Johnson, S
2004-Jul-20 21:06 UTC
supernetting issue with rules/nat with 2 class C networks
I don't know exactly where the issue is yet, I hope someone out there has an idea...

I recently changed over to a new ISP with 2 class C networks bonded together as one using the subnet mask 255.255.254.0.

My network consists of the following:

net
loc
dmz

I can access all the resources from the Internet just fine (outside our 2 class C's).

From a computer that sits between the router and the firewall I cannot access anything in the DMZ when I have an IP address assigned to the second class C. If I have an address assigned from the first class C, I can access all resources on the DMZ just fine.

From the firewall I have an outside address that sits within the first class C. When I try to ping the default gateway, which sits in the 2nd class C, it says it's pinging from the first NATed address in the NAT table for the 2nd class C, NOT the address on the NIC, which is in the 1st class C. If I try to ping an address that exists in the 1st class C, it's able to ping just fine and shows that the origin is the NIC address. (Confusing, I know.)

Ok. Next, even though I cannot ping the next upstream router from the firewall, I can get to the Internet just fine. So it is seeing the default gateway, it's just not able to ping it.

When I follow the log I see the following message repeated for the ICMP packets from the computer that sits between the default gateway and the firewall:

Jul 20 15:03:50 fw kernel: Shorewall:net2all:DROP:IN=eth2 OUT=eth1 SRC=XX.XX.133.133 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=15123 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=61970

I've tried to explicitly allow that host through to no avail. I've verified and re-verified that the subnet masks match fine. I'm beginning to believe that there's an issue with the supernetting and Shorewall.

Does anyone have any idea what is going on with this?

TIA.
Scott
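The log line Scott quotes is in the standard Shorewall/netfilter LOG format: a "Shorewall:<chain>:<action>:" prefix followed by KEY=VALUE fields. Two facts are worth pulling out of it mechanically before guessing at the rulesets: whether the SRC address really falls inside the site's /23 supernet (the thing he doubts), and that the DST is an RFC 1918 address, i.e. the DMZ host was addressed by its private IP rather than by a NATed public one. The parser below is an added example and is not code from the thread or from the Shorewall project. The public /23 it checks against (64.8.132.0/23) is Tom's inference from the headers, not a confirmed value, and the two sample log lines are constructed to match the format of the one in the post (the masked XX.XX octets are not filled in; different hosts are used instead).

```python
"""Parse Shorewall kernel log lines and annotate drops (added example).

Addresses in SAMPLE_LOG are constructed. SITE_SUPERNET mirrors Tom's
guess at the two class Cs joined by mask 255.255.254.0; it is an
assumption, not a value confirmed in the thread.
"""
import ipaddress
import re

# "Shorewall:<chain>:<action>:" is Shorewall's --log-prefix; what follows
# is netfilter's LOG target output, a run of KEY=VALUE tokens.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

# Assumed site supernet (Tom's inference), i.e. 64.8.132.0/255.255.254.0.
SITE_SUPERNET = ipaddress.ip_network("64.8.132.0/23")

# Constructed sample lines in the same format as the one in the post.
SAMPLE_LOG = [
    "Jul 20 15:03:50 fw kernel: Shorewall:net2all:DROP:IN=eth2 OUT=eth1 "
    "SRC=64.8.133.77 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=31 "
    "ID=15123 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=61970",
    "Jul 20 15:04:12 fw kernel: Shorewall:net2all:DROP:IN=eth2 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.9 "
    "DST=64.8.132.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4421 DF "
    "PROTO=TCP SPT=40312 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def parse_log_line(line):
    """Return {'chain', 'action', KEY: VALUE, ...} or None if not a Shorewall line.

    Note: an ICMP entry carries two ID= fields (IP header ID, then ICMP
    echo ID); the later one wins in the dict, which is fine for triage.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val
    return rec


def classify(rec, supernet=SITE_SUPERNET):
    """Annotate a parsed record with the checks an admin wants first."""
    src = ipaddress.ip_address(rec["SRC"])
    dst = ipaddress.ip_address(rec["DST"])
    return {
        "chain": rec["chain"],                 # zone pair, e.g. net2all
        "action": rec["action"],               # DROP / REJECT / ACCEPT
        "in": rec.get("IN", ""),
        "out": rec.get("OUT", ""),             # empty => addressed to the firewall itself
        "src_in_site_supernet": src in supernet,
        "dst_is_private": dst.is_private,      # RFC 1918 destination?
        "proto": rec.get("PROTO", ""),
        "icmp_type": rec.get("TYPE"),          # only present for ICMP
    }


def analyse(lines, supernet=SITE_SUPERNET):
    """Parse and classify every Shorewall line; skip anything else."""
    results = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or "SRC" not in rec or "DST" not in rec:
            continue
        results.append(classify(rec, supernet))
    return results


def supernet_facts(mask="255.255.254.0", first_class_c="64.8.132.0"):
    """Show that mask 255.255.254.0 joins two adjacent /24s into one /23."""
    net = ipaddress.ip_network(f"{first_class_c}/{mask}", strict=False)
    return net.prefixlen, [str(s) for s in net.subnets(new_prefix=24)]


if __name__ == "__main__":
    print(supernet_facts())
    for r in analyse(SAMPLE_LOG):
        print(r)
```

Run against the first constructed line, the output confirms the supernet is fine (the .133 host is inside the /23) and shows the packet was dropped by the net2all policy on its way to a 192.168.x destination out eth1, with OUT set, so it was a forwarded packet, not one aimed at the firewall. That narrows the question to how the DMZ host's private address is meant to be reached from the net zone, rather than to the mask.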
Tom Eastep
2004-Jul-20 21:35 UTC
Re: supernetting issue with rules/nat with 2 class C networks
Johnson, S wrote:
> I don't know exactly where the issue is yet, I hope someone out there
> has an idea...
>
> I recently changed over to a new ISP with 2 class C networks bonded
> together as one using the subnet mask 255.255.254.0.
>
> My network consists of the following:
>
> net
> loc
> dmz
>
> I can access all the resources from the Internet just fine (outside our
> 2 class C's)
>
> From a computer that sits between the router and the firewall I cannot
> access anything in the DMZ when I have an IP address assigned to the
> second class C. If I have an address assigned from the first class C, I
> can access all resources on the DMZ just fine.
>
> From the firewall I have an outside address that sits within the first
> class C. When I try to ping the default gateway which sits in the 2nd
> class C it says it's pinging from the first NATed address in the NAT
> table for the 2nd class C NOT the address on the NIC which is in the 1st
> class C. If I try to ping an address that exists in the 1st class C,
> it's able to ping just fine and shows that the origin is from the NIC
> address. (confusing I know)

Scott -- All of us here are smart enough to figure out from your SMTP headers and your "disguised" log message that your two class C networks are probably 64.8.132.0/23. Given that's the case, please give us the real IP addresses and your real IP and Shorewall configuration information and we'll try to help you. Trying to feed us this confused prose and vague descriptions of your problem with no configuration information isn't going to get your problem solved and is just going to annoy those of us who might be able to help.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net