
Firewall routing question.



Hi.  I have a routing question.  I have tried this in various combinations,
but I don't seem to have the right one.

This is my desired HW and SW configuration.
o One GNU/Linux firewall machine.  This also has its own IP number.  This
  will also handle incoming email, ftp and web traffic, but that is not
  the issue here.
o Two Windows machines, each with 1 ethernet card, and each with their
  own IP address.  They are going to run proprietary VPN SW to my
  employer's office in San Jose CA.  (I am in MA.)  It goes through
  the firewall machine.
o Two or more Unix/Hurd/Windows machines.  These don't have their own
  IP numbers, but do IP Masq. through the firewall.  These aren't
  on the VPN, even when they are booted into Windows.
o One DSL Modem.
o Two hubs, many ethernet cards and much ethernet cabling.
o I want to be able to mount Samba shares from the Unix machines on
  the VPN'd Windows machines, but not necessarily to export them to
  machines on the company VPN.  I don't need to mount the VPN's file
  systems on the Unix machines, though it wouldn't hurt.

In this explanation I will say the real IP numbers are 10.100.3.1,
10.100.3.2 and 10.100.3.3, though these are of course not the real ones.

Right now, I have the 
o VPN'd Windows machines, the firewall (eth0) and the dsl modem all on one
  hub
o the firewall (eth1) and the Unix/Hurd/Windows machines on the second hub.
o the firewall routes and masquerades the Unix/Hurd/Windows machines.

This means that the VPN'd Windows machines are not behind the firewall.
I'm not completely happy with this, though these machines crash 10-20
times a day, and it would be hard to portscan them.  (If you don't
reboot your Windows machine at least 20 times a day you aren't working
hard enough.)

I would like to have:
o The firewall has three interfaces:
  - One connecting to the DSL modem.  This if has IP number 10.100.3.1.
  - One connecting to a hub for the VPN'd Windows machines.  The
    IP number for this if is 192.168.2.10.
  - One connecting to a hub for the IPMasq'd Unix/Hurd/Windows machines.
    The IP number for this if is 192.168.1.10.
o The firewall does IP masquerade for the Unix/Hurd/Windows machines.
o Everything is routed easily and seamlessly.

I connected it this way, and then I tried the obvious thing:
o Each non-firewall machine has the firewall machine as a default gw,
  on their only interface.
o The fw machine has a default gw route to the DSL gateway.
o The fw machine routes the 192.168.1.0/24 net to eth2 (the if to the
  192.168.1.0/24 hub.)
o The fw machine routes the two real IP addresses 10.100.3.2 and 10.100.3.3
  to eth1 (the if to the 10. hub)
o The fw does proxy arp for the 192.168.1.0/24 machines.  (I tried both
  with this and without this.)

With this, all machines can get out to the internet, but the IPMasq'd
machines cannot ping the 10. machines through the fw machine.

What am I doing wrong?

Thanks in advance.
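Added example (not the poster's configuration, and not a diagnosis of the
poster's setup): one way to express the three-interface layout described
above on a Linux firewall using iproute2 and iptables. Interface names
eth0/eth1/eth2, the DSL gateway address 10.100.3.254 and the use of
iptables rather than ipchains are assumptions. Two design choices differ
from what the post tried: proxy ARP is enabled on the DSL-facing interface
so that packets for 10.100.3.2 and 10.100.3.3 arriving from the modem are
delivered to the firewall, and MASQUERADE is restricted to traffic leaving
via the DSL interface, so a ping from a 192.168.1.x host to the eth1 hub is
forwarded with its private source address intact and the reply comes back
via the Windows hosts' default gateway. Run with DRY_RUN=0 as root to apply;
by default it only prints the commands.

```shell
#!/bin/sh
# Added example of a three-interface masquerading firewall.
# Assumptions: eth0 to the DSL modem, eth1 to the VPN'd Windows hosts,
# eth2 to the masqueraded LAN; DSL gateway 10.100.3.254; iptables/iproute2.
set -eu

WAN=eth0                   # to the DSL modem, carries the real 10.100.3.1
VPN_IF=eth1                # hub with the two VPN'd Windows machines (real IPs)
LAN_IF=eth2                # hub with the masqueraded Unix/Hurd/Windows machines

WAN_IP=10.100.3.1/24
DSL_GW=10.100.3.254        # assumed address of the provider's gateway
VPN_HOSTS="10.100.3.2 10.100.3.3"
VPN_IF_IP=192.168.2.10/24
LAN_IF_IP=192.168.1.10/24
LAN_NET=192.168.1.0/24

DRY_RUN=${DRY_RUN:-1}      # print the commands unless DRY_RUN=0

# Either print a command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_firewall() {
    # Addresses on the three interfaces; the connected routes
    # (10.100.3.0/24, 192.168.2.0/24, 192.168.1.0/24) come with them.
    run ip addr add "$WAN_IP" dev "$WAN"
    run ip addr add "$VPN_IF_IP" dev "$VPN_IF"
    run ip addr add "$LAN_IF_IP" dev "$LAN_IF"

    # Host routes for the two real addresses that live on the eth1 hub,
    # more specific than the connected /24 on eth0, then the default route.
    for h in $VPN_HOSTS; do
        run ip route add "$h/32" dev "$VPN_IF"
    done
    run ip route add default via "$DSL_GW" dev "$WAN"

    # Forwarding on. Proxy ARP on eth0 makes the firewall answer the modem's
    # ARP requests for 10.100.3.2/3; proxy ARP on eth1 lets the Windows hosts
    # use 10.100.3.1 as their default gateway although the firewall's own
    # address on that hub is 192.168.2.10.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$WAN.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$VPN_IF.proxy_arp=1"

    # NAT only for LAN traffic that leaves via the DSL interface. LAN traffic
    # to the eth1 hub keeps its 192.168.1.x source, and the Windows hosts reply
    # through their default gateway, which is this machine.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # Filtering: default deny on FORWARD, replies to existing flows accepted,
    # LAN may go anywhere, VPN'd hosts may go out to the internet and may
    # reach SMB on the LAN (tcp 139/445) so they can mount the Samba shares.
    # Nothing from the DSL side may initiate into either hub; if the
    # proprietary VPN client needs inbound connections, add a rule for it.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    for h in $VPN_HOSTS; do
        run iptables -A FORWARD -i "$VPN_IF" -s "$h" -o "$WAN" -j ACCEPT
        run iptables -A FORWARD -i "$VPN_IF" -s "$h" -o "$LAN_IF" -d "$LAN_NET" \
            -p tcp -m multiport --dports 139,445 -j ACCEPT
    done
}

configure_firewall
```

Each Windows host then needs 10.100.3.1 as its default gateway, and each LAN
host needs 192.168.1.10; no host needs a route to the other hub, because the
firewall is the default gateway on both sides.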