Old 09-16-2009, 12:55 PM   #1
Louis_Carole
Member
 
Registered: Feb 2004
Location: Oxford, OH
Distribution: LFS 5.1.1, Slackware 9.1
Posts: 94

Rep: Reputation: 15
Cannot ping through router from outside


Dear All,

I have read many posts which suggest many things for many problems similar to mine. I am still confused and am not sure whether they address my problem in particular.

In short: We can't see our computers through our new router.


In not-so-short:


Old Setup (DHCP, using names of computers, not IPs):

mycomputer.network.school.edu ---> somewhere, not sure where
anothercomputer.network.school.edu ---> same somewhere
yetanothercomputer.network.school.edu ---> same somewhere
...
labcomputer.network.school.edu --> same somewhere

I could ssh from mycomputer to labcomputer, and back again.
My colleagues could ssh to or from, either way, too, without port specifications or anything, using their {,yet}anothercomputer's.


New Setup (Still want DHCP/names since that's what we know):

mycomputer.network.school.edu ---> new router
anothercomputer.network.school.edu ---> old somewhere
yetanothercomputer.network.school.edu ---> new router
...
labcomputer.network.school.edu --> same old somewhere

Now, I can ssh to the labcomputer from mycomputer, but I can't ssh from the labcomputer to mycomputer. In fact,

myaccount@labcomputer $ ping mycomputer.network.school.edu

yields "From labcomputer.network.school.edu (###.###.###.###) icmp_seq=3 Destination Host Unreachable"

Moreover,

'myaccount@mycomputer $ ping mycomputer' works, but not 'myaccount@mycomputer $ ping mycomputer.network.school.edu'.

Here's a lot of stuff people seemed to ask for from other posts...

On labcomputer.network.uc.edu:

Code:
myaccount@labcomputer $ uname -a
Linux node1.knut.cluster.uc 2.4.20-8 #1 Thu Mar 13 17:18:24 EST 2003 i686 athlon i386 GNU/Linux

myaccount@labcomputer $ sudo route # full privileges
sudo: route: command not found

myaccount@labcomputer $ sudo ifconfig -a # full privileges
sudo: ifconfig: command not found

# labcomputer uses some wacky old networking stuff, but I can't ping mycomputer from anothercomputer either

myaccount@labcomputer $ nmap -sT localhost

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1589 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
111/tcp    open        sunrpc                  
513/tcp    open        login                   
514/tcp    open        shell                   
764/tcp    open        omserv                  
873/tcp    open        rsync                   
904/tcp    open        unknown                 
912/tcp    open        unknown                 
925/tcp    open        unknown                 
1023/tcp   open        unknown                 
32770/tcp  open        sometimes-rpc3          
32771/tcp  open        sometimes-rpc5          

Nmap run completed -- 1 IP address (1 host up) scanned in 0 

myaccount@labcomputer $ nmap -sT labcomputer.network.school.edu # ip scratched, but it looks like school's network

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on labcomputer.network.school.edu (###.###.###.###):
(The 1589 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
111/tcp    open        sunrpc                  
513/tcp    open        login                   
514/tcp    open        shell                   
764/tcp    open        omserv                  
873/tcp    open        rsync                   
904/tcp    open        unknown                 
912/tcp    open        unknown                 
925/tcp    open        unknown                 
1023/tcp   open        unknown                 
32770/tcp  open        sometimes-rpc3          
32771/tcp  open        sometimes-rpc5          

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

On mycomputer.network.school.edu:

Code:
myaccount@mycomputer $ uname -a
Linux mycomputer 2.6.28-15-generic #49-Ubuntu SMP Tue Aug 18 18:40:08 UTC 2009 i686 GNU/Linux

myaccount@mycomputer $ ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:18:8b:d9:99:2e  
          inet addr:192.168.10.106  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::218:8bff:fed9:992e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14685 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16169 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:8558785 (8.5 MB)  TX bytes:2765833 (2.7 MB)
          Interrupt:17 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:70 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5344 (5.3 KB)  TX bytes:5344 (5.3 KB)

pan0      Link encap:Ethernet  HWaddr 82:67:4d:4e:75:07  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:18:de:b3:52:c0  
          inet addr:192.168.10.105  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::218:deff:feb3:52c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1174 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:345090 (345.0 KB)  TX bytes:4519 (4.5 KB)

wmaster0  Link encap:UNSPEC  HWaddr 00-18-DE-B3-52-C0-32-63-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

myaccount@mycomputer $ nmap -sT localhost

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-16 13:21 EDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
631/tcp  open  ipp
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

myaccount@mycomputer $ nmap -sT mycomputer.network.school.edu

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-16 13:33 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 2.13 seconds

myaccount@mycomputer $ nmap -sT mycomputer

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-16 13:36 EDT
Interesting ports on mycomputer (127.0.1.1):
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Router: Firewall off

Dynamic DHCP List
Host Name           IP Address      MAC Address        Expired Time
home215             192.168.10.101  00-c0-9f-13-87-70  Jan/08/2000 00:00:26
afourthcomputer     192.168.10.102  00-07-e9-83-f5-9a  Jan/08/2000 00:00:37
anothercomputer     192.168.10.103  00-1c-c0-a3-54-e8  Jan/08/2000 00:00:42
--                  192.168.10.104  00-1f-f3-bb-e4-81  Jan/08/2000 12:07:23
mycomputer          192.168.10.105  00-18-de-b3-52-c0  Jan/08/2000 15:46:04
yetanothercomputer  192.168.10.107  00-1c-c0-a3-7a-c0

labcomputer in another room, connected some other way.

WAN
Router IP ###.###.###.### (looks like a network.school.edu IP)
Subnet Mask 255.255.255.0
Default Gateway ###.###.###.### (looks like network.school.edu gateway)
DNS 10.25.3.2, 10.27.3.2

LAN
IP Address 192.168.10.1
Subnet Mask 255.255.255.0

Static: (nothing set up)

Dynamic
NAT Enabled
Transmit Disabled
Receive Disabled

Routing table: (empty)
Filter: MAC address, but DISABLED
Virtual Server: (nothing)
Special AP: (nothing)
DMZ: (none)
Firewall Rules: (none)

I hope this begins to answer something, and thanks in advance!

- Louis

PS /etc/networks has one line on my computer: link-local ###.###.###.###
PPS Does our router have a name?
PPPS How did our computers know what their network name was before? And how should they know now?

Last edited by Louis_Carole; 09-16-2009 at 12:58 PM.
 
Old 09-16-2009, 11:49 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Hi Louis,

Judging by this:

Quote:
Dynamic
NAT Enabled

... you should only be able to go from the 'inside' to the 'outside', unless static NAT has been enabled to allow access from 'outside' to an 'inside' host.

e.g.

[PC1]-----[DYN NAT ROUTER]------[HOST on INTERNET]

PC1: 192.168.0.10 ( private address )
ROUTER inside address: 192.168.0.1 ( private address )
ROUTER outside address: 12.34.56.78 ( public address )
INTERNET HOST: 23.45.67.89 ( public address )

Connections from PC1 to INTERNET HOST will be translated and appear to come from 12.34.56.78

Connections from INTERNET HOST to PC1 will fail as PC1 has a 'private' address which is not routable on the internet.

Connections from INTERNET HOST to 12.34.56.78 will fail as they are not part of an existing connection initiated from a host on the inside.

Therefore connections will only work when initiated from the inside.

Does this clear things up?

cheers,

kbp

Last edited by kbp; 09-16-2009 at 11:51 PM.
 
Old 09-17-2009, 11:52 AM   #3
Louis_Carole
Member
 
Registered: Feb 2004
Location: Oxford, OH
Distribution: LFS 5.1.1, Slackware 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
Dear kbp,

You have elucidated the problem, thank you. I will try to use what you have said to fix it. In the meantime, if anyone has any spoilers that would make our system work without waiting on my learning curve, feel free to tell me what to do for outside to see inside.

Thanks again,

Louis

PS Since we have laptops too, we'd like to keep the dynamic part from the inside.
 
Old 09-17-2009, 02:20 PM   #4
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Use port forwarding in that case, in similar fashion,

/sbin/iptables -t nat -A PREROUTING -p tcp -d 12.34.56.78 --dport 80 -j DNAT --to-destination 192.168.1.1:80
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.1 --dport 80 -j ACCEPT

So, any request to 12.34.56.78 on port 80 is forwarded to 192.168.1.1, port 80, where, as an example, you can host your website.

Regards,

--
Prasanta
 
Old 09-23-2009, 10:00 AM   #5
Louis_Carole
Member
 
Registered: Feb 2004
Location: Oxford, OH
Distribution: LFS 5.1.1, Slackware 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
Dear Prasanta,

I see references to static IP addresses from both inside and outside. Does this work for dynamic IPs?

I see port forwarding. Does the outside user need to know beforehand which port to request from the router, with a different port for each machine? (e.g. ssh)

router:22 --> 192.168.1.101:22
router:23 --> 192.168.1.102:22

What I would like is:

joe@outsider.world.net executes
Code:
ssh somebody@computer1behindrouter.ourrouter.schoolnetwork.edu
and ourrouter.schoolnetwork.edu understands to do:
Code:
(pseudo) ourrouter:22 --> computer1behindrouter:22 (dynamic host name)
If then schmo@outsider.world.net executes
Code:
ssh someone@computer2behindrouter.ourrouter.schoolnetwork.edu
ourrouter.schoolnetwork.edu now understands to do:
Code:
(pseudo) ourrouter:22 --> computer2behindrouter:22 (dynamic host name)

Thanks again,

Louis
 
Old 09-23-2009, 12:01 PM   #6
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Dear Louis,

In case you are using dynamic IPs, the request would not pass through.

It will not be possible, since iptables will be confused about where to pass the request to when an ssh request is made to `ourrouter`. You can do,
Code:
ssh somebody@ourrouter.schoolnetwork.edu
and
Code:
ssh somebody@ourrouter.schoolnetwork.edu -p 1022
In the former, the request is forwarded to `computer1behindrouter`, and in the latter to `computer2behindrouter`.

Regards,

--
Prasanta
 
Old 09-24-2009, 10:43 AM   #7
Louis_Carole
Member
 
Registered: Feb 2004
Location: Oxford, OH
Distribution: LFS 5.1.1, Slackware 9.1
Posts: 94

Original Poster
Rep: Reputation: 15
Dear All,

It sounds like static IPs and port assignments are the way it has to be.
One last attempt to at least avoid port numbers...

I saw it was possible to configure ssh (see 'man ssh_config') to use default parameters for port forwarding on the client globally (in /etc/ssh_config) and per-account (~/.ssh/config).

I will try modifying these files to see if we can avoid having to remember yet another set of numbers (the host ports) to communicate with one another, since we use each other's processors all the time. It should just take setting it up for each computer and then remembering to do it for each new user/machine.

Thank you for all your help!

- Louis

PS The "no port #s" and "DNS" idea was to keep things simple for the non-admin users at work. Laptops will just have to be assigned IPs as they come in. They have unchanging MAC addresses, right?

Last edited by Louis_Carole; 09-24-2009 at 10:49 AM.
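
The inside-initiated-only NAT behaviour from post #2, the per-port static mapping from posts #4 and #6, and the client-side ssh configuration from post #7, as an added example that is not part of any post: a script that prints the router rules and the matching `~/.ssh/config` stanzas from one table. The inside addresses, `eth0` as the WAN interface, and a Linux router running iptables are assumptions; the host names are the placeholders used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed table, one host per line:
#   ssh-alias  outside-port  inside-IP (fixed DHCP reservation)  inside-port
FORWARDS='computer1behindrouter 22 192.168.10.201 22
computer2behindrouter 1022 192.168.10.202 22'
ROUTER=ourrouter.schoolnetwork.edu  # outside name used in the thread
WAN_IF=eth0                         # assumed WAN interface of a Linux router

# Refuse a table that maps one outside port to two inside hosts.
check_forwards() {
    dup=$(echo "$FORWARDS" | awk '{print $2}' | sort | uniq -d)
    [ -z "$dup" ] || { echo "duplicate outside port: $dup" >&2; return 1; }
}

# Print the router's iptables commands (review them, then run as root).
router_rules() {
    # Dynamic NAT: inside hosts leave with the router's outside address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # Replies to connections that started inside are let back in.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$FORWARDS" | while read -r _name eport ip iport; do
        # Static mapping: one outside port reaches exactly one inside host.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $eport -j DNAT --to-destination $ip:$iport"
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $ip --dport $iport -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Every other connection attempt from outside is not forwarded.
    echo "iptables -A FORWARD -i $WAN_IF -j DROP"
}

# Print ~/.ssh/config stanzas so outside users type "ssh <alias>", no port.
ssh_client_config() {
    echo "$FORWARDS" | while read -r name eport _ip _iport; do
        # HostKeyAlias keeps a separate known_hosts entry per inside host.
        printf 'Host %s\n    HostName %s\n    Port %s\n    HostKeyAlias %s\n\n' \
            "$name" "$ROUTER" "$eport" "$name"
    done
}

check_forwards && router_rules && ssh_client_config
```

Each forwarded port exposes that host's sshd to everything on the outside network; adding `-s <trusted range>` to the DNAT and FORWARD rules narrows who can reach it. The inside addresses only stay valid if the router hands each MAC address the same lease every time.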
 
  

