Hello all,

I've a problem with the configuration below:

eth3 - Connection to ISP 1
eth4 - Server farm, public addresses (202.73.10.*)
eth5 - Local Area Network (192.168.0.0/24)

I'm doing this one-to-one NAT because there is a server that needs to have a public IP and it is located somewhere that can only be reached via the LAN. I've made the modifications to nat and rules and made sure it is working from outside, as shown below. The public IP it has is from the eth4 group...

202.73.10.61 eth4.4000 192.168.0.11 yes yes
202.73.10.62 eth4.4000 192.168.0.12 yes yes

I found that I can't access the device using the public address on the Local Area Network.

And for some reason, there is a router on 192.168.0.150 and a route to 192.168.100.0/24 (this is for testing). All the clients below it can't reach these public IPs, e.g. 202.73.10.61, but can still reach them using the local IP address 192.168.0.11.

Can someone help me with that one-to-one NAT to solve these 2 problems?

local --> o2oNAT
Local(local) --> o2oNAT

Thank You.
Chan Min Wai wrote:
>
> I found that I can't access the device using public address on the Local
> Area Network.

This is Shorewall FAQ #2a (http://shorewall.net/FAQ.htm#faq2a)

>
> And for some reason, there is a router on 192.168.0.150 and router to
> 192.168.100.0/24 (This is for testing) All the Client below can't reach
> these Public IP e.g 202.73.10.61, but can still reach using the Local IP
> address 192.168.0.11.

Sounds like a routing issue but you haven't given us nearly enough information to even guess how to correct the problem.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Chan Min Wai wrote:
>
>> I found that I can't access the device using public address on the Local
>> Area Network.
>
> This is Shorewall FAQ #2a (http://shorewall.net/FAQ.htm#faq2a)

Ok. Now local can ping and access them; however, something strange... when pinging one of the devices, the local address is replying to the ping...

[root@dcmwaicom bin]# ping 202.73.10.61
PING 202.73.10.61 (202.73.10.61) 56(84) bytes of data.
64 bytes from 192.168.0.11: icmp_seq=0 ttl=255 time=3.43 ms
64 bytes from 192.168.0.11: icmp_seq=1 ttl=255 time=0.829 ms

but for 202.73.10.62 the result is different.

[root@dcmwaicom src]$ ping 202.73.10.62
PING 202.73.10.62 (202.73.10.62) 56(84) bytes of data.
64 bytes from 202.73.10.62: icmp_seq=0 ttl=63 time=0.478 ms
64 bytes from 202.73.10.62: icmp_seq=1 ttl=63 time=0.476 ms

Both of them are on the NAT and they have the same entry.

202.73.10.61 eth4.4000 192.168.0.11 yes yes
202.73.10.62 eth4.4000 192.168.0.12 yes yes

Is that correct? (dcmwaicom is on LAN 192.168.0.23)

I'm kind of blur now. Both of them are IP cameras from Dlink...

>> And for some reason, there is a router on 192.168.0.150 and router to
>> 192.168.100.0/24 (This is for testing) All the Client below can't reach
>> these Public IP e.g 202.73.10.61, but can still reach using the Local IP
>> address 192.168.0.11.
>
> Sounds like a routing issue but you haven't given us nearly enough
> information to even guess how to correct the problem.

On the same network, 192.168.0.150 is a router:
eth0 is 192.168.0.150 (WAN, to the local network)
eth1 is 192.168.100.0/24 (it was a test bed)

It has just a simple firewall using shorewall (where net <--> all is allowed); however it can't ping 202.73.10.61 (which is on the NAT) but it can ping 202.73.10.62 all right. (I've no idea if it is related to the above problem.) I can ping 192.168.0.0/24 and also 202.73.10.* without any problem.

So I think there might be some problem with the ping and reply, which is different... There is no log somehow...

regards,
Chan Min Wai wrote:
>
> There is no log somehow...

Please see http://shorewall.net/support.htm#Guidelines. I can't solve these sorts of problems when all you show me are bits and pieces.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Chan Min Wai wrote:
> Tom Eastep wrote:
>>> Chan Min Wai wrote:
>>>
>>>> I found that I can't access the device using public address on the Local
>>>> Area Network.
>>>
>>> This is Shorewall FAQ #2a (http://shorewall.net/FAQ.htm#faq2a)
>
> Ok Now local can Ping and access them, however something strange... when
> ping one of the devices, local address is replaying the ping...
>
> [root@dcmwaicom bin]# ping 202.73.10.61
> PING 202.73.10.61 (202.73.10.61) 56(84) bytes of data.
> 64 bytes from 192.168.0.11: icmp_seq=0 ttl=255 time=3.43 ms
> 64 bytes from 192.168.0.11: icmp_seq=1 ttl=255 time=0.829 ms
>
> but for 202.73.10.62 the result is different.
>
> [root@dcmwaicom src]$ ping 202.73.10.62
> PING 202.73.10.62 (202.73.10.62) 56(84) bytes of data.
> 64 bytes from 202.73.10.62: icmp_seq=0 ttl=63 time=0.478 ms
> 64 bytes from 202.73.10.62: icmp_seq=1 ttl=63 time=0.476 ms
>
> Both of them are on the NAT and they have the same entry.
> 202.73.10.61 eth4.4000 192.168.0.11 yes yes
> 202.73.10.62 eth4.4000 192.168.0.12 yes yes
>
> Is that correct? (dcmwaicom is on LAN 192.168.0.23)
>
> I'm kind of blur now. Both of them are a IP Camera from Dlink...
>

The routing is different in the two cases. Add this to your /etc/shorewall/masq:

#INTERFACE SUBNET ADDRESS
eth5 eth5 <eth5's ip>

This will make all redirected traffic look like it came from the firewall (as I say in FAQ 2, this is yet one more reason to use DNS to fix this problem rather than applying ugly IP hacks).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
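Added illustration, not part of the thread or of Shorewall: a small model of the hairpin path behind the first ping output and of what the suggested masq entry changes. It assumes the firewall's eth5 address is 192.168.0.1 (not stated in the thread) and that the cameras use the firewall as their default gateway.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # the eth5 network from the thread
FIREWALL_ETH5_IP = "192.168.0.1"               # ASSUMPTION: eth5's address is not given in the thread
# /etc/shorewall/nat entries quoted in the thread: public address -> internal host
ONE_TO_ONE = {"202.73.10.61": "192.168.0.11", "202.73.10.62": "192.168.0.12"}


def firewall_forward(src, dst, masq_lan):
    """Firewall handling of a packet sent to a one-to-one NAT public address.
    DNAT rewrites the destination to the internal host; with the suggested masq
    entry ('eth5 eth5 <eth5's ip>') the source is also rewritten to the
    firewall's eth5 address. Returns the packet as the camera receives it."""
    internal = ONE_TO_ONE[dst]
    new_src = FIREWALL_ETH5_IP if masq_lan else src
    return new_src, internal


def camera_reply_path(pkt_src):
    """Where the camera sends its reply. A requester on the camera's own subnet
    is answered directly, so the reply never crosses the firewall; anything
    else goes to the camera's default gateway (assumed to be the firewall)."""
    if pkt_src == FIREWALL_ETH5_IP:
        return "firewall"
    return "direct" if ipaddress.ip_address(pkt_src) in LAN else "firewall"


def reply_source_seen_by(client, public, masq_lan=False):
    """Source address the client sees on the echo reply for `public`."""
    cam_src, cam_dst = firewall_forward(client, public, masq_lan)
    if camera_reply_path(cam_src) == "firewall":
        # conntrack reverses the DNAT (and the SNAT, if any): reply from the public IP
        return public
    # direct LAN reply: the client sees the camera's private address, as in the thread
    return cam_dst


if __name__ == "__main__":
    for masq in (False, True):
        seen = reply_source_seen_by("192.168.0.23", "202.73.10.61", masq)
        print(f"masq on eth5={masq}: reply to 202.73.10.61 arrives from {seen}")
```

The model covers only the case where the LAN client and camera share a subnet; it does not explain why 202.73.10.62 answered differently in the thread.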