Shorewall users - Mar 2003 - tcp dump eth1 internal at office

PS in earlier attachments the office and home folders are reversed in regards to
openvpn folders

    Dont know if this will help, this is three different ping request from home
to office, monitoring the office tcpdump on ssh at home on a

XP machine. The pings originate from the XP machine as well (my computer) except
when I pinging from the home firewall to the office which is the last ping
below.

This ping is from my machine 192.168.1.73 from home to office SCO box
it always does and arp request has never given me a reply on the VPN

00:38:25.954325 arp who-has 10.19.227.194 tell ns1.227.19.10.in-addr.arpa
00:38:25.954325 arp reply 10.19.227.194 is-at 8:0:69:5:7a:b3
00:38:25.954325 192.168.1.73 > 10.19.227.194: icmp: echo request

This ping is from my machine as well to a XP workstation at the office, it is
always successfull in reply
As all pings I have tried to windows workstations are successfull (I have tried
about 15 workstations)

00:42:49.854325 192.168.1.73 > trevor.227.19.10.in-addr.arpa: icmp: echo
request
00:42:49.854325 trevor.227.19.10.in-addr.arpa > 192.168.1.73: icmp: echo
reply

This ping is to a GM NT server at the office always no Reply
I Noticed its trying to reply to the virtual tun at home, (dont know if it can
deal with mac address?)

00:45:05.974325 10.4.0.2 > gma03893.icmp: echo request (DF)
00:45:05.974325 arp who-has 10.4.0.2 tell gma03893
00:45:06.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
00:45:06.974325 arp who-has 10.4.0.2 tell gma03893.
00:45:07.714325 802.1d config 8000.00:06:53:e4:1e:80.8018 root
8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:45:07.974325 10.4.0.2 > gma03893: icmp: echo request (DF)
00:45:07.974325 arp who-has 10.4.0.2 tell gma03893.
00:45:08.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
00:45:08.974325 arp who-has 10.4.0.2 tell gma03893
00:45:09.724325 802.1d config 8000.00:06:53:e4:1e:80.8018 root
8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:45:09.974325 10.4.0.2 > gma03893: icmp: echo request (DF)

On Mon, 24 Mar 2003, Mike wrote:
> 
> This ping is from my machine as well to a XP workstation at the office, it
is always successfull in reply
> As all pings I have tried to windows workstations are successfull (I have
tried about 15 workstations)
> 
> 00:42:49.854325 192.168.1.73 > trevor.227.19.10.in-addr.arpa: icmp: echo
request
> 00:42:49.854325 trevor.227.19.10.in-addr.arpa > 192.168.1.73: icmp: echo
reply
> 
> This ping is to a GM NT server at the office always no Reply I Noticed
> its trying to reply to the virtual tun at home, (dont know if it can
> deal with mac address?)
> 
> 00:45:05.974325 10.4.0.2 > gma03893.icmp: echo request (DF)
> 00:45:05.974325 arp who-has 10.4.0.2 tell gma03893
> 00:45:06.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
> 00:45:06.974325 arp who-has 10.4.0.2 tell gma03893.
> 00:45:07.714325 802.1d config 8000.00:06:53:e4:1e:80.8018 root
8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
> 00:45:07.974325 10.4.0.2 > gma03893: icmp: echo request (DF)
> 00:45:07.974325 arp who-has 10.4.0.2 tell gma03893.
> 00:45:08.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
> 00:45:08.974325 arp who-has 10.4.0.2 tell gma03893
> 00:45:09.724325 802.1d config 8000.00:06:53:e4:1e:80.8018 root
8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
> 00:45:09.974325 10.4.0.2 > gma03893: icmp: echo request (DF)
> 
Ok gma03893 thinks it is on the same lan as 10.4.0.2 so it is arping -- I
don''t have time to spend this morning digging through everything
you''ve
sent (after all, this isn''t even a Shoreall problem as you admit) but
is
that correct -- are gma03893 and 10.4.0.2 on the same LAN segment? If they 
are then the problem is in that LAN segment. If they are not on the same 
LAN segment then there is a routing problem.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

This is ifconfig -a at home with tun0 10.4.0.2, gma03893 is in the office
lan

eth0      Link encap:Ethernet  HWaddr 00:A0:CC:5A:81:F4
          inet addr:64.42.49.235  Bcast:64.42.49.239  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:68259 errors:1 dropped:0 overruns:0 frame:0
          TX packets:57142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11
          RX bytes:25265284 (24.0 Mb)  TX bytes:25073372 (23.9 Mb)

eth1      Link encap:Ethernet  HWaddr 00:50:04:03:93:CB
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59592 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:86
          RX bytes:25397658 (24.2 Mb)  TX bytes:25901526 (24.7 Mb)

gre0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:2850 (2.7 Kb)  TX bytes:2850 (2.7 Kb)

tun0      Link encap:Point-to-Point Protocol
          inet addr:10.4.0.2  P-t-P:10.4.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1255  Metric:1
          RX packets:105 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1891 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:6636 (6.4 Kb)  TX bytes:153948 (150.3 Kb)

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Monday, March 24, 2003 6:31 AM
Subject: Re: [Shorewall-users] tcp dump eth1 internal at office

> On Mon, 24 Mar 2003, Mike wrote:
>
> >
> > This ping is from my machine as well to a XP workstation at the
office,
it is always successfull in reply
> > As all pings I have tried to windows workstations are successfull (I
have tried about 15 workstations)
> >
> > 00:42:49.854325 192.168.1.73 > trevor.227.19.10.in-addr.arpa: icmp:
echo
request
> > 00:42:49.854325 trevor.227.19.10.in-addr.arpa > 192.168.1.73: icmp:
echo
reply
> >
> > This ping is to a GM NT server at the office always no Reply I Noticed
> > its trying to reply to the virtual tun at home, (dont know if it can
> > deal with mac address?)
> >
> > 00:45:05.974325 10.4.0.2 > gma03893.icmp: echo request (DF)
> > 00:45:05.974325 arp who-has 10.4.0.2 tell gma03893
> > 00:45:06.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
> > 00:45:06.974325 arp who-has 10.4.0.2 tell gma03893.
> > 00:45:07.714325 802.1d config 8000.00:06:53:e4:1e:80.8018 root
8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay
15
> > 00:45:07.974325 10.4.0.2 > gma03893: icmp: echo request (DF)
> > 00:45:07.974325 arp who-has 10.4.0.2 tell gma03893.
> > 00:45:08.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
> > 00:45:08.974325 arp who-has 10.4.0.2 tell gma03893
> > 00:45:09.724325 802.1d config 8000.00:06:53:e4:1e:80.8018 root
8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay
15
> > 00:45:09.974325 10.4.0.2 > gma03893: icmp: echo request (DF)
> >
>
> Ok gma03893 thinks it is on the same lan as 10.4.0.2 so it is arping -- I
> don''t have time to spend this morning digging through everything
you''ve
> sent (after all, this isn''t even a Shoreall problem as you admit)
but is
> that correct -- are gma03893 and 10.4.0.2 on the same LAN segment? If they
> are then the problem is in that LAN segment. If they are not on the same
> LAN segment then there is a routing problem.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>
>

On Mon, 24 Mar 2003, Mike wrote:
> This is ifconfig -a at home with tun0 10.4.0.2, gma03893 is in the office
> lan
> 
Can we see the same outout from the office router? And what is the IP 
address of gma03893?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

office router output
gma03893-----10.19.227.193
mike

eth0      Link encap:Ethernet  HWaddr 00:48:54:83:7E:41
          inet addr:64.42.53.202  Bcast:64.42.53.207  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:174519 errors:0 dropped:0 overruns:0 frame:0
          TX packets:173412 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1239
          RX bytes:92467106 (88.1 Mb)  TX bytes:28545982 (27.2 Mb)

eth1      Link encap:Ethernet  HWaddr 00:50:FC:75:0C:B9
          inet addr:10.19.227.20  Bcast:10.19.227.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:456023 errors:0 dropped:0 overruns:0 frame:0
          TX packets:398686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:62376012 (59.4 Mb)  TX bytes:213665520 (203.7 Mb)

gre0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:547770 errors:0 dropped:0 overruns:0 frame:0
          TX packets:547770 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:158819194 (151.4 Mb)  TX bytes:158819194 (151.4 Mb)

tun0      Link encap:Point-to-Point Protocol
          inet addr:10.4.0.1  P-t-P:10.4.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1255  Metric:1
          RX packets:1917 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:155724 (152.0 Kb)  TX bytes:8112 (7.9 Kb)

[root@ns1 root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
10.4.0.2        *               255.255.255.255 UH    0      0        0 tun0
64.42.53.200    *               255.255.255.248 U     0      0        0 eth0
192.168.1.0     10.4.0.2        255.255.255.0   UG    0      0        0 tun0
10.19.227.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         64-42-53-201.at 0.0.0.0         UG    0      0        0 eth0

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Monday, March 24, 2003 8:38 AM
Subject: Re: [Shorewall-users] tcp dump eth1 internal at office

> On Mon, 24 Mar 2003, Mike wrote:
>
> > This is ifconfig -a at home with tun0 10.4.0.2, gma03893 is in the
office
> > lan
> >
>
> Can we see the same outout from the office router? And what is the IP
> address of gma03893?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>
>

On Mon, 24 Mar 2003, Mike wrote:
> office router output
> gma03893-----10.19.227.193
Ok -- check gma03893''s IP configuration. I suspect that it is
configured
as 10.19.227.193/8. 

If this is a problem with a lot of the systems at GM, you would be well 
advised to change your tunnel IP addresses to something in 192.168.x.x or 
172.16.0.0 - 172.31.255.255.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

Hey Tom,
    This is driven me crazy, when you mailed me last a light turned on about
routes to alternate networks when I set this up three years ago
so I added the route 10.19.227.193 which is a satellite to gm it is the
gateway. Right after your mail this morning techs called and could not get
their EEProm data to upload to cars. So I fixed that by adding the route
below then they could program cars
    Changed Tunnel ips and I still cant ping everything same problem. Any
idea''s
The ping below route is a failed icmp request to 10.19.227.193

Thanks
Mike
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
172.16.0.2      *               255.255.255.255 UH    0      0        0 tun0
64.42.53.200    *               255.255.255.248 U     0      0        0 eth0
10.39.227.0     172.16.0.2      255.255.255.0   UG    0      0        0 tun0
10.19.227.0     *               255.255.255.0   U     0      0        0 eth1
10.0.0.0        10.19.227.193   255.0.0.0       UG    0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         64-42-53-201.at 0.0.0.0         UG    0      0        0 eth0
[root@ns1 root]# tcpdump -i tun0
tcpdump: listening on tun0
17:56:39.534325 10.39.227.73 > 10.19.227.193: icmp: echo request
17:56:44.754325 10.39.227.73 > 10.19.227.193: icmp: echo request

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>
Sent: Monday, March 24, 2003 1:12 PM
Subject: Re: [Shorewall-users] tcp dump eth1 internal at office

> Any progress, Mike?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>
>
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>
Sent: Monday, March 24, 2003 1:12 PM
Subject: Re: [Shorewall-users] tcp dump eth1 internal at office

> Any progress, Mike?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>
>

I also changed the home subnet ips 10.39.227.0/24 , to see if that would
help.
Mike
and I added a route to home.up to the gm system

And I still can''t talk to the computers,

Mike

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
172.16.0.1      *               255.255.255.255 UH    0      0        0 tun0
64.42.49.232    *               255.255.255.248 U     0      0        0 eth0
10.39.227.0     *               255.255.255.0   U     0      0        0 eth1
10.19.227.0     172.16.0.1      255.255.255.0   UG    0      0        0 tun0
10.0.0.0        172.16.0.1      255.0.0.0       UG    0      0        0 tun0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         64.42.49.233    0.0.0.0         UG    0      0        0 eth0
[root@ns3 root]#

----- Original Message -----
From: "Mike" <landers@lanlinecomputers.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Monday, March 24, 2003 6:10 PM
Subject: Re: [Shorewall-users] tcp dump eth1 internal at office

> Hey Tom,
>     This is driven me crazy, when you mailed me last a light turned on
about
> routes to alternate networks when I set this up three years ago
> so I added the route 10.19.227.193 which is a satellite to gm it is the
> gateway. Right after your mail this morning techs called and could not get
> their EEProm data to upload to cars. So I fixed that by adding the route
> below then they could program cars
>     Changed Tunnel ips and I still cant ping everything same problem. Any
> idea''s
> The ping below route is a failed icmp request to 10.19.227.193
>
> Thanks
> Mike
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 172.16.0.2      *               255.255.255.255 UH    0      0        0
tun0
> 64.42.53.200    *               255.255.255.248 U     0      0        0
eth0
> 10.39.227.0     172.16.0.2      255.255.255.0   UG    0      0        0
tun0
> 10.19.227.0     *               255.255.255.0   U     0      0        0
eth1
> 10.0.0.0        10.19.227.193   255.0.0.0       UG    0      0        0
eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         64-42-53-201.at 0.0.0.0         UG    0      0        0
eth0
> [root@ns1 root]# tcpdump -i tun0
> tcpdump: listening on tun0
> 17:56:39.534325 10.39.227.73 > 10.19.227.193: icmp: echo request
> 17:56:44.754325 10.39.227.73 > 10.19.227.193: icmp: echo request
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Mike" <landers@lanlinecomputers.com>
> Sent: Monday, March 24, 2003 1:12 PM
> Subject: Re: [Shorewall-users] tcp dump eth1 internal at office
>
>
> > Any progress, Mike?
> >
> > -Tom
> > --
> > Tom Eastep    \ Shorewall - iptables made easy
> > Shoreline,     \ http://shorewall.sf.net
> > Washington USA  \ teastep@shorewall.net
> >
> >
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Mike" <landers@lanlinecomputers.com>
> Sent: Monday, March 24, 2003 1:12 PM
> Subject: Re: [Shorewall-users] tcp dump eth1 internal at office
>
>
> > Any progress, Mike?
> >
> > -Tom
> > --
> > Tom Eastep    \ Shorewall - iptables made easy
> > Shoreline,     \ http://shorewall.sf.net
> > Washington USA  \ teastep@shorewall.net
> >
> >
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

On Mon, 24 Mar 2003, Mike wrote:
> I also changed the home subnet ips 10.39.227.0/24 , to see if that would
> help.
MIKE -- CHANGE THE TUNNEL IP ADDRESSES, NOT YOUR HOME IP ADDRESSES!!!!!

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

This is a tcp dump at theoffice eth1 internal nic, when trying to ping the
10.19.227.193 from home through the tunnel. I took the name out of dns
gma03893 for troubleshooting
18:21:04.864325 partsmanager.227.19.10.in-addr.arpa.1130 >
211.58.56.250.8700: . ack 235722 win 8356 (DF)
18:21:04.894325 10.39.227.73 > 10.19.227.193: icmp: echo request
18:21:04.894325 arp who-has 10.39.227.73 tell 10.19.227.193
18:21:04.934325 211.58.56.250.8700 >
partsmanager.227.19.10.in-addr.arpa.1130: P 235722:237182(1460) ack 1 win
17138 (DF)


----- Original Message -----
From: "Mike" <landers@lanlinecomputers.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Monday, March 24, 2003 6:10 PM
Subject: Re: [Shorewall-users] tcp dump eth1 internal at office

> Hey Tom,
>     This is driven me crazy, when you mailed me last a light turned on
about
> routes to alternate networks when I set this up three years ago
> so I added the route 10.19.227.193 which is a satellite to gm it is the
> gateway. Right after your mail this morning techs called and could not get
> their EEProm data to upload to cars. So I fixed that by adding the route
> below then they could program cars
>     Changed Tunnel ips and I still cant ping everything same problem. Any
> idea''s
> The ping below route is a failed icmp request to 10.19.227.193
>
> Thanks
> Mike
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 172.16.0.2      *               255.255.255.255 UH    0      0        0
tun0
> 64.42.53.200    *               255.255.255.248 U     0      0        0
eth0
> 10.39.227.0     172.16.0.2      255.255.255.0   UG    0      0        0
tun0
> 10.19.227.0     *               255.255.255.0   U     0      0        0
eth1
> 10.0.0.0        10.19.227.193   255.0.0.0       UG    0      0        0
eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         64-42-53-201.at 0.0.0.0         UG    0      0        0
eth0
> [root@ns1 root]# tcpdump -i tun0
> tcpdump: listening on tun0
> 17:56:39.534325 10.39.227.73 > 10.19.227.193: icmp: echo request
> 17:56:44.754325 10.39.227.73 > 10.19.227.193: icmp: echo request
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Mike" <landers@lanlinecomputers.com>
> Sent: Monday, March 24, 2003 1:12 PM
> Subject: Re: [Shorewall-users] tcp dump eth1 internal at office
>
>
> > Any progress, Mike?
> >
> > -Tom
> > --
> > Tom Eastep    \ Shorewall - iptables made easy
> > Shoreline,     \ http://shorewall.sf.net
> > Washington USA  \ teastep@shorewall.net
> >
> >
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Mike" <landers@lanlinecomputers.com>
> Sent: Monday, March 24, 2003 1:12 PM
> Subject: Re: [Shorewall-users] tcp dump eth1 internal at office
>
>
> > Any progress, Mike?
> >
> > -Tom
> > --
> > Tom Eastep    \ Shorewall - iptables made easy
> > Shoreline,     \ http://shorewall.sf.net
> > Washington USA  \ teastep@shorewall.net
> >
> >
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

On Mon, 24 Mar 2003, Mike wrote:
> This is a tcp dump at theoffice eth1 internal nic, when trying to ping the
> 10.19.227.193 from home through the tunnel. I took the name out of dns
> gma03893 for troubleshooting
Possibly you should "man tcpdump" and study the "-n"
option....
> 18:21:04.864325 partsmanager.227.19.10.in-addr.arpa.1130 >
> 211.58.56.250.8700: . ack 235722 win 8356 (DF)
> 18:21:04.894325 10.39.227.73 > 10.19.227.193: icmp: echo request
> 18:21:04.894325 arp who-has 10.39.227.73 tell 10.19.227.193
> 18:21:04.934325 211.58.56.250.8700 >
> partsmanager.227.19.10.in-addr.arpa.1130: P 235722:237182(1460) ack 1 win
> 17138 (DF)
> 
Mike, as I told you in my last shouted post you have made things worse, 
not better. Either fix the IP configurations of the systems at GM (no 
255.0.0.0 netmasks) or:

a) Change your home net back to 192.168.1.0/24; and
b) Change the tunnel IP addresses to something NOT IN 10.0.0.0/8...

Don''t post again until you have done one or the other and tested...

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

On Mon, 24 Mar 2003, Tom Eastep wrote:
> Mike, as I told you in my last shouted post you have made things worse, 
> not better. Either fix the IP configurations of the systems at GM (no 
> 255.0.0.0 netmasks) or:
> 
> a) Change your home net back to 192.168.1.0/24; and
> b) Change the tunnel IP addresses to something NOT IN 10.0.0.0/8...
> 
> Don''t post again until you have done one or the other and
tested...
And if you need some quick background to help you understand what I''m 
talking about, check out:

http://www.shorewall.net/shorewall_setup_guide.htm#Addressing

That page gives you a very breif overview of addressing, routing and ARP
that should let you look at the traces you have been sending me and
see why your setup is failing.

Good Luck...

-Tom 
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

One thing I thought I should make clear, I CAN ping 90% of the nodes in the
office network
> Well, at least now hosts on one side of the tunnel aren''t trying
to ARP
> for the MAC of hosts on the other side of the tunnel. Is the office
> Shorewall box the default gateway for that office? Because you can see the
> ping from your home box is reaching the local side of the office gateway
> but you don''t see any replies. So either the ping isn''t
reaching
> 10.19.227.193 or that box is sending its reply somewhere else (and since
> the office network is switched, tcpdump can''t see it).
I ran this dump this morning at office: This is a lexmark t620 network
printer10.19.227.80 all tcpdumps are eth1 shorewall office
I think it is still arping for this node not sure?

07:47:05.321832 192.168.1.73 > 10.19.227.80: icmp: echo request
07:47:05.321832 arp who-has 10.19.227.80 tell 10.19.227.80
07:47:05.351832 10.19.227.84.1185 > 10.19.227.20.squid: . ack 802 win 7959
(DF)
07:47:15.821832 arp who-has 10.19.227.80 tell 10.19.227.20
07:47:15.821832 arp reply 10.19.227.80 is-at 0:4:0:6f:93:58
07:47:16.321832 192.168.1.73 > 10.19.227.80: icmp:
echo request
07:54:25.371832 192.168.1.73 > 10.19.227.80: icmp: echo request
07:54:25.371832 arp who-has 10.19.227.80 tell 10.19.227.80

This is Gm''s Gateway, I tried to ping from home

07:56:49.891832 192.168.1.73 > 10.19.227.193: icmp: echo request
Does not arp, but fails
>
> > and by adding the route 10.0.0.0/8 into the table has worked, to allow
> > access to it and our T-1 for two segments out of the building
>
> I have no idea what that said. Adding a route where? What is "it"
as
> in "...allow access to it.
..
There is two gateways, Gm private 10.19.227.193 sattelite, and shorewall
10.19.227.20 eth1, Frac T-1
Most traffic is routed through shorewall to the net, the gm gateway is for
private traffic IE: ordering cars

Mike

On Tue, 25 Mar 2003, Mike wrote:
> One thing I thought I should make clear, I CAN ping 90% of the nodes in the
> office network
> 
> > Well, at least now hosts on one side of the tunnel aren''t
trying to ARP
> > for the MAC of hosts on the other side of the tunnel. Is the office
> > Shorewall box the default gateway for that office? Because you can see
the
> > ping from your home box is reaching the local side of the office
gateway
> > but you don''t see any replies. So either the ping
isn''t reaching
> > 10.19.227.193 or that box is sending its reply somewhere else (and
since
> > the office network is switched, tcpdump can''t see it).
> 
> I ran this dump this morning at office: This is a lexmark t620 network
> printer10.19.227.80 all tcpdumps are eth1 shorewall office
> I think it is still arping for this node not sure?
> 
> 07:47:05.321832 192.168.1.73 > 10.19.227.80: icmp: echo request
> 07:47:05.321832 arp who-has 10.19.227.80 tell 10.19.227.80
> 07:47:05.351832 10.19.227.84.1185 > 10.19.227.20.squid: . ack 802 win
7959
> (DF)
> 07:47:15.821832 arp who-has 10.19.227.80 tell 10.19.227.20
> 07:47:15.821832 arp reply 10.19.227.80 is-at 0:4:0:6f:93:58
> 07:47:16.321832 192.168.1.73 > 10.19.227.80: icmp:
> echo request
> 07:54:25.371832 192.168.1.73 > 10.19.227.80: icmp: echo request
> 07:54:25.371832 arp who-has 10.19.227.80 tell 10.19.227.80
> 
This printer seems confused -- it is sending ARP "who-has" for its own
IP
address in response to a ping from 192.168.1.73. Again, WHAT IS THE 
CONFIGURED DEFAULT GATEWAY OF THIS PRINTER?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net