i'm working on a home office dsl /smoothwall firewall/ apache server/ two pc network. i can't browse from the apache webserver's browser to the internet but i can ping all the way out to the internet gateway and beyond. my apache server is set up with a single nic 10.1.1.11 netmask 255.255.255.0. what am i missing? (after I solve this problem, i also want to set up a direct gateway from the dsl modem to the server nic. what is the best solution?)



Interfaces:

(FIREWALL TO LOCAL NETWORK 10 MB HUB)
eth0 Link encap:Ethernet HWaddr 00:60:B0:86:xx:7D
inet addr:10.1.1.1 Bcast:10.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2879 errors:0 dropped:0 overruns:0 frame:0
TX packets:5193 errors:0 dropped:0 overruns:0 carrier:0
collisions:12 txqueuelen:100
Interrupt:11 Base address:0xf4e0

(FIREWALL TO APACHE)
eth1 Link encap:Ethernet HWaddr 00:E0:29:xxC:31
inet addr:10.1.1.10 Bcast:10.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:11 Base address:0xfc00

(FIREWALL TO DSL MODEM)
eth2 Link encap:Ethernet HWaddr 00:50:BA:xx:3B:41
inet addr:xx.xxx.56.181 Bcast:xx.xxx.56.183 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5035 errors:0 dropped:0 overruns:0 frame:0
TX packets:2750 errors:0 dropped:0 overruns:0 carrier:0
collisions:2 txqueuelen:100
Interrupt:10 Base address:0xf800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:1xx36 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

Routing:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xx.xxx.56.180 0.0.0.0 255.255.255.252 U 0 0 0 eth2
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 xx.xxx.56.182 0.0.0.0 UG 0 0 0 eth2


Module Size Used by Not tainted
8139too 14888 2
pcnet32 14720 1
mii 1024 0 [8139too pcnet32]
ip_nat_ftp 3088 0 (unused)
ip_conntrack_ftp 3360 0 (unused)
ip_nat_irc 2384 0 (unused)
ip_conntrack_irc 2496 0 (unused)
ppp_async 6816 0 (unused)
ppp_synctty 5152 0 (unused)
ppp_generic 18656 0 [ppp_async ppp_synctty]
slhc4592 0 [ppp_generic]

Kernel version:

Linux firewall 2.4.19 #11 Wed Aug 21 12:13:27 BST 2002 i586 unknown

1st problem I can see is the same ip subnet on eth1 & eth0.
They need to be different address spaces eg 10.1.1.1 & 10.1.0.1 if you use a 255.255.255.0 subnet mask.
Doing it your way, the packets for the network have 2 choices about where to go.

I suggest you change the eth1 to 10.1.0.10 and likewise on the apache pc.

Regards,
Peter

thanks for the suggestion. i previously tried a completely different network for the apache nic (192.168.0.1 and 192.168.0.2) but found that this requires the kernel to be both a router and a bridge (which requires a kernel patch). http://www.linuxgazette.com/issue76/whitmarsh.html
Can I impose on you to tell me where I could find a good explanation of why you can have:
(1) multiple subnets under 10.1.x.x or 192.168.x.x but
(2) not two separate networks with 10.1.x.x and 192.168.x.x?
I read the works referenced by the hyperlink above but didn't find the answer (or at least one that i could understand).
thanks.

re: subnetwork issues, giving new subnet address to the apache nic and firewall nic for apache did the trick. thanks.

re: etc/resolv.conf, i've been messing around with some of the gui network configuration interfaces and some how i had edited my resolv.conf file without realizing it. thanks.

The two separate networks idea is common...
You just need to tell the firewall routing table which interface to find each network on,
then tell the LAN pc's to use that firewall as a gateway for the network number. So a pc on the 10.x.x.x has an entry that describes the gateway pc that has the 192.168.x.x network on it.
The '/proc/sys/net/ipv4/ip_forward' does all the routing, if it gets routing packets...
That is what a "gateway" setting is for...
Have a look at "man route" for a brief explanation...

Regards,
Peter