is dynamic. I've been searching for a way to affect this behavior, perhaps in a configuration file (/etc/sysconfig... or /proc/...) with no luck so far.
I should have asked this, but what do you mean by the default IP on a multi-homed host?
I am unsure whether there is a default IP at all and the routing table decides which interface depending on the source and destination IP addresses used on the host.
-Ross
I have only assumed it is the address that matches its host name, which is why I always configure that in the /etc/hosts file.
Right, one would think so, but this doesn't seem to affect this behavior either.
Shutting down and starting up OpenVPN immediately affects the behavior, indicating this behavior is dynamic. I've been searching for a way to affect this behavior, perhaps in a configuration file (/etc/sysconfig... or /proc/...) with no luck so far.
I should have asked this, but what do you mean by the default IP on a multi-homed host?
It is not multi-homed, as described in my initial post. It has only one ethernet card with a single IP address. The problem comes in when running OpenVPN which adds two virtual adapters, each with a unique IP address (i.e., 10.55.5.x and 10.55.6.x).
When OpenVPN is stopped, all works fine, it is only with OpenVPN running that the server starts using one of the IPs from the last virtual adapter as its IP address, in some cases.
I am unsure whether there is a default IP at all and the routing table decides which interface depending on the source and destination IP addresses used on the host.
OpenVPN does modify the routing table, but only for the specific subnet routing, i.e. 10.55.5.0/24 and 10.55.6.0/24.
The problem is that when a Windows desktop is OpenVPN connected to another CentOS system on the same local network as the subject server on an unrelated subnet ( i.e. 10.55.3.0/24) it is given the subject server's 10.55.6.x address vs. the ethernet 10.44.0.x address, which would work perfectly.
So from a Windows workstation on the local subnet, if I ping CentOServer I get 10.44.0.x, which is what I want. If I am on the Windows desktop VPN connected to the other CentOS server on subnet 10.55.3.0/24 and I ping CentOSServer I get 10.55.6.x vs the 10.44.0.x I would have expected. There should be no relationship between the originating Workstation's IP and the IP it is given for CentOServer, but there is, I am trying to understand why if there is a way to change this behavior.
Is this any clearer?
Brett
Brett Serkez wrote:
I have only assumed it is the address that matches its host name, which is why I always configure that in the /etc/hosts file.
Right, one would think so, but this doesn't seem to affect this behavior either.
Shutting down and starting up OpenVPN immediately affects the behavior, indicating this behavior is dynamic. I've been searching for a way to affect this behavior, perhaps in a configuration file (/etc/sysconfig... or /proc/...) with no luck so far.
I should have asked this, but what do you mean by the default IP on a multi-homed host?
It is not multi-homed, as described in my initial post. It has only one ethernet card with a single IP address. The problem comes in when running OpenVPN which adds two virtual adapters, each with a unique IP address (i.e., 10.55.5.x and 10.55.6.x).
There should be no difference in IP behavior that would relate to the interface being an ethx or tunx device.
When OpenVPN is stopped, all works fine, it is only with OpenVPN running that the server starts using one of the IPs from the last virtual adapter as its IP address, in some cases.
I thought what is supposed to happen for outbound connections is that unless an application specifically binds a socket to an address, it should pick the interface on the subnet of the next-hop router toward the destination address. This can still be confusing if you have multiple alias addresses on the same subnet, though.
I am unsure whether there is a default IP at all and the routing table decides which interface depending on the source and destination IP addresses used on the host.
OpenVPN does modify the routing table, but only for the specific subnet routing, i.e. 10.55.5.0/24 and 10.55.6.0/24.
The problem is that when a Windows desktop is OpenVPN connected to another CentOS system on the same local network as the subject server on an unrelated subnet ( i.e. 10.55.3.0/24) it is given the subject server's 10.55.6.x address vs. the ethernet 10.44.0.x address, which would work perfectly.
So from a Windows workstation on the local subnet, if I ping CentOServer I get 10.44.0.x, which is what I want. If I am on the Windows desktop VPN connected to the other CentOS server on subnet 10.55.3.0/24 and I ping CentOSServer I get 10.55.6.x vs the 10.44.0.x I would have expected.
Are you talking about IP addressing or windows name resolution here? If you are pinging by name, windows can use dns or netbios to resolve the name to an IP. Then the centos side will just respond from the same IP. Is the name in DNS?
There should be no relationship between the originating Workstation's IP and the IP it is given for CentOServer, but there is, I am trying to understand why if there is a way to change this behavior.
I have no idea how windows netbios relates to multihomed hosts - or even what samba's nmbd announces. You should be able to test from the windows box with nslookup to check dns and nbtstat for netbios.
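The source-address behaviour described in the reply above (an unbound socket takes the address of the interface the route lookup selects, while an explicit bind overrides that) can be observed directly. This is an added example, not part of any poster's message; the function names and the sample destination addresses are constructed for illustration.

```python
import socket


def kernel_source_for(dest_ip, port=137):
    """Return the source IP the kernel picks for an unbound socket to dest_ip.

    connect() on a UDP socket sends no packets; it only makes the kernel do
    the route lookup and fix the local address, which getsockname() reports.
    Returns None when the host has no route to the destination.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest_ip, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def bound_source_for(dest_ip, local_ip, port=137):
    """Same lookup, but with the socket bound to local_ip first.

    An explicit bind() overrides the routing-based choice: the local address
    stays local_ip regardless of which interface the route points at.
    Returns None if local_ip is not configured here or there is no route.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((local_ip, 0))
        s.connect((dest_ip, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed sample destinations, one per subnet named in the thread.
    for dest in ("10.44.0.10", "10.55.3.10", "10.55.6.10", "127.0.0.1"):
        print(f"{dest:12} -> unbound source {kernel_source_for(dest)}")
```

Run on the server with OpenVPN up and then down, the unbound result for a 10.55.3.x destination shows which local address the routing table selects for replies that are not explicitly bound.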
Brett Serkez wrote:
I have only assumed it is the address that matches its host name, which is why I always configure that in the /etc/hosts file.
Right, one would think so, but this doesn't seem to affect this behavior either.
Shutting down and starting up OpenVPN immediately affects the behavior, indicating this behavior is dynamic. I've been searching for a way to affect this behavior, perhaps in a configuration file (/etc/sysconfig... or /proc/...) with no luck so far.
I should have asked this, but what do you mean by the default IP on a multi-homed host?
It is not multi-homed, as described in my initial post. It has only one ethernet card with a single IP address. The problem comes in when running OpenVPN which adds two virtual adapters, each with a unique IP address (i.e., 10.55.5.x and 10.55.6.x).
Ok, I see the setup now.
When OpenVPN is stopped, all works fine, it is only with OpenVPN running that the server starts using one of the IPs from the last virtual adapter as its IP address, in some cases.
You mean it routes traffic over the OpenVPN interface that you do not believe should go over that interface. What traffic is going over the interface that shouldn't?
I am unsure whether there is a default IP at all and the routing table decides which interface depending on the source and destination IP addresses used on the host.
OpenVPN does modify the routing table, but only for the specific subnet routing, i.e. 10.55.5.0/24 and 10.55.6.0/24.
Do you have any dynamic routing protocol running like RIP or OSPF?
Can you post a 'netstat -r' when the VPN is up?
The problem is that when a Windows desktop is OpenVPN connected to another CentOS system on the same local network as the subject server on an unrelated subnet ( i.e. 10.55.3.0/24) it is given the subject server's 10.55.6.x address vs. the ethernet 10.44.0.x address, which would work perfectly.
So you're setting up VPNs within the LAN? Maybe you can give a little more background at what you're trying to accomplish so everybody can get a better picture of what's going on.
So from a Windows workstation on the local subnet, if I ping CentOServer I get 10.44.0.x, which is what I want. If I am on the Windows desktop VPN connected to the other CentOS server on subnet 10.55.3.0/24 and I ping CentOSServer I get 10.55.6.x vs the 10.44.0.x I would have expected. There should be no relationship between the originating Workstation's IP and the IP it is given for CentOServer, but there is, I am trying to understand why if there is a way to change this behavior.
Is this any clearer?
I would look at those routes again to make sure the OpenVPN software doesn't perform route summarization and put in a route for the whole 10.0.0.0/8 subnet on one of those interfaces.
-Ross
On 9/14/07, Brett Serkez bserkez@gmail.com wrote:
pretty sure that's configurable in SMB.CONF
[global]
interfaces = [ (ip address or network interface or ip/mask or broadcast/mask) ...]
Researched this before I emailed originally, this doesn't do it. Even if I specify only the subnet I want in all these places, the behavior is unaffected.
The reason I posted to CentOS and not SAMBA is that from what I can tell, the decision as to what address to return seemed to have more to do with the OS.
Does anyone on this know how the OS determines which IP address to choose when asked for its address when it has multiple choices? From the best I can tell so far, it seems to be the last adapter to start, the last one listed in ifconfig.
While I have not resolved the issue, after more research I believe it is a SAMBA (nmbd) issue. I appreciate all the responses I've gotten, they have been helpful! In particular, using nbtstat -R to flush the NetBIOS cache on the Windows client to be sure of results is very helpful.
This is not a routing, interface or multi-homing issue. The issue seems to be within the nmbd daemon and how it selects ip addresses to return in answer to name queries.
So far I've not found a way to control or alter this behavior. I did find the following reference in regard to a variant of the nmbd daemon, a -I option that doesn't seem to be implemented in the current version:
-I
On some systems, the server is unable to determine the correct IP address to use. This allows you to override the default choice.
Since this system acts as a backup VPN server, I've temporarily disabled OpenVPN to control the behavior so that I can use it to experiment on another project which requires "correct" name resolution.
If I find a resolution, I'll reply back to the list.
Thanks to all,
Brett