OpenWrt Forum Archive

Topic: modem admin page unreachable, network confusion

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm running kamikaze on an asus wl500gp with a FritzBox modem/router attached on the wan port. Internet access is fine, only I can't reach the modem's administration page from my PC (Debian Linux on the PC).

router interfaces:
br-lan    Link encap:Ethernet  HWaddr 00:18:F3:93:A8:22 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0 ...
eth0 ...
eth0.0 ...
eth0.1    Link encap:Ethernet  HWaddr 00:18:F3:93:A8:22 
          inet addr:192.168.178.20  Bcast:192.168.178.255  Mask:255.255.255.0 ...
         
where 192.168.178.20 is the address the modem's dhcp server assigns to the router. The modem's address is 192.168.178.1, I can ping it from the router, but not from the PC.

PC interface:

eth0      Link encap:Ethernet  HWaddr 00:0A:E4:36:AF:53 
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0 ...

The first thing I tried was to change the netmask on the PC to 255.255.0.0, which immediately makes the router unreachable. - Why is that?

Then (on the router) I changed /etc/config/network
#### LAN configuration
config interface lan
...
        option netmask  '255.255.0.0'

and now see:

br-lan    Link encap:Ethernet  HWaddr 00:18:F3:93:A8:22 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.0.0

Internet access is still there, modem admin page is still unreachable from PC. I get a new IP address for the PC from the router via dhcp, the new address comes with Mask:255.255.0.0 and - again the router is unreachable and internet access down.

So maybe it's the PC. I connect the PC directly to the modem, change the modem's netmask to 255.255.0.0 and - encounter the same symptom: I receive an IP address, now directly from the modem's dhcp server, netmask on the PC is now also 255.255.0.0, but modem and internet are no longer reachable. I change the netmask back to 255.255.255.0: the modem is reachable again.

So it's the PC, not the router, but - is it?

I put the router back in and now change the netmask in interface eth0.1(router) to 255.255.0.0 which - now makes the modem unreachable from the router.

I'm sure there is something quite simple and fundamental about networking that I don't understand. Could someone please tell me what it is?

(Last edited by antonix on 2 Apr 2007, 17:02)

you need a static route from the modem to your router or something

Yes, but I can't make it work. The routing table on the PC looks like this:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
modem.lan       *               255.255.255.255 UH    0      0        0 eth0
192.168.178.0   *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         router.lan      0.0.0.0         UG    0      0        0 eth0

On the router it looks like this:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.178.1   *               255.255.255.255 UH    0      0        0 eth0.1
192.168.178.0   *               255.255.255.0   U     0      0        0 eth0.1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
default         modem           0.0.0.0         UG    0      0        0 eth0.1

where 'modem' is 192.168.178.1 and 'router' is 192.168.1.1, set in /etc/ethers on the router.

It bothers me whenever I see people who don't even grasp the very basics of networking. It bothers me even more when they get responses by people who are equally clueless.

Let's start with a lesson in binary -

Each digit in binary represents a power of 2. The right most digit represents 2^0 and each digit to the left represents a power of 2 higher than the previous. It might help if we make a table, so for an 8 digit binary number, the values are:

2^7 2^6 2^5 2^4 2^3 2^2 2^1 2^0

Or alternatively

128 64 32 16 8 4 2 1

So, if we have a binary number like 00011011, we can compute the decimal value using the above table:

128 64 32 16 8 4 2 1
  0  0  0  1 1 0 1 1

Or

0 * 128 + 0 * 64 + 0 * 32 + 1 * 16 + 1 * 8 + 0 * 4 + 1 * 2 + 1 * 1
= 16 + 8 + 2 + 1
= 27

This means that 00011011 in binary means 27 in decimal.

To convert from decimal to binary we can also use the above table, only this time we'll start from the left side of the table. If we can subtract the value from our current number we write a 1, otherwise we write a 0. Let's start by converting 168 to binary.

128 64 32 16 8 4 2 1
  1                     ... 168 - 128 = 40, continue with 40
     0                  ... can't subtract 40 - 64
        1               ... 40 - 32 = 8
           0            ... can't subtract 8 - 16
             1          ... 8 - 8 = 0
               0 0 0    ... can't subtract anything else from 0

So, looking at our table, 168 is 10101000 in binary.

If we convert a whole IP address like 192.168.1.2 we end up with:

11000000 10101000 00000001 00000010

And a netmask of 255.255.255.0

11111111 11111111 11111111 00000000

Notice how the netmask has a series of 1's on the left? There's 24 of them, which is why you'll sometimes see a "255.255.255.0" netmask called a "/24". A netmask determines which bits of the IP address are constant, so in this example we have a range of:

11000000 10101000 00000001 00000000
...
11000000 10101000 00000001 11111111

Or, 192.168.1.0 - 192.168.1.255. This is called our subnet. The lowest number, 192.168.1.0 is reserved as the network address. The highest number, 192.168.1.255 is called the broadcast address. This gives us a usable IP range from 192.168.1.1 to 192.168.1.254.

Before we continue we need to talk about mac addresses. Each Ethernet interface has its own unique mac address; communication between Ethernet devices actually uses the mac address, not IP addresses. ARP stands for "Address Resolution Protocol" and is the mechanism used to resolve an IP address to a mac address.

In our example, we have a computer with an IP of 192.168.1.2 and a netmask of 255.255.255.0; this defines our subnet as 192.168.1.1-192.168.1.254 -- these are the computers that can be reached directly at the mac address layer. If we want to talk to any machines outside our subnet, we need a gateway. A gateway is nothing more than a machine on multiple subnets which is able to forward traffic on our behalf.

To understand what I mean, let's look at a routing table.

1: Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
2: 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
3: 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Routing tables are a set of rules to be followed to reach an IP address, they are ordered from the most specific to the least specific. Each line shows a network address, netmask (Genmask) and a gateway to reach that subnet. Line 2 shows us that 192.168.1.1-192.168.1.255 can be reached on eth0 without using a gateway (0.0.0.0). Look carefully at line 3, here is a network address of 0.0.0.0 and a netmask of 0.0.0.0; this means 0.0.0.0-255.255.255.255 can be reached via the gateway 192.168.1.1.

That, in a nutshell, is how networking works. The internet is a massive collection of networks connected by various gateways. So from 192.168.1.2 it uses 192.168.1.1 as a gateway, 192.168.1.1 will use another gateway and the packet will travel according to each gateway's routing rules until it reaches the destination. To prevent endless loops, each packet has a ttl (time to live), which is decreased each time the packet is forwarded; when the ttl expires, an error message is sent back to the source. Traceroute takes advantage of this by purposely setting the ttl low and slowly incrementing it, causing error messages from every hop (gateway) along the path to the destination.

Ah, but we still need to talk about NAT.

So far we've been talking about addresses in the 192.168.x.x range. These are private addresses which aren't routed across the internet. I don't want to connect to google telling it that I'm 192.168.1.2 because google would have a tough time sending the response back to a 192.168.x.x address. This is where NAT comes in handy; NAT stands for Network Address Translation, and it allows us to substitute one IP address for another. Suppose my network looks like this:

my pc (192.168.1.2) --- router (192.168.1.1, 1.2.3.4) --- google

When I send a request to google, it goes through my router, and the router then performs a NAT changing the original source (192.168.1.2) to the router's internet IP (1.2.3.4), while writing a record in the router's NAT table that 192.168.1.2 tried to access google. When the response from google comes back, the router looks at its NAT table and sees that the request came from 192.168.1.2 and forwards the packet. This acts as a natural firewall, because if the router receives a packet from openwrt.org instead, it will look at the NAT table and not find any requests for openwrt.org.


...

I've indirectly answered all of your questions.
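
Added example, not part of the original post: the most-specific-route-first lookup described above, applied to the PC's routing table from the post and to a constructed copy of it with the 255.255.0.0 netmask the original poster tried. The function and table names are illustrative.

```python
import ipaddress

def route(dest, mask, gateway, iface):
    # strict=False lets 192.168.1.0 with mask 255.255.0.0 normalise to 192.168.0.0/16
    return (ipaddress.ip_network(f"{dest}/{mask}", strict=False), gateway, iface)

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def next_hop(table, dst):
    """Describe what the host does with a packet addressed to dst."""
    hit = lookup(table, dst)
    if hit is None:
        return "no route"
    _net, gateway, iface = hit
    if gateway is None:
        # On-link route: the host ARPs for the destination itself.
        return f"ARP for {dst} on {iface}"
    return f"forward via {gateway} on {iface}"

# PC routing table from the post (192.168.1.2, netmask 255.255.255.0).
PC_MASK_24 = [
    route("192.168.1.0", "255.255.255.0", None, "eth0"),
    route("0.0.0.0", "0.0.0.0", "192.168.1.1", "eth0"),
]
# Constructed variant: the same PC with its netmask changed to 255.255.0.0.
PC_MASK_16 = [
    route("192.168.1.0", "255.255.0.0", None, "eth0"),
    route("0.0.0.0", "0.0.0.0", "192.168.1.1", "eth0"),
]

if __name__ == "__main__":
    for name, table in (("/24", PC_MASK_24), ("/16", PC_MASK_16)):
        for dst in ("192.168.1.1", "192.168.178.1", "1.2.3.4"):
            print(name, dst, "->", next_hop(table, dst))
```

With the /16 mask the modem's address 192.168.178.1 falls inside the PC's own subnet, so the PC ARPs for it on the LAN instead of handing the packet to the router; the modem is attached to the router's WAN port, so (assuming the router does not proxy ARP) nothing answers.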

Thank you for your trouble. I found the answer now. I had qemu running on the PC with a 255.255.0.0 netmask for a host-only (tap0) network. That somehow interfered.
