Linux: Default gateway fails, must use local IP for defaul..

Guest
Archived from groups: (More info?)

We have several laptops running Redhat 9 using Linksys 802.11b cards, and
Cisco 1200 series APs. We've found that to access networks beyond our
local subnet, we must configure the default gateway on the laptop to be the
IP address of the local wireless interface, and NOT the address of the
router for the subnet the laptop is on (as one normally would). Note that
w/o the default gw configured we can still ping hosts on the same subnet (of
course).

Why would we be having such a problem? If I bring my laptop home and
configure the default gateway to be the IP address of my small router, it
works fine. I'm wondering if it could be a config issue on the Cisco AP at
work?

--john
 
Guest
Archived from groups: (More info?)

On Thu, 08 Jul 2004 02:51:17 GMT, "John Sasso" <jsassojr@nycap.rr.com>
wrote:

>We have several laptops running Redhat 9 using Linksys 802.11b cards, and
>Cisco 1200 series APs. We've found that to access networks beyond our
>local subnet, we must configure the default gateway on the laptop to be the
>IP address of the local wireless interface, and NOT the address of the
>router for the subnet the laptop is on (as one normally would).

That's wrong.

>Note that
>w/o the default gw configured we can still ping hosts on the same subnet (of
>course).

Ok, the hosts and router are present and accounted for.

>Why would we be having such a problem?

Because you *MAY* have had your router's IP address hijacked by someone
doing a "man in the middle" attack. Packets that are supposed to go to
the router are instead going to some other computah, collected, and
then forwarded to the real router. You can test for this by running:
    arp -a
Ping the router and compare the MAC address for whatever it shows for
the router IP address. If it doesn't agree with what's on the label,
try to identify the manufacturer by the MAC address and deal with the
perpetrator. You may also find arpwatch and arping handy (comes with
RH9).

>If I bring my laptop home and
>configure the default gateway to be the IP address of my small router, it
>works fine. I'm wondering if it could be a config issue on the Cisco AP at
>work?
>
>--john
>

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
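
Added example, not part of the original posts: the MAC comparison described in the reply above, written as a shell function over the kernel's ARP table (/proc/net/arp format). The function names, verdict strings and sample table (documentation addresses in 192.0.2.0/24, made-up MACs) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/net/arp format (columns: IP, HW type, Flags,
# HW address, Mask, Device). 192.0.2.1 plays the gateway, 192.0.2.57 answers
# with the same MAC, and 192.0.2.99 is an incomplete entry (Flags 0x0).
sample_arp_table() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:0c:29:aa:bb:cc     *        wlan0
192.0.2.20       0x1         0x2         00:11:22:33:44:55     *        wlan0
192.0.2.57       0x1         0x2         00:0c:29:aa:bb:cc     *        wlan0
192.0.2.99       0x1         0x0         00:00:00:00:00:00     *        wlan0
EOF
}

# check_gateway_mac GATEWAY_IP LABEL_MAC [TABLE]
# TABLE defaults to /proc/net/arp; "-" reads the table from stdin.
# Prints one verdict line, then "SHARED <ip>" for every other IP that resolves
# to the gateway's current MAC. Proxy ARP or a multi-homed host can also
# produce SHARED lines, so treat them as something to follow up on.
# Exit status: 0 = matches the label, 1 = mismatch, 2 = no usable entry
# (ping the router first so the cache is populated).
check_gateway_mac() {
    awk -v gw="$1" -v want="$2" '
        NR == 1 || $3 == "0x0" { next }    # skip header and incomplete entries
        { mac[$1] = tolower($4) }          # compare MACs case-insensitively
        END {
            if (!(gw in mac)) { print "MISSING", gw; exit 2 }
            seen = mac[gw]
            rc = (seen == tolower(want)) ? 0 : 1
            verdict = rc ? "MISMATCH" : "OK"
            print verdict, gw, "is-at", seen
            for (ip in mac)
                if (ip != gw && mac[ip] == seen) print "SHARED", ip
            exit rc
        }' "${3:-/proc/net/arp}"
}

# Demo on the constructed table; the label MAC is given in upper case.
sample_arp_table | check_gateway_mac 192.0.2.1 00:0C:29:AA:BB:CC -
```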
 
Guest
Archived from groups: (More info?)

On Thu, 08 Jul 2004 02:51:17 GMT, "John Sasso" <jsassojr@nycap.rr.com>
wrote:

>We have several laptops running Redhat 9 using Linksys 802.11b cards, and
>Cisco 1200 series APs. We've found that to access networks beyond our
>local subnet, we must configure the default gateway on the laptop to be the
>IP address of the local wireless interface, and NOT the address of the
>router for the subnet the laptop is on (as one normally would). Note that
>w/o the default gw configured we can still ping hosts on the same subnet (of
>course).
>
>Why would we be having such a problem? If I bring my laptop home and
>configure the default gateway to be the IP address of my small router, it
>works fine. I'm wondering if it could be a config issue on the Cisco AP at
>work?

Another possibility is that some machine on your office LAN is spewing
RIP (router information protocol) updates that are advertising a bogus
route to the internet. If your Linux boxes are running routed (RIP2)
they may be getting redirected to the wrong gateway to the internet.
A clue is that if the default route (i.e. gateway) on your laptops
points to themselves, you should not be able to browse or ping IP
addresses on the internet as there is no way for the packets to get to
the internet. Therefore, I suspect that either something is
redirecting the packets as in the man in the middle exploit, or that
something (i.e. RIP) is setting the default route AFTER you set them
to the laptop IP address.

Check your routing table with:
    route -nv
or
    route -env
for the old style netstat output. Look for a weird default route or a
route that changes. Also, fire up arpwatch and see if the arp cache
is changing or similar weirdness.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
 
