PS: in earlier attachments the office and home folders are reversed in regards to openvpn folders.

Don't know if this will help; this is three different ping requests from home to office, monitoring the office tcpdump on ssh at home on a XP machine. The pings originate from the XP machine as well (my computer) except when I am pinging from the home firewall to the office, which is the last ping below.

This ping is from my machine 192.168.1.73 from home to office SCO box; it always does an arp request, has never given me a reply on the VPN

00:38:25.954325 arp who-has 10.19.227.194 tell ns1.227.19.10.in-addr.arpa
00:38:25.954325 arp reply 10.19.227.194 is-at 8:0:69:5:7a:b3
00:38:25.954325 192.168.1.73 > 10.19.227.194: icmp: echo request

This ping is from my machine as well to a XP workstation at the office, it is always successful in reply
As all pings I have tried to windows workstations are successful (I have tried about 15 workstations)

00:42:49.854325 192.168.1.73 > trevor.227.19.10.in-addr.arpa: icmp: echo request
00:42:49.854325 trevor.227.19.10.in-addr.arpa > 192.168.1.73: icmp: echo reply

This ping is to a GM NT server at the office, always no reply. I noticed it's trying to reply to the virtual tun at home (don't know if it can deal with mac address?)

00:45:05.974325 10.4.0.2 > gma03893.icmp: echo request (DF)
00:45:05.974325 arp who-has 10.4.0.2 tell gma03893
00:45:06.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
00:45:06.974325 arp who-has 10.4.0.2 tell gma03893.
00:45:07.714325 802.1d config 8000.00:06:53:e4:1e:80.8018 root 8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:45:07.974325 10.4.0.2 > gma03893: icmp: echo request (DF)
00:45:07.974325 arp who-has 10.4.0.2 tell gma03893.
00:45:08.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
00:45:08.974325 arp who-has 10.4.0.2 tell gma03893
00:45:09.724325 802.1d config 8000.00:06:53:e4:1e:80.8018 root 8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:45:09.974325 10.4.0.2 > gma03893: icmp: echo request (DF)

On Mon, 24 Mar 2003, Mike wrote:

> This ping is from my machine as well to a XP workstation at the office, it is always successful in reply
> As all pings I have tried to windows workstations are successful (I have tried about 15 workstations)
>
> 00:42:49.854325 192.168.1.73 > trevor.227.19.10.in-addr.arpa: icmp: echo request
> 00:42:49.854325 trevor.227.19.10.in-addr.arpa > 192.168.1.73: icmp: echo reply
>
> This ping is to a GM NT server at the office, always no reply. I noticed
> it's trying to reply to the virtual tun at home (don't know if it can
> deal with mac address?)
>
> 00:45:05.974325 10.4.0.2 > gma03893.icmp: echo request (DF)
> 00:45:05.974325 arp who-has 10.4.0.2 tell gma03893
> 00:45:06.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
> 00:45:06.974325 arp who-has 10.4.0.2 tell gma03893.
> 00:45:07.714325 802.1d config 8000.00:06:53:e4:1e:80.8018 root 8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
> 00:45:07.974325 10.4.0.2 > gma03893: icmp: echo request (DF)
> 00:45:07.974325 arp who-has 10.4.0.2 tell gma03893.
> 00:45:08.974325 10.4.0.2 > gma03893.: icmp: echo request (DF)
> 00:45:08.974325 arp who-has 10.4.0.2 tell gma03893
> 00:45:09.724325 802.1d config 8000.00:06:53:e4:1e:80.8018 root 8000.00:06:53:e4:1e:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
> 00:45:09.974325 10.4.0.2 > gma03893: icmp: echo request (DF)
>

Ok gma03893 thinks it is on the same lan as 10.4.0.2 so it is arping -- I don't have time to spend this morning digging through everything you've sent (after all, this isn't even a Shorewall problem as you admit) but is that correct -- are gma03893 and 10.4.0.2 on the same LAN segment? If they are then the problem is in that LAN segment. If they are not on the same LAN segment then there is a routing problem.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

This is ifconfig -a at home with tun0 10.4.0.2, gma03893 is in the office lan

eth0      Link encap:Ethernet  HWaddr 00:A0:CC:5A:81:F4
          inet addr:64.42.49.235  Bcast:64.42.49.239  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:68259 errors:1 dropped:0 overruns:0 frame:0
          TX packets:57142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11
          RX bytes:25265284 (24.0 Mb)  TX bytes:25073372 (23.9 Mb)

eth1      Link encap:Ethernet  HWaddr 00:50:04:03:93:CB
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59592 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:86
          RX bytes:25397658 (24.2 Mb)  TX bytes:25901526 (24.7 Mb)

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:2850 (2.7 Kb)  TX bytes:2850 (2.7 Kb)

tun0      Link encap:Point-to-Point Protocol
          inet addr:10.4.0.2  P-t-P:10.4.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1255  Metric:1
          RX packets:105 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1891 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:6636 (6.4 Kb)  TX bytes:153948 (150.3 Kb)

On Mon, 24 Mar 2003, Mike wrote:

> This is ifconfig -a at home with tun0 10.4.0.2, gma03893 is in the office
> lan
>

Can we see the same output from the office router? And what is the IP address of gma03893?

-Tom

office router output
gma03893-----10.19.227.193

mike

eth0      Link encap:Ethernet  HWaddr 00:48:54:83:7E:41
          inet addr:64.42.53.202  Bcast:64.42.53.207  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:174519 errors:0 dropped:0 overruns:0 frame:0
          TX packets:173412 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1239
          RX bytes:92467106 (88.1 Mb)  TX bytes:28545982 (27.2 Mb)

eth1      Link encap:Ethernet  HWaddr 00:50:FC:75:0C:B9
          inet addr:10.19.227.20  Bcast:10.19.227.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:456023 errors:0 dropped:0 overruns:0 frame:0
          TX packets:398686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:62376012 (59.4 Mb)  TX bytes:213665520 (203.7 Mb)

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:547770 errors:0 dropped:0 overruns:0 frame:0
          TX packets:547770 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:158819194 (151.4 Mb)  TX bytes:158819194 (151.4 Mb)

tun0      Link encap:Point-to-Point Protocol
          inet addr:10.4.0.1  P-t-P:10.4.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1255  Metric:1
          RX packets:1917 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:155724 (152.0 Kb)  TX bytes:8112 (7.9 Kb)

[root@ns1 root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.4.0.2        *               255.255.255.255 UH    0      0        0 tun0
64.42.53.200    *               255.255.255.248 U     0      0        0 eth0
192.168.1.0     10.4.0.2        255.255.255.0   UG    0      0        0 tun0
10.19.227.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         64-42-53-201.at 0.0.0.0         UG    0      0        0 eth0

On Mon, 24 Mar 2003, Mike wrote:

> office router output
> gma03893-----10.19.227.193

Ok -- check gma03893's IP configuration. I suspect that it is configured as 10.19.227.193/8. If this is a problem with a lot of the systems at GM, you would be well advised to change your tunnel IP addresses to something in 192.168.x.x or 172.16.0.0 - 172.31.255.255.

-Tom

Hey Tom,

This has driven me crazy. When you mailed me last a light turned on about routes to alternate networks when I set this up three years ago, so I added the route 10.19.227.193 which is a satellite to gm, it is the gateway. Right after your mail this morning techs called and could not get their EEProm data to upload to cars. So I fixed that by adding the route below, then they could program cars.

Changed tunnel ips and I still can't ping everything, same problem. Any ideas?

The ping below route is a failed icmp request to 10.19.227.193

Thanks
Mike

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.2      *               255.255.255.255 UH    0      0        0 tun0
64.42.53.200    *               255.255.255.248 U     0      0        0 eth0
10.39.227.0     172.16.0.2      255.255.255.0   UG    0      0        0 tun0
10.19.227.0     *               255.255.255.0   U     0      0        0 eth1
10.0.0.0        10.19.227.193   255.0.0.0       UG    0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         64-42-53-201.at 0.0.0.0         UG    0      0        0 eth0

[root@ns1 root]# tcpdump -i tun0
tcpdump: listening on tun0
17:56:39.534325 10.39.227.73 > 10.19.227.193: icmp: echo request
17:56:44.754325 10.39.227.73 > 10.19.227.193: icmp: echo request

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>
Sent: Monday, March 24, 2003 1:12 PM
Subject: Re: [Shorewall-users] tcp dump eth1 internal at office

> Any progress, Mike?
>
> -Tom

I also changed the home subnet ips 10.39.227.0/24 , to see if that would help. Mike and I added a route to home.up to the gm system And I still can't talk to the computers,
Mike

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.1      *               255.255.255.255 UH    0      0        0 tun0
64.42.49.232    *               255.255.255.248 U     0      0        0 eth0
10.39.227.0     *               255.255.255.0   U     0      0        0 eth1
10.19.227.0     172.16.0.1      255.255.255.0   UG    0      0        0 tun0
10.0.0.0        172.16.0.1      255.0.0.0       UG    0      0        0 tun0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         64.42.49.233    0.0.0.0         UG    0      0        0 eth0
[root@ns3 root]#

On Mon, 24 Mar 2003, Mike wrote:

> I also changed the home subnet ips 10.39.227.0/24 , to see if that would
> help.

MIKE -- CHANGE THE TUNNEL IP ADDRESSES, NOT YOUR HOME IP ADDRESSES!!!!!

-Tom

This is a tcp dump at the office eth1 internal nic, when trying to ping the 10.19.227.193 from home through the tunnel. I took the name out of dns gma03893 for troubleshooting

18:21:04.864325 partsmanager.227.19.10.in-addr.arpa.1130 > 211.58.56.250.8700: . ack 235722 win 8356 (DF)
18:21:04.894325 10.39.227.73 > 10.19.227.193: icmp: echo request
18:21:04.894325 arp who-has 10.39.227.73 tell 10.19.227.193
18:21:04.934325 211.58.56.250.8700 > partsmanager.227.19.10.in-addr.arpa.1130: P 235722:237182(1460) ack 1 win 17138 (DF)

On Mon, 24 Mar 2003, Mike wrote:

> This is a tcp dump at the office eth1 internal nic, when trying to ping the
> 10.19.227.193 from home through the tunnel. I took the name out of dns
> gma03893 for troubleshooting

Possibly you should "man tcpdump" and study the "-n" option....

> 18:21:04.864325 partsmanager.227.19.10.in-addr.arpa.1130 > 211.58.56.250.8700: . ack 235722 win 8356 (DF)
> 18:21:04.894325 10.39.227.73 > 10.19.227.193: icmp: echo request
> 18:21:04.894325 arp who-has 10.39.227.73 tell 10.19.227.193
> 18:21:04.934325 211.58.56.250.8700 > partsmanager.227.19.10.in-addr.arpa.1130: P 235722:237182(1460) ack 1 win 17138 (DF)
>

Mike, as I told you in my last shouted post you have made things worse, not better. Either fix the IP configurations of the systems at GM (no 255.0.0.0 netmasks) or:

a) Change your home net back to 192.168.1.0/24; and
b) Change the tunnel IP addresses to something NOT IN 10.0.0.0/8...

Don't post again until you have done one or the other and tested...

-Tom

On Mon, 24 Mar 2003, Tom Eastep wrote:

> Mike, as I told you in my last shouted post you have made things worse,
> not better. Either fix the IP configurations of the systems at GM (no
> 255.0.0.0 netmasks) or:
>
> a) Change your home net back to 192.168.1.0/24; and
> b) Change the tunnel IP addresses to something NOT IN 10.0.0.0/8...
>
> Don't post again until you have done one or the other and tested...

And if you need some quick background to help you understand what I'm talking about, check out:

http://www.shorewall.net/shorewall_setup_guide.htm#Addressing

That page gives you a very brief overview of addressing, routing and ARP that should let you look at the traces you have been sending me and see why your setup is failing.

Good Luck...

-Tom

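Added example (not part of the original thread, and not Shorewall code): a Python sketch of the on-link decision behind the traces in this thread, plus a check that flags ARP requests for addresses outside the office LAN. It assumes, as Tom suspects, that 10.19.227.193 has a 255.0.0.0 netmask, and that its router is the office Shorewall box 10.19.227.20; the function names are hypothetical.

```python
import ipaddress
import re

# Office LAN as configured on the office router's eth1 in the thread.
OFFICE_LAN = ipaddress.ip_network("10.19.227.0/24")
# Assumption: the GM host hands off-link traffic to the office Shorewall box.
ASSUMED_ROUTER = "10.19.227.20"

# Matches tcpdump's "arp who-has <target> tell <asker>", tolerating the
# trailing dot tcpdump prints after unqualified host names.
ARP_RE = re.compile(r"arp who-has (\S+?)\.? tell (\S+?)\.?$")


def next_hop(host_ip, netmask, dest, router=ASSUMED_ROUTER):
    """Decide how a host delivers a packet to dest.

    A host ARPs for dest only when dest falls inside the network implied by
    its OWN address and netmask; otherwise it hands the packet to its router.
    """
    local_net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    if ipaddress.ip_address(dest) in local_net:
        return ("arp", dest)
    return ("router", router)


def off_lan_arp_requests(lines, lan=OFFICE_LAN):
    """Return (asker, target) for each ARP request whose target is not on lan.

    Such a request means the asker believes a remote address is on-link,
    which is the signature of a netmask that is too wide.
    """
    hits = []
    for line in lines:
        match = ARP_RE.search(line.strip())
        if not match:
            continue
        target, asker = match.groups()
        try:
            target_ip = ipaddress.ip_address(target)
        except ValueError:
            continue  # target printed as a host name (tcpdump without -n)
        if target_ip not in lan:
            hits.append((asker, str(target_ip)))
    return hits


# Trace lines copied from the messages in this thread.
TRACE = [
    "00:45:05.974325 10.4.0.2 > gma03893.icmp: echo request (DF)",
    "00:45:05.974325 arp who-has 10.4.0.2 tell gma03893",
    "00:45:06.974325 arp who-has 10.4.0.2 tell gma03893.",
    "18:21:04.894325 10.39.227.73 > 10.19.227.193: icmp: echo request",
    "18:21:04.894325 arp who-has 10.39.227.73 tell 10.19.227.193",
    "07:47:15.821832 arp who-has 10.19.227.80 tell 10.19.227.20",
]

if __name__ == "__main__":
    gm = "10.19.227.193"
    for mask in ("255.0.0.0", "255.255.255.0"):
        for dest in ("10.4.0.2", "10.39.227.73", "172.16.0.2", "192.168.1.73"):
            print(f"{gm}/{mask} -> {dest}: {next_hop(gm, mask, dest)}")
    for asker, target in off_lan_arp_requests(TRACE):
        print(f"{asker} ARPs for off-LAN address {target}")
```

Under the assumed /8 mask the GM host ARPs for both the original tunnel address 10.4.0.2 and the renumbered home address 10.39.227.73, while 172.16.0.2 and 192.168.1.73 are sent to a router.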
One thing I thought I should make clear, I CAN ping 90% of the nodes in the office network

> Well, at least now hosts on one side of the tunnel aren't trying to ARP
> for the MAC of hosts on the other side of the tunnel. Is the office
> Shorewall box the default gateway for that office? Because you can see the
> ping from your home box is reaching the local side of the office gateway
> but you don't see any replies. So either the ping isn't reaching
> 10.19.227.193 or that box is sending its reply somewhere else (and since
> the office network is switched, tcpdump can't see it).

I ran this dump this morning at office: This is a lexmark t620 network printer 10.19.227.80; all tcpdumps are eth1 shorewall office
I think it is still arping for this node, not sure?

07:47:05.321832 192.168.1.73 > 10.19.227.80: icmp: echo request
07:47:05.321832 arp who-has 10.19.227.80 tell 10.19.227.80
07:47:05.351832 10.19.227.84.1185 > 10.19.227.20.squid: . ack 802 win 7959 (DF)
07:47:15.821832 arp who-has 10.19.227.80 tell 10.19.227.20
07:47:15.821832 arp reply 10.19.227.80 is-at 0:4:0:6f:93:58
07:47:16.321832 192.168.1.73 > 10.19.227.80: icmp: echo request
07:54:25.371832 192.168.1.73 > 10.19.227.80: icmp: echo request
07:54:25.371832 arp who-has 10.19.227.80 tell 10.19.227.80

This is Gm's Gateway, I tried to ping from home

07:56:49.891832 192.168.1.73 > 10.19.227.193: icmp: echo request

Does not arp, but fails

> > and by adding the route 10.0.0.0/8 into the table has worked, to allow
> > access to it and our T-1 for two segments out of the building
>
> I have no idea what that said. Adding a route where? What is "it" as
> in "...allow access to it...

There are two gateways: Gm private 10.19.227.193 satellite, and shorewall 10.19.227.20 eth1, Frac T-1
Most traffic is routed through shorewall to the net; the gm gateway is for private traffic, IE: ordering cars

Mike

On Tue, 25 Mar 2003, Mike wrote:

> One thing I thought I should make clear, I CAN ping 90% of the nodes in the
> office network
>
> > Well, at least now hosts on one side of the tunnel aren't trying to ARP
> > for the MAC of hosts on the other side of the tunnel. Is the office
> > Shorewall box the default gateway for that office? Because you can see the
> > ping from your home box is reaching the local side of the office gateway
> > but you don't see any replies. So either the ping isn't reaching
> > 10.19.227.193 or that box is sending its reply somewhere else (and since
> > the office network is switched, tcpdump can't see it).
>
> I ran this dump this morning at office: This is a lexmark t620 network
> printer10.19.227.80 all tcpdumps are eth1 shorewall office
> I think it is still arping for this node not sure?
>
> 07:47:05.321832 192.168.1.73 > 10.19.227.80: icmp: echo request
> 07:47:05.321832 arp who-has 10.19.227.80 tell 10.19.227.80
> 07:47:05.351832 10.19.227.84.1185 > 10.19.227.20.squid: . ack 802 win 7959 (DF)
> 07:47:15.821832 arp who-has 10.19.227.80 tell 10.19.227.20
> 07:47:15.821832 arp reply 10.19.227.80 is-at 0:4:0:6f:93:58
> 07:47:16.321832 192.168.1.73 > 10.19.227.80: icmp: echo request
> 07:54:25.371832 192.168.1.73 > 10.19.227.80: icmp: echo request
> 07:54:25.371832 arp who-has 10.19.227.80 tell 10.19.227.80
>

This printer seems confused -- it is sending ARP "who-has" for its own IP address in response to a ping from 192.168.1.73. Again, WHAT IS THE CONFIGURED DEFAULT GATEWAY OF THIS PRINTER?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net