
Re: Are my routing issues firewall-related?



Thank you.  This was indeed part of the problem.  The other part was a
typo, but this was required to make things work.

My thanks also go to everyone who offered suggestions, even though those
ideas may not have applied to my problem.  I hope someone was able to
benefit from them.

Best Regards,
David H. Silber


On Tue, Jun 27, 2000 at 04:34:19PM -0400, Lee Bradshaw wrote:
> Did you have some way to set up host routes on the DSL router? If not,
> the router may not know how to send packets to anything but the
> firewall's external address. That is, the DSL router may think all
> the network addresses are reachable without going through a gateway and
> may be requesting the MAC address associated with the IP addresses.
> You can try tcpdump to see if that's happening. You can also set up
> proxy arp on the firewall machine. Then the firewall will supply its
> MAC address whenever the DSL router wants to send a packet to IP
> addresses on the internal network. The firewall should be able to
> properly route the packets once it receives them from the DSL router.
> Something like:
> 
> # proxy arp for internal addresses or dsl router can't find them
> arp -i eth0 -Ds x.x.x.99 eth1 pub
> arp -i eth0 -Ds x.x.x.100 eth1 pub
> arp -i eth0 -Ds x.x.x.101 eth1 pub
> ...
> 
> On Tue, Jun 27, 2000 at 03:31:24PM -0400, David H. Silber wrote:
> > 
> > Hi Folks,
> > 
> > I have a routing problem that may or may not be firewall-related.
> > 
> > I have been assigned a block of 32 routable IP addresses for my new DSL
> > connection.  One of these addresses is the address of the DSL router.
> > I need to be able to make the default route from the firewall be the
> > DSL router.
> > 
> > As shown below, I can not get through the firewall.
> > 
> > Am I missing something obvious?
> > 
> > Ask, if you need more information.
> > 
> > Thanks,
> > David
> > 
> > 
> > My setup is as follows:
> >   x.x.x.96	Assigned network.
> >   x.x.x.97	DSL Router.
> >   x.x.x.98	Firewall's outside Ethernet card.
> >   x.x.x.99	Firewall's inside Ethernet card.
> >   x.x.x.100 through x.x.x.126	Various hosts(*).
> >   x.x.x.127	Broadcast.
> >   y.y.y.32	Old network addresses (on same internal Ethernet).
> > 
> >   x.x.x.*  Are the routable addresses assigned by the DSL company.
> >   y.y.y.*  Are the routable addresses that are routed through my older,
> > 	    slower connection.
> > 
> > (*)  These hosts are connected to the firewall's inside Ethernet card
> > and have routable addresses.  There will also be hosts with non-routable
> > addresses on the internal network.
> > 
> > 
> > 
> > I have this routing set up on the firewall (kernel 2.2.5): 
> >   Kernel IP routing table
> >   Destination   Gateway     Genmask         Flags Metric Ref    Use Iface
> >   x.x.x.97      0.0.0.0     255.255.255.255 UH    0      0        0 eth0
> >   x.x.x.96      0.0.0.0     255.255.255.224 U     0      0        0 eth1
> >   y.y.y.32      0.0.0.0     255.255.255.224 U     0      0        0 eth1
> >   0.0.0.0       x.x.x.97    0.0.0.0         UG    0      0        0 eth0
> > 
> > I have turned on forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward) on the firewall in /etc/init.d/network.
> > 
> > I have not yet touched the default ipchains configuration:
> >   # ipchains -L input
> >   Chain input (policy ACCEPT):
> >   # ipchains -L output
> >   Chain output (policy ACCEPT):
> >   # ipchains -L forward
> >   Chain forward (policy ACCEPT):
> > 
> > From the firewall, I can ping to hosts on the y.y.y.32 network, the
> > x.x.x.96 network and the outside world.
> > 
> > 
> > 
> > I have this routing set up on x.x.x.110 (kernel 2.2.14):
> >   Kernel IP routing table
> >   Destination   Gateway     Genmask         Flags Metric Ref    Use Iface
> >   x.x.x.97      x.x.x.99    255.255.255.255 UGH   0      0        0 eth0
> >   127.0.0.1     0.0.0.0     255.255.255.255 UH    0      0        0 lo
> >   x.x.x.96      0.0.0.0     255.255.255.224 U     0      0        0 eth0
> >   0.0.0.0       x.x.x.99    0.0.0.0         UG    1      0        0 eth0
> > 
> > From host x.x.x.110, I can ping hosts on the x.x.x.96 network, but not
> > the DSL router, or anything outside of it.
> > 
> > $ traceroute -Inv x.x.x.99
> > traceroute to x.x.x.99 (x.x.x.99), 30 hops max, 38 byte packets
> >  1  x.x.x.99 18 bytes to x.x.x.110  0.718 ms  0.600 ms  0.588 ms
> > 
> > $ traceroute -Inv x.x.x.98
> > traceroute to x.x.x.98 (x.x.x.98), 30 hops max, 38 byte packets
> >  1  x.x.x.98 18 bytes to x.x.x.110  1.428 ms  0.605 ms  0.596 ms
> > 
> > $ traceroute -Inv x.x.x.97
> > traceroute to x.x.x.97 (x.x.x.97), 30 hops max, 38 byte packets
> >  1  x.x.x.99 66 bytes to x.x.x.110  0.962 ms  0.657 ms  0.645 ms
> >  2  * * *
> >  3  * * *
> >     .
> >     .
> >     .
> > 29  * * *
> > 30  * * *
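
As an added example (not part of the thread, and not Lee's or David's own
script), here is a small POSIX sh generator for the per-address proxy-ARP
entries Lee suggests, covering the whole /27 so that no internal host is
left out of the list. The function name proxy_arp_cmds is my own, eth0
(outside) and eth1 (inside) follow the thread's layout, and 192.0.2.96/27
is a constructed stand-in for the thread's x.x.x.96/27 (.97 router, .98
firewall outside, .99 firewall inside, .100 to .126 hosts). It only prints
the commands, so the output can be reviewed and then run as root.

```shell
#!/bin/sh
# Added example, not from the original thread: generate the proxy-ARP
# entries (one per internal host address) in the form Lee Bradshaw gave,
# for an entire block. Nothing here is executed; the output is meant to
# be read and then piped to sh as root on the firewall.
#
# proxy_arp_cmds PREFIX FIRST_OCTET MASKLEN OUTSIDE_IF INSIDE_IF [EXCLUDE...]
#   PREFIX       first three octets of the block, e.g. 192.0.2
#   FIRST_OCTET  last octet of the network address, e.g. 96
#   MASKLEN      prefix length, 25..30 (the block must fit in one octet)
#   OUTSIDE_IF   interface facing the DSL router (where ARP is answered)
#   INSIDE_IF    interface the hosts sit behind
#   EXCLUDE...   last octets that must not be published: the DSL router
#                and the firewall's own outside address
# The network and broadcast addresses are always skipped. The firewall's
# inside address is deliberately published, as in Lee's list.
proxy_arp_cmds() {
    prefix=$1; first=$2; masklen=$3; outside=$4; inside=$5
    shift 5
    [ "$masklen" -ge 25 ] && [ "$masklen" -le 30 ] || {
        echo "masklen must be 25..30, got $masklen" >&2; return 1; }
    size=$(( 1 << (32 - masklen) ))           # addresses in the block
    [ $(( first % size )) -eq 0 ] || {
        echo "$prefix.$first is not aligned to a /$masklen" >&2; return 1; }
    last=$(( first + size - 1 ))              # directed broadcast
    o=$(( first + 1 ))                        # skip the network address
    while [ "$o" -lt "$last" ]; do            # stop before the broadcast
        skip=0
        for ex in "$@"; do
            [ "$o" -eq "$ex" ] && skip=1
        done
        [ "$skip" -eq 0 ] && \
            echo "arp -i $outside -Ds $prefix.$o $inside pub"
        o=$(( o + 1 ))
    done
}

# Constructed stand-in for the thread's layout: x.x.x.96/27 with the DSL
# router at .97 and the firewall's outside card at .98 excluded.
proxy_arp_cmds 192.0.2 96 27 eth0 eth1 97 98
```

The check Lee mentions is tcpdump on the firewall's outside interface,
`tcpdump -n -i eth0 arp`: before the entries exist you see the router's
`arp who-has x.x.x.110 tell x.x.x.97` requests repeating with no reply;
afterwards each one is answered. A shorter alternative is
`echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp`, but that makes the
kernel answer ARP for every address it can route out another interface,
including whatever else lives on the inside Ethernet, whereas the explicit
`pub` entries name exactly the addresses meant to be reachable from the
router side and can be audited with `arp -an`.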