IPCOP Firewall Static Route Problem - Routers


  1. IPCOP Firewall Static Route Problem

    I am testing IPCOP 1.4 firewall hoping to replace a Netgear VPN router. It
    works perfectly as a firewall router to provide NAT-based Internet access
    with protection. Unfortunately, there is a static router issue I cannot
    resolve. So far no one in the IPCOP forum has any idea.

    Here is the network environment:

    << Headquarter >> (192.168.0.x)
    | Internet | -- | IPCOP Router | -- | LAN1 | -- | Cisco 1720 | -- | Frame Relay to Branch |

    << Branch >> (192.168.1.x)
    | Internet | -- | Netgear Router | -- | LAN2 | -- | Cisco 1720 | -- | Frame Relay to Headquarter |

    1. In LAN1, all computers are set up to use the IP address of LAN
    interface of IPCOP as DG
    2. In LAN2, all computers are set up to use the IP address of LAN
    interface of Netgear as DG
    3. IPCOP has a static route set up to LAN2, which is the local interface of
    the Cisco 1720
    4. Netgear has a static route set up to LAN1, which is the local interface
    of the Cisco 1720
    5. All workstations in both LAN set up to use DHCP and its options.
    6. All workstations in LAN1 can ping LAN2
    7. Only computers running Windows 98 can telnet to resources in LAN2.
    8. Machines running W2K (prof or server) cannot telnet to any hosts in
    LAN2.
    9. Though all W98 and W2K PC's are set up to use DHCP, TRACERT shows that
    W98 machines access LAN2 by directly going to the Cisco 1720, then
    reach LAN2
    W2K machines access LAN2 by going to IPCOP first, then move on to next
    hop, Cisco 1720
    *** Despite this, All TRACERT results from W98 & W2K show successful
    from LAN1 routing to LAN2

    10. If add a static route for LAN2 on W2K machines, i.e.
    route add 192.168.1.0 mask 255.255.255.0 192.168.1.11
    (LAN2)
    (Cisco)
    then the machine can access resources in LAN2 without a problem
    *** In this case, the first hop when accessing LAN2 from LAN1 is
    Cisco, not IPCOP
    11. When replace IPCOP with another Netgear router, computers in both LAN's
    work fine.
    LAN1 can access resources (including TELNET) in LAN2 and vice versa
    without a problem.
    12. I am sure I have IPCOP configured properly, static route to LAN2 set up
    correctly. I can PING
    LAN2 from IPCOP console.

    The workaround is to manually add a static route to all Windows 2000 PC's in
    LAN1, which is a tedious work and should be something handled by the DG. I
    strongly believe that the problem lies on the IPCOP 1.4 final version I am
    using. I am going to have to drop it if this problem cannot be resolved.

    Joe




  2. Re: IPCOP Firewall Static Route Problem

    "JP" wrote in
    news:5qSdnQuuS64u-RPcRVn-ow@rogers.com:

    > I am testing IPCOP 1.4 firewall hoping to replace a Netgear VPN
    > router. It works perfectly as a firewall router to provide NAT-based
    > Internet access with protection. Unfortunately, there is a static
    > router issue I cannot resolve. So far no one in the IPCOP forum has
    > any idea.
    >
    > Here is the network environment:
    >
    > << Headquarter >> (192.168.0.x)
    > | Internet | -- | IPCOP Router | -- | LAN1 | -- | Cisco 1720 | -- | Frame Relay to Branch |
    >
    > << Branch >> (192.168.1.x)
    > | Internet | -- | Netgear Router | -- | LAN2 | -- | Cisco 1720 | -- | Frame Relay to Headquarter |
    >
    > 1. In LAN1, all computers are set up to use the IP address of LAN
    > interface of IPCOP as DG
    > 2. In LAN2, all computers are set up to use the IP address of LAN
    > interface of Netgear as DG
    > 3. IPCOP has a static route set up to LAN2, which is the local
    > interface of the Cisco 1720
    > 4. Netgear has a static route set up to LAN1, which is the local
    > interface of the Cisco 1720
    > 5. All workstations in both LAN set up to use DHCP and its options.
    > 6. All workstations in LAN1 can ping LAN2
    > 7. Only computers running Windows 98 can telnet to resources in LAN2.
    > 8. Machines running W2K (prof or server) cannot telnet to any hosts
    > in LAN2.
    > 9. Though all W98 and W2K PC's are set up to use DHCP, TRACERT shows that
    > W98 machines access LAN2 by directly going to the Cisco 1720, then
    > reach LAN2
    > W2K machines access LAN2 by going to IPCOP first, then move on to next
    > hop, Cisco 1720
    > *** Despite this, All TRACERT results from W98 & W2K show successful
    > from LAN1 routing to LAN2
    >
    > 10. If add a static route for LAN2 on W2K machines, i.e.
    > route add 192.168.1.0 mask 255.255.255.0 192.168.1.11
    > (LAN2)
    > (Cisco)
    > then the machine can access resources in LAN2 without a problem
    > *** In this case, the first hop when accessing LAN2 from LAN1 is
    > Cisco, not IPCOP
    > 11. When replace IPCOP with another Netgear router, computers in both
    > LAN's work fine.
    > LAN1 can access resources (including TELNET) in LAN2 and vice versa
    > without a problem.
    > 12. I am sure I have IPCOP configured properly, static route to LAN2
    > set up correctly. I can PING
    > LAN2 from IPCOP console.
    >
    > The workaround is to manually add a static route to all Windows 2000
    > PC's in LAN1, which is a tedious work and should be something handled
    > by the DG. I strongly believe that the problem lies on the IPCOP 1.4
    > final version I am using. I am going to have to drop it if this
    > problem cannot be resolved.
    >
    > Joe


    Port Forwarding should do the trick...I'll look into this some more..

  3. Re: IPCOP Firewall Static Route Problem

    > Port Forwarding should do the trick...I'll look into this some more..

    Thanks for your idea. Still don't understand why I can PING from LAN1 to
    LAN2 but not TELNET. If the route is valid for PING, what is the difference
    between other applications. I cannot TELNET or use Terminal Service Client
    to access LAN2. The HOSTs there respond to my PING.

    By adding a static route to the machines in LAN1, everything works as
    expected. However, if I put in a NETGEAR, DLINK or LINKSYS router instead
    of the IPCOP, I don't need the static route on the PC's.

    I configured NETGEAR, DLINK, LINKSYS and IPCOP in the exact same way, a
    static route to LAN2 is manually entered.

    Thanks again for looking into it.

    Joe



  4. Re: IPCOP Firewall Static Route Problem

    JP wrote:

    > By adding a static route to the machines in LAN1, everything works as
    > expected. However, if I put in a NETGEAR, DLINK or LINKSYS router instead
    > of the IPCOP, I don't need the static route on the PC's.


    If you have access rules that allow all ICMP and IP traffic, then you
    might want to check your network configuration. Have you tried a
    different netmask like 255.255.0.0? It looks like these hosts are all in
    192.168/16. I didn't see mention of a VPN...

    -Gary

  5. Re: IPCOP Firewall Static Route Problem

    It may have to do with what ports your gear is letting through, and in
    which direction. In some cases you can set them up bi-directionally,
    but in most cases you set them up one direction at a time.

    JP wrote:
    >>Port Forwarding should do the trick...I'll look into this some more..

    >
    >
    > Thanks for your idea. Still don't understand why I can PING from LAN1 to
    > LAN2 but not TELNET. If the route is valid for PING, what is the difference
    > between other applications. I cannot TELNET or use Terminal Service Client
    > to access LAN2. The HOSTs there respond to my PING.
    >
    > By adding a static route to the machines in LAN1, everything works as
    > expected. However, if I put in a NETGEAR, DLINK or LINKSYS router instead
    > of the IPCOP, I don't need the static route on the PC's.
    >
    > I configured NETGEAR, DLINK, LINKSYS and IPCOP in the exact same way, a
    > static route to LAN2 is manually entered.
    >
    > Thanks again for looking into it.
    >
    > Joe
    >
    >



  6. Re: IPCOP Firewall Static Route Problem

    ping is on port 3503 and telnet is on port 23...your port 23 must be closed
    and 3503 open.




  7. Re: IPCOP Firewall Static Route Problem

    Direct:262.767.3325<> wrote:
    | ping is on port 3503 and telnet is on port 23...your port 23 must be closed
    | and 3503 open.

    Dumbass... Ping uses ICMP which is a protocol not a port. Better start
    learning your **** as opposed to guessing w/ a google search. (which the
    original poster obviously did b4 he posted here)

    If you really must know, port 3503 is for MPLS Embedded Management...a
    cisco management protocol... And their pings are UDP, not TCP

    Ciao,
    Droid...
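
The distinction drawn in the last reply, as an added example that is not part of the original thread: a small IPv4 parser showing that a ping carries an ICMP type and code but no port, while a telnet connection attempt carries TCP ports. The two packets and the host addresses 192.168.0.10 and 192.168.1.20 are constructed samples inside the thread's LAN1 and LAN2 ranges.

```python
import struct

# IANA IP protocol numbers carried in byte 9 of the IPv4 header
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ipv4_header(proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst))

def describe(packet):
    """Return the fields a packet filter can match on for this packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    l4 = packet[ihl:]
    if len(l4) < 4:
        raise ValueError("truncated layer-4 header")
    info = {"protocol": PROTO_NAMES.get(proto, str(proto))}
    if proto == 1:
        # ICMP has no port fields: the first two bytes are type and code
        info["icmp_type"], info["icmp_code"] = l4[0], l4[1]
    elif proto in (6, 17):
        # TCP and UDP both start with source port, destination port
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info

# Constructed sample hosts (not from the thread)
SRC, DST = (192, 168, 0, 10), (192, 168, 1, 20)

# Constructed ICMP echo request (type 8, code 0, id 1, seq 1), as sent by ping
icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
PING = ipv4_header(1, SRC, DST, len(icmp)) + icmp

# Constructed TCP SYN from ephemeral port 1025 to telnet (port 23)
tcp = struct.pack("!HHIIBBHHH", 1025, 23, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
TELNET_SYN = ipv4_header(6, SRC, DST, len(tcp)) + tcp

if __name__ == "__main__":
    print("ping  :", describe(PING))
    print("telnet:", describe(TELNET_SYN))
```
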
