
Re: Are my routing issues firewall-related?



Did you have some way to set up host routes on the DSL router? If not,
the router may not know how to send packets to anything but the
firewall's external address. That is, the DSL router may think all
the network addresses are reachable without going through a gateway and
may be requesting the MAC address associated with the IP addresses.
You can try tcpdump to see if that's happening. You can also set up
proxy arp on the firewall machine. Then the firewall will supply its
MAC address whenever the DSL router wants to send a packet to IP
addresses on the internal network. The firewall should be able to
properly route the packets once it receives them from the DSL router.
Something like:

# proxy arp for internal addresses or dsl router can't find them
# -i eth0: publish on the outside interface; -D: take the hardware
# address from the named interface; pub: answer ARP for this address
arp -i eth0 -Ds x.x.x.99 eth1 pub
arp -i eth0 -Ds x.x.x.100 eth1 pub
arp -i eth0 -Ds x.x.x.101 eth1 pub
...

On Tue, Jun 27, 2000 at 03:31:24PM -0400, David H. Silber wrote:
> 
> Hi Folks,
> 
> I have a routing problem that may or may not be firewall-related.
> 
> I have been assigned a block of 32 routable IP addresses for my new DSL
> connection.  One of these addresses is the address of the DSL router.
> I need to be able to make the default route from the firewall be the
> DSL router.
> 
> As shown below, I can not get through the firewall.
> 
> Am I missing something obvious?
> 
> Ask, if you need more information.
> 
> Thanks,
> David
> 
> 
> My setup is as follows:
>   x.x.x.96	Assigned network.
>   x.x.x.97	DSL Router.
>   x.x.x.98	Firewall's outside Ethernet card.
>   x.x.x.99	Firewall's inside Ethernet card.
>   x.x.x.100 through x.x.x.126	Various hosts(*).
>   x.x.x.127	Broadcast.
>   y.y.y.32	Old network addresses (on same internal Ethernet).
> 
>   x.x.x.*  Are the routable addresses assigned by the DSL company.
>   y.y.y.*  Are the routable addresses that are routed through my older,
> 	    slower connection.
> 
> (*)  These hosts are connected to the firewall's inside Ethernet card
> and have routable addresses.  There will also be hosts with non-routable
> addresses on the internal network.
> 
> 
> 
> I have this routing set up on the firewall (kernel 2.2.5): 
>   Kernel IP routing table
>   Destination   Gateway     Genmask         Flags Metric Ref    Use Iface
>   x.x.x.97      0.0.0.0     255.255.255.255 UH    0      0        0 eth0
>   x.x.x.96      0.0.0.0     255.255.255.224 U     0      0        0 eth1
>   y.y.y.32      0.0.0.0     255.255.255.224 U     0      0        0 eth1
>   0.0.0.0       x.x.x.97    0.0.0.0         UG    0      0        0 eth0
> 
> I have turned on forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward) on the firewall in /etc/init.d/network.
> 
> I have not yet touched the default ipchains configuration:
>   # ipchains -L input
>   Chain input (policy ACCEPT):
>   # ipchains -L output
>   Chain output (policy ACCEPT):
>   # ipchains -L forward
>   Chain forward (policy ACCEPT):
> 
> From the firewall, I can ping to hosts on the y.y.y.32 network, the
> x.x.x.96 network and the outside world.
> 
> 
> 
> I have this routing set up on x.x.x.110 (kernel 2.2.14):
>   Kernel IP routing table
>   Destination   Gateway     Genmask         Flags Metric Ref    Use Iface
>   x.x.x.97      x.x.x.99    255.255.255.255 UGH   0      0        0 eth0
>   127.0.0.1     0.0.0.0     255.255.255.255 UH    0      0        0 lo
>   x.x.x.96      0.0.0.0     255.255.255.224 U     0      0        0 eth0
>   0.0.0.0       x.x.x.99    0.0.0.0         UG    1      0        0 eth0
> 
> From host x.x.x.110, I can ping hosts on the x.x.x.96 network, but not
> the DSL router, or anything outside of it.
> 
> $ traceroute -Inv x.x.x.99
> traceroute to x.x.x.99 (x.x.x.99), 30 hops max, 38 byte packets
>  1  x.x.x.99 18 bytes to x.x.x.110  0.718 ms  0.600 ms  0.588 ms
> 
> $ traceroute -Inv x.x.x.98
> traceroute to x.x.x.98 (x.x.x.98), 30 hops max, 38 byte packets
>  1  x.x.x.98 18 bytes to x.x.x.110  1.428 ms  0.605 ms  0.596 ms
> 
> $ traceroute -Inv x.x.x.97
> traceroute to x.x.x.97 (x.x.x.97), 30 hops max, 38 byte packets
>  1  x.x.x.99 66 bytes to x.x.x.110  0.962 ms  0.657 ms  0.645 ms
>  2  * * *
>  3  * * *
>     .
>     .
>     .
> 29  * * *
> 30  * * *
> 
> 
> 

-- 
Lee Bradshaw                 lee@sectionIV.com (preferred)
Alantro Communications       lee@alantro.com
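The proxy ARP reasoning in the reply above, worked through as an added example (written for this page, not code from either poster). It models the router's and the firewall's forwarding decisions with longest-prefix match and lists the addresses the firewall has to publish; 203.0.113.96/27 is a constructed stand-in for the thread's x.x.x.96/27, and the interface names "lan", "eth0" and "eth1" are assumptions.

```python
"""Model how the DSL router and the firewall each decide where to send a
packet for the x.x.x.96/27 block, and list the internal addresses the
firewall must answer ARP for. 203.0.113.96/27 is a constructed stand-in
for the thread's x.x.x.96/27; this is an added example, not from the list."""
import ipaddress

NET = ipaddress.ip_network("203.0.113.96/27")          # x.x.x.96/27 stand-in
ROUTER = ipaddress.ip_address("203.0.113.97")          # DSL router
FW_OUT = ipaddress.ip_address("203.0.113.98")          # firewall eth0

# Routing table rows as (prefix, gateway or None, interface), like `route -n`.
ROUTER_ROUTES = [(NET, None, "lan")]   # the router sees the whole /27 as on-link
FIREWALL_ROUTES = [                    # the table David posted, minus y.y.y.32
    (ipaddress.ip_network("203.0.113.97/32"), None, "eth0"),
    (NET, None, "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), ROUTER, "eth0"),
]

def lookup(routes, dst):
    """Longest-prefix match. Returns (gateway, iface); gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def will_arp_for(routes, dst):
    """True when this host ARPs for dst itself instead of for a gateway."""
    gateway, _ = lookup(routes, dst)
    return gateway is None

def proxy_arp_targets(net, firewall_out, router):
    """Addresses the firewall must publish on its outside interface so the
    router's ARP requests get an answer: every host in the block except the
    router itself and the firewall's own outside address."""
    return [a for a in net.hosts() if a not in (firewall_out, router)]

def arp_pub_commands(net, firewall_out, router, ext_if="eth0", int_if="eth1"):
    """Render the `arp -Ds ... pub` lines from the reply for every target."""
    return [f"arp -i {ext_if} -Ds {a} {int_if} pub"
            for a in proxy_arp_targets(net, firewall_out, router)]

if __name__ == "__main__":
    host = "203.0.113.110"                              # David's x.x.x.110
    print("router ARPs for", host, "directly:", will_arp_for(ROUTER_ROUTES, host))
    print("firewall sends", host, "via", lookup(FIREWALL_ROUTES, host))
    print("\n".join(arp_pub_commands(NET, FW_OUT, ROUTER)))
```

Running it shows the router treating x.x.x.110 as on-link (so it ARPs and, without proxy ARP, gets no reply, matching the dead traceroute past hop 1) while the firewall would forward that address out eth1; the last block is the full set of 28 `arp ... pub` lines the reply abbreviates with "...".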
