Re: [Fwd: network problem: configuration/DNS? cannot access internal machine using our external IP

To: Mark Ferlatte <ferlatte@cryptio.net>
Cc: Debian-User <debian-user@lists.debian.org>
Subject: Re: [Fwd: network problem: configuration/DNS? cannot access internal machine using our external IP
From: Jerome "Lacoste (Frisurf)" <lacostej@frisurf.no>
Date: 16 Feb 2003 17:54:46 +0100
Message-id: <[🔎] 1045414486.1194.53.camel@expresso>
In-reply-to: <[🔎] 20030213181050.GB93457@radix.cryptio.net>
References: <[🔎] 1045127589.674.5.camel@expresso> <[🔎] 20030213181050.GB93457@radix.cryptio.net>

On Thu, 2003-02-13 at 19:10, Mark Ferlatte wrote:
> Jerome Lacoste (Frisurf) said on Thu, Feb 13, 2003 at 10:13:09AM +0100:
> > I have this network configuration
> > 
> >    E
> >    |
> > Internet
> >    |
> >    | (EXT-IP)
> > ** R ** (Firewall)
> >    | (192.168.1.1)
> > ___|___
> > | | | | 
> > M S M M
> > 
> > 
> > E: external machine
> > R: router firewall for our intranet
> > S: internal server running Linux (in fact it runs Mandrake 9.0)
> > M: internal machines
> 
> What is R?  Routerbox, Linux box being a router...?

No it's a dedicated box. ZyXEL ZYWALL.
http://www.zyxel.com (their site is in bad shape now due to mysql
problems apparently).

> > Thus doing a ping EXT-IP or wget EXT-IP ends up with a timeout.
> 
> So you're blocking all ICMP at your router?  That's not a good idea: you
> should rate limit ping (to say 5/sec), and allow many of the other ones.
> ICMP is necessary for IP to function properly.

I am not sure I have that level of control. Not from the web interface
at least. I will have to look more deeply at the command line interface
of the beast. 

> > If I am in my internal network:
> > 
> > > ssh login@192.168.1.9     works
> > > ssh login@xxx.dyndns.org  fails
> > > ssh login@EXT-IP          fails
> 
> Sounds like your router isn't allowing DNS packets to go from behind
> your internal network to your nameservers.  In addition, it sounds like
> your router/firewall is blocking ssh traffic from your internal network
> to your external IP.

The solution is perhaps as Jeremy pointed out to have an internal DNS
server. Does that sound OK to you?

> > >From a windows machine, pring and tracert to EXT-IP work.
> > >From any Linux machine on my network (M), I can ping my EXT-IP, but
> > cannot traceroute it.
> 
> traceroute on Linux works differently than tracert on Windows.  By
> default, traceroute on Linux uses UDP packets, while tracert on Windows
> uses ICMP.  Try traceroute -I from your Linux boxes, and see if that
> works.
> 
> > Now I am out of ideas.
> > So if anybody can tell me why I cannot make a traceroute on linux or an
> > ssh to my external ip from within my network, I would be happy.
> 
> Can you tell us what your router is?  That might help.  

Answered above.

> Are you sure
> that your router is configured to NAT your internal network properly?


I am as sure as what the router tells me ;) 
We have no other problem that I know of.

Thanks a lot,

Jerome

Reply to:

References:
- [Fwd: network problem: configuration/DNS? cannot access internal machine using our external IP
  - From: Jerome "Lacoste (Frisurf)" <lacostej@frisurf.no>
- Re: [Fwd: network problem: configuration/DNS? cannot access internal machine using our external IP
  - From: Mark Ferlatte <ferlatte@cryptio.net>

Prev by Date: Re: ALSA sound setup
Next by Date: Stumped: openAFS client "Connection Timed Out"
Previous by thread: Re: [Fwd: network problem: configuration/DNS? cannot access internal machine using our external IP
Next by thread: gprs Ericsson T200
Index(es):
- Date
- Thread