Network Routing - Help
-
Network Routing
Apologies if this is not the correct list.
I have a linux box with kernel 2.6.11.7 which I am trying to configure
as a router. I have a cable modem connected to a firewall/router
(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
connected to the firewall/router. Also connected to yoda is another
network (with computer foo 192.168.1.3). I can access the internet from
yoda and I can access yoda from foo, but I cannot access the internet
from foo.
yoda has the correct interface configuration and routing table
192.168.2.0 * 255.255.255.0 eth1
192.168.1.0 * 255.255.255.0 eth0
default 192.168.2.1 0.0.0.0 eth1
and I have ip forwarding enabled:
$ cat /proc/sys/net/ipv4/ip_forward
1
From what I have found in the HOWTOs and documentation this is all I
should have to do.
I do not need to do any masquerading so I do not see the need for
netfiltering, is this assumption correct?
What am I missing?
Thanks in advance.
Vivian McPhail
-
Re: Network Routing
On Sun, 17 Apr 2005, Vivian McPhail wrote:
> Apologies if this is not the correct list.
>
> I have a linux box with kernel 2.6.11.7 which I am trying to configure
> as a router. I have a cable modem connected to a firewall/router
> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
> connected to the firewall/router. Also connected to yoda is another
> network (with computer foo 192.168.1.3). I can access the internet from
> yoda and I can access yoda from foo, but I cannot access the internet
> from foo.
>
> yoda has the correct interface configuration and routing table
>
> 192.168.2.0 * 255.255.255.0 eth1
> 192.168.1.0 * 255.255.255.0 eth0
> default 192.168.2.1 0.0.0.0 eth1
>
> and I have ip forwarding enabled:
>
> $ cat /proc/sys/net/ipv4/ip_forward
> 1
>
> From what I have found in the HOWTOs and documentation this is all I
> should have to do.
>
> I do not need to do any masquerading so I do not see the need for
> netfiltering, is this assumption correct?
Not necessarily. Your router likely has no knowledge of, or any clue, how
to route your 192.168.1.0/24 network.
- If your router is capable of static routing, you could use yoda
192.168.2.4 on it as a gateway for 192.168.1.0/24 network.
- Or if your router is capable of setting a 255.255.0.0 netmask, you could
enable proxy arp on eth1, so it would answer arp for eth0:
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
- Or even if netmask on router is limited to 255.255.255.0 you could set
eth0 to a portion of eth1 network and enable proxy_arp on eth1. For
example based on my wireless subnet, you could set eth0 to 192.168.2.241
netmask 255.255.255.249 broadcast 192.168.2.247 and have useable IPs on
eth0 .242 - .246. PC(s) on eth0 would use eth0 IP as gateway. With
proxy_arp enabled for eth1, it would answer arp requests for eth0 net,
making it one happy LAN.
- Or if all else fails, use iptables to masquerade your eth0 network as
your eth1 IP.
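The three non-masquerade options above turn on one question: for a given address and netmask on its LAN side, does the firewall treat a destination as on-link (and ARP for it, which proxy_arp on yoda's eth1 can answer) or does it hand the packet to its default route (which only works once it has a static route via yoda)? The following Python is an added illustration, not code from the thread, using the standard `ipaddress` module with the thread's own addresses. For the third option it assumes 255.255.255.248 (/29), the contiguous mask that yields the .240-.247 block described; the list of addresses already in use is constructed.

```python
import ipaddress

# Added example for the thread's three non-masquerade options; not code from
# the thread. Addresses are the thread's own (firewall 192.168.2.1, yoda eth1
# 192.168.2.4, foo 192.168.1.3); the /29 mask is an assumption, see lead-in.

def on_link(iface_cidr, dst):
    """True when dst lies inside the interface's own subnet, so the host will
    ARP for it directly instead of handing it to its default gateway. An ARP
    request for a host behind yoda is what proxy_arp on yoda's eth1 answers."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(iface_cidr).network

def firewall_reaches_foo(firewall_iface_cidr, foo="192.168.1.3"):
    """How the firewall, with the given address/mask on its LAN side, would
    try to reach foo: 'default-route' (needs a static route via yoda) or
    'arp-on-lan' (answerable by proxy ARP on yoda's eth1)."""
    return "arp-on-lan" if on_link(firewall_iface_cidr, foo) else "default-route"

def carve(parent_cidr, sub_cidr, in_use):
    """Carve a smaller block out of an existing LAN for yoda's eth0 side and
    report network, mask, broadcast, usable hosts and any clash with addresses
    already in use on the parent LAN."""
    parent = ipaddress.ip_network(parent_cidr)
    sub = ipaddress.ip_network(sub_cidr)
    if not sub.subnet_of(parent):
        raise ValueError(f"{sub} is not inside {parent}")
    return {
        "network": str(sub.network_address),
        "netmask": str(sub.netmask),
        "broadcast": str(sub.broadcast_address),
        "usable": [str(h) for h in sub.hosts()],
        "clashes": [a for a in in_use if ipaddress.ip_address(a) in sub],
    }

if __name__ == "__main__":
    # Option 1: firewall keeps /24; foo is off-link, so a static route is needed.
    print(firewall_reaches_foo("192.168.2.1/24"))
    # Option 2: firewall widened to /16; foo looks on-link, proxy ARP can answer.
    print(firewall_reaches_foo("192.168.2.1/16"))
    # Option 3: eth0 renumbered into 192.168.2.240/29 inside the firewall's /24.
    print(carve("192.168.2.0/24", "192.168.2.240/29", ["192.168.2.1", "192.168.2.4"]))
    print(firewall_reaches_foo("192.168.2.1/24", foo="192.168.2.242"))
```

The `clashes` list is the check worth running before renumbering: the carved block must not contain the firewall's address, yoda's eth1 address, or anything else already on the 192.168.2.0/24 LAN.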
-
Re: Network Routing
I use IPCOP. It's great.
http://www.ipcop.org
"Vivian McPhail" wrote in message
news:4261bc85$1@clear.net.nz...
> Apologies if this is not the correct list.
>
> I have a linux box with kernel 2.6.11.7 which I am trying to configure as
> a router. I have a cable modem connected to a firewall/router
> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is connected
> to the firewall/router. Also connected to yoda is another network (with
> computer foo 192.168.1.3). I can access the internet from yoda and I can
> access yoda from foo, but I cannot access the internet from foo.
>
> yoda has the correct interface configuration and routing table
>
> 192.168.2.0 * 255.255.255.0 eth1
> 192.168.1.0 * 255.255.255.0 eth0
> default 192.168.2.1 0.0.0.0 eth1
>
> and I have ip forwarding enabled:
>
> $ cat /proc/sys/net/ipv4/ip_forward
> 1
>
> From what I have found in the HOWTOs and documentation this is all I
> should have to do.
>
> I do not need to do any masquerading so I do not see the need for
> netfiltering, is this assumption correct?
>
> What am I missing?
>
> Thanks in advance.
>
> Vivian McPhail
-
Re: Network Routing
Vivian McPhail wrote:
> Apologies if this is not the correct list.
>
> I have a linux box with kernel 2.6.11.7 which I am trying to configure
> as a router. I have a cable modem connected to a firewall/router
> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
> connected to the firewall/router. Also connected to yoda is another
> network (with computer foo 192.168.1.3). I can access the internet from
> yoda and I can access yoda from foo, but I cannot access the internet
> from foo.
Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
would try and put in the same ones that are on yoda.
Peter F
-
Re: Network Routing
Peter F wrote:
> Vivian McPhail wrote:
>
>
>>Apologies if this is not the correct list.
>>
>>I have a linux box with kernel 2.6.11.7 which I am trying to configure
>>as a router. I have a cable modem connected to a firewall/router
>>(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
>>connected to the firewall/router. Also connected to yoda is another
>>network (with computer foo 192.168.1.3). I can access the internet from
>>yoda and I can access yoda from foo, but I cannot access the internet
>>from foo.
>
>
>
>
> Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
> would try and put in the same ones that are on yoda.
>
> Peter F
I can't get from one card eth0 to the other eth1. Even when I use
numbers not names.
-
Re: Network Routing
Vivian McPhail wrote:
> Peter F wrote:
>
>> Vivian McPhail wrote:
>>
>>
>>> Apologies if this is not the correct list.
>>>
>>> I have a linux box with kernel 2.6.11.7 which I am trying to configure
>>> as a router. I have a cable modem connected to a firewall/router
>>> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
>>> connected to the firewall/router. Also connected to yoda is another
>>> network (with computer foo 192.168.1.3). I can access the internet from
>>> yoda and I can access yoda from foo, but I cannot access the internet
>>> from foo.
>>
>>
>>
>>
>>
>> Try checking /etc/resolv.conf on foo. It should have nameserver
>> entries. I
>> would try and put in the same ones that are on yoda.
>
> I can't get from one card eth0 to the other eth1. Even when I use
> numbers not names.
>
What is foo's default gateway? Also, imagine the route that
a packet will take to the Internet. foo puts it on the wire.
If the default gateway is set to yoda, then it is sent to
yoda. yoda picks it up and forwards it to the firewall. The
firewall sends it out, presumably NATting it at the same
time. It travels to the destination on the Internet. When the
reply is sent from the Internet host it is directed to the
firewall (which stuck its address in the packet when it
NATted it). It arrives back at the firewall which deNATs it
to the correct address. Problem! The firewall doesn't know
where to send it. The firewall needs a route to foo's
network via yoda!
Cheers,
Cliff
--
Barzoomian the Martian - http://barzoomian.blogspot.com
-
Re: Network Routing
On Mon, 18 Apr 2005 16:39:46 +1200, Vivian McPhail wrote:
> Peter F wrote:
>> Vivian McPhail wrote:
>>
>>
>>>Apologies if this is not the correct list.
>>>
>>>I have a linux box with kernel 2.6.11.7 which I am trying to configure
>>>as a router. I have a cable modem connected to a firewall/router
>>>(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
>>>connected to the firewall/router. Also connected to yoda is another
>>>network (with computer foo 192.168.1.3). I can access the internet from
>>>yoda and I can access yoda from foo, but I cannot access the internet
>>>from foo.
>>
>>
>>
>>
>> Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
>> would try and put in the same ones that are on yoda.
>>
>> Peter F
>
> I can't get from one card eth0 to the other eth1. Even when I use
> numbers not names.
I think you'll find that your firewall/router device has no knowledge of
the 192.168.1.0/24 network so it is unable to route any traffic to foo.
Read David's post for solution.
-
Re: Network Routing
Enkidu wrote:
> Vivian McPhail wrote:
>
>> Peter F wrote:
>>
>>> Vivian McPhail wrote:
>>>
>>>
>>>> Apologies if this is not the correct list.
>>>>
>>>> I have a linux box with kernel 2.6.11.7 which I am trying to configure
>>>> as a router. I have a cable modem connected to a firewall/router
>>>> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
>>>> connected to the firewall/router. Also connected to yoda is another
>>>> network (with computer foo 192.168.1.3). I can access the internet
>>>> from
>>>> yoda and I can access yoda from foo, but I cannot access the internet
>>>> from foo.
>>>
>
> What is foo's default gateway? Also, imagine the route that a packet
> will take to the Internet. foo puts it on the wire. If the default
> gateway is set to yoda, then it is sent to yoda. yoda picks it up and
> forwards it to the firewall. The firewall sends it out, presumably
> NATting it at the same time. It travels to the destination on the
> Internet. When the reply is sent from the Internet host it is directed
> to the firewall (which stuck its address in the packet when it NATted
> it). It arrives back at the firewall which deNATs it to the correct
> address. Problem! The firewall doesn't know where to send it. The
> firewall needs a route to foo's network via yoda!
>
> Cheers,
>
> Cliff
>
The gateway is yoda, but the problem is that yoda doesn't forward the
packet from the eth0 interface to the eth1 interface. (I have IP
forwarding enabled on yoda). So from your scenario, yoda picks up the
packet, and never sends it to the firewall.
In confusion,
Vivian
-
Re: Network Routing
Reader wrote:
> On Mon, 18 Apr 2005 16:39:46 +1200, Vivian McPhail wrote:
>
>
>>Peter F wrote:
>>
>>>Vivian McPhail wrote:
>>>
>>>
>>>
>>>>Apologies if this is not the correct list.
>>>>
>>>>I have a linux box with kernel 2.6.11.7 which I am trying to configure
>>>>as a router. I have a cable modem connected to a firewall/router
>>>>(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
>>>>connected to the firewall/router. Also connected to yoda is another
>>>>network (with computer foo 192.168.1.3). I can access the internet from
>>>>yoda and I can access yoda from foo, but I cannot access the internet
>>>>from foo.
>>>
>>>
>>>
>>>
>>>Try checking /etc/resolv.conf on foo. It should have nameserver entries. I
>>>would try and put in the same ones that are on yoda.
>>>
>>>Peter F
>>
>>I can't get from one card eth0 to the other eth1. Even when I use
>>numbers not names.
>
>
> I think you'll find that your firewall/router device has no knowledge of
> the 192.168.1.0/24 network so it is unable to route any traffic to foo.
> Read David's post for solution.
>
foo 192.168.1.3
yoda 192.168.1.1 and 192.168.2.4
firewall 192.168.2.1 and external-ip
from foo:
ping yoda - works
ping firewall - request times out.
So, while I have to configure the firewall to route incoming traffic for
the 192.168.1.0/24 network, that is not yet an issue, as packets can't
get off the 192.168.1.0/24 network through my router.
-
Re: Network Routing
On Tue, 19 Apr 2005 15:08:54 +1200, Vivian McPhail
wrote:
>foo 192.168.1.3
>yoda 192.168.1.1 and 192.168.2.4
>firewall 192.168.2.1 and external-ip
I notice your firewall isn't on the same Class C as the rest of the
network. It's probably not important, but you may try it at
192.168.1.2 and see if it makes a difference.
--
Joe Zeff
The Guy With the Sideburns
Kill as many as you can; I have a morbid love of excess.
http://www.lasfs.org http://home.earthlink.net/~sidebrnz
-
Re: Network Routing
David Efflandt wrote:
> On Sun, 17 Apr 2005, Vivian McPhail wrote:
>
>>Apologies if this is not the correct list.
>>
>>I have a linux box with kernel 2.6.11.7 which I am trying to configure
>>as a router. I have a cable modem connected to a firewall/router
>>(192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
>>connected to the firewall/router. Also connected to yoda is another
>>network (with computer foo 192.168.1.3). I can access the internet from
>>yoda and I can access yoda from foo, but I cannot access the internet
>>from foo.
>>
>>yoda has the correct interface configuration and routing table
>>
>>192.168.2.0 * 255.255.255.0 eth1
>>192.168.1.0 * 255.255.255.0 eth0
>>default 192.168.2.1 0.0.0.0 eth1
>>
>>and I have ip forwarding enabled:
>>
>>$ cat /proc/sys/net/ipv4/ip_forward
>>1
>>
>> From what I have found in the HOWTOs and documentation this is all I
>>should have to do.
>>
>>I do not need to do any masquerading so I do not see the need for
>>netfiltering, is this assumption correct?
>
>
> Not necessarily. Your router likely has no knowledge of, or any clue, how
> to route your 192.168.1.0/24 network.
>
> - If your router is capable of static routing, you could use yoda
> 192.168.2.4 on it as a gateway for 192.168.1.0/24 network.
>
> - Or if your router is capable of setting a 255.255.0.0 netmask, you could
> enable proxy arp on eth1, so it would answer arp for eth0:
>
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
>
> - Or even if netmask on router is limited to 255.255.255.0 you could set
> eth0 to a portion of eth1 network and enable proxy_arp on eth1. For
> example based on my wireless subnet, you could set eth0 to 192.168.2.241
> netmask 255.255.255.249 broadcast 192.168.2.247 and have useable IPs on
> eth0 .242 - .246. PC(s) on eth0 would use eth0 IP as gateway. With
> proxy_arp enabled for eth1, it would answer arp requests for eth0 net,
> making it one happy LAN.
>
> - Or if all else fails, use iptables to masquerade your eth0 network as
> your eth1 IP.
First, the firewall has static routing with an entry to use yoda as the
gateway for the 192.168.1.0/24 network, so packets should theoretically
be able to be returned.
However, all else failed and I tried to use iptables to masquerade the
eth0 network. I had the most liberal forwarding policy possible.
Unfortunately this did not work.
It seems that, for some reason, packets are not being forwarded from eth0
to eth1.
I can ping yoda from foo. I can ping the firewall from yoda. I cannot
ping the firewall from foo.
As I mentioned earlier, I have ip_forward enabled.
TIA
Vivian
-
Re: Network Routing
Vivian McPhail wrote:
>>
>> I think you'll find that your firewall/router device
>> has no knowledge of the 192.168.1.0/24 network so it
>> is unable to route any traffic to foo.
>> Read David's post for solution.
>
> foo 192.168.1.3
> yoda 192.168.1.1 and 192.168.2.4
> firewall 192.168.2.1 and external-ip
>
> from foo:
>
> ping yoda - works
> ping firewall - request times out.
>
> So, while I have to configure the firewall to route
> incoming traffic for the 192.168.1.0/24 network, that
> is not yet an issue, as packets can't get off the
> 192.168.1.0/24 network through my router.
>
What makes you think that? For a ping to work a packet has
to get to the destination *and* back to the source.
If a packet is sent to the firewall from foo, it goes to
yoda and yoda passes the packet to the firewall. The
firewall doesn't know where to route the return packet, (it
only has an IP address) so yoda never gets a packet back to
send on to foo.
Cheers,
Cliff
--
Barzoomian the Martian - http://barzoomian.blogspot.com
-
Re: Network Routing
Vivian McPhail wrote:
> Enkidu wrote:
>
>> Vivian McPhail wrote:
>>
>>> Peter F wrote:
>>>
>>>> Vivian McPhail wrote:
>>>>
>>>>
>>>>> Apologies if this is not the correct list.
>>>>>
>>>>> I have a linux box with kernel 2.6.11.7 which I am trying to configure
>>>>> as a router. I have a cable modem connected to a firewall/router
>>>>> (192.168.2.1). The linux box (yoda 192.168.2.4, 192.168.1.1) is
>>>>> connected to the firewall/router. Also connected to yoda is another
>>>>> network (with computer foo 192.168.1.3). I can access the internet
>>>>> from
>>>>> yoda and I can access yoda from foo, but I cannot access the internet
>>>>> from foo.
>>>>
>>>>
>
>
>>
>> What is foo's default gateway? Also, imagine the route that a packet
>> will take to the Internet. foo puts it on the wire. If the default
>> gateway is set to yoda, then it is sent to yoda. yoda picks it up and
>> forwards it to the firewall. The firewall sends it out, presumably
>> NATting it at the same time. It travels to the destination on the
>> Internet. When the reply is sent from the Internet host it is directed
>> to the firewall (which stuck its address in the packet when it NATted
>> it). It arrives back at the firewall which deNATs it to the correct
>> address. Problem! The firewall doesn't know where to send it. The
>> firewall needs a route to foo's network via yoda!
>
> The gateway is yoda, but the problem is that yoda doesn't forward the
> packet from the eth0 interface to the eth1 interface. (I have IP
> forwarding enabled on yoda). So from your scenario, yoda picks up the
> packet, and never sends it to the firewall.
>
Although it is common to loosely say "the router sends it to
the firewall" or similar what actually happens is that the
router puts the packet on the wire (leaving out a lot). "The
router has a route to the firewall" means that it knows
which interface to send on. So, the packet from foo arrives
at yoda, and yoda *does have a route for it*. It knows that
to reach the firewall, it has to put it on the right
interface which it does, and the firewall picks it up. I'm
convinced this is happening. At this stage the ping has not
completed because the packet has to make it back to foo for
the ping to succeed.
The firewall looks at the packet. It *doesn't have a route
for it* since it hasn't been told about the internal
network. So it puts it on *its* default gateway interface,
probably to the Internet, where it dies.
The packet never makes it *back* to yoda, and therefore
never makes it back to foo, therefore the ping fails. But
the original ping packet DID reach yoda and DID get
forwarded to the firewall.
In networking, it is crucial to realise that there needs to
be a route defined *back* to the source from the
destination. The packet doesn't magically know the route
back. A return packet has to be routed the same as the
original packet.
Cheers,
Cliff
--
Barzoomian the Martian - http://barzoomian.blogspot.com
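Cliff's point about the return route, and David Efflandt's static-route and masquerade options earlier in the thread, can be walked hop by hop. The following Python is an added example, not code from the thread: it models each host's routing table as a longest-prefix match over connected and static routes, walks an echo request from foo to the firewall and the reply back, and reports where the reply ends up with no static route, with a static route for 192.168.1.0/24 via yoda, and with yoda masquerading foo as 192.168.2.4. The topology and addresses are the thread's own; the firewall's upstream next hop 203.0.113.1, its WAN address and its interface names `lan`/`wan` are constructed placeholders, since the thread never gives them.

```python
import ipaddress

# Added example modelling the thread's topology; not code from the thread.
# Upstream next hop 203.0.113.1 and the firewall's wan address are placeholders.

class Host:
    def __init__(self, name, ifaces, routes=()):
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in ifaces.items()}
        # Connected routes (gateway None = on-link) derived from the interfaces,
        # followed by static routes given as (prefix, gateway, iface).
        self.routes = [(i.network, None, n) for n, i in self.ifaces.items()]
        self.routes += [(ipaddress.ip_network(p), ipaddress.ip_address(g), n)
                        for p, g, n in routes]

    def owns(self, addr):
        return any(i.ip == addr for i in self.ifaces.values())

    def next_hop(self, dst):
        """Longest-prefix match. Returns the IP the frame is addressed to next
        (dst itself when on-link, else the gateway), or None if nothing matches."""
        best = None
        for net, gw, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        if best is None:
            return None
        return dst if best[1] is None else best[1]

def walk(hosts, src_host, dst, max_hops=8):
    """Host names a packet visits from src_host towards dst, ending with
    'delivered', 'no route', or the address through which it left the model."""
    by_addr = {i.ip: h for h in hosts for i in h.ifaces.values()}
    path, cur = [], src_host
    for _ in range(max_hops):
        path.append(cur.name)
        if cur.owns(dst):
            return path + ["delivered"]
        nh = cur.next_hop(dst)
        if nh is None:
            return path + ["no route"]
        if nh not in by_addr:
            return path + [f"lost via {nh}"]
        cur = by_addr[nh]
    return path + ["loop"]

def ping(hosts, src, dst, masquerade_as=None):
    """Forward walk of the echo request and reverse walk of the reply.
    masquerade_as models SNAT on yoda: the reply is addressed to that IP
    instead of the real source, and yoda's connection tracking would then
    translate it back to foo."""
    ip_src, ip_dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    by_addr = {i.ip: h for h in hosts for i in h.ifaces.values()}
    fwd = walk(hosts, by_addr[ip_src], ip_dst)
    reply_to = ipaddress.ip_address(masquerade_as) if masquerade_as else ip_src
    rev = walk(hosts, by_addr[ip_dst], reply_to) if fwd[-1] == "delivered" else []
    return fwd, rev

def build(firewall_static_route=False):
    """The thread's topology: foo behind yoda's eth0, yoda's eth1 on the
    firewall's LAN, firewall defaulting to a placeholder upstream hop."""
    foo = Host("foo", {"eth0": "192.168.1.3/24"}, [("0.0.0.0/0", "192.168.1.1", "eth0")])
    yoda = Host("yoda", {"eth0": "192.168.1.1/24", "eth1": "192.168.2.4/24"},
                [("0.0.0.0/0", "192.168.2.1", "eth1")])
    fw_routes = [("0.0.0.0/0", "203.0.113.1", "wan")]          # placeholder upstream
    if firewall_static_route:
        fw_routes.append(("192.168.1.0/24", "192.168.2.4", "lan"))
    fw = Host("firewall", {"lan": "192.168.2.1/24", "wan": "203.0.113.10/24"}, fw_routes)
    return [foo, yoda, fw]

if __name__ == "__main__":
    print("no static route:", ping(build(False), "192.168.1.3", "192.168.2.1"))
    print("static route:   ", ping(build(True), "192.168.1.3", "192.168.2.1"))
    print("masquerade:     ", ping(build(False), "192.168.1.3", "192.168.2.1",
                                    masquerade_as="192.168.2.4"))
```

In the first scenario the request reaches the firewall (foo, yoda, firewall, delivered) but the reply follows the firewall's default route and is lost upstream, which is exactly the symptom of "ping firewall times out" while "ping yoda works". Adding the static route makes the reply walk firewall, yoda, foo; masquerading instead makes the reply land on yoda's eth1 address, which the firewall already considers on-link, so no static route is needed.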
-
Re: Network Routing
On Tue, 19 Apr 2005 20:44:40 +1200, Enkidu
wrote:
>> So, while I have to configure the firewall to route
> > incoming traffic for the 192.168.1.0/24 network, that
> > is not yet an issue, as packets can't get off the
> > 192.168.1.0/24 network through my router.
> >
>What makes you think that? For a ping to work a packet has
>to get to the destination *and* back to the source.
What does traceroute show?
--
Joe Zeff
The Guy With the Sideburns
If you can't play with words, what good are they?
http://www.lasfs.org http://home.earthlink.net/~sidebrnz
-