routing 2 subnets behind a firewall

Post by Henry_Bart » Sun, 18 Mar 2001 01:57:25





>> The routing I have set up on the wireless remote is:
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 0.0.0.0         192.168.2.1     0.0.0.0         UG    1      0        0 eth0

>> Does that match your description?
> The "Metric"=1 setting seems odd. From what I understand, it lets packets die in your desktop gateway. I don't know whether this is correct or how to get rid of this in your startup scripts/config.
> I would try
> # route del default gw 192.168.2.1 eth0
> # route add default gw 192.168.2.1 eth0
> and see if Metric=0 after that (IIRC metric is an option to the route command that defaults to 0). If the above throws errors or doesn't work, "man route" might help you to figure it out.

    Yes, the Metric field changed to 0. Unfortunately it seemed to
    make no difference.

    On the other hand, not routing past the next machine has not
    been as bad as I had imagined. I can telnet to my desktop, set
    my display variable and do anything I would have done on my
    portable.

    Thanks for the suggestions. They seemed well reasoned and I had
    hopes that they would help. I have studied the man page and the
    appropriate networking HOWTOs already. They, along with deja/google
    helped me to get to the point where I posted. I guess I'll just lurk
    here hoping another query or solution will help me to resolve
    my issues.

    regards,
    hank

--
Hank Barta                            White Oak Software Inc.

                Beautiful Sunny Winfield, Illinois

 
 
 

routing 2 subnets behind a firewall

Post by Henry_Bart » Fri, 16 Mar 2001 14:41:25


    I have added a wireless subnet to my home lan and am wrestling
    with routing (and perhaps firewalling) issues.

The LAN looks like:

            eth1
          external
             IP
        11.22.33.44      192.168.100.100      198.168.2.126
             |                |                    |
CABLE>--eth--<firewall>--eth--<desktop>--wireless--<portable>
MODEM                 |               |
                192.168.100.1     192.168.2.1
                     eth0

    Verbally, I have a firewall with a static IP for which I've
    substituted 11.22.33.44 on one Ether NIC (eth1) and a connection
    to a home lan (network address 192.168.100.0) using 192.168.100.1
    on eth0. Another host on the home lan (at 192.168.100.100) has
    a wavelan interface to which I have assigned the IP address
    192.168.2.1 and which I expect to route messages between the
    two network interfaces. I have not compiled in support for
    advanced routing (2.2.18 kernel) but I have turned forwarding
    on with

 "echo 1 > /proc/sys/net/ipv4/ip_forward"

    On my firewall, I have opened up connections to the remote
    subnet with:

ipchains -A input  -i $LOCAL_INTERFACE_1 -s $LOCALNET_2 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_2 -j ACCEPT
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_2 -j MASQ

    where $LOCAL_INTERFACE_1 is eth0, $EXTERNAL_INTERFACE is eth1
    and $LOCALNET_2 is 192.168.2.1/24. (The original script was
    generated using Robert Ziegler's tool at
    http://www.linux-firewall-tools.com/linux/firewall/index.html)

    When the wireless card is inserted, the routing table on the
    desktop looks like:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth0

    At this point, I can ping, ftp (600+ kB/sec!!!) between the
    desktop and portable with only one minor problem. When I telnet
    from desktop to portable, something has to time out because it
    takes several minutes to get the password prompt. Ping times
    are good at 1.9 ms. The problem I am encountering is routing
    or perhaps firewall related beyond the desktop.

    The standard routing configuration on the firewall is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
11.22.33.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         11.22.33.44     0.0.0.0         UG    0      0        0 eth1

    I have tried several routing configurations and so far none
    has worked completely. Using 'watch ifconfig' on the various
    hosts, I believe I have been able to tell how far ICMP packets
    from ping travel before getting blocked.

    The command

route add -net 192.168.2.0 netmask 255.255.255.0 dev eth0

    gets me:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
11.22.33.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         11.22.33.44     0.0.0.0         UG    0      0        0 eth1

    and using

route add -host 192.168.2.126 dev eth0

    gets

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.126   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
11.22.33.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         11.22.33.44     0.0.0.0         UG    0      0        0 eth1

    For both of these situations, ping from the firewall goes
    through the route to the desktop, but no further.

    Using

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.100.100

    gets

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
11.22.33.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     192.168.100.100 255.255.255.0   UG    0      0        0 eth0
0.0.0.0         11.22.33.44     0.0.0.0         UG    0      0        0 eth1

    and

route add -host 192.168.2.126  gw 192.168.100.100

    gets

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.126   192.168.100.100 255.255.255.255 UGH   0      0        0 eth0
11.22.33.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         11.22.33.44     0.0.0.0         UG    0      0        0 eth1

    In both of these configurations, the counters increment for
    both TX and RX on the route between the firewall and desktop
    *and* the route between the desktop and portable. However, ping
    still indicates 100% packet loss. It seems like either of these
    configurations is *real* close, but something is still amiss,
    perhaps on the desktop.

    Another bit of information. I have other machines on the same
    internal ethernet segment (192.168.100.0) that also cannot ping
    the portable.  (This is a Win2000 box and I cannot figure out
    how to add a route to the portable interface.)

    I would appreciate any suggestions anyone has that might help
    me to resolve this issue.

    Thanks,
    hank

--
Hank Barta                            White Oak Software Inc.

                Beautiful Sunny Winfield, Illinois

 
 
 

routing 2 subnets behind a firewall

Post by Sven Golcher » Sat, 17 Mar 2001 03:48:24


Hank,


>     I have added a wireless subnet to my home lan and am wrestling
>     with routing (and perhaps firewalling) issues.

> The LAN looks like:

>             eth1
>           external
>              IP
>         11.22.33.44      192.168.100.100      198.168.2.126
>              |                |                    |
> CABLE>--eth--<firewall>--eth--<desktop>--wireless--<portable>
> MODEM                 |               |
>                 192.168.100.1     192.168.2.1
>                      eth0

>     (...)
>     (two routing commands, among others, that Hank
>     tried on the firewall, were)

> route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.100.100
> route add -host 192.168.2.126  gw 192.168.100.100

>     (...)

>     In both of these configurations, the counters increment for
>     both TX and RX on the route between the firewall and desktop
>     *and* the route between the desktop and portable. However, ping
>     still indicates 100% packet loss. It seems like either of these
>     configurations is *real* close, but something is still amiss,
>     perhaps on the desktop.

Right, you're close. You definitely have to specify a gateway on the firewall,
since 192.168.2.0/24 isn't physically connected to eth0. As long as you've only got
.126 on that subnet, the two commands cited above don't differ in function.

The remaining problem could lie in the wireless client's routing table. It should
have routes
    dest 192.168.2.0/24 (no gateway) and
    dest 0.0.0.0 (gateway 192.168.2.1)
on the wireless interface. Is the last one missing?

Sven
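
The point Sven makes above (a route via eth0 with no gateway makes the firewall ARP for 192.168.2.x on the wrong link, while `gw 192.168.100.100` hands the packet to the desktop, which forwards it) can be traced through a small model of the topology. This is an added example, not code from the thread: the hosts, links and tables are constructed from the diagram and the `route -n` listings in the posts (external side simplified), and `lookup`, `neighbour`, `trace` and `with_firewall_route` are names chosen here.

```python
import ipaddress

# Constructed model of the thread's hosts: interfaces as (ip, link), 'route -n' rows as (dest, gw, iface), ip_forward.
HOSTS = {
    "firewall": {"fwd": True, "ifaces": {"eth1": ("11.22.33.44", "cable"), "eth0": ("192.168.100.1", "lan")},
                 "routes": [("192.168.100.0/24", None, "eth0"), ("0.0.0.0/0", "11.22.33.44", "eth1")]},
    "desktop": {"fwd": True, "ifaces": {"eth0": ("192.168.100.100", "lan"), "eth1": ("192.168.2.1", "wlan")},
                "routes": [("192.168.100.0/24", None, "eth0"), ("192.168.2.0/24", None, "eth1"),
                           ("0.0.0.0/0", "192.168.100.1", "eth0")]},
    "portable": {"fwd": False, "ifaces": {"eth0": ("192.168.2.126", "wlan")},
                 "routes": [("192.168.2.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.2.1", "eth0")]},
}

def lookup(host, dst):
    """Longest-prefix match, the rule the kernel applies to the tables in the thread."""
    cands = [(ipaddress.ip_network(n), gw, i) for n, gw, i in HOSTS[host]["routes"]
             if ipaddress.ip_address(dst) in ipaddress.ip_network(n)]
    return max(cands, key=lambda c: c[0].prefixlen, default=None)

def neighbour(link, ip, sender):
    """The other host on this link that owns ip (the one that would answer ARP), or None."""
    return next((n for n, h in HOSTS.items() if n != sender
                 and any(lk == link and a == ip for a, lk in h["ifaces"].values())), None)

def trace(src, dst, max_hops=8):
    """Follow one packet hop by hop; returns (hosts visited, outcome)."""
    path, host = [src], src
    for _ in range(max_hops):
        if any(a == dst for a, _ in HOSTS[host]["ifaces"].values()):
            return path, "delivered"
        if host != src and not HOSTS[host]["fwd"]:
            return path, "dropped: ip_forward=0 on " + host
        _, gw, iface = lookup(host, dst)  # every table above has a default route, so never None
        nxt = neighbour(HOSTS[host]["ifaces"][iface][1], gw or dst, host)
        if nxt is None:  # e.g. 'dev eth0' with no gw: the firewall ARPs for 192.168.2.x on the LAN link
            return path, "stuck on %s/%s: nobody answers ARP for %s" % (host, iface, gw or dst)
        path.append(nxt)
        host = nxt
    return path, "loop"

def with_firewall_route(route):
    """Prepend one of the post's 'route add' variants on the firewall, then ping both ways."""
    saved = HOSTS["firewall"]["routes"]
    HOSTS["firewall"]["routes"] = [route] + saved
    result = trace("firewall", "192.168.2.126"), trace("portable", "192.168.100.1")
    HOSTS["firewall"]["routes"] = saved
    return result
```

Setting `HOSTS["desktop"]["fwd"]` to False shows the other failure mode in the thread: with the gateway route in place the packet reaches the desktop and is dropped there unless ip_forward is on.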

 
 
 

routing 2 subnets behind a firewall

Post by Hank Bart » Sat, 17 Mar 2001 11:44:20



> Hank,
> The remaining problem could lie in the wireless client's routing table. It should
> have routes
>     dest 192.168.2.0/24 (no gateway) and
>     dest 0.0.0.0 (gateway 192.168.2.1)
> on the wireless interface. Is the last one missing?

The routing I have set up on the wireless remote is:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    1      0        0 eth0

Does that match your description? This corresponds to settings in
/etc/pcmcia/network.opts of

    IPADDR="192.168.2.126"
    NETMASK="255.255.255.0"
    NETWORK="192.168.2.0"
    BROADCAST="192.168.2.255"
    # Gateway address for static routing
    GATEWAY="192.168.2.1"

    thanks,
    hank

--
Hank Barta                              White Oak Software Inc.

                Beautiful Sunny Winfield, Illinois

 
 
 

routing 2 subnets behind a firewall

Post by Sven Golcher » Sat, 17 Mar 2001 21:43:10



> The routing I have set up on the wireless remote is:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         192.168.2.1     0.0.0.0         UG    1      0        0 eth0

> Does that match your description?

The "Metric"=1 setting seems odd. From what I understand, it lets packets die in your desktop gateway. I don't know whether this is correct or how to get rid of this in your startup scripts/config.

I would try

# route del default gw 192.168.2.1 eth0
# route add default gw 192.168.2.1 eth0

and see if Metric=0 after that (IIRC metric is an option to the route command that defaults to 0). If the above throws errors or doesn't work, "man route" might help you to figure it out.

Sven

 
 
 

1. FreeBSD and natd - routing from behind firewall to behind firewall.

Having a strange problem with a FreeBSD gateway/firewall system I set up.  
The gateway connects a small network to an ADSL line and has three static
external IP addresses.  I am using natd to provide access to the Internet
for computers in the internal LAN.

One of the machines behind the firewall is a web server and I use a natd
line similar to the following to route incoming connections to that box:

redirect_address 192.168.1.100 xxx.xxx.xxx.1

In this case the real IP of the web server is 192.168.1.100 and it is
accessed from outside the LAN by the address xxx.xxx.xxx.1.  This works.

The problem is that if any of the computers on the internal LAN try to
access the web server at xxx.xxx.xxx.1 it doesn't work.  I can access the
web server fine from inside the LAN using the local address (192.168.1.100).

I suspect there is a simple solution to this problem.  Can anyone explain
what it is?  

Thanks,
Don
