Erik
2005-Mar-20 10:51 UTC
Client Behind Router can't get internet & cannot do forwarding...
I ask here after giving up reading and following all the documentation..

I got 3 NICs:

eth0: 222.222.222.222
netmask: 255.255.255.252
gateway: 222.222.222.221

eth1: 10.10.10.254
netmask: 255.255.255.0
gateway: blank

eth2: 10.10.11.254
netmask: 255.255.255.0
gateway: blank

I'm running Red Hat 9 and Shorewall 2.2.2.

eth0 connected to DSL modem (static IP)
eth1 connected to D-Link router (for office network)
eth2 connected to hub/switch (for DMZ)

My D-Link conf:
WAN setting
ip: 10.10.10.1
netmask: 255.255.255.0
gateway: 10.10.10.254

D-Link office clients are using DHCP:
ip: 192.168.0.1
netmask: 255.255.255.0

I got 2 big problems after running Shorewall:

1) Forward my static IP (222.222.222.222) to my local webserver in the DMZ area (10.10.11.10) at port 80. My LAN is disallowed to 10.10.11.10 but has to use 222.222.222.222 to access the webserver. But I failed to do this... don't know what is the problem.

2) Office network cannot get the internet from the D-Link router. But when I connect eth1 directly to a single PC, yes I can get the internet.

Glad if there is a help.

cout<<"Erik";
Mark D. Montgomery II
2005-Mar-20 13:22 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Erik wrote:
> 1) Forward my static IP (222.222.222.222) to my local webserver in the DMZ area (10.10.11.10) at port 80. My LAN is disallowed to 10.10.11.10 but has to use 222.222.222.222 to access the webserver. But I failed to do this... don't know what is the problem.

I'm sure Tom will correct me if I'm wrong given your setup :), but connections that leave the router and then try to loop back into the router using the external connection address don't work.

> 2) Office network cannot get the internet from the D-Link router. But when I connect eth1 directly to a single PC, yes I can get the internet.

As for this, it's hard to know without seeing the Shorewall config and other stuff, but it sounds like a config error somewhere or other.

> Glad if there is a help.
>
> cout<<"Erik";

Mark II
--
END
-----------------------------------
TechieM2 (Mark D. Montgomery II)
https://techiem2.no-ip.com
techiem2@techiem2.net
Isaiah 40:28-31
-----------------------------------
Konfucius: Naco mas google, mantak ?
-----------------------------------
Erik
2005-Mar-20 13:34 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Thank you for the reply.

1) I don't quite understand your meaning on the first answer.

--- "Mark D. Montgomery II" <techiem2@techiem2.net> wrote:
> I'm sure Tom will correct me if I'm wrong given your setup :), but
> connections that leave the router and then try to loop back into the
> router using the external connection address don't work.
>
> As for this, it's hard to know without seeing the Shorewall config and
> other stuff, but it sounds like a config error somewhere or other.
>
> Mark II
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

cout<<"Erik";
Tom Eastep
2005-Mar-20 16:13 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Erik wrote:
> 1) Forward my static IP (222.222.222.222) to my local webserver in the DMZ area (10.10.11.10) at port 80. My LAN is disallowed to 10.10.11.10 but has to use 222.222.222.222 to access the webserver. But I failed to do this... don't know what is the problem.

I'm sorry -- from your description, I don't understand what problem you are seeing. And given that you have not told us one single thing about your Shorewall configuration, I don't know how you expect us to help you.

> 2) Office network cannot get the internet from the D-Link router. But when I connect eth1 directly to a single PC, yes I can get the internet.

Do you have the proper routes to the office network set up on your firewall?

> Glad if there is a help.

Please see http://shorewall.net/support.htm#Guidelines for the information that we need to diagnose these sorts of problems.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Cristian Rodriguez
2005-Mar-20 17:39 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
On Sun, 20 Mar 2005 10:51:20 +0000 (GMT), Erik <hezry79@yahoo.com> wrote:
> I'm running Red Hat 9 and Shorewall 2.2.2.

oops..get a supported distro first ¡¡

> I got 2 big problems after running Shorewall:
>
> 1) Forward my static IP (222.222.222.222) to my local webserver in the DMZ area (10.10.11.10) at port 80. My LAN is disallowed to 10.10.11.10 but has to use 222.222.222.222 to access the webserver. But I failed to do this... don't know what is the problem.
>
> 2) Office network cannot get the internet from the D-Link router. But when I connect eth1 directly to a single PC, yes I can get the internet.
>
> Glad if there is a help.
>
> cout<<"Erik";

Please provide the necessary info.
Tom Eastep
2005-Mar-20 17:41 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Cristian Rodriguez wrote:
> On Sun, 20 Mar 2005 10:51:20 +0000 (GMT), Erik <hezry79@yahoo.com> wrote:
>> I'm running Red Hat 9 and Shorewall 2.2.2.
>
> oops..get a supported distro first ¡¡

RH9 should still be OK as far as Shorewall is concerned, but without security updates I don't think I would want to run RH9 as a firewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Mark D. Montgomery II
2005-Mar-20 21:47 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Erik wrote:
> Thank you for the reply.
>
> 1) I don't quite understand your meaning on the first answer.

If I understood your setup right, your local LAN does not have access to the webserver using its 10.x.x.x address, but is trying to use your external static IP address to access it. This doesn't work. Any request from behind the firewall to the external address of the firewall won't work. Basically it's trying to send the request out and then loop it back in.

Mark II
--
END
-----------------------------------
TechieM2 (Mark D. Montgomery II)
https://techiem2.no-ip.com
techiem2@techiem2.net
Isaiah 40:28-31
-----------------------------------
"It's hard to be mad at someone who misses you while you're asleep." -Calvin
-----------------------------------
Tom Eastep
2005-Mar-21 01:41 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Mark D. Montgomery II wrote:
> Erik wrote:
>> Thank you for the reply.
>>
>> 1) I don't quite understand your meaning on the first answer.
>
> If I understood your setup right, your local LAN does not have access to
> the webserver using its 10.x.x.x address, but is trying to use your
> external static IP address to access it.
> This doesn't work.
> Any request from behind the firewall to the external address of the
> firewall won't work.
> Basically it's trying to send the request out and then loop it back in.

FAQ #2 discusses that case but I don't think that's what Erik is trying to do. I think possibly that he is trying to access his DMZ server by external IP from his local network -- that just requires an appropriate DNAT rule. But again, that's only a guess.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Mar-21 21:29 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
> FAQ #2 discusses that case but I don't think that's what Erik is trying
> to do. I think possibly that he is trying to access his DMZ server by
> external IP from his local network -- that just requires an appropriate
> DNAT rule. But again, that's only a guess.

I've added FAQ 1d that describes the rule to allow local access to a DMZ server using an external IP on the firewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Mar-21 21:48 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Tom Eastep wrote:
>> FAQ #2 discusses that case but I don't think that's what Erik is trying
>> to do. I think possibly that he is trying to access his DMZ server by
>> external IP from his local network -- that just requires an appropriate
>> DNAT rule. But again, that's only a guess.
>
> I've added FAQ 1d that describes the rule to allow local access to a DMZ
> server using an external IP on the firewall.

http://shorewall.net/FAQ.htm#faq1d

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Erik
2005-Mar-22 04:43 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
So you mean Shorewall is best running on which OS?

--- Tom Eastep <teastep@shorewall.net> wrote:
> Cristian Rodriguez wrote:
>>> I'm running Red Hat 9 and Shorewall 2.2.2.
>>
>> oops..get a supported distro first ¡¡
>
> RH9 should still be OK as far as Shorewall is concerned, but without
> security updates I don't think I would want to run RH9 as a firewall.
>
> -Tom

cout<<"Erik";
Erik
2005-Mar-22 04:46 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Yeah.. correct... that is what I mean.

--- Tom Eastep <teastep@shorewall.net> wrote:
> FAQ #2 discusses that case but I don't think that's what Erik is trying
> to do. I think possibly that he is trying to access his DMZ server by
> external IP from his local network -- that just requires an appropriate
> DNAT rule. But again, that's only a guess.
>
> -Tom

cout<<"Erik";
Erik
2005-Mar-22 05:35 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
I will provide my configuration... sorry for the delay.

--- Tom Eastep <teastep@shorewall.net> wrote:
> I'm sorry -- from your description, I don't understand what problem you
> are seeing. And given that you have not told us one single thing about
> your Shorewall configuration, I don't know how you expect us to help you.
>
> Do you have the proper routes to the office network set up on your firewall?
>
> Please see http://shorewall.net/support.htm#Guidelines for the
> information that we need to diagnose these sorts of problems.
>
> -Tom

cout<<"Erik";
Ed Greshko
2005-Mar-22 06:00 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Erik wrote:
> So you mean Shorewall is best running on which OS?

It is not a question of "where it runs best". It is a question of the O/S itself and if it is currently supported by the vendor. RH9 has reached EOL (End of Life) and as such is no longer getting updates of any kind from Red Hat. That is, no security updates, etc. While there are some groups out there putting out updates for that version of Red Hat, it is normally suggested that you switch to "Fedora" if you don't need/want the "paid" support that goes with Red Hat Enterprise Linux.

Ed
--
"A common mistake that people make when trying to design something completely foolproof was to underestimate the ingenuity of complete fools." --Ford Prefect in "Mostly Harmless".
Erik
2005-Mar-22 10:38 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Here is my output of:

# actually my eth0 is 218.111.120.210 netmask: 255.255.255.252

shorewall version
ip addr show
ip route show

[root@firewall root]# shorewall version
2.2.2
[root@firewall root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:11:09:14:68:93 brd ff:ff:ff:ff:ff:ff
    inet 218.111.120.210/30 brd 218.111.120.211 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0d:88:7e:97:76 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0d:88:37:47:97 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.254/24 brd 10.10.11.255 scope global eth2
[root@firewall root]# ip route show
218.111.120.208/30 dev eth0 scope link
10.10.10.0/24 dev eth1 scope link
10.10.11.0/24 dev eth2 scope link
169.254.0.0/16 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 218.111.120.209 dev eth0
[root@firewall root]#

--- Tom Eastep <teastep@shorewall.net> wrote:
> Do you have the proper routes to the office network set up on your firewall?
>
> Please see http://shorewall.net/support.htm#Guidelines for the
> information that we need to diagnose these sorts of problems.
>
> -Tom

cout<<"Erik";
Tom Eastep
2005-Mar-22 14:34 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Erik wrote:
> [root@firewall root]# ip route show
> 218.111.120.208/30 dev eth0 scope link
> 10.10.10.0/24 dev eth1 scope link
> 10.10.11.0/24 dev eth2 scope link
> 169.254.0.0/16 dev eth2 scope link
> 127.0.0.0/8 dev lo scope link
> default via 218.111.120.209 dev eth0
> [root@firewall root]#

I don't see any route to the network behind the router in the local zone!

Please see: http://shorewall.net/Multiple_Zones.html

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Erik
2005-Mar-23 03:29 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
For the Multiple_Zones, I tested all the configuration... but fail...

Let me inform something:
My eth1 is [ip: 10.10.10.254, netmask: 255.255.255.0, gateway: blank].

This eth1 I connect to the wireless router at the WAN port using a crossover cable. So the router WAN port configuration I set as below:
ip: 10.10.10.1, netmask: 255.255.255.0, gateway: 10.10.10.254.

So from the router, all my wireless client DHCP is:
ip: 192.168.0.X, netmask: 255.255.255.0, gateway: 192.168.0.1 (192.168.0.1 is the router IP).

So... can you suggest to me which conf is better for the Shorewall?

--- Tom Eastep <teastep@shorewall.net> wrote:
> I don't see any route to the network behind the router in the local zone!
>
> Please see: http://shorewall.net/Multiple_Zones.html
>
> -Tom

cout<<"Erik";
Tom Eastep
2005-Mar-23 04:01 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Erik wrote:
> For the Multiple_Zones, I tested all the configuration... but fail...
>
> Let me inform something:
> My eth1 is [ip: 10.10.10.254, netmask: 255.255.255.0, gateway: blank].
>
> This eth1 I connect to the wireless router at the WAN port using a
> crossover cable. So the router WAN port configuration I set as below:
> ip: 10.10.10.1, netmask: 255.255.255.0, gateway: 10.10.10.254.
>
> So from the router, all my wireless client DHCP is:
> ip: 192.168.0.X, netmask: 255.255.255.0, gateway: 192.168.0.1 (192.168.0.1 is the router IP).
>
> So... can you suggest to me which conf is better for the Shorewall?

You need a route to 192.168.0.9/24 via 10.10.10.1.

>>> [root@firewall root]# ip route show
>>> 218.111.120.208/30 dev eth0 scope link
>>> 10.10.10.0/24 dev eth1 scope link
>>> 10.10.11.0/24 dev eth2 scope link
>>> 169.254.0.0/16 dev eth2 scope link
>>> 127.0.0.0/8 dev lo scope link
>>> default via 218.111.120.209 dev eth0

THERE IS NO ROUTE HERE FOR 192.168.0.0/24 via 10.10.10.1.

Look at the above routing table and ask yourself how the %$#@ your firewall will ever know to send packets to 192.168.0.0/24 through 10.10.10.1.

-Tom

And yes, I'M SHOUTING.

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Erik
2005-Mar-23 07:08 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
1 good news and 1 bad news. The good news is I successfully made the forwarding... The bad news is I still can't spread the internet connection to the wireless clients through the router... From my situation, how do I create a route? Route in my router or route in my network card eth1?

--- Tom Eastep <teastep@shorewall.net> wrote:
> THERE IS NO ROUTE HERE FOR 192.168.0.0/24 via 10.10.10.1.
>
> Look at the above routing table and ask yourself how the %$#@ your
> firewall will ever know to send packets to 192.168.0.0/24 through
> 10.10.10.1.
>
> -Tom
>
> And yes, I'M SHOUTING.

cout<<"Erik";
Erik
2005-Mar-23 07:12 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
I tried to add a route to my eth1:

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.10.10.1

Still not working... my eth1 is [10.10.10.254, 255.255.255.0], so is it correct to set the route gw as 10.10.10.1?

--- Tom Eastep <teastep@shorewall.net> wrote:
> You need a route to 192.168.0.9/24 via 10.10.10.1.
>
> THERE IS NO ROUTE HERE FOR 192.168.0.0/24 via 10.10.10.1.
>
> Look at the above routing table and ask yourself how the %$#@ your
> firewall will ever know to send packets to 192.168.0.0/24 through
> 10.10.10.1.
>
> -Tom
>
> And yes, I'M SHOUTING.

cout<<"Erik";
Tom Eastep
2005-Mar-23 14:39 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Erik wrote:
> I tried to add a route to my eth1:
>
> /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.10.10.1
>
> Still not working... my eth1 is [10.10.10.254, 255.255.255.0], so is it
> correct to set the route gw as 10.10.10.1?

If that is the address of your wireless router, yes. After you added this route, did you restart Shorewall? If your entry in /etc/shorewall/masq has "eth1" in the SUBNETS column, Shorewall uses the routing table to construct the correct MASQUERADE/SNAT rules.

If that doesn't work then please:

a) Go to http://shorewall.net/support.htm.
b) Read the problem reporting guidelines!!
c) Follow them -- especially the part that begins "THIS IS IMPORTANT!"

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
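Tom's diagnosis above (no route to the 192.168.0.0/24 network behind the wireless router, and Shorewall building its MASQUERADE/SNAT rules from the routing table) can be checked mechanically before reaching for the support guidelines. The POSIX shell script below is an added example, not code from this thread or from Shorewall: it parses `ip route show` output (a constructed sample shaped like Erik's table), reports whether a given network is routed via the expected downstream router, checks that the router's address is on-link for the firewall interface, and prints the `ip route add` command and the `shorewall restart` that Tom's answer calls for. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: verify that a firewall has a route to a network that sits
# behind a downstream router, as Tom points out is missing for 192.168.0.0/24.

# Constructed sample of `ip route show` output, modelled on the thread's table
# (the office LAN 192.168.0.0/24 behind 10.10.10.1 is absent on purpose).
SAMPLE_ROUTES='218.111.120.208/30 dev eth0 scope link
10.10.10.0/24 dev eth1 scope link
10.10.11.0/24 dev eth2 scope link
169.254.0.0/16 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 218.111.120.209 dev eth0'

# route_via NET GATEWAY [ROUTES]
# Prints "ok" when NET is routed via GATEWAY, "missing" when NET has no
# explicit route at all, and "wrong-gateway:<gw>" (or ":none" for an on-link
# route) when it is routed somewhere else. ROUTES defaults to the live table.
route_via() {
    net="$1"; gw="$2"
    routes="${3:-$(ip route show 2>/dev/null)}"
    line=$(printf '%s\n' "$routes" | awk -v n="$net" '$1 == n { print; exit }')
    if [ -z "$line" ]; then
        echo "missing"
        return 1
    fi
    actual=$(printf '%s\n' "$line" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }')
    if [ "$actual" = "$gw" ]; then
        echo "ok"
        return 0
    fi
    echo "wrong-gateway:${actual:-none}"
    return 1
}

# gateway_on_link GATEWAY IFNET
# A next hop must be reachable on the interface's own subnet; 10.10.10.1
# qualifies for eth1's 10.10.10.0/24, 192.168.0.1 does not. /24 only.
gateway_on_link() {
    gw="$1"; ifnet="$2"
    case "$ifnet" in */24) ;; *) return 2 ;; esac
    prefix=${ifnet%.*/24}
    case "$gw" in "$prefix".*) return 0 ;; *) return 1 ;; esac
}

# add_route_cmd NET GATEWAY DEV
# Builds the iproute2 form of the route Erik added with /sbin/route; it is
# printed, not executed, so the script is safe to run anywhere.
add_route_cmd() {
    echo "ip route add $1 via $2 dev $3"
}

main() {
    state=$(route_via 192.168.0.0/24 10.10.10.1 "$SAMPLE_ROUTES") || true
    echo "route for office LAN 192.168.0.0/24: $state"
    if gateway_on_link 10.10.10.1 10.10.10.0/24; then
        echo "next hop 10.10.10.1 is on-link for eth1"
    fi
    if [ "$state" != "ok" ]; then
        echo "fix:  $(add_route_cmd 192.168.0.0/24 10.10.10.1 eth1)"
        echo "then: shorewall restart  # masq rules are derived from the routing table"
    fi
}
main
```

Call `route_via` without the third argument to inspect the live routing table on the firewall itself.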
Erik
2005-Apr-05 06:28 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Hi there..

I gave up. I need help.

My problem is I cannot make my office network clients, which are connected thru a wireless router, get the internet connection. And my wireless router is connected to my eth1 thru a crossover cable at the wireless WAN port.

After the first installation of shorewall, I copied and pasted the "Three-interface Linux System acting as a firewall/router for a small local network and a DMZ" files to my existing shorewall directory. Then I surfed to this link http://www.shorewall.net/Multiple_Zones.html and tried to follow the procedure so my wireless clients are able to surf the internet.

p/s: if I connect the network cable from either eth1 or eth2 to a switch, all the switch clients can get the internet connection.

I already tried to add a route to my eth1 but the wireless clients still can't get the internet. This is my route to eth1:

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.10.10.1

My setting:

I have 1 pc server acting as a Linux Router with 3 NICs: eth0, eth1 and eth2. My internet connection is XDSL with 1 static ip. I have been given the static ip 218.111.120.210, netmask 255.255.255.252 and gateway 218.111.120.209.

so here my linux router setting:

eth0: < connect to XDSL with 1 public ip >
ip:218.111.120.210
netmsk: 255.255.255.252
gw: 218.111.120.209

eth1: < connect to wireless router at WAN port >
ip:10.10.10.1
netmsk:255.255.255.0
gw: blank

eth2: < connect to switch for DMZ, web serv, ftp serv >
ip:10.10.11.1
netmsk:255.255.255.0
gw:blank

my wireless router:
WAN setting ( static ip );
ip:10.10.10.2
netmsk:255.255.255.0
gw:10.10.10.1 ( <- eth1 )

+ wireless router ip is 192.168.0.1 and so the dhcp range for office network clients is 192.168.0.X, netmsk 255.255.255.0, gateway 192.168.0.1

shorewall version> 2.2.2

ip addr show>
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:11:09:14:68:93 brd ff:ff:ff:ff:ff:ff
    inet 218.111.120.210/30 brd 218.111.120.211 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0d:88:7e:97:76 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0d:88:37:47:97 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.1/24 brd 10.10.11.255 scope global eth2

ip route show>
218.111.120.208/30 dev eth0 scope link
10.10.10.0/24 dev eth1 scope link
10.10.11.0/24 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 218.111.120.209 dev eth0

--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> > i try to add route to my eth1:
> >
> > /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.10.10.1
> >
> > still not working....my eth1 [10.10.10.254, 255.255.255.0], so is it correct to set the route gw as 10.10.10.1?
> >
>
> If that is the address of your wireless router, yes. After you added this route, did you restart shorewall? If your entry in /etc/shorewall/masq has "eth1" in the SUBNETS column, Shorewall uses the routing table to construct the correct MASQUERADE/SNAT rules.
>
> If that doesn't work then please:
>
> a) Go to http://shorewall.net/support.htm.
> b) Read the problem reporting guidelines!!
> c) Follow them -- especially the part that begins "THIS IS IMPORTANT!"
>
> -Tom

cout<<"Erik";
Erik
2005-Apr-20 03:05 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Hi there..

I ALREADY SENT THIS MSG PREVIOUSLY BUT GOT NO REPLY. I AM REALLY BEGGING FOR HELP.

I gave up. I need help.

My problem is I cannot make my office network clients, which are connected thru a wireless router, get the internet connection. And my wireless router is connected to my eth1 thru a crossover cable at the wireless WAN port.

After the first installation of shorewall, I copied and pasted the "Three-interface Linux System acting as a firewall/router for a small local network and a DMZ" files to my existing shorewall directory. Then I surfed to this link http://www.shorewall.net/Multiple_Zones.html and tried to follow the procedure so my wireless clients are able to surf the internet.

p/s: if I connect the network cable from either eth1 or eth2 to a switch, all the switch clients can get the internet connection.

I already tried to add a route to my eth1 but the wireless clients still can't get the internet. This is my route to eth1:

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.10.10.1

My setting:

I have 1 pc server acting as a Linux Router with 3 NICs: eth0, eth1 and eth2. My internet connection is XDSL with 1 static ip. I have been given the static ip 218.111.120.210, netmask 255.255.255.252 and gateway 218.111.120.209.

so here my linux router setting:

eth0: < connect to XDSL with 1 public ip >
ip:218.111.120.210
netmsk: 255.255.255.252
gw: 218.111.120.209

eth1: < connect to wireless router at WAN port >
ip:10.10.10.1
netmsk:255.255.255.0
gw: blank

eth2: < connect to switch for DMZ, web serv, ftp serv >
ip:10.10.11.1
netmsk:255.255.255.0
gw:blank

my wireless router:
WAN setting ( static ip );
ip:10.10.10.2
netmsk:255.255.255.0
gw:10.10.10.1 ( <- eth1 )

+ wireless router ip is 192.168.0.1 and so the dhcp range for office network clients is 192.168.0.X, netmsk 255.255.255.0, gateway 192.168.0.1

shorewall version> 2.2.2

ip addr show>
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:11:09:14:68:93 brd ff:ff:ff:ff:ff:ff
    inet 218.111.120.210/30 brd 218.111.120.211 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0d:88:7e:97:76 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0d:88:37:47:97 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.1/24 brd 10.10.11.255 scope global eth2

ip route show>
218.111.120.208/30 dev eth0 scope link
10.10.10.0/24 dev eth1 scope link
10.10.11.0/24 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 218.111.120.209 dev eth0

--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> > i try to add route to my eth1:
> >
> > /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.10.10.1
> >
> > still not working....my eth1 [10.10.10.254, 255.255.255.0], so is it correct to set the route gw as 10.10.10.1?
> >
>
> If that is the address of your wireless router, yes. After you added this route, did you restart shorewall? If your entry in /etc/shorewall/masq has "eth1" in the SUBNETS column, Shorewall uses the routing table to construct the correct MASQUERADE/SNAT rules.
>
> If that doesn't work then please:
>
> a) Go to http://shorewall.net/support.htm.
> b) Read the problem reporting guidelines!!
> c) Follow them -- especially the part that begins "THIS IS IMPORTANT!"
>
> -Tom

cout<<"Erik";
Tom Eastep
2005-Apr-20 14:07 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Erik wrote:
>
> my wireless router:
> WAN setting ( static ip );
> ip:10.10.10.2
> netmsk:255.255.255.0
> gw:10.10.10.1 ( <- eth1 )
>
> + wireless router ip is 192.168.0.1 and so dhcp client for office network client is range 192.168.0.X, netmsk 255.255.255.0 gateway 192.168.0.1

> ip route show>
> 218.111.120.208/30 dev eth0 scope link
> 10.10.10.0/24 dev eth1 scope link
> 10.10.11.0/24 dev eth2 scope link
> 127.0.0.0/8 dev lo scope link
> default via 218.111.120.209 dev eth0
>

So where is the route to 192.168.0.0/24 via 10.10.10.2???? With the above routing table, your firewall is trying to send packets to 192.168.0.0/24 via 218.111.120.209.

-Tom
Brad
2005-Apr-20 21:31 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Tom Eastep wrote:
> Erik wrote:
>
>
>> my wireless router:
>> WAN setting ( static ip );
>> ip:10.10.10.2
>> netmsk:255.255.255.0
>> gw:10.10.10.1 ( <- eth1 )
>>
>> + wireless router ip is 192.168.0.1 and so dhcp client for office network client is range 192.168.0.X, netmsk 255.255.255.0 gateway 192.168.0.1
>
>
>> ip route show>
>> 218.111.120.208/30 dev eth0 scope link
>> 10.10.10.0/24 dev eth1 scope link
>> 10.10.11.0/24 dev eth2 scope link
>> 127.0.0.0/8 dev lo scope link
>> default via 218.111.120.209 dev eth0
>>
>
>
> So where is the route to 192.168.0.0/24 via 10.10.10.2???? With the above routing table, your firewall is trying to send packets to 192.168.0.0/24 via 218.111.120.209.
>
> -Tom

I don't remember the rest of this thread but it looks like his wireless router would be doing NAT, so the shorewall box is only talking to the wireless router's WAN addr of 10.10.10.2
Tom Eastep
2005-Apr-20 21:37 UTC
Re: Client Behind Router can't get internet & cannot do forwarding...
Brad wrote:
>
>
> Tom Eastep wrote:
>> Erik wrote:
>>
>>
>>> my wireless router:
>>> WAN setting ( static ip );
>>> ip:10.10.10.2
>>> netmsk:255.255.255.0
>>> gw:10.10.10.1 ( <- eth1 )
>>>
>>> + wireless router ip is 192.168.0.1 and so dhcp client for office network client is range 192.168.0.X, netmsk 255.255.255.0 gateway 192.168.0.1
>>
>>
>>> ip route show>
>>> 218.111.120.208/30 dev eth0 scope link
>>> 10.10.10.0/24 dev eth1 scope link
>>> 10.10.11.0/24 dev eth2 scope link
>>> 127.0.0.0/8 dev lo scope link
>>> default via 218.111.120.209 dev eth0
>>>
>>
>>
>> So where is the route to 192.168.0.0/24 via 10.10.10.2???? With the above routing table, your firewall is trying to send packets to 192.168.0.0/24 via 218.111.120.209.
>>
>> -Tom
>
> I don't remember the rest of this thread but it looks like his wireless router would be doing NAT, so the shorewall box is only talking to the wireless router's WAN addr of 10.10.10.2

In which case, what Erik has right now should work. I've tried to get Erik to send the output of "shorewall status" (after trying to connect from the office wireless network) but I've given up.

-Tom
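The three technical points in this thread (Tom's routing argument, his earlier remark that a masq entry naming eth1 in the SUBNETS column is expanded from the routing table and therefore needs a shorewall restart after a route is added, and Brad's NAT observation) can be walked through mechanically. The script below is an added example, not code from the thread or from Shorewall. It parses the `ip route show` text Erik posted, performs the longest-prefix lookup the kernel does, and shows where a reply to an office client would be sent before and after the route Tom asked for. `FIXED_TABLE` is constructed by adding that route via 10.10.10.2 (the router's WAN address in Erik's latest configuration); `masq_sources()` is a simplified reading of Tom's remark (every non-default route on the named interface) and is an assumption about Shorewall's behaviour, not its code.

```python
"""Routing-table walk-through for the Shorewall thread above.
Added example; ERIK_TABLE is the ``ip route show`` output Erik posted,
FIXED_TABLE is constructed by adding the route Tom asked for."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[ipaddress.IPv4Address]  # None for a directly connected route


def parse_ip_route(text: str) -> List[Route]:
    """Parse the main-table lines printed by ``ip route show``."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = dev = None
        for i, word in enumerate(fields):
            if word == "via":
                via = ipaddress.ip_address(fields[i + 1])
            elif word == "dev":
                dev = fields[i + 1]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def next_hop(routes: List[Route], dst: str) -> str:
    """Where the firewall would send a packet for dst, in ``ip route get`` style."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    return f"via {r.via} dev {r.dev}" if r.via is not None else f"dev {r.dev}"


def masq_sources(routes: List[Route], interface: str) -> List[str]:
    """Networks a masq entry whose SUBNET column names `interface` would cover.
    Assumption (simplified): every non-default route out of that interface."""
    return sorted(str(r.prefix) for r in routes
                  if r.dev == interface and r.prefix.prefixlen > 0)


# Constructed from Erik's post (his ``ip route show`` block).
ERIK_TABLE = """\
218.111.120.208/30 dev eth0 scope link
10.10.10.0/24 dev eth1 scope link
10.10.11.0/24 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 218.111.120.209 dev eth0
"""

# Constructed: the same table after the route Tom asked for is added
# (192.168.0.0/24 via the router's WAN address 10.10.10.2).
FIXED_TABLE = ERIK_TABLE + "192.168.0.0/24 via 10.10.10.2 dev eth1\n"


if __name__ == "__main__":
    before, after = parse_ip_route(ERIK_TABLE), parse_ip_route(FIXED_TABLE)
    # Tom's point: without the route, a reply to an un-NATed office client leaves via eth0.
    print("reply to 192.168.0.50, before:", next_hop(before, "192.168.0.50"))
    print("reply to 192.168.0.50, after: ", next_hop(after, "192.168.0.50"))
    # Brad's point: if the wireless router NATs, the firewall only ever sees
    # 10.10.10.2, which is directly connected and needs no extra route.
    print("reply to NATed source 10.10.10.2:", next_hop(before, "10.10.10.2"))
    # Tom's earlier remark: masq rules are built from the routing table,
    # so the new route only reaches the SNAT rules after a restart.
    print("masq 'eth0 eth1' covers, before:", masq_sources(before, "eth1"))
    print("masq 'eth0 eth1' covers, after: ", masq_sources(after, "eth1"))
```

Run against the table Erik posted, the lookup sends replies to 192.168.0.x out eth0 toward 218.111.120.209, which is exactly what Tom describes; with the added route they go to 10.10.10.2 on eth1, and the masq entry picks up 192.168.0.0/24 only after Shorewall re-reads the routing table. If the wireless router does NAT, as Brad suggests, all traffic arrives from 10.10.10.2 and the directly connected 10.10.10.0/24 route already covers it.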