Paul Harrison
2009-Jun-29 13:01 UTC
[crossbow-discuss] sppp device not routing ? (need help)
Ok, I'm hoping this is a fairly trivial issue, and I'm missing something.

I'm trying to use Solaris zones (Nevada Build 117) to act as a DMZ and a router, using exclusive IPs, VNICs (from Crossbow), and connecting to the internet (static IP from my ISP).

I've got the DMZ working - that zone sees the internet, can do name lookups, ftp, telnet, ssh, etc etc etc. The router zone ("router01") can talk to the DMZ zone ("dmz01"), but it can't do lookups, or connect to the internet.

I'm trying to get the following configuration working:

1. dmz01 connects to the internet (static IP, PPP connection). This part works. I've enabled routing (routeadm -e ipv4-routing, routeadm -e ipv4-forwarding, routeadm -u, etc, reboots between tests to check everything). Exclusive IP, physical NIC e1000g0 connected to the DSL modem, device sppp0 picks up the static IP (I can see the entry "<static IP> ---> <ISP gateway or IP>" on an ifconfig -a, I can see the route to the ISP's gateway or IP as well with a netstat -nr).

2. Using dladm, I've created "etherstub0", and attached two VNICs to it (10.10.10.10, 10.10.10.20). VNIC 10.10.10.10 is attached to zone dmz01, 10.10.10.20 is attached to zone router01.

3. Zone "router01" has physical NIC e1000g1, and connects to my old router (haven't tested this part out yet). VNIC 10.10.10.20 connects to etherstub0, and I'm able to ssh to dmz01 using 10.10.10.10. Works fine.

The idea is that my original home network would pass packets through the original router, but it's connected to zone router01 now, which I'll eventually set up to do the work of a content switch and firewall (and pass packets to other zones connected to various etherstubs - Crossbow rocks!). Haven't gotten that far yet, though.

Here's what I'm stuck on: Zone "router01" can't do name lookups (service dns/client is enabled, resolv.conf has the nameservers, ipv4-routing and ipv4-forwarding enabled, also ipv6 routing and forwarding enabled on router01 and dmz01). I can set up a route to the static IP that's assigned to sppp0 on dmz01, and it's pingable, but the packets go no further: I can't ping the IP/gateway of the ISP, or the nameservers (nameservers are pingable from dmz01, so they aren't blocking ICMP).

I'm pretty sure that it's getting "stuck" at the sppp0 device. It's almost like the device defaults to "accept packets with a hop count of 1 only" (allowing packets from dmz01, but nothing further along the chain).

Oh - both zones were created with a "create -b". I didn't use "zone clones" either, each is an independent build.

Anyone have any solutions, or suggestions on where I can look next for answers?

Thanks in advance.
--
This message posted from opensolaris.org
Piotr Jasiukajtis
2009-Jun-29 13:14 UTC
[crossbow-discuss] sppp device not routing ? (need help)
Hi,

Make sure you use custom ipfilter configs. Build 117 comes with PSARC 2008/580 'host-based' firewall, maybe it's the case.

On Mon, Jun 29, 2009 at 3:01 PM, Paul Harrison <pcrharrison at gmail.com> wrote:
> Ok, I'm hoping this is a fairly trivial issue, and I'm missing something.
>
> I'm trying to use Solaris zones (Nevada Build 117) to act as a DMZ and a router, using exclusive IPs, VNICs (from Crossbow), and connecting to the internet (static IP from my ISP).
>
> I've got the DMZ working - that zone sees the internet, can do name lookups, ftp, telnet, ssh, etc etc etc. The router zone ("router01") can talk to the DMZ zone ("dmz01"), but it can't do lookups, or connect to the internet.
>
> I'm trying to get the following configuration working:
> 1. dmz01 connects to the internet (static IP, PPP connection). This part works. I've enabled routing (routeadm -e ipv4-routing, routeadm -e ipv4-forwarding, routeadm -u, etc, reboots between tests to check everything). Exclusive IP, physical NIC e1000g0 connected to the DSL modem, device sppp0 picks up the static IP (I can see the entry "<static IP> ---> <ISP gateway or IP>" on an ifconfig -a, I can see the route to the ISP's gateway or IP as well with a netstat -nr).
>
> 2. Using dladm, I've created "etherstub0", and attached two VNICs to it (10.10.10.10, 10.10.10.20). VNIC 10.10.10.10 is attached to zone dmz01, 10.10.10.20 is attached to zone router01.
>
> 3. Zone "router01" has physical NIC e1000g1, and connects to my old router (haven't tested this part out yet). VNIC 10.10.10.20 connects to etherstub0, and I'm able to ssh to dmz01 using 10.10.10.10. Works fine.
>
> The idea is that my original home network would pass packets through the original router, but it's connected to zone router01 now, which I'll eventually set up to do the work of a content switch and firewall (and pass packets to other zones connected to various etherstubs - Crossbow rocks!). Haven't gotten that far yet, though.
>
> Here's what I'm stuck on: Zone "router01" can't do name lookups (service dns/client is enabled, resolv.conf has the nameservers, ipv4-routing and ipv4-forwarding enabled, also ipv6 routing and forwarding enabled on router01 and dmz01). I can set up a route to the static IP that's assigned to sppp0 on dmz01, and it's pingable, but the packets go no further: I can't ping the IP/gateway of the ISP, or the nameservers (nameservers are pingable from dmz01, so they aren't blocking ICMP).
>
> I'm pretty sure that it's getting "stuck" at the sppp0 device. It's almost like the device defaults to "accept packets with a hop count of 1 only" (allowing packets from dmz01, but nothing further along the chain).
>
> Oh - both zones were created with a "create -b". I didn't use "zone clones" either, each is an independent build.
>
> Anyone have any solutions, or suggestions on where I can look next for answers?
>
> Thanks in advance.

--
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com
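As an added illustration of the "custom ipfilter config" the reply points at (this is not either poster's configuration and not taken from the thread), the rules below are what dmz01 would carry so that traffic forwarded from router01 over the etherstub is allowed through to sppp0 and has its source rewritten on the way out. The VNIC name `vnic0` for the 10.10.10.10 interface is an assumption; the NAT rule is there because the ISP side has no route back to a private 10.10.10.0/24 source, so forwarding alone would leave replies undeliverable even with ipfilter wide open.

```conf
# --- /etc/ipf/ipf.conf inside zone dmz01 (constructed example) ---
# With exclusive-IP zones each zone runs its own ipfilter instance, so
# these rules live in dmz01, the zone that owns sppp0. "quick" makes
# the first matching rule final.
pass in quick on lo0 all
pass out quick on lo0 all

# Packets arriving from router01 (10.10.10.20) over the etherstub VNIC
# (name "vnic0" assumed): accept them for forwarding and keep state so
# the returning packets are matched by the state table, not the rules.
pass in quick on vnic0 from 10.10.10.0/24 to any keep state
pass out quick on vnic0 all

# Anything leaving towards the ISP over the PPP link, including the
# DNS (udp/53) and ICMP echo that router01 is trying.
pass out quick on sppp0 proto tcp from any to any flags S keep state
pass out quick on sppp0 proto udp from any to any keep state
pass out quick on sppp0 proto icmp from any to any keep state

# Unsolicited inbound traffic on the internet-facing link is dropped
# and logged; replies to the stateful rules above are still admitted.
block in log quick on sppp0 all

# --- /etc/ipf/ipnat.conf inside zone dmz01 (constructed example) ---
# Rewrite private etherstub sources to the sppp0 address (0/32 means
# "the interface's current address", handy for a PPP-assigned IP).
map sppp0 10.10.10.0/24 -> 0/32 portmap tcp/udp auto
map sppp0 10.10.10.0/24 -> 0/32

# --- Activating and checking (run inside dmz01) ---
# Point the PSARC 2008/580 framework at this file instead of its
# built-in policy, then reload:
#   svccfg -s network/ipfilter setprop firewall_config_default/policy = astring: custom
#   svccfg -s network/ipfilter setprop firewall_config_default/custom_policy_file = astring: /etc/ipf/ipf.conf
#   svcadm refresh network/ipfilter ; svcadm restart network/ipfilter
#   ipnat -CF -f /etc/ipf/ipnat.conf
# While router01 retries its ping/lookup, watch which rule each packet
# hits and whether a NAT mapping was created:
#   ipfstat -hio      (hit counts per rule; a rising count on the block
#                      rule means the packet reached sppp0 but was dropped)
#   ipnat -l          (active mappings for 10.10.10.20 should appear)
#   ipmon -a          (live log of blocked packets, with interface name)
```

If the hit counts show router01's packets never reach the sppp0 rules at all, the problem is upstream of ipfilter (routing or forwarding in the zone) rather than the firewall policy.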