IPCOP OpenVPN Routing problem.
I have ipcop running as an OpenVPN server. I can VPN to it fine and reach the ipcop inside IP address 192.168.0.1, but I can't reach anything behind that.
Code:
10.0.0.X/24 << wireless access point >> 192.168.0.0/24 << ipcop >> external ip
I think that I need to add a static route on the ipcop box to route traffic from 10.10.10.0/24, which is the VPN subnet, to 10.0.0.0. I don't know how to do it or if it is possible to be done. I know that I need to add a rule within iptables, but I don't know how to do it or what chain I need to add it to. I need some help with this please. Any ideas?
Here is a simple guide on adding routes:
http://www.geocities.com/rlcomp_1999/routes.html
Ipcop needs to know about both networks, and what interface they are off of. I have a few guesses: the routing table doesn't know about 10.0.0.0/24, there is a firewall setup not to allow the traffic, or ipcop is set up to use NAT, thus not allowing the 10.0.0.0/24 network to traverse into the 192.168.0.0/24 net. Can the hosts on the 192.168.0.0/24 net connect to the 10.0.0.0/24 if they initiate the connection? If so then my guess is that you need to disable NAT. "iptables --flush" will clear all the rules and the NAT table. Can you post the output of these commands from ipcop?
Code:
iptables --list
ifconfig
netstat -rn
It's not a Linux Question, it's a pure networking question
Thanks. OK, here is what I did:
Code:
route add -net 10.0.0.0/24 gw 192.168.0.1
Code:
Kernel IP routing table
As far as I know, NAT will translate all internal IP addresses to the real IP address when they're going out and will translate the packets back to internal IP addresses when they're coming in; it'll keep something like a temporary translation table for packets going in and out. But I don't understand why NAT would block the routing process. Here are my iptables rules:
Code:
iptables -L
The link I sent you for adding routes wasn't really that good, now that I look at it again. Read over the man page as well. I think this is the command you want to use:
Code:
route add -net 10.0.0.0 netmask 255.255.255.0 dev ethX
Quote:
Code:
(Internet)
With NAT the clients will have private address space assigned to them. When the clients behind the NAT router send a packet to the internet, the src IP address of the packet gets stripped off by the NAT router and is replaced with its public IP so that it can be routed properly. When the response comes back to the NAT router it has the IP of the NAT router's public interface, not the private IP on the client network. It will look in its NAT translation table to see if the packet is destined to one of the clients behind it, and if so send the packet to the correct client where the initial packet came from. If a device on the "internet" side sends a packet to the NAT router without there first being a connection request, the NAT router should just drop the packet. If the NAT router gets a packet on its interface facing the internet with a destination IP of one of the client IPs, it will, or at least should, drop the packet and not allow it inside the internal net. This is what I am wondering is happening in your setup. If the path the wireless clients take through your ipcop router hits a NAT interface, it could be dropping the packets and not allowing anything into the 192.168.0.0/24 network. That's why I was wondering whether the clients on the 192.168.0.0/24 net can reach the wireless ones.
With "normal" routing on a Unix box, where there are no routing protocols like RIP, BGP, etc. sharing routing info between hosts, it will just use its own routing table. So basically once a packet reaches the host (as long as it is configured to forward or route packets), if the packet is not for the host itself it will look in its routing table to see if it knows where the destination net is, and what interface it needs to send out of to reach the network that the packet is destined to.
Can you make a better diagram, or explain what interfaces connect to that device and where exactly the VPN comes into play? Also posting the output of ifconfig could help.
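A small model of the two points made in the reply above (a box without routing protocols picking the most specific entry in its own routing table, and a NAT router dropping inbound packets that have no translation entry), added here as an illustration and not something posted in the thread. The interface names eth0, eth1, tun0, wlan0, wan0 and the host addresses 10.10.10.6, 10.0.0.5 and 192.168.0.20 are assumptions built from the thread's diagram.

```python
import ipaddress

class Router:
    """Routing table plus, optionally, a NAT translation table on one interface."""
    def __init__(self, routes, nat_outside=None):
        # routes: (cidr, interface) pairs, the same information "netstat -rn" prints
        self.routes = [(ipaddress.ip_network(c), i) for c, i in routes]
        self.nat_outside = nat_outside   # interface NAT is applied on; None = plain routing
        self.translations = set()        # (inside_ip, outside_ip) pairs created by outbound traffic

    def add_route(self, cidr, iface):
        # what "route add -net <net> netmask <mask> dev <iface>" does to the table
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def lookup(self, dst):
        hits = [(net, iface) for net, iface in self.routes if ipaddress.ip_address(dst) in net]
        # most specific route wins; 0.0.0.0/0 (the default route) only matches as a last resort
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def forward(self, src, dst, in_iface):
        out = self.lookup(dst)
        if out is None:
            return "no route"
        if self.nat_outside is not None:
            if out == self.nat_outside:
                self.translations.add((src, dst))   # inside -> outside: remember it, rewrite src
                return f"out {out} (src rewritten)"
            if in_iface == self.nat_outside and (dst, src) not in self.translations:
                return "dropped (no translation entry)"  # unsolicited packet from the outside
        return f"out {out}"

# Constructed topology: ipcop green eth0 = 192.168.0.0/24, VPN tun0 = 10.10.10.0/24, red eth1 = default;
# the wireless router NATs 10.0.0.0/24 (wlan0) behind its 192.168.0.x side (wan0).
def vpn_to_wireless(static_route):
    # VPN client 10.10.10.6 -> wireless host 10.0.0.5; without the route ipcop sends it out red
    ipcop = Router([("192.168.0.0/24", "eth0"), ("10.10.10.0/24", "tun0"), ("0.0.0.0/0", "eth1")])
    if static_route:
        ipcop.add_route("10.0.0.0/24", "eth0")
    return ipcop.forward("10.10.10.6", "10.0.0.5", "tun0")

def nat_inbound(client_initiated_first):
    # the same packet arriving at the NAT-ing wireless router: dropped unless a client went out first
    ap = Router([("10.0.0.0/24", "wlan0"), ("0.0.0.0/0", "wan0")], nat_outside="wan0")
    if client_initiated_first:
        ap.forward("10.0.0.5", "192.168.0.20", "wlan0")      # client opens a connection outward
        return ap.forward("192.168.0.20", "10.0.0.5", "wan0")  # the reply has an entry, so it passes
    return ap.forward("10.10.10.6", "10.0.0.5", "wan0")
```

Adding the static route fixes the first hop on ipcop, but the packet is still dropped at the second NAT device, which is why the thread ends up removing NAT from the wireless router.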
Here is my network:
Code:
real ip <------- OpenVPN Subnet
There is no problem with my ipcop box. The problem is that I have two NAT routers running on the same local network for no reason. So I either need to turn off NAT on the wireless access point or switch my network to this diagram:
Code:
switch --------> wireless access point (for both wireless and wired)
10.0.0.1
OpenVPN Client ------------------------------ 10.10.10.0/24
Wireless Clients 10.0.0.2 | 10.0.0.X
Gateway 10.0.0.2
ipcop ----- realIP --------- assigned through DHCP
(Doing NAT and OpenVPN on the ipcop box)
I did the following hoping that it would work, which it didn't. But anyway, here you go. I tried to do:
Code:
route add -net 10.0.0.0 netmask 255.255.255.0 dev eth0
Code:
Kernel IP routing table
Code:
root@ipcop:/ # ifconfig
Quote:
A very easy and quick solution would be if you can turn your wireless router into an access point. An access point just relays traffic from one interface to the other, not really caring about src and dst of the packets. In the end the access point is just like plugging a hub into your switch, and the wireless clients get IPs from the same DHCP pool as the wired ones. Having both the wired and wireless clients on the same subnet will be the simplest. I think for the most part from a security standpoint they should however be separate, and then firewalled to only allow specific traffic from the wireless side into the wired.
Problem solved
I didn't have the option of turning my wireless router (as I should have called it from the beginning of the post) into a wireless access point, because it doesn't support it. I switched the whole thing around, ran my wireless device like a switch and let ipcop do DHCP, DNS, web proxy and VPN. Thanks a lot for your help, and I'm sorry for the double post.
Wael Altaqi