Hi Folks, I have a bit of a conundrum. Maybe there's just some simple trick I'm missing. Sorry for the lengthy background below!
I've been happily running a dialup connection to the outside world on my 3-4 machine home LAN. In this, one machine has the modem and does the dialup, and the others have a default route which points to that machine. This has no default route in general, but when kppp completes the dialup connection it installs one via ppp0, and deletes it when kppp closes down.
This works fine: all the other machines can find any address outside when this machine has its default ppp0 route up.
Now I finally have ADSL broadband as well. This connects via a Voyager 205 ADSL modem. This has IP address 192.168.1.1.
Here the situation is that, if I put a second NIC in any of the machines as eth1, give it IP address 192.168.1.3 (since this is the first in line of IP addresses which the modem gives out) and also manually install a default route to the net 192.168.1.0 via eth1, then from that machine I can also readily access the outside world.
However, I have not managed to configure the machines so as to route through the ADSL machine via its eth1 in a similar way to ppp0. Say machine C has the ADSL modem on eth1, and machines A, B and C are linked over a network on eth0 for each. The C can see the Net, while A and B can not.
Here is the outline of the configuration.
A 192.168.0.1 eth0
B 192.168.0.7 eth0
C 192.168.0.6 eth0
  192.168.2.0 vmnet1 [bridging network for VMWare]
  192.168.1.3 eth1 --> 192.168.1.1 [ADSL modem/router]
  xxx.yyy.x.w ppp0 [when dialled up, ISP's dynamic IP]
The other side of the ADSL router gets a fixed IP from the ISP, but I never need to see this.
Now for what happens when not using ADSL, just dialup.
[1] 'route' for A gives
-----------------------
192.168.0.0  *  255.255.255.0  U   0 0 555 eth0
loopback     *  255.0.0.0      U   0 0  11 lo
default      C  0.0.0.0        UG  0 0  19 eth0

[2] 'route' for B gives
----------------------
192.168.0.0  *   255.255.255.0  U   0 0  0 eth0
127.0.0.0    *   255.0.0.0      U   0 0  0 lo
default      Co  0.0.0.0        UG  0 0 19 eth0

[3] 'route' for C, when not dialled up, gives
---------------------------------------------
Destination  Gateway  Genmask        Flags ... Iface
192.168.2.0  *        255.255.255.0  U     ... vmnet1
192.168.1.0  *        255.255.255.0  U     ... eth1
192.168.0.0  *        255.255.255.0  U     ... eth0

[4] and, when C has dialled up
------------------------------
imsnet-cl10-hg1  *               255.255.255.255  UH  ... ppp0
192.168.2.0      *               255.255.255.0    U   ... vmnet1
192.168.1.0      *               255.255.255.0    U   ... eth1
192.168.0.0      *               255.255.255.0    U   ... eth0
default          msnet-cl10-hg1  0.0.0.0          UG  ... ppp0
In this configuration, as described above, all three machines can reach the Net without problems, routing through ppp0 on C.
Now, with the ADSL router in place on C, I make the change analogous to [3]->[4] above, by adding the route to the ADSL 192.168.1.1 and the default route to the same on eth1.
But this does not work. While C has no problems seeing the net, neither A nor B can. I feel stumped here, but -- as I say -- there's undoubtedly something simple I've overlooked.
Comments and suggestions most welcome!
Best wishes to all, Ted.
-------------------------------------------------------------------- E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk Fax-to-email: +44 (0)870 094 0861 Date: 25-Oct-05 Time: 18:54:56 ------------------------------ XFMail ------------------------------
On Tue, 2005-10-25 at 18:55 +0100, Ted.Harding@nessie.mcc.ac.uk wrote: <snip>
Here the situation is that, if I put a second NIC in any of the machines as eth1, give it IP address 192.168.1.3 (since this is the first in line of IP addresses which the modem gives out) and also manually install a default route to the net 192.168.1.0 via eth1, then from that machine I can also readily access the outside world.
However, I have not managed to configure the machines so as to route through the ADSL machine via its eth1 in a similar way to ppp0. Say machine C has the ADSL modem on eth1, and machines A, B and C are linked over a network on eth0 for each. The C can see the Net, while A and B can not.
<snip>
Have you done anything on machine C with iptables to MASQUERADE on the ADSL eth1 interface? Something like:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
It may be that kppp does this automatically for ppp0 on-demand, or this has been configured manually before.
I noticed you started by calling the ADSL device a modem then later called it a router. Assuming it's a BT account then we'll assume it's a modem. They're not given to giving their mostly Windows user base proper hardware (but that's a completely different black helicopter theory).
I assume you have windows machines on your LAN too which is the reason for segregating them from the modem via the Linux machine with dual NICs
Is the modem actually Ethernet? I thought they were just cheap USB jobbies? You also mention the modem gives out IP addresses which sounds more like a router performing DHCP. Anyway I'm a bit confused about your setup but here goes...
Here's my old iptables setup from when I used to have an on demand dialup:
# iptables setup
# (note: the "-d ! net" / "-s ! net" inversion below is the old syntax;
#  iptables 1.4.3 and later require "! -d net" / "! -s net" instead)
# deny MS broadcast crap beyond the LAN
iptables -A INPUT -d ! 192.168.0.0/24 -p tcp --dport 139 -j REJECT
# allow localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# allow LAN
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# allow www
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# allow inbound DCC
iptables -A INPUT -s ! 192.168.0.0/24 -p tcp --dport 6789 -j ACCEPT
iptables -I INPUT 1 -s ! 192.168.0.0/24 -p tcp --dport 6790 -j ACCEPT
iptables -I INPUT 1 -s ! 192.168.0.0/24 -p tcp --dport 6881:6889 -j ACCEPT
# reject everything else
iptables -A INPUT -p tcp --syn -j DROP
# enable NAT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 6789 -j DNAT --to-destination 192.168.0.2:6789
iptables -t nat -A PREROUTING -p tcp --dport 6790 -j DNAT --to-destination 192.168.0.7:6790
(I don't use this any more as I use the router for everything) check your IP addresses as I used 192.168.0.0/24 here and ignore any of the 'allow' stuff you don't want to get battered by from the internet. I also set forwarding on (dunno whether this actually does anything but I'm superstitious like that and always set it on):
guy@focusrite:~$ cat /etc/network/options
ip_forward=no       <--- I had this set to 'yes'
spoofprotect=yes
syncookies=no
then set everything else on the LAN to use the Dialup machine's LAN IP as the gateway. Worked for me with a modem for ages, I assume it'd work with a DSLmodem too. Of course... you could always get a cheap router from broadbandbuyer.co.uk for about £25 quid and then just point the whole LAN at that for DHCP and everything which'd solve any Windows accessibility probs for inbound rogue traffic. (That's my understanding and I'm sticking to it!). Works for me on a £50 quid D-Link router and the mother-in-law on her cheapo £25 jobbie!
G
Mr. Adam Allen. wrote:
On Tue, 2005-10-25 at 18:55 +0100, Ted.Harding@nessie.mcc.ac.uk wrote:
<snip>
Here the situation is that, if I put a second NIC in any of the machines as eth1, give it IP address 192.168.1.3 (since this is the first in line of IP addresses which the modem gives out) and also manually install a default route to the net 192.168.1.0 via eth1, then from that machine I can also readily access the outside world.
However, I have not managed to configure the machines so as to route through the ADSL machine via its eth1 in a similar way to ppp0. Say machine C has the ADSL modem on eth1, and machines A, B and C are linked over a network on eth0 for each. The C can see the Net, while A and B can not.
<snip>
Have you done anything on machine C with iptables to MASQUERADE on the ADSL eth1 interface? Something like:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
It may be that kppp does this automatically for ppp0 on-demand, or this has been configured manually before.
main@lists.alug.org.uk http://www.alug.org.uk/ http://lists.alug.org.uk/mailman/listinfo/main Unsubscribe? See message headers or the web site above!
Before there's too much bandwidth going at cross-purposes to my actual query, here's a summary, perhaps a bit more explicit on some issues.
1. Basic LAN: 3 machines A, B, C networked with coax cable over their NICs. (I want to keep this as coax, for various practical reasons).
These are on network 192.168.0.* on eth0 for each machine. (is that the same as 192.168.0.0/24?) and I want to keep this as it is too (otherwise too much unpicking in all sorts of places).
2. ADSL provider is Zen, though the phone line is BT. As part of the deal with Zen I purchased through them a BT Voyager 205 "box". This is both modem (in that it takes the signal from the phone line and converts it) and router (in that it has a host of configurable internal routing and firewalling thingies).
3. The Voyager 205 has 2 sockets: USB and RJ45. I want to use the RJ45. Hence one machine has to have a second NIC since you can't use both BNC (coax) and RJ45 connections on a single NIC.
4. Hence one machine (say B) gets 2 NICs, and the second NIC is put on net 192.168.1.* as eth1
The router by default has an IP address 192.168.1.1 for the RJ45 (and 192.168.1.2 for the USB), and so the next available address from the router is 192.168.1.3.
So I give the second NIC the IP address 192.168.1.3 on eth1 on machine B.
5. I now add a default gateway to B
route add -net default gw 192.168.1.1
(this being the IP address of the router itself) and with this setup I can access the web quite freely from machine B.
6. The other two machines (A and C) each have default gateway B.
7. However, from neither of the other machines can I access the web at all.
8. This contrasts, however, with the behaviour when B is used to dial-up using an ordinary phone modem. Kppp does the business, and when it's done there's a default route on B via PPP through interface ppp0 to the outside world.
With this, and default routes on A and C as above, unchanged, all 3 machines can access the web freely.
What I'm trying to achieve with ADSL and the Voyager is what is already achieved with dialup and the phone-modem!
What puzzles me is that if A and C can route their outside traffic via B with their default routes, and B can pick this up and send it out through the phone-modem, why is it that with ADSL -- while B can send its own traffic out through the DSL modem using B's configuration -- it can't cope with the traffic coming in from A and C? While it can cope with its own traffic?
As far as A and C are concerned, they're still sending their outward-bound traffic to B since that's what they do with "default" stuff. B is somehow failing to transfer this to the DSL despite being able to transfer its own stuff.
Hoping this makes it clearer!
(By the way, for those who've mentioned iptables: I've checked, and there's no program 'iptables' on B, though there's 'iptables' source code in the kernel sources, and apparently 3 related modules: iptable_filter.o, iptable_mangle.o and iptable_nat.o -- and, in case it's relevant, No, I'm not in a hurry to re-compile the kernel! This issue should be simpler than that).
Best wishes to all, Ted.
-------------------------------------------------------------------- E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk Fax-to-email: +44 (0)870 094 0861 Date: 26-Oct-05 Time: 13:10:51 ------------------------------ XFMail ------------------------------
My first instinct is that the forwarding/NAT on machine C is a little confused.
How are you configuring iptables ? I had hell on a stick a few years back with SuSEFirewall (it hated having a dynamic address on the untrusted side) You possibly have an iptables statement somewhere that sets up the masquerade that may still have the external interface defined as ppp
Either that or name resolution does not work somewhere along the line, either in resolving the name of the gateway "C" in your example or in resolving the name of the Internet address.
Does it fail equally for an Internet domain name as well as an Internet address?
What happens when you trace the route ?
Hi Folks,
I'm going to try a simpler and more general version of my query.
Three machines, A, B and C.
All 3 on one LAN with coax cable linking their NICs. This LAN is on net 192.168.0.*
In addition, C has an ADSL modem/router on a second NIC, connected with RJ45 cable. This 2nd NIC is on net 192.168.1.*
A and B have a default route to C. This clearly works in each case as verified by performance when C is simply used as a phone-modem dialup (i.e. without ADSL): C, and also A and B through C, can all access the outside world.
With ADSL on C, C has a default route to the IP address of the router. With the ADSL synced to the line, this also works, but from within C alone, as verified by access to the Web.
However, now A and B cannot route out through C, despite the fact that the default routes A->C and B->C are good, and the default route C->Web is good.
'traceroute' to the router's IP from A or B gets an immediate good response from C, but then goes into asterisk mode. 'traceroute -d' returns "network unreachable". So packets are reaching C.
SO, for some reason, despite a working default route, C is unable to route packets coming in from A or B to its default route.
So, QUESTION: What can cause this? What should I be looking into?
(BTW, please don't suggest things like putting everything on one RJ45 network, since this involves physical changes that I don't want to get involved in. This should be a simple question of configuring one machine to act as a router between two networks.)
With thanks, and best wishes, Ted.
-------------------------------------------------------------------- E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk Fax-to-email: +44 (0)870 094 0861 Date: 26-Oct-05 Time: 22:34:03 ------------------------------ XFMail ------------------------------
(Ted Harding) Ted.Harding@nessie.mcc.ac.uk
I'm going to try a simpler and more general version of my query.
Thanks for boiling it down for simpletons like me!
With ADSL on C, C has a default route to the IP address of the router. With the ADSL synced to the line, this also works, but from within C alone, as verified by access to the Web.
Does C have a route back to A or B?
Does the connection to the router set up the same forwarding as when it is connected via pppd?
So, QUESTION: What can cause this? What should I be looking into?
C's routing table or packet forwarding is wrong. route -n and iptables -L -n may show you what it's doing.
Hope that helps,
(Ted Harding) wrote:
Hi Folks,
I'm going to try a simpler and more general version of my query.
Three machines, A, B and C.
All 3 on one LAN with coax cable linking their NICs. This LAN is on net 192.168.0.*
In addition, C has an ADSL modem/router on a second NIC, connected with RJ45 cable. This 2nd NIC is on net 192.168.1.*
A and B have a default route to C. This clearly works in each case as verified by performance when C is simply used as a phone-modem dialup (i.e. without ADSL): C, and also A and B through C, can all access the outside world.
With ADSL on C, C has a default route to the IP address of the router. With the ADSL synced to the line, this also works, but from within C alone, as verified by access to the Web.
However, now A and B cannot route out through C, despite the fact that the default routes A->C and B->C are good, and the default route C->Web is good.
'traceroute' to the router's IP from A or B gets an immediate good response from C, but then goes into asterisk mode. 'traceroute -d' returns "network unreachable". So packets are reaching C.
Ted,
It sounds like your router doesn't know how to get to A or B - it is almost certainly receiving the packets but doesn't know how to route to 192.168.0.0/24 (yes, this is the same as 192.168.0.* in answer to an earlier post) hence it is sending its replies out over its default route - that is to your ISP.
You have two options.
* the quickest fix would be to add a static route in your ADSL router/modem, so that it can route back to 192.168.0.0/24 via machine C
* otherwise, you can install IPTables and use C to do NAT translation (this will mean that the connections from A or B will look as though they come from C to the router)
Hope this helps,
Jim
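As an added illustration (not code from this thread or from any of its posters), the Python model below follows one packet from A out through C to the Voyager and the reply back, using the addresses given in the thread. It shows why the reply is lost when the router only has its ISP default route, why nothing at all gets through when C's ip_forward is off (Adam's echo "1" suggestion), and how either of Jim's two options, a static route for 192.168.0.0/24 on the router or MASQUERADE on C, brings the reply home. The outside address 198.51.100.10 is a constructed placeholder.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not the list's code):
# A and B sit on 192.168.0.0/24 behind C; C's eth1 is 192.168.1.3; the Voyager
# is 192.168.1.1 and, as shipped, knows only its own subnet and an ISP default.
LAN = ipaddress.ip_network("192.168.0.0/24")
DSL = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
C_ETH1 = ipaddress.ip_address("192.168.1.3")
ROUTER = ipaddress.ip_address("192.168.1.1")
A = ipaddress.ip_address("192.168.0.1")
OUTSIDE = ipaddress.ip_address("198.51.100.10")  # placeholder web server

def lookup(table, dst):
    """Longest-prefix match. table is a list of (network, next_hop);
    next_hop "direct" means the destination is on a connected subnet."""
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "unroutable"

# C's table as in listing [3] plus the default route added in step 5.
C_TABLE = [(LAN, "direct"), (DSL, "direct"), (ANY, ROUTER)]
# Router as shipped: its own subnet plus the ISP default.
ROUTER_PLAIN = [(DSL, "direct"), (ANY, "isp")]
# Jim's first option: a static route for the LAN pointing back at C's eth1.
ROUTER_STATIC = [(LAN, C_ETH1)] + ROUTER_PLAIN

def round_trip(src, ip_forward, router_table, masquerade):
    """Send a packet from src via C to OUTSIDE and follow the reply back.
    Returns 'dropped at C', 'isp' (reply sent upstream and lost) or 'C'."""
    if src not in DSL and not ip_forward:
        return "dropped at C"                 # kernel refuses to forward
    assert lookup(C_TABLE, OUTSIDE) == ROUTER  # C itself has a way out
    seen_src = C_ETH1 if masquerade and src in LAN else src  # SNAT rewrite
    hop = lookup(router_table, seen_src)      # where the router sends the reply
    return "C" if hop in ("direct", C_ETH1) else hop

def diagnose(src=A):
    """The four situations discussed in the thread, for a packet from src."""
    return {
        "no_forwarding": round_trip(src, False, ROUTER_PLAIN, False),
        "forward_only": round_trip(src, True, ROUTER_PLAIN, False),
        "static_route": round_trip(src, True, ROUTER_STATIC, False),
        "masquerade": round_trip(src, True, ROUTER_PLAIN, True),
    }
```

The "forward_only" case is Ted's symptom: C forwards A's packet and the router answers, but the answer goes up the default route to the ISP, which matches traceroute reaching C and then showing asterisks.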