
Re: Mixing and Matching DHCP and static IPs




On Tue, Dec 26, 2017 at 20:40 Dan Purgert <dan@djph.net> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Fletcher wrote:
> [...]
> AirStation LAN is 192.168.11.0/24, outside AirStation LAN is
> 192.168.1.1, .2 and .3 -- note the third octet difference for internal

You seem to have set up a situation of double-NAT.  This means that
while 11.x can easily talk to a device on the 1.x network, the opposite
is not true.

That’s what I expected, but that is not what I am getting — machines on 11.x can easily talk to 192.168.1.1 (and hence to the internet) but not to 192.168.1.3. There is no requirement for the PI to be able to initiate connections back the other way.

> Once I introduce the PI, (by plugging it into the switch, in case that
> isn't obvious) I find I cannot reach it (by ping or by SSH) from inside
> the LAN of my AirStation. For example, from my main Stretch desktop, I
> cannot ping or SSH to the PI at 192.168.1.3. I can both ping and SSH to
> the firewall at 192.168.1.1.
>
> If I SSH into the firewall, and then try to SSH from _there_ to
> 192.168.1.3, I can connect no problem. And I log in to the PI to find it
> bright eyed and bushy tailed, and able to connect to the internet (which
> it must do through the firewall just as all traffic from the AirStation
> does). But if I can't see it from the LAN, I can't use it for the
> purpose I spent the last week of my life building it for... :(

Sounds like perhaps the AirStation is blocking client devices from
talking to "bogus" network addresses.  This is generally a feature of
consumer gear to stop you from trying to ask the internet for
information about an RFC1918 address (as they are private / not routable
on the internet).

So the trick would be to discourage it from thinking of 192.168.1.3 as bogus... Do you think the earlier suggestion of having the PI’s IP address handed out by the DHCP server on the firewall but using DHCP reservation to make sure the PI gets a specific address would fix that?

Anyway I still have trying that ahead of me so will report back when I have.


>
> Now 192.168.1.1 is the default gateway the firewall supplies the
> AirStation (ie it supplies itself as the gateway) when the AirStation
> makes a DHCP request, and I'm guessing that is why I can reach
> 192.168.1.1 from inside the LAN (ie the LAN side of the AirStation). I
> am wondering if the AirStation somehow doesn't know that it can reach
> 192.168.1.3 directly, which I would expect it to since it is plugged
> into the same switch as it and 192.168.1.1 -- and if so, how I would
> persuade it to know that? I would also expect that if it did not know
> that, it would send packets for 192.168.1.3 to 192.168.1.1 for
> forwarding, just as it does every packet that is destined for the
> internet -- and I would expect the firewall to be able to forward them,
> since it can clearly see the PI.


No, the AirStation having been given an address 192.168.1.x/24 will know
that it can directly reach any host 192.168.1.1 through 192.168.1.254
inclusive.

Except for some reason it doesn’t seem to (or, rather, that is what APPEARS to be the case but without answering some of Pascal’s earlier questions I can’t say for certain that is what is going on). We know that 1.1 can reach 1.3, but 11.anything doesn’t seem to be able to, even though they can reach 1.1. I just don’t know why yet.

Mark
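
The on-link rule quoted in the message above (a router holding an address in 192.168.1.x/24 reaches 192.168.1.1 through 192.168.1.254 directly), shown as an added example that is not part of the original thread. The routing table is constructed: the AirStation WAN side is assumed to be 192.168.1.2 with 192.168.1.1 as default gateway, and 203.0.113.10 stands in for an internet host.

```python
import ipaddress

# Constructed routing table for the AirStation (assumption: its WAN address
# is 192.168.1.2; the thread only lists .1, .2 and .3 on the outside network).
# Each entry: (destination network, next hop or None for on-link, interface)
ROUTES = [
    ("192.168.11.0/24", None, "lan"),          # AirStation LAN
    ("192.168.1.0/24", None, "wan"),           # network shared with firewall and Pi
    ("0.0.0.0/0", "192.168.1.1", "wan"),       # default route via the firewall
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (network, next_hop, interface) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_s, hop, iface in routes:
        net = ipaddress.ip_network(net_s)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def describe(dst):
    """Human-readable forwarding decision for one destination."""
    net, hop, iface = lookup(dst)
    how = "on-link (ARP for the host itself)" if hop is None else f"via gateway {hop}"
    return f"{dst}: {how} out {iface}, matched {net}"


def on_link_range(cidr):
    """First and last host address that the router treats as directly reachable."""
    net = ipaddress.ip_network(cidr)
    return str(net[1]), str(net[-2])


if __name__ == "__main__":
    # Pi, firewall, a LAN client, and a constructed internet host
    for dst in ("192.168.1.3", "192.168.1.1", "192.168.11.50", "203.0.113.10"):
        print(describe(dst))
    print("on-link range:", on_link_range("192.168.1.0/24"))
```

This models the routing table only. It does not model any filtering the AirStation may apply to forwarded traffic, which is the possibility raised in the message.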

