
Re: Firewall Routing Question



Hi.  Sorry to bother you again, but my problem is not fixed.  I looked
at the ICMP Masquerade Enabled setting in my kernel, and it appears to
be enabled.

I think that the problem I am having is:
o I have a firewall machine, with an interface whose number is 192.168.2.10.
o I have machines on the same hub as this interface whose numbers are not on
  the 192.168.2.0/24 subnet.
o I want these machines to route through the 192.168.2.10 interface to the
  firewall's gateway.
o I have a second hub whose machines are all on a 192.168.1.0/24 subnet,
  and do IP Masquerade to the internet.  This works fine.

My routing tables are:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.254.24.1    0.0.0.0         255.255.255.255 UH    0      0        1 eth0
216.254.24.95   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        1 eth2
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         216.254.24.1    0.0.0.0         UG    1      0        2 eth0

and this is what I expect:
    o The default route is 216.254.24.1, which is the DSL gateway.
    o 216.254.24.95 is on eth1, which is the hub whose if address is
      192.168.2.10.  I can in fact ping 216.254.24.95.
    o The 192.168.1.0/24 subnet is on eth2.  This subnet works fine
      through IP Masquerade.
    o The 192.168.2.0/24 subnet is on eth1, even though the only
      address in this subnet is the if address.
    o The 216.254.24.1 DSL gateway is on eth0, where it is supposed
      to be.

Just for completeness, the behavior seems to be that things are routed
from eth2 (the mixed subnet hub) through the fw machine to eth1 just
fine when they are for the eth1 subnet.  But they do not get out to
the default gateway when they are for addresses on the wider internet.

So, I guess the real question is: is it possible to have an interface
accept packets which are not on the subnet of the interface's address?
It seems as if it is possible, since I can ping machines which go
216.254.24.95 to 192.168.1.1 just fine.  But it doesn't seem to route
these to the default gateway.

I'm sorry if this is an obvious question.  I really have read through
the FAQs and NAG, but I haven't found what could be wrong.

Thanks in advance.
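As an added illustration (not part of the original mail), here is a small Python reimplementation of the kernel's longest-prefix route selection run over the routing table quoted above. It shows that forwarding is decided by the route entries alone: the host route (flag H) is what lets the firewall deliver to 216.254.24.95 on eth1 even though that address is outside 192.168.2.0/24, while any other destination not covered by a listed prefix falls through to the default route on eth0.

```python
# Longest-prefix-match route lookup over the firewall's routing table.
# Added example, not code from the original mail; it mirrors how the kernel
# picks a route so the table's behaviour can be traced for any destination.
import ipaddress

# The "Kernel IP routing table" quoted in the post, copied verbatim.
ROUTING_TABLE = """\
216.254.24.1    0.0.0.0         255.255.255.255 UH    0      0        1 eth0
216.254.24.95   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        1 eth2
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         216.254.24.1    0.0.0.0         UG    1      0        2 eth0
"""


def parse_routes(text):
    """Parse `route -n` style rows into (network, gateway, flags, iface)."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.IPv4Network((dest, mask))   # 0.0.0.0/0.0.0.0 -> default
        gateway = None if gw == "0.0.0.0" else gw    # None: directly on link
        routes.append((net, gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Return (next_hop, iface) for dst; next_hop is None when on-link.

    The most specific matching prefix wins, so a /32 host route beats a /24
    subnet route, which beats the /0 default route."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gateway, _flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for dst in ("216.254.24.95", "216.254.24.96", "192.168.1.1", "10.0.0.1"):
        print(dst, "->", lookup(table, dst))
```

The table only decides where the firewall sends a packet; whether that packet is masqueraded on its way out eth0 is decided separately by the masquerade rules, which the post does not show.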
