I'm running shorewall 1.3.4 on Mandrake 8.2. I have a private wireless network and am using PoPToP to create a VPN connection for security. The VPN connection seems to work ok with only a couple of exceptions.

1. Creating another VPN connection to the outside world (less of a priority right now)
2. Some websites don't work. I can bring up Yahoo ok, but say I click the finance link, I get nothing. I click the classified link and it works but the kids link doesn't. I can't bring up slashdot or any OSDN sites either but can bring up www.perl.org, cpan.org and apache.org with no problems (I realize they're not all associated). I can bring up shorewall.net as well with no problems. I'm not too sure what's going on. It seems very weird that some sites work and some don't.

I've posted my shorewall configuration files at http://63.167.48.244/shorewall/

My goal is to have the ppp+ interfaces be assigned public IP addresses and behave like they were connected directly and not through the VPN. My firewall IP is on a different subnet than what I'm assigning to my ppp+ interfaces. They're both publicly routable networks though. My router is routing 63.167.49.0/24 to 63.167.48.244 (firewall IP). It seems to work with the exception of some sites. That's what's getting me.

I've used tcpdump and I see the connection request go out and I see the

Any ideas are appreciated.

Thanks,
Charlie
Thanks for the reply. I did have the mtu set at 1000 and still had the same problem. Maybe it was too low? I did try it at 1400 and 1450 and no luck.

options.pptpd
## turn pppd syslog debugging on
debug

plugin radius.so
plugin radattr.so

#proxyarp
noproxyarp
ms-dns 63.167.48.250
ms-dns 63.167.48.249
ipparam wireless-vpn
lock
noauth
nobsdcomp
nodeflate

require-mschap
require-mppe-40
require-mschap-v2
require-mppe-128

mtu 1490
mru 1490

lcp-echo-failure 10
lcp-echo-interval 10

ipcp-accept-local
ipcp-accept-remote

deflate 0

> Charlie:
>
> What do you have in the options file for pptp??
> Did you set the mtu value?? If not try setting it
> to 1450 as a starting point. might have to go lower...
> Let me know if that has any effect on the problem.
>
> Jerry
>
> -----Original Message-----
> From: charlieb@cot.net [SMTP:charlieb@cot.net]
> Sent: Thursday, August 08, 2002 10:51 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] PPTP Problems
Well that was my first shot... Is Explicit Congestion Notification turned on? Might be having issues with non-ECN capable sites.

Just a thought but, maybe the main site supports ECN, but the link points to a different server that does not??

What was at the end of this statement?

>> I've used tcpdump and I see the connection request go out and I see the

Jerry

-----Original Message-----
From: charlieb@cot.net [SMTP:charlieb@cot.net]
Sent: Thursday, August 08, 2002 11:30 PM
To: jvonau@shaw.ca
Cc: shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] PPTP Problems
> -----Original Message-----
> From: charlieb@cot.net
> Sent: Thursday, August 08, 2002 10:51 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] PPTP Problems
>
> I'm running shorewall 1.3.4 on Mandrake 8.2.
>
> I have a private wireless network and am using PoPToP to create a VPN
> connection for security. The VPN connection seems to work ok with only
> a couple exceptions.
>
> 1. Creating another VPN connection to the outside world (less of a
> priority right now)

Have you applied the VPN kernel patch to enable multiple VPNs??? From the patch help section...

------------------------------------
PPTP protocol support
CONFIG_IP_NF_PPTP
This is a PPTP connection tracker that allows you to place one or more
PPTP client machines behind a Linux 2.4 NAT machine and allow them to
connect to PPTP servers on the other side of the machine.

For more information, please see the Linux VPN Masquerade site at
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>.
------------------------------------

> 2. Some websites don't work. I can bring up Yahoo ok, but
> say I click the finance link, I get nothing. I click the
> classified link and it works but the kids link doesn't.
> I can't bring up slashdot or any OSDN sites either but can
> bring up www.perl.org, cpan.org and apache.org with no
> problems (I realize they're not all associated). I can bring up
> shorewall.net as well with no problems. I'm not too sure
> what's going on.

Just a guess, but it sounds like it could be ECN related. Have you tried to disable ECN and then check out the sites that are not working???

To test (as root)

echo "0" >/proc/sys/net/ipv4/tcp_ecn

If the above sites now work, then you can add the above to your startup procedures. Otherwise... try and reduce the MTU setting for the VPN.

Long pause... Well I see someone has already posted this suggestion.

Oh Well!
Steve Cowles
Oops ... didn't finish my thought there. I'm at a fair working on drumming up business. Must have gotten distracted.

I've also put my pptpd.conf and options.pptpd files on the website I listed earlier.

I've used tcpdump and see the connection request go out and the reply come back ... here's what I see. The very last line in this dump showed up when I closed the browser window. I got the "Website found waiting for reply" but that was it.

[root@wireless-gateway shorewall]# tcpdump -i ppp0
tcpdump: listening on ppp0
22:17:51.290326 63.167.49.1.2996 > 64.28.67.150.http: S 254393753:254393753(0) win 65280 <mss 1360,nop,nop,sackOK> (DF)
22:17:51.385693 64.28.67.150.http > 63.167.49.1.2996: S 11059:11059(0) ack 254393754 win 8760 <mss 1460,eol> (DF)
22:17:51.406136 63.167.49.1.2996 > 64.28.67.150.http: . ack 1 win 65280 (DF)
22:17:51.408969 63.167.49.1.2996 > 64.28.67.150.http: P 1:274(273) ack 1 win 65280 (DF)
22:17:51.507364 64.28.67.150.http > 63.167.49.1.2996: . ack 274 win 6432 (DF)
22:17:51.512772 63.167.49.1.netbios-ns > 64.28.67.150.netbios-ns: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
22:17:53.062073 63.167.49.1.netbios-ns > 64.28.67.150.netbios-ns: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
22:17:53.083377 63.167.49.1.2997 > 208.223.223.25.http: S 254896997:254896997(0) win 65280 <mss 1360,nop,nop,sackOK> (DF)
22:17:53.145705 208.223.223.25.http > 63.167.49.1.2997: S 958958499:958958499(0) ack 254896998 win 17680 <mss 1380,nop,nop,sackOK> (DF)
22:17:53.158561 63.167.49.1.2997 > 208.223.223.25.http: . ack 1 win 65280 (DF)
22:17:53.160232 63.167.49.1.2997 > 208.223.223.25.http: F 1:1(0) ack 1 win 65280 (DF)
22:17:53.226057 208.223.223.25.http > 63.167.49.1.2997: . ack 2 win 17680 (DF)
22:17:53.226252 208.223.223.25.http > 63.167.49.1.2997: F 1:1(0) ack 2 win 17680 (DF)
22:17:53.246224 63.167.49.1.2997 > 208.223.223.25.http: . ack 2 win 65280 (DF)
22:17:54.511185 63.167.49.1.netbios-ns > 64.28.67.150.netbios-ns: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
22:23:21.913620 63.167.49.1.2996 > 64.28.67.150.http: R 254394027:254394027(0) win 0 (DF)

> Well that was my first shot...
> Is Explicit Congestion Notification turned on?
> might be having issues with non-ecn capable sites.
>
> Just a thought but, maybe the main site supports ecn,
> but the link points to a different server that does not??
> What was at the end of this statement?
>
>>> I've used tcpdump and I see the connection request go out and I see
>>> the
>
> Jerry
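Charlie's capture shows the shape of the failure more precisely than the prose does: the handshake completes, the 273-byte request goes out and is acknowledged, and then nothing comes back until the client resets the connection about five and a half minutes later. Below is an added example (my code, not part of the thread and not from Shorewall or pppd) that parses tcpdump's TCP lines, reconstructs each flow, and flags exactly that "request acknowledged, no response data" pattern. It also reports the MTU implied by each advertised MSS (MSS plus 40 header bytes, the same arithmetic MSS clamping relies on). This pattern is what a path-MTU black hole produces, since the small request fits but the server's full-size response segments do not; it is equally consistent with replies taking a path that never reaches the PPP interface, so the script reports the symptom and does not diagnose a cause.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, str]  # (host, port-or-service) exactly as tcpdump prints them

# Constructed input: the TCP lines of the capture posted above, one packet per line.
CAPTURE = """\
22:17:51.290326 63.167.49.1.2996 > 64.28.67.150.http: S 254393753:254393753(0) win 65280 <mss 1360,nop,nop,sackOK> (DF)
22:17:51.385693 64.28.67.150.http > 63.167.49.1.2996: S 11059:11059(0) ack 254393754 win 8760 <mss 1460,eol> (DF)
22:17:51.406136 63.167.49.1.2996 > 64.28.67.150.http: . ack 1 win 65280 (DF)
22:17:51.408969 63.167.49.1.2996 > 64.28.67.150.http: P 1:274(273) ack 1 win 65280 (DF)
22:17:51.507364 64.28.67.150.http > 63.167.49.1.2996: . ack 274 win 6432 (DF)
22:17:51.512772 63.167.49.1.netbios-ns > 64.28.67.150.netbios-ns: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
22:17:53.083377 63.167.49.1.2997 > 208.223.223.25.http: S 254896997:254896997(0) win 65280 <mss 1360,nop,nop,sackOK> (DF)
22:17:53.145705 208.223.223.25.http > 63.167.49.1.2997: S 958958499:958958499(0) ack 254896998 win 17680 <mss 1380,nop,nop,sackOK> (DF)
22:17:53.158561 63.167.49.1.2997 > 208.223.223.25.http: . ack 1 win 65280 (DF)
22:17:53.160232 63.167.49.1.2997 > 208.223.223.25.http: F 1:1(0) ack 1 win 65280 (DF)
22:17:53.226057 208.223.223.25.http > 63.167.49.1.2997: . ack 2 win 17680 (DF)
22:17:53.226252 208.223.223.25.http > 63.167.49.1.2997: F 1:1(0) ack 2 win 17680 (DF)
22:17:53.246224 63.167.49.1.2997 > 208.223.223.25.http: . ack 2 win 65280 (DF)
22:23:21.913620 63.167.49.1.2996 > 64.28.67.150.http: R 254394027:254394027(0) win 0 (DF)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SPFR.]+) (?P<rest>.*)$"
)
SEG_RE = re.compile(r"\d+:\d+\((\d+)\)")   # seq:seq(payload length)
MSS_RE = re.compile(r"<mss (\d+)")
ACK_RE = re.compile(r"\back (\d+)")

IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment that fits a link of the given MTU."""
    return mtu - IP_TCP_HEADERS


def implied_mtu(mss: int) -> int:
    """MTU a host is advertising for when it offers this MSS."""
    return mss + IP_TCP_HEADERS


@dataclass
class Flow:
    client: Endpoint
    server: Endpoint
    client_mss: Optional[int] = None
    server_mss: Optional[int] = None
    client_bytes: int = 0   # payload the client sent (the HTTP request)
    server_bytes: int = 0   # payload the server sent back
    server_ack: int = 0     # highest relative ack number seen from the server
    client_fin: bool = False
    client_rst: bool = False


def split_endpoint(text: str) -> Endpoint:
    host, port = text.rsplit(".", 1)
    return host, port


def parse_capture(text: str) -> Dict[Tuple[Endpoint, Endpoint], Flow]:
    flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # UDP/NetBIOS lines and anything else without TCP flags
        src, dst = split_endpoint(m["src"]), split_endpoint(m["dst"])
        flags, rest = m["flags"], m["rest"]
        key = (src, dst)
        if key not in flows and (dst, src) in flows:
            key = (dst, src)
        if key not in flows:
            # Only a bare SYN (no ack) starts a flow; its sender is the client.
            if "S" in flags and not ACK_RE.search(rest):
                flows[key] = Flow(client=src, server=dst)
            else:
                continue
        f = flows[key]
        seg, mss, ack = SEG_RE.search(rest), MSS_RE.search(rest), ACK_RE.search(rest)
        payload = int(seg.group(1)) if seg else 0
        if src == f.client:
            if mss:
                f.client_mss = int(mss.group(1))
            f.client_bytes += payload
            f.client_fin = f.client_fin or "F" in flags
            f.client_rst = f.client_rst or "R" in flags
        else:
            if mss:
                f.server_mss = int(mss.group(1))
            f.server_bytes += payload
            # tcpdump prints absolute numbers on the SYN/ACK and relative ones after
            # it, so only post-handshake acks are comparable with the byte counts.
            if ack and "S" not in flags:
                f.server_ack = max(f.server_ack, int(ack.group(1)))
    return flows


def classify(f: Flow) -> str:
    if f.server_bytes > 0:
        return "ok: server returned data"
    if f.client_bytes == 0:
        return "closed without a request"
    if f.server_ack >= f.client_bytes + 1:
        return "stalled: request acknowledged, no response data"
    return "stalled: request never acknowledged"


def report(flows: Dict[Tuple[Endpoint, Endpoint], Flow]) -> List[str]:
    out = []
    for (client, server), f in flows.items():
        note = ""
        if f.client_mss is not None:
            note = f" (client MSS {f.client_mss} implies MTU {implied_mtu(f.client_mss)})"
        out.append(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {classify(f)}{note}")
    return out


if __name__ == "__main__":
    for line in report(parse_capture(CAPTURE)):
        print(line)
```

Run as-is it reports the 64.28.67.150 connection as stalled with the request acknowledged, and the 208.223.223.25 connection as closed by the client without a request; the client's MSS of 1360 corresponds to a 1400-byte MTU on the client side, independent of the 1490 set in options.pptpd.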
Thanks for the suggestions.

[root@wireless-gateway ipv4]# cat /proc/sys/net/ipv4/tcp_ecn
0

Looks like it's already turned off. This is very puzzling ....

Thanks again,
Charlie

> Just a guess, but it sounds like it could be ECN related. Have you
> tried to disable ECN and then check out the sites that are not
> working???
>
> To test (as root)
>
> echo "0" >/proc/sys/net/ipv4/tcp_ecn
>
> If the above sites now work, then you can add the above to your startup
> procedures. Otherwise... try and reduce the MTU setting for the VPN.
>
> Long pause... Well I see someone has already posted this suggestion.
>
> Oh Well!
> Steve Cowles
On Thu, 8 Aug 2002, charlieb@cot.net wrote:

> Thanks for the suggestions.
>
> [root@wireless-gateway ipv4]# cat /proc/sys/net/ipv4/tcp_ecn
> 0
>
> Looks like it's already turned off. This is very puzzling ....

Have you tried CLAMPMSS=Yes in shorewall.conf?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Thanks for the suggestion Tom. After reading the description above the option I was sure it would fix the problem, but it didn't.

I've saved "shorewall status" out to http://63.167.48.244/shorewall/shorewall_status.txt

lsmod shows that the ipt_TCPMSS module is indeed loaded as well:

[root@wireless-gateway sys]# lsmod
Module                  Size  Used by    Tainted: P
ipt_TCPMSS              2304   1  (autoclean)
ipt_TOS                  960  12  (autoclean)
ipt_MASQUERADE          1248   1  (autoclean)
ipt_LOG                 3392   5  (autoclean)
ipt_REJECT              2848   4  (autoclean)
ipt_state                608  55  (autoclean)
iptable_mangle          2080   1  (autoclean)
ip_nat_irc              2432   0  (unused)
ip_nat_ftp              3008   0  (unused)
iptable_nat            13588   3  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        2592   0  (unused)
ip_conntrack_ftp        3424   0  (unused)
ip_conntrack           13420   4  [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          1696   1
ip_tables              10880  11  [ipt_TCPMSS ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]
sch_ingress             1440   2  (autoclean)
cls_u32                 4644   6  (autoclean)
sch_sfq                 3552   6  (autoclean)
sch_htb                12512   2  (autoclean)
ppp_mppe               10496   4  (autoclean)
ppp_async               6112   2  (autoclean)
ppp_generic            15752   6  (autoclean) [ppp_mppe ppp_async]
slhc                    4624   1  (autoclean) [ppp_generic]
af_packet              11912   2  (autoclean)
ext3                   58688   3  (autoclean)
jbd                    36232   3  (autoclean) [ext3]
rtc                     5720   0  (autoclean)

Thanks again to all for the help.

Charlie

> On Thu, 8 Aug 2002, charlieb@cot.net wrote:
>
>> Thanks for the suggestions.
>>
>> [root@wireless-gateway ipv4]# cat /proc/sys/net/ipv4/tcp_ecn
>> 0
>>
>> Looks like it's already turned off. This is very puzzling ....
>
> Have you tried CLAMPMSS=Yes in shorewall.conf?
>
> -Tom
On Fri, 9 Aug 2002, charlieb@cot.net wrote:

> Thanks for the suggestion Tom. After reading the description above the
> option I was sure it would fix the problem, but it didn't.
> I've saved "shorewall status" out to
> http://63.167.48.244/shorewall/shorewall_status.txt

Other than it looks like you are overusing the "hosts" file, I don't see anything in your configuration. But then I wouldn't expect to given that your problem seems to be web site-specific.

I notice an unusually high number of UNREPLIED entries in your connection tracking table which may indicate that you have a routing problem somewhere. I didn't see any particular pattern to them but you're more familiar with your setup than I am so you might spot something...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Fri, 9 Aug 2002, charlieb@cot.net wrote:

> Thanks for the suggestion Tom. After reading the description above the
> option I was sure it would fix the problem, but it didn't.
> I've saved "shorewall status" out to
> http://63.167.48.244/shorewall/shorewall_status.txt

I've set up my laptop in an environment similar to yours (access the internet through PopTop running on my firewall) and I'm not seeing any probs with the sites you mention...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Apologies for being long in replies, but I was on the road all day and just got back.

As you (Tom) mentioned in your earlier message, it could be a routing issue. But I would think it would affect everything, not just some sites. Good to know that it should be working. :-)

Guess I'll start looking at my router configuration although I don't really know how

ip route 63.167.49.0 255.255.255.0 63.167.48.244

wouldn't be right ....

Oh my ... I just looked at my router and I think I found the problem (I'm not as up on IOS as I'd like to be ... thanks for the hint Tom). The router was already configured when I started this job. It used to do NAT and had the following entry:

ip nat pool temp 63.167.49.1 63.167.49.2 netmask 255.255.255.252

Those are the first two IP addresses being assigned to clients that I'm testing with. Boy do I feel stupid.

I'll let you know if removing that ip nat entry from the router fixed it.

Charlie

> On Fri, 9 Aug 2002, charlieb@cot.net wrote:
>
>> Thanks for the suggestion Tom. After reading the description above
>> the option I was sure it would fix the problem, but it didn't.
>> I've saved "shorewall status" out to
>> http://63.167.48.244/shorewall/shorewall_status.txt
>
> I've set up my laptop in an environment similar to yours (access the
> internet through PopTop running on my firewall) and I'm not seeing any
> probs with the sites you mention...
>
> -Tom
Well ... taking the "ip nat" entry off the router didn't fix it. And there are no other 63.167.49.0/24 IP addresses assigned or used in the router except in the routing table to route that subnet to my Linux system.

Could it be that I don't have "proxyarp" turned on? I have "noproxyarp" in my options.pptpd file.

Could it be that the 63.167.49.254 address that's my "localip" in the pptpd.conf file isn't assigned to an interface on my Linux system (which is why I'm not using proxyarp)?

Could it be that I'm using the same "localip" address for all the VPN connections? I thought this was acceptable based on what I've read.

Also, I'm using HTB for traffic control on each PPP interface via ip-up.local. I tried taking this out of the mix and it still didn't help.

Guess I'll just have to beat on it a little more. Tom, could you send me how you set up your test case?

Here are my routing entries for my Cisco 3640 and my Linux system:

Cisco:

ip local pool ATMPPPoE 63.167.50.1 63.167.50.127
ip classless
ip route 0.0.0.0 0.0.0.0 160.81.9.37 15
ip route 0.0.0.0 0.0.0.0 160.81.9.41 15
ip route 63.167.48.0 255.255.252.0 Null0
ip route 63.167.49.0 255.255.255.0 63.167.48.244
ip route 63.167.50.128 255.255.255.128 63.167.48.252
ip route 63.167.51.14 255.255.255.255 63.167.48.239
ip route 63.167.51.32 255.255.255.224 63.167.48.236
ip route 63.167.51.64 255.255.255.252 63.167.48.232
ip route 63.167.51.96 255.255.255.224 63.167.48.231 10
ip route 63.167.51.96 255.255.255.224 63.167.51.95 10
ip route 63.167.51.128 255.255.255.128 63.167.48.244
ip route 207.135.221.252 255.255.255.255 63.167.48.250
no ip http server

Linux:

63.167.49.4 dev ppp2  proto kernel  scope link  src 63.167.49.254
63.167.49.2 dev ppp3  proto kernel  scope link  src 63.167.49.254
63.167.51.128/25 via 10.100.1.10 dev eth1
63.167.48.0/24 dev eth0  scope link
10.100.0.0/16 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 63.167.48.254 dev eth0

Thanks,
Charlie
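The routing tables Charlie posted can be checked mechanically rather than by eye. The following is an added example (my code, not from the thread, Shorewall or Cisco) that parses the Cisco "ip route" statements and the Linux "ip route" output above, does a longest-prefix-match lookup on each, and for a VPN client address reports where the router sends it and which route the firewall holds for it. A stateful firewall only marks a connection as replied when both directions cross it, so a client address that the router forwards to the firewall but that the firewall itself can only reach through its default route is the kind of mismatch that shows up as UNREPLIED conntrack entries; the script reports it and leaves the interpretation to the reader. The addresses checked (63.167.49.1, .2 and .4) are the ones that appear in the thread; 192.0.2.1 is a documentation address used only to exercise the default route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the static routes and the Linux routing table posted above, copied as-is.
CISCO_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 160.81.9.37 15
ip route 0.0.0.0 0.0.0.0 160.81.9.41 15
ip route 63.167.48.0 255.255.252.0 Null0
ip route 63.167.49.0 255.255.255.0 63.167.48.244
ip route 63.167.50.128 255.255.255.128 63.167.48.252
ip route 63.167.51.14 255.255.255.255 63.167.48.239
ip route 63.167.51.32 255.255.255.224 63.167.48.236
ip route 63.167.51.64 255.255.255.252 63.167.48.232
ip route 63.167.51.96 255.255.255.224 63.167.48.231 10
ip route 63.167.51.96 255.255.255.224 63.167.51.95 10
ip route 63.167.51.128 255.255.255.128 63.167.48.244
ip route 207.135.221.252 255.255.255.255 63.167.48.250
"""

LINUX_ROUTES = """\
63.167.49.4 dev ppp2  proto kernel  scope link  src 63.167.49.254
63.167.49.2 dev ppp3  proto kernel  scope link  src 63.167.49.254
63.167.51.128/25 via 10.100.1.10 dev eth1
63.167.48.0/24 dev eth0  scope link
10.100.0.0/16 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 63.167.48.254 dev eth0
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop address, or None when the route points at an interface
    dev: Optional[str]   # outgoing interface ("Null0" on the Cisco, "dev ..." on Linux)
    distance: int = 1    # Cisco administrative distance; Linux routes all get 1


def parse_cisco(text: str) -> List[Route]:
    """Parse 'ip route NET MASK NEXTHOP [DISTANCE]' statements; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] != ["ip", "route"]:
            continue
        prefix = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        hop = parts[4]
        distance = int(parts[5]) if len(parts) > 5 else 1
        if hop[0].isdigit():
            routes.append(Route(prefix, hop, None, distance))
        else:
            routes.append(Route(prefix, None, hop, distance))  # interface route such as Null0
    return routes


def parse_linux(text: str) -> List[Route]:
    """Parse 'ip route' output: destination first, then 'via X' / 'dev X' pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        target = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        prefix = ipaddress.ip_network(target, strict=False)
        via = dev = None
        for i in range(1, len(parts) - 1):
            if parts[i] == "via":
                via = parts[i + 1]
            elif parts[i] == "dev":
                dev = parts[i + 1]
        routes.append(Route(prefix, via, dev))
    return routes


def lookup(routes: List[Route], address: str) -> List[Route]:
    """Longest-prefix match, then lowest distance; several results are equal-cost candidates."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    matches = [r for r in matches if r.prefix.prefixlen == longest]
    best = min(r.distance for r in matches)
    return [r for r in matches if r.distance == best]


def has_ppp_host_route(linux: List[Route], address: str) -> bool:
    """True when the firewall reaches the address through a /32 on a ppp interface."""
    hit = lookup(linux, address)
    return bool(hit) and hit[0].prefix.prefixlen == 32 and (hit[0].dev or "").startswith("ppp")


def trace(cisco: List[Route], linux: List[Route], address: str) -> Dict[str, object]:
    """Where the router sends a client address, and what the firewall does with it."""
    fw = lookup(linux, address)
    fw_desc = None
    if fw:
        r = fw[0]
        fw_desc = str(r.prefix) + (f" via {r.via}" if r.via else "") + (f" dev {r.dev}" if r.dev else "")
    return {
        "address": address,
        "router_next_hop": sorted((r.via or r.dev) for r in lookup(cisco, address)),
        "firewall_route": fw_desc,
        "firewall_host_route": has_ppp_host_route(linux, address),
    }


if __name__ == "__main__":
    cisco, linux = parse_cisco(CISCO_CONFIG), parse_linux(LINUX_ROUTES)
    for client in ("63.167.49.1", "63.167.49.2", "63.167.49.4"):
        print(trace(cisco, linux, client))
```

With the tables as posted, the router sends all three client addresses to 63.167.48.244; the firewall has /32 routes on ppp3 and ppp2 for .2 and .4, while .1 matches only the default route via 63.167.48.254 on eth0, which is the router again. The routing table was captured at a different time from the tcpdump, so the script only shows what the posted snapshot implies.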
On Sat, 10 Aug 2002, charlieb@cot.net wrote:

> Guess I'll just have to beat on it a little more. Tom, could you send me
> how you setup your test case?

The diagram and firewall ruleset are as shown at http://www.shorewall.net/myfiles.htm. I configured the PPTP link from my laptop to the PoPToP server running on the firewall to be the laptop's default route. My PoPToP configuration can be found at http://www.shorewall.net/PPTP.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net