Hi !

Recently I switched my internet provider, to get more speed, but got another
braindead setup regarding public ip addresses.

I now have 4 PPTP tunnels available, of which I'm using one as the
gateway ip doing masquerading for the other machines in my local lan,
excluding three other machines, which I would like to 1:1 nat to
give them direct access to one of the other pptp tunnels each.

I was able to get all pptp tunnels established and to share
the net pptp tunnel with the machines in my localnet successfully.

But for tunnels two to four I'm not able to do 1:1 nat.

What could be a solution ?

Kind regards,
Felix.
interfaces:
#ZONE   INTERFACE  BROADCAST  OPTIONS
loc     eth0       detect     tcpflags
modem   eth1       detect     dhcp,tcpflags,routefilter,nosmurfs,arp_filter
net     ppp0       -          tcpflags,routefilter,nosmurfs,arp_filter
pptp2   ppp1       -          tcpflags,routefilter,nosmurfs,arp_filter
pptp3   ppp2       -          tcpflags,routefilter,nosmurfs,arp_filter
pptp4   ppp3       -          tcpflags,routefilter,nosmurfs,arp_filter

zones:
#ZONE   DISPLAY            COMMENTS
modem   InodeInternal      PPTP Connector via 10.0.0.0
loc     Local              Local networks via 192.168.47.0
net     Tunnel1-Internet   Inode PPTP Tunnel 1
pptp2   Tunnel2-Internet   Inode PPTP Tunnel 2
pptp3   Tunnel3-Internet   Inode PPTP Tunnel 3
pptp4   Tunnel4-Internet   Inode PPTP Tunnel 4

tunnel: (10.0.0.138 is the pptp server)
#TYPE        ZONE    GATEWAY      GATEWAY ZONE
pptpclient   modem   10.0.0.138   net,pptp2,pptp3,pptp4

policy:
#SOURCE  DEST    POLICY   LOG LEVEL
fw       fw      ACCEPT
fw       loc     ACCEPT
fw       net     ACCEPT
fw       modem   ACCEPT
pptp2    net     ACCEPT
pptp3    net     ACCEPT
pptp4    net     ACCEPT
loc      fw      ACCEPT
loc      net     ACCEPT
loc      pptp2   ACCEPT
loc      pptp3   ACCEPT
loc      pptp4   ACCEPT
net      all     DROP
all      all     REJECT   info

masq:
#INTERFACE  SUBNET
ppp0        eth0!192.168.47.31,192.168.47.32,192.168.47.33

nat:
#EXTERNAL      INTERFACE  INTERNAL        ALL INTERFACES  LOCAL
85.124.1.42    ppp1       192.168.47.31   no              no
85.124.5.46    ppp2       192.168.47.32   no              no
85.124.3.196   ppp3       192.168.47.33   no              no
network routes (route -n):
Destination    Gateway        Genmask          Flags Metric Ref  Use Iface
172.25.46.39   0.0.0.0        255.255.255.255  UH    0      0      0 ppp0
172.25.46.39   0.0.0.0        255.255.255.255  UH    0      0      0 ppp1
172.25.46.39   0.0.0.0        255.255.255.255  UH    0      0      0 ppp2
172.25.46.39   0.0.0.0        255.255.255.255  UH    0      0      0 ppp3
192.168.47.0   0.0.0.0        255.255.255.0    U     0      0      0 eth0
10.0.0.0       10.10.0.1      255.255.0.0      UG    0      0      0 eth1
10.10.0.0      0.0.0.0        255.255.0.0      U     0      0      0 eth1
0.0.0.0        172.25.46.39   0.0.0.0          UG    0      0      0 ppp0
/etc/network/interfaces:

auto lo eth0 eth1 pptp1 pptp2 pptp3 pptp4

iface lo inet loopback

# The local network interface
iface eth0 inet static
    address 192.168.47.254
    netmask 255.255.255.0

# The PPTP Server Interface
iface eth1 inet dhcp
    up /etc/network/ifup-eth1
    down /etc/network/ifdown-eth1
    # This adds and deletes a route to 10.0.0.0,
    # where the pptp server is located,
    # because the standard netmask via dhcp is 10.10.0.0

# The net PPTP Internet Tunnel
iface ppp0 inet ppp
    provider pptp1

# Other Tunnels
iface ppp1 inet ppp
    provider pptp2
    up /etc/network/ifup-ppp ppp2
    # This will change the /etc/shorewall nat ip address of the tunnel in future

iface ppp2 inet ppp
    provider pptp3
    up /etc/network/ifup-ppp ppp3
    # This will change the /etc/shorewall nat ip address of the tunnel in future

iface ppp3 inet ppp
    provider pptp4
    up /etc/network/ifup-ppp ppp4
    # This will change the /etc/shorewall nat ip address of the tunnel in future
Felix Erkinger wrote:
> Hi !
>
> Recently I switched my internet provider, to get more speed but another
> braindead setup regarding public ip addresses.
>
> I now have 4 PPTP Tunnel available, of which I'm using one as the
> gateway ip doing masquerading to other machines in my local lan,
> excluding three other machines, which I would like to use 1:1 nat to
> get them a direct access to one of the pptp tunnels.
>
> I was able to do get all pptp tunnels established and
> the net pptp tunnel to share with the machines in
> my localnet successfully.
>
> But Tunnel two to four I'm not able to do 1:1 nat.
>
> What could be a solution ?

A better question is "What is the problem?". You say "I'm not able to do
1:1 nat"; that gives us virtually nothing to go on.

a) Does Shorewall start?
b) What tests are you trying to perform?
c) What results do you see?
d) What log messages (if any) do you see?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
On Tue, Apr 19, 2005 at 10:03:18AM -0700, Tom Eastep wrote:
> Felix Erkinger wrote:
> > [...]
> > But Tunnel two to four I'm not able to do 1:1 nat.
> >
> > What could be a solution ?
>
> A better question is "What is the problem?". You say "I'm not able to do
> 1:1 nat"; that gives us virtually nothing to go on.
>
> a) Does Shorewall start?
> b) What tests are you trying to perform?
> c) What results do you see?
> d) What log messages (if any) do you see?

I'm sorry,

a) yes, everything (outside access, masq of the other machines) is working
b) trying to reach an outside ip (which is known to answer) with one of the
   internal ip addresses which should be 1:1 natted
c) no answer (packets get lost from the viewpoint of the local machine)
d) to my shame, I was not able to see any reject, dropped or other log message
Felix Erkinger wrote:
> Hi !
> What could be a solution ?

I took another look at your setup and I see one big problem -- your routing.

> network routes:
> 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
> 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp2
> 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp3

The above is silly -- the last three routes are basically ignored. Why
are they there (maybe being automatically generated by pppd?)? Is the
peer address on all four tunnels really 172.25.36.39?

> 0.0.0.0 172.25.46.39 0.0.0.0 UG 0 0 0 ppp0

All output traffic is going through ppp0! This can't possibly work for
connections arriving on ppp1-ppp3.

Maybe someone on this list is adept enough at policy routing to help you
-- I'm not sure that I am.

I _think_ what you want is to add three additional routing tables, with
a default route out of ppp1, ppp2 and ppp3 respectively. Then you need
to use the source address (192.168.47.31,32,33) to select the routing
table to use.

The LARTC Howto (www.lartc.org) is a good source of information about
how to do this. If you need additional help, you might be better off
posting on the LARTC list than here.

-Tom
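What Tom describes above is source-based policy routing. The script below is an added example, not part of the thread and not Felix's or Tom's configuration: it emits the ip(8) commands that give each 1:1 NAT host its own routing table with a default route out of its own tunnel, and an `ip rule` that selects that table by the host's private address. The table numbers 101-103 and rule priorities are arbitrary choices; the peer 172.25.46.39 on every pppN and the eth0/eth1 networks are taken from Felix's route table. The extra connected routes copied into each table go beyond Tom's suggestion: without them a host whose traffic is pinned to a tunnel table could no longer reach the modem network via eth1. The rule keys on the private address because Shorewall's 1:1 NAT rewrites the source in POSTROUTING, after the routing decision has already been made.

```shell
#!/bin/sh
# Added example: per-host routing tables so that traffic from each 1:1 NAT
# host leaves through the tunnel that owns its public address.
# Without an argument the commands are only printed; "apply" runs them (root).

# Host mapping (private address, tunnel device, table number).
# Table numbers are an assumption, not from the thread.
HOSTS='192.168.47.31 ppp1 101
192.168.47.32 ppp2 102
192.168.47.33 ppp3 103'

PEER=172.25.46.39       # pppd peer on all four tunnels (from the thread)
LAN=192.168.47.0/24     # local network on eth0 (from the route table)
MODEM=10.0.0.0/16       # PPTP server network behind 10.10.0.1 on eth1

# policy_routes_for SRC DEV TABLE -> prints the commands for one host
policy_routes_for() {
    src=$1; dev=$2; table=$3
    # A private table whose default route points out this host's own tunnel.
    printf 'ip route replace default via %s dev %s table %s\n' "$PEER" "$dev" "$table"
    # Copy the directly connected networks so the host still reaches the LAN
    # and the PPTP server network via eth0/eth1 instead of via the tunnel.
    printf 'ip route replace %s dev eth0 table %s\n' "$LAN" "$table"
    printf 'ip route replace %s via 10.10.0.1 dev eth1 table %s\n' "$MODEM" "$table"
    # Select the table by the pre-NAT (private) source address.
    printf 'ip rule add from %s lookup %s priority %s\n' "$src" "$table" "$table"
}

# policy_routes -> prints the full command list for all hosts
policy_routes() {
    echo "$HOSTS" | while read -r src dev table; do
        policy_routes_for "$src" "$dev" "$table"
    done
    # Older kernels keep a route cache; flush it after changing rules.
    echo 'ip route flush cache'
}

if [ "$1" = apply ]; then
    policy_routes | sh -e
else
    policy_routes
fi
```

Run it once without arguments and read the commands before `apply`. Because pppd only installs a default route for a peer whose options include `defaultroute`, keep that option out of the pptp2-4 provider files so the main table's default stays on ppp0; the UH host routes pppd adds for the peer are harmless. A quick check after applying is `ip rule show` followed by `ip route show table 101`, and `ip route get 8.8.8.8 from 192.168.47.31 iif eth0` should now report `dev ppp1`.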
On Tue, Apr 19, 2005 at 10:19:20AM -0700, Tom Eastep wrote:
>
> I took another look at your setup and I see one big problem -- your routing.
>
> > network routes:
> > 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> > 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
> > 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp2
> > 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp3
>
> The above is silly -- the last three routes are basically ignored. Why
> are they there (maybe being automatically generated by pppd?)? Is the
> peer address on all four tunnels really 172.25.36.39?

Yes, the peer address on all four tunnels is 172.25.46.39, and the
routes are auto generated by pppd ...

> > 0.0.0.0 172.25.46.39 0.0.0.0 UG 0 0 0 ppp0
>
> All output traffic is going through ppp0! This can't possibly work for
> connections arriving on ppp1-ppp3.
>
> Maybe someone on this list is adept enough at policy routing to help you
> -- I'm not sure that I am.
>
> I _think_ what you want is to add three additional routing tables, with
> a default route out of ppp1, ppp2 and ppp3 respectively. Then you need
> to use the source address (192.168.47.31,32,33) to select the routing
> table to use.

Hmm, I will try this one.

> The LARTC Howto (www.lartc.org) is a good source of information about
> how to do this. If you need additional help, you might be better off
> posting on the LARTC list than here.

Thank you for your help. After trying adding more default routes, I
will dig through lartc.org to find an answer there.

Many thanks for your fast answer,
Felix
Felix wrote on 19/04/2005 14:31:12:
> On Tue, Apr 19, 2005 at 10:19:20AM -0700, Tom Eastep wrote:
> [...]
>
> Yes, the peer address on all four tunnels is 172.25.46.39,
> and the routes are auto generated by pppd ...

IIRC, there's a way to control which routes pppd generates once a pppoe
connection is established.

> [...]
> Hmm, I will try this one.
>
> Thank you for your help. After trying adding more default routes, I
> will dig through lartc.org to find an answer there.

No, No, No. Dig through lartc.org first. Your answer is there. There's no
sense in trying to add more default routes if you don't understand how
routing is really done in Linux.

regards,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606