[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Are my routing issues firewall-related?

Sigh ... these setups where you try to divide up an address space without
doing proper subnetting are always tricky. I think the problem is the
reverse of what you are focusing on -- that is, I suspect that the DSL
router does not know that its route to x.x.x.96/27 is via x.x.x.98 .  

Have you configured the DSL modem to know this route? Or did you set up the
Linux router to proxy-arp the addresses it firewalls (x.x.x.99-126)? Or did
you handle this bit of routing some other way?

Unless you do, pings and traceroutes will from (say) x.x.x.110 will reach
the DSL modem just fine, but the replies won't be routed through the firewall.

At 03:31 PM 6/27/00 -0400, David H. Silber wrote [in part]:

>I have a routing problem that may or may not be firewall-related.
>I have been assigned a block of 32 routable IP addresses for my new DSL
>connection.  One of these addresses is the address of the DSL router.
>I need to be able to make the default route from the firewall be the
>DSL router.
>As shown below, I can not get through the firewall.
>Am I missing something obvious?
>Ask, if you need more information.
>My setup is as follows:
>  x.x.x.96	Assigned network.
>  x.x.x.97	DSL Router.
>  x.x.x.98	Firewall's outside Ethernet card.
>  x.x.x.99	Firewall's inside Ethernet card.
>  x.x.x.100 through x.x.x.126	Various hosts(*).
>  x.x.x.127	Broadcast.
>  y.y.y.32	Old network addresses (on same internal Ethernet).
>  x.x.x.*  Are the routable addresses assigned by the DSL company.
>  y.y.y.*  Are the routable addresses that are routed through my older,
>	    slower connection.
>(*)  These hosts are connected to the firewall's inside Ethernet card
>and have routable addresses.  There will also be hosts with non-routable
>addresses on the internal network.
>I have this routing set up on the firewall (kernel 2.2.5): 
>  Kernel IP routing table
>  Destination   Gateway     Genmask         Flags Metric Ref    Use Iface
>  x.x.x.97 UH    0      0        0 eth0
>  x.x.x.96 U     0      0        0 eth1
>  y.y.y.32 U     0      0        0 eth1
>       x.x.x.97         UG    0      0        0 eth0
> From the firewall, I can ping to hosts on the y.y.y.32 network, the
>x.x.x.96 network and the outside world.
>I have this routing set up on x.x.x.110 (kernel 2.2.14):
>  Kernel IP routing table
>  Destination   Gateway     Genmask         Flags Metric Ref    Use Iface
>  x.x.x.97      x.x.x.99 UGH   0      0        0 eth0
> UH    0      0        0 lo
>  x.x.x.96 U     0      0        0 eth0
>       x.x.x.99         UG    1      0        0 eth0
> From host x.x.x.110, I can ping hosts on the x.x.x.96 network, but not
>the DSL router, or anything outside of it.

------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        

Reply to: