On 26/12/2017 at 12:33, Dan Purgert wrote:
Mark Fletcher wrote:
[...] AirStation LAN is 192.168.11.0/24, outside AirStation LAN is 192.168.1.1, .2 and .3 -- note the third octet difference for internal
You seem to have set up a situation of double-NAT. This means that while 11.x can easily talk to a device on the 1.x network, the opposite is not true.
Good thing, the OP just wants to talk to 192.168.1.x from 192.168.11.x, not the opposite.
Sounds like perhaps the airstation is blocking client devices from talking to "bogus" network addresses. This is generally a feature of consumer gear to stop you from trying to ask the internet for information about a RFC1918 address (as they are private / not routable on the internet).
What do you mean by "ask the internet for information about a RFC1918 address"? Sending an IP packet is not asking the internet for any information.
Now 192.168.1.1 is the default gateway the firewall supplies the AirStation (ie it supplies itself as the gateway) when the AirStation makes a DHCP request, and I'm guessing that is why I can reach 192.168.1.1 from inside the LAN (ie the LAN side of the AirStation). I am wondering if the AirStation somehow doesn't know that it can reach 192.168.1.3 directly, which I would expect it to since it is plugged into the same switch as it and 192.168.1.1 -- and if so, how I would persuade it to know that?
Being plugged to the same switch is not enough. The routing table must also contain a direct route to the destination.
I would also expect that if it did not know that, it would send packets for 192.168.1.3 to 192.168.1.1 for forwarding, just as it does every packet that is destined for the internet -- and I would expect the firewall to be able to forward them, since it can clearly see the PI.
A firewall usually has filtering rules. Do these rules allow packets to be forwarded from the LAN interface back to the same interface? Also, this would cause asymmetric routing (the server would send reply packets directly to the client), which may not work well with stateful filtering as the firewall would see only one direction of the communication.
No, the airstation having been given an address 192.168.1.x/24 will know that it can directly reach any host 192.168.1.1 through 192.168.1.254 inclusive.
Maybe I missed something but I read no evidence in the OP's posts that the netmask on the Airstation WAN side is actually /24. If for instance the mask was set to /30 instead, 192.168.1.3 would be considered by the Airstation as a broadcast address and would explain why it does not work.
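Added example, not part of the original message: a short Python check of how the netmask on the AirStation WAN side changes the treatment of 192.168.1.3. The WAN address 192.168.1.2 is an assumption (the thread only lists .1, .2 and .3 on the outside network), and the function name is hypothetical.

```python
import ipaddress

def classify(iface_cidr, dest, gateway):
    """Return how a host configured with iface_cidr treats a packet for dest."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    dst = ipaddress.ip_address(dest)
    if dst == iface.ip:
        return "local address"
    if dst in net:
        # Prefixes shorter than /31 reserve the first and last address of the subnet.
        if net.prefixlen < 31:
            if dst == net.broadcast_address:
                return "subnet broadcast, not a unicast host"
            if dst == net.network_address:
                return "network address, not a unicast host"
        return "on-link, delivered directly"
    # Not covered by the connected route: fall back to the default gateway,
    # which is only usable if it is itself on-link.
    gw = ipaddress.ip_address(gateway)
    if gw in net:
        return f"off-link, sent to gateway {gw}"
    return "unreachable, gateway is not on-link"

# Constructed values: the WAN address is assumed, the other two come from the thread.
WAN_ADDR = "192.168.1.2"
GATEWAY = "192.168.1.1"
SERVER = "192.168.1.3"

if __name__ == "__main__":
    for prefix in (24, 29, 30):
        cidr = f"{WAN_ADDR}/{prefix}"
        net = ipaddress.ip_interface(cidr).network
        print(f"{cidr:<16} network {net!s:<16} -> {classify(cidr, SERVER, GATEWAY)}")
```

On the device itself, the configured WAN netmask and the connected route in the routing table show which of these cases applies.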