Re: static routing

by Josephw

I spent the entire day trying what you wrote, but it still doesn't work.
Even so, the situation is somewhat different from before.
here is my lab
       
              PC(210.17.1.2/24)
                |
                |
              eth1(210.17.1.1/24)
             [EFW]
               br0(192.168.3.89/24)
                |
                |
              e0/0(192.168.3.100/24)
          [cisco router]
              loop0(192.168.4.100/24)
configuration:
[EFW]
 1. allow all traffic from Green interface to RED interface
 2. disable proxy
 3. iptables -I FORWARD 1 -s 192.168.4.0/24 -d 0.0.0.0/0 -j ACCEPT
    iptables -I FORWARD 1 -d 192.168.4.0/24 -s 0.0.0.0/0 -j ACCEPT

 4. Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.3.0     *               255.255.255.0   U     0      0        0 br0
    210.17.1.0      *               255.255.255.0   U     0      0        0 eth1
    192.168.4.0     192.168.3.100   255.255.255.0   UG    0      0        0 br0
    default         210.17.1.254    0.0.0.0         UG    0      0        0 eth1

symptom
 1. cisco router, source 192.168.3.100 --> ping --> PC: ok
 2. EFW, source 192.168.3.89 --> ping --> 192.168.4.100: ok
 3. cisco router, source 192.168.4.100 --> ping --> PC: failed
 tcpdump -n -p icmp -i br0
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280

 tcpdump -n -p icmp -i eth1
  IP 210.17.1.1 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 210.17.1.2 > 210.17.1.1: icmp 80: echo reply seq 1280
  IP 210.17.1.1 > 210.17.1.2: icmp 180: host 192.168.4.100 unreachable
 
  ...

  thanks for help


Patricio Bruna V.-2 wrote:
I think you have to add "routeback" rules for the ping from IP_B (PC1) to IP_A. I had a similar setup, but with 17 subnets.
What I did was:
iptables -I FORWARD 1 -s IP_NETWORK_B/NETMASK -d IP_NETWORK_A/NETMASK -i br0 -o br0 -j ACCEPT
iptables -I FORWARD 1 -d IP_NETWORK_B/NETMASK -s IP_NETWORK_A/NETMASK -i br0 -o br0 -j ACCEPT

I had to put those lines in /etc/init.d/rc.local

----- Original Message -----
From: Josephw <josephw@mail.josephw.idv.tw>
To: efw-user@lists.sourceforge.net
Sent: martes 26 de septiembre de 2006 23H35 GMT-0400
Subject: Re: [Efw-user] static routing




Patricio Bruna V.-2 wrote:
>
> What problems do you have with statict routing?
>

ok Here is the network diagram

Internet
|
|
IP_A
[EFW]
ip_a
|
|
LAN_A
|
|
[cisco router]
|
|
LAN_B
|
|
ip_b[PC1]


1. I want to make PC1 able to connect to the internet via EFW.

2. I added the route for reaching LAN_B on EFW.

3. I added the default route for accessing the internet on the cisco router.

4. I added a firewall policy which allows nodes on LAN_B to access the internet.

5. The nodes on LAN_A could reach the internet.

6. I could ping EFW/ip_a from PC1.

7. I could also ping PC1 with source ip EFW/ip_a.

8. But I could not ping IP_A and other ip addresses on the internet from PC1.

9. I used tcpdump to observe icmp packets while pinging from PC1 to an internet ip. There are always two related packets like below:
ICMP reply Destination -> IP_A
ICMP reply Destination -> ip_b
Compared with a ping from nodes on LAN_A, there is no 2nd ICMP reply packet.

thanks for help
--
View this message in context: http://www.nabble.com/static-routing-tf2115612.html#a6519965 
Sent from the efw-user mailing list archive at Nabble.com.


_______________________________________________
Efw-user mailing list
Efw-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/efw-user 
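An added example, written for this thread and not code from Endian or from either poster: it models the forwarding decisions behind the posts above. It parses the routing table from the lab, does the kernel's longest-prefix lookup, checks the strict reverse-path (rp_filter) condition, and runs a packet through a first-match model of the FORWARD chain, so you can see which flows enter and leave on the same interface (the routeback case that Patricio's -i br0 -o br0 rules cover) and which cross from br0 to eth1. Assumptions of this example: IP_NETWORK_A/B are taken to be 192.168.3.0/24 and 192.168.4.0/24 in this lab, 192.168.3.50 is a constructed LAN_A host that does not appear in the thread, and only the filter FORWARD chain is modelled, not NAT or connection tracking.

```python
"""Forwarding model for the EFW lab in this thread (added example, not EFW code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Transcribed from the post's "Kernel IP routing table", route -n layout ("*" as 0.0.0.0).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
210.17.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.4.0     192.168.3.100   255.255.255.0   UG    0      0        0 br0
0.0.0.0         210.17.1.254    0.0.0.0         UG    0      0        0 eth1
"""

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str

@dataclass(frozen=True)
class ForwardRule:  # one iptables FORWARD rule: -s/-d, optional -i/-o, target
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    in_iface: Optional[str]
    out_iface: Optional[str]
    target: str

def parse_route_table(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines()[1:]:  # skip the column header
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(ipaddress.IPv4Network((dest, mask)), gateway, iface))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match (metrics are all 0 in the posted table, so ignored)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)

def rp_filter_ok(routes: List[Route], src: str, arrived_on: str) -> bool:
    """Strict reverse-path check (rp_filter=1): the route back to src must use
    the interface the packet arrived on, otherwise the kernel drops it."""
    back = lookup(routes, src)
    return back is not None and back.iface == arrived_on

def classify_flow(routes: List[Route], src: str, dst: str) -> dict:
    """Ingress iface (route back to src), egress iface (route to dst), next hop,
    and whether the packet is a routeback: same interface in and out."""
    rin, rout = lookup(routes, src), lookup(routes, dst)
    in_iface = rin.iface if rin else None
    out_iface = rout.iface if rout else None
    return {"in": in_iface, "out": out_iface,
            "next_hop": str(rout.gateway) if rout and rout.gateway else "direct",
            "routeback": in_iface is not None and in_iface == out_iface}

def forward_rule(spec: str, target: str) -> ForwardRule:
    """Build a rule from '-s NET -d NET [-i IF] [-o IF]', as written in the posts."""
    tokens = spec.split()
    opts = dict(zip(tokens[::2], tokens[1::2]))
    return ForwardRule(ipaddress.IPv4Network(opts.get("-s", "0.0.0.0/0")),
                       ipaddress.IPv4Network(opts.get("-d", "0.0.0.0/0")),
                       opts.get("-i"), opts.get("-o"), target)

def first_match(chain: List[ForwardRule], src: str, dst: str,
                in_iface: Optional[str], out_iface: Optional[str]) -> str:
    """iptables semantics: walk the chain top down; the first matching rule decides."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in chain:
        if (s in rule.src and d in rule.dst and rule.in_iface in (None, in_iface)
                and rule.out_iface in (None, out_iface)):
            return rule.target
    return "POLICY"  # fell through to the chain's default policy

# Patricio's routeback rules, with IP_NETWORK_A/B assumed (for this example) to be
# the lab's 192.168.3.0/24 and 192.168.4.0/24.
ROUTEBACK_CHAIN = [
    forward_rule("-s 192.168.4.0/24 -d 192.168.3.0/24 -i br0 -o br0", "ACCEPT"),
    forward_rule("-s 192.168.3.0/24 -d 192.168.4.0/24 -i br0 -o br0", "ACCEPT"),
]
# The original poster's rules: no -i/-o, so they also match across interfaces.
OPEN_CHAIN = [
    forward_rule("-s 192.168.4.0/24 -d 0.0.0.0/0", "ACCEPT"),
    forward_rule("-s 0.0.0.0/0 -d 192.168.4.0/24", "ACCEPT"),
]

def evaluate(routes: List[Route], chain: List[ForwardRule], src: str, dst: str):
    """Return (flow classification, FORWARD verdict) for one src -> dst packet."""
    flow = classify_flow(routes, src, dst)
    return flow, first_match(chain, src, dst, flow["in"], flow["out"])

if __name__ == "__main__":
    routes = parse_route_table(ROUTE_TABLE)
    # Constructed flows: loop0 pinging the PC (symptom 3), and a LAN_A host
    # 192.168.3.50 (not in the post) talking to LAN_B.
    for name, chain in (("routeback", ROUTEBACK_CHAIN), ("open", OPEN_CHAIN)):
        for src, dst in (("192.168.4.100", "210.17.1.2"), ("192.168.3.50", "192.168.4.100")):
            flow, verdict = evaluate(routes, chain, src, dst)
            print(f"{name:9} {src:>14} -> {dst:<14} in={flow['in']} out={flow['out']} "
                  f"via={flow['next_hop']} routeback={flow['routeback']} verdict={verdict}")
```

Run it with python3 and it prints one verdict per flow and chain. With this routing table the loop0-to-PC ping is a br0-to-eth1 flow, so only the rules without -i/-o match it, while a LAN_A-to-LAN_B packet enters and leaves on br0 and is the case the routeback rules are written for. The model says nothing about NAT: the eth1 capture in the post shows the request leaving with source 210.17.1.1, which is a translation this filter-only model does not represent.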
