
Re: Routing



Oh boy indeed!

Situation:

Internet - Eth1 (217.149.34.117) - Debian - Eth0 - Internal 192.168.8.0/24 (LAN)
                                                     \- Gateway (192.168.8.4) - 10.1.0.0/24 (LAN)
                                                                             \- 192.168.3.0/24 (LAN)

I'd like to give my road warriors access to the three LANs.
This is now a fact. Thanks for that!

Sometimes though they also need to access FTP sites and websites while also
on the LAN. Internal websites are of course no problem anymore, but Internet
websites are.
By reading your excellent explanation, I understand that this is a tough
cookie to bake.

OK, so be it. If there is no easy route to create, then I have to think of
some other way for this.

Thanks,
Mark

p.s.
You don't happen to know how to get MPPE encryption working, do you? I
installed the kernel-patch-mppe but the HOWTOs and manuals tell me I have
to compile the kernel. Any docs on that?
Thanks again.


----- Original Message -----
From: "Kevin Buhr" <buhr@telus.net>
To: "Mark Maas" <mark@menem.mine.nu>
Cc: <debian-user@lists.debian.org>
Sent: Saturday, September 06, 2003 12:10 AM
Subject: Re: Routing


> "Mark Maas" <mark@menem.mine.nu> writes:
> >
> > When I use the MS pptp client and login to the pptpd server on this
> > machine I can ping all networks from the client, but cannot reach the
> > Internet. Pinging google.nl results in the name being resolved to the
> > IP address of google.nl but the request doesn't ever reach google.nl...
>
> Oh boy...
>
> We're getting to the stage where you may have to explain what it is
> you're trying to accomplish and give a lot more detail about your
> network topology.
>
> Why are you setting up this PPTP tunnel?  Are you using it as an
> (expensive) way to connect a single machine on the intranet to the
> Internet through the ADSL (??) on the Linux box?  Or are you
> eventually aiming to have a Windows machine out on the big, bad
> Internet connect to your intranet through the secure PPTP tunnel and
> have access to all intranet machines and also the rest of the
> Internet?
>
> Besides the ADSL on your Linux box, are there any other connections
> from the intranet to the Internet?  Are other machines forwarding
> traffic through your Linux box right now?  Or are they even able to
> connect to the Internet?  Do you have a single external IP address or
> a block of them?
>
> In a nutshell, what's probably going wrong is that your Windows
> machine, whatever its original IP address was, reconfigured itself
> when you started up its PPTP client.  It's now using its original IP
> address only to shuttle packets across the PPTP tunnel to and from the
> Linux box.  For all other purposes, it's using the IP address assigned
> by the copy of "pppd" running on the Linux box (in the "remote IP
> address" line in your log).  This is presumably some address on the
> 192.168.8.x network, say 192.168.8.123.
>
> When you ping, say, the intranet gateway "192.168.8.4", from the
> Windows box, the packet goes out with source IP 192.168.8.123 and
> destination 192.168.8.4 across the PPTP tunnel.  The Linux box
> forwards the packet out to the "eth0" interface where 192.168.8.4
> picks it up and generates a reply.  The reply needs to go to
> 192.168.8.123, and that's fine---the Linux box has configured itself
> to do proxy ARP for 192.168.8.123, so packets destined for that
> address go to your Linux box which recognizes that it's destined for
> the Windows machine and shuttles the packet back across the PPTP
> tunnel and you get your reply.
>
> Unfortunately, when you ping "google.nl", the packet goes out with
> source IP 192.168.8.123 across the PPTP tunnel.  The Linux box
> forwards the packet out to the "eth1" interface (because its
> destination matches the default route), and it goes out to "google.nl"
> with an internal source IP.  It either gets filtered at your or
> "google.nl"'s ISP perimeter (when the firewalls notice that its source
> IP is an unroutable address) or "google.nl" actually gets the packet,
> formulates a reply, and discovers it can't deliver it.
>
> If you really want things to work this way, you need to do source NAT
> on behalf of the Windows machine (or any other internal machine that's
> trying to send packets to the Internet through your Linux machine) so
> packets that hit the Internet can find their way back to your Linux
> machine through its public (ADSL) IP address.
>
> --
> Kevin <buhr@telus.net>
>
>
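As an added example (not code from this thread, nor from any Debian package), here is a small POSIX shell script that implements the source NAT Kevin describes for Mark's topology, and that also mirrors his two scenarios: a ping to the intranet gateway leaves via eth0 untouched (proxy ARP brings the reply back), while a ping to google.nl leaves via eth1 and gets its source rewritten to the public address. It assumes eth1 carries 217.149.34.117 and the inner LANs are 10.1.0.0/24 and 192.168.3.0/24 (both from Mark's diagram), that pppd hands road warriors addresses in 192.168.8.0/24 (Kevin's presumption), and that the FORWARD chain needs explicit ACCEPT rules. The function names ip_to_int, in_net, needs_snat and build_nat_rules are mine; the script only prints the iptables commands, so it can be inspected before being piped into a root shell.

```shell
#!/bin/sh
# Added example, not code from the thread. Source NAT for PPTP road warriors
# on Mark's box: packets from private addresses that leave through the ADSL
# interface get the public address as their source, so replies can return.
# Assumptions: eth1 carries 217.149.34.117 (diagram), pppd assigns clients
# addresses in 192.168.8.0/24 (Kevin's presumption), and the inner LANs are
# 10.1.0.0/24 and 192.168.3.0/24 (diagram).
WAN_IF="${WAN_IF:-eth1}"
WAN_IP="${WAN_IP:-217.149.34.117}"
PRIVATE_NETS="${PRIVATE_NETS:-192.168.8.0/24 10.1.0.0/24 192.168.3.0/24}"

# Dotted quad -> 32-bit integer using shell arithmetic only.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/BITS -> succeeds when IP lies inside the prefix.
in_net() {
    want=$(ip_to_int "$1")
    base=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( want & mask )) -eq $(( base & mask )) ]
}

# needs_snat SRC_IP OUT_IF -> succeeds when the rules below would rewrite
# the packet: private source AND egress via the WAN interface. Packets
# forwarded out eth0 to the intranet are left alone, which is why proxy ARP
# still delivers their replies to the PPTP client.
needs_snat() {
    [ "$2" = "$WAN_IF" ] || return 1
    for net in $PRIVATE_NETS; do
        in_net "$1" "$net" && return 0
    done
    return 1
}

# Print the commands; review them, then apply as root, e.g. "sh nat.sh | sh".
build_nat_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    for net in $PRIVATE_NETS; do
        # Matching on the egress interface keeps intranet traffic untouched.
        echo "iptables -t nat -A POSTROUTING -s $net -o $WAN_IF -j SNAT --to-source $WAN_IP"
    done
    # Assumed: FORWARD policy is DROP, so forwarded tunnel traffic needs ACCEPTs.
    echo "iptables -A FORWARD -i ppp+ -o $WAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Kevin's two scenarios, with the client at the presumed 192.168.8.123.
if needs_snat 192.168.8.123 eth0; then echo "to 192.168.8.4 via eth0: rewritten"
else echo "to 192.168.8.4 via eth0: source kept, reply returns via proxy ARP"; fi
if needs_snat 192.168.8.123 eth1; then echo "to google.nl via eth1: source becomes $WAN_IP"
else echo "to google.nl via eth1: not rewritten"; fi
build_nat_rules
```

SNAT with a fixed --to-source fits a static ADSL address; if the ISP hands out a changing address, MASQUERADE on eth1 does the same job without naming the address.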


