
Re: Firewall routing question.



On Mon, Feb 14, 2000 at 10:41:35AM -0500, Bill White wrote:
> Hi.  I have a routing question.  I have tried this in various combinations,
> but I don't seem to have the right one.
> 
> This is my desired HW and SW configuration.
> o One GNU/Linux firewall machine.  This also has its own IP number.  This
>   will also handle incoming email, ftp and web traffic, but that is not
>   the issue here.
> o Two Windows machines, each with 1 ethernet card, and each with their
>   own IP address.  They are going to run proprietary VPN SW to my
>   employer's office in San Jose CA.  (I am in MA.)  It goes through
>   the firewall machine.
> o Two or more Unix/Hurd/Windows machines.  These don't have their own
>   IP numbers, but do IP Masq. through the firewall.  These aren't
>   on the VPN, even when they are booted into Windows.
> o One DSL Modem.
> o Two hubs, many ethernet cards and much ethernet cabling.
> o I want to be able to mount Samba shares from the Unix machines on
>   the VPN'd Windows machines, but not necessarily to export them to
>   machines on the company VPN.  I don't need to mount the VPN's file
>   systems on the Unix machines, though it wouldn't hurt.
> 
> In this explanation I will say the real IP numbers are 10.100.3.1,
> 10.100.3.2 and 10.100.3.3, though these are of course not the real ones.
> 
> Right now, I have the 
> o VPN'd Windows machines, the firewall (eth0) and the dsl modem all on one
>   hub
> o the firewall (eth1) and the Unix/Hurd/Windows machines on the second hub.
> o the firewall routes and masquerades the Unix/Hurd/Windows machines.
> 
> This means that the VPN'd Windows machines are not behind the firewall.
> I'm not completely happy with this, though these machines crash 10-20
> times a day, and it would be hard to portscan them.  (If you don't
> reboot your Windows machine at least 20 times a day you aren't working
> hard enough.)
> 
> I would like to have:
> o The firewall has three interfaces:
>   - One connecting to the DSL modem.  This if has IP number 10.100.3.1.
>   - One connecting to a hub for the VPN'd Windows machines.  The
>     IP number for this if is 192.168.2.10.
>   - One connecting to a hub for the IPMasq'd Unix/Hurd/Windows machines.
>     The IP number for this if is 192.168.1.10.
> o The firewall does IP masquerade for the Unix/Hurd/Windows machines.
> o Everything is routed easily and seamlessly.
> 
> I connected it this way, and then I tried the obvious thing:
> o Each non-firewall machine has the firewall machine as a default gw,
>   on their only interface.
> o The fw machine has a default gw route to the DSL gateway.
> o The fw machine routes the 192.168.1.0/24 net to eth2 (the if to the
>   192.168.1.0/24 hub.)
> o The fw machine routes the two real IP addresses 10.100.3.2 and 10.100.3.3
>   to eth1 (the if to the 10. hub)
> o The fw does proxy arp for the 192.168.1.0/24 machines.  (I tried both
>   with this and without this.)

Unnecessary, and probably a bad idea.

> 
> With this, all machines can get out to the internet, but the IPMasq'd
> machines could not ping the 10. machines through the fw machine.
> 
> What am I doing wrong?
> 

Quick check: did you enable ICMP masquerading in the firewall
machine's kernel?



John P.
-- 
huiac@camtech.net.au
john@huiac.apana.org.au
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark
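As an added illustration, not code from either poster, here is a small Python model of the forwarding decisions on the three-interface firewall Bill describes: longest-prefix routing over the routes he lists, plus the masquerade decision for the 192.168.1.0/24 hub. The DSL gateway address 10.100.3.254, the host addresses 192.168.1.5 and 198.51.100.7, and the behaviour of a kernel built without ICMP masquerading (the echo request leaves with its private source untranslated) are assumptions for the model, not facts from the thread.

```python
import ipaddress

# Constructed routing table for the firewall described in the thread.
# (network, egress interface, next hop or None when the net is on-link)
# The DSL gateway 10.100.3.254 is an assumed address, not from the post.
ROUTES = [
    ("192.168.1.0/24", "eth2", None),     # IPMasq'd Unix/Hurd/Windows hub
    ("192.168.2.0/24", "eth1", None),     # hub for the VPN'd Windows machines
    ("10.100.3.2/32", "eth1", None),      # real IPs routed to eth1
    ("10.100.3.3/32", "eth1", None),
    ("0.0.0.0/0", "eth0", "10.100.3.254"),  # default route to the DSL gateway
]
IFACE_ADDR = {"eth0": "10.100.3.1", "eth1": "192.168.2.10", "eth2": "192.168.1.10"}
MASQ_NETS = ["192.168.1.0/24"]  # only the Unix/Hurd hub is masqueraded


def lookup(dst):
    """Longest-prefix match over ROUTES.

    Returns (egress_iface, next_hop); for an on-link route the next hop is
    the destination itself. Returns None when nothing matches.
    """
    best = None
    for net, iface, gw in ROUTES:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface, gw or dst)
    return None if best is None else (best[1], best[2])


def forward(src, dst, proto, masq_icmp=True):
    """Model the firewall's forwarding decision for a single packet.

    Returns the egress interface, the source address the far end will see,
    the next hop, and whether the source was masqueraded.
    """
    route = lookup(dst)
    if route is None:
        return {"action": "unroutable"}
    iface, next_hop = route
    from_masq_net = any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
                        for n in MASQ_NETS)
    # Packets staying on the masqueraded hub (egress eth2) are not rewritten.
    needs_masq = from_masq_net and iface != "eth2"
    # Assumption for the model: without ICMP masquerading in the kernel the
    # echo request is forwarded with its private source address, so the far
    # end answers an address that is not the firewall's.
    if needs_masq and proto == "icmp" and not masq_icmp:
        return {"action": "forward", "iface": iface, "src": src,
                "next_hop": next_hop, "masqueraded": False}
    new_src = IFACE_ADDR[iface] if needs_masq else src
    return {"action": "forward", "iface": iface, "src": new_src,
            "next_hop": next_hop, "masqueraded": needs_masq}


if __name__ == "__main__":
    # Constructed sample flows: a ping from the masqueraded hub to a VPN'd
    # Windows box, with and without ICMP masquerading, and web traffic out.
    print(forward("192.168.1.5", "10.100.3.2", "icmp", masq_icmp=False))
    print(forward("192.168.1.5", "10.100.3.2", "icmp"))
    print(forward("192.168.1.5", "198.51.100.7", "tcp"))
    print(forward("10.100.3.2", "198.51.100.7", "tcp"))
```

The last call shows the property Bill wants for the VPN'd machines: their real addresses are routed, never masqueraded, so the proprietary VPN client talks to San Jose with its own IP. The first two calls show why John's question matters: the only difference between the ping that works and the one that does not is whether ICMP gets the same source rewrite as TCP and UDP.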