I have ipcop running as an OpenVPN server. I can VPN to it fine and reach the ipcop inside IP address 192.168.0.1, but I can't reach behind that.
Code:
10.0.0.X/24 << wireless access point >> 192.168.0.0/24 << ipcop >> external ip
In simple words, I can reach the 192.168.0.0/24 network over VPN but not 10.0.0.0/24. There is no firewall running on my access point. I think that the ipcop box can route traffic to 192.168.0.0 but not 10.0.0.0.
I think that I need to add a static route on the ipcop box to route traffic from 10.10.10.0/24, which is the VPN subnet, to 10.0.0.0. I don't know how to do it or if it is possible to be done. I know that I need to add a rule within iptables, but I don't know how to do it or what chain I need to add it to. I need some help with this please. Any ideas?
Last edited by waelaltaqi; 12-04-2006 at 11:53 AM.
Ipcop needs to know about both networks, and what interface they are off of.
I have a few guesses. The routing table doesn't know about 10.0.0.0/24, there is a firewall setup not to allow the traffic, or ipcop is setup to use NAT thus not allowing the 10.0.0.0/24 network to traverse into the 192.168.0.0/24 net.
Can the hosts on the 192.168.0.0/24 net connect to the 10.0.0.0/24 if they initiate the connection? If so then my guess is that you need to disable NAT.
"iptables --flush" will clear all the rules, and NAT table.
Can you post the output of these commands from ipcop?
It's not a Linux Question, it's a pure networking question
Thanks. OK, here is what I did:
Code:
route add -net 10.0.0.0/24 gw 192.168.0.1
Here is the routing table on ipcop:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.10.10.0 10.10.10.2 255.255.255.0 UG 0 0 0 tun0
72.51.160.0 0.0.0.0 255.255.248.0 U 0 0 0 eth1
0.0.0.0 72.51.160.1 0.0.0.0 UG 0 0 0 eth1
192.168.0.1 is the IP address on the Green interface. All packets that are going to 10.0.0.0 should route through the 192.168.0.1 interface, right? But I still couldn't reach 10.0.0.1. I think that the problem is due to my misunderstanding of how NAT works. IPCop is set up to do NAT and as far as I know there is no way to disable that from the GUI. Would you please explain for me the difference between usual routing and NATting?
As far as I know, NAT will translate all internal IP addresses to the real IP address when they're going out and will translate the packets to internal IP addresses when they're coming in; it'll keep something like a temporary translation table for packets going in and out. But I don't understand why NAT would block the routing process.
Here are my iptables rules:
Code:
iptables -L
Chain BADTCP (2 references)
target prot opt source destination
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
PSCAN tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
NEWNOTSYN tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
Chain CUSTOMINPUT (1 references)
target prot opt source destination
Chain CUSTOMOUTPUT (1 references)
target prot opt source destination
Chain DHCPBLUEINPUT (1 references)
target prot opt source destination
Chain DMZHOLES (0 references)
target prot opt source destination
Chain GUIINPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain INPUT (policy DROP)
target prot opt source destination
ipac~o all -- anywhere anywhere
BADTCP all -- anywhere anywhere
CUSTOMINPUT all -- anywhere anywhere
GUIINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT !icmp -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
DHCPBLUEINPUT all -- anywhere anywhere
IPSECRED all -- anywhere anywhere
IPSECBLUE all -- anywhere anywhere
OVPNINPUT all -- anywhere anywhere
WIRELESSINPUT all -- anywhere anywhere state NEW
REDINPUT all -- anywhere anywhere
XTACCESS all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `INPUT '
Chain FORWARD (policy DROP)
target prot opt source destination
ipac~fi all -- anywhere anywhere
ipac~fo all -- anywhere anywhere
BADTCP all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
OVPNFORWARD all -- anywhere anywhere
WIRELESSFORWARD all -- anywhere anywhere state NEW
REDFORWARD all -- anywhere anywhere
PORTFWACCESS all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `OUTPUT '
Chain IPSECBLUE (1 references)
target prot opt source destination
Chain IPSECRED (1 references)
target prot opt source destination
Chain LOG_DROP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
DROP all -- anywhere anywhere
Chain LOG_REJECT (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain NEWNOTSYN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ipac~i all -- anywhere anywhere
CUSTOMOUTPUT all -- anywhere anywhere
Chain OVPNFORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OVPNINPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT all -- anywhere anywhere
Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.28.1.2 tcp dpt:ssh
Chain PSCAN (5 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
LOG udp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
LOG icmp -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
LOG all -f anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
DROP all -- anywhere anywhere
Chain REDFORWARD (1 references)
target prot opt source destination
Chain REDINPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:bootps dpt:bootpc
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
Chain WIRELESSFORWARD (1 references)
target prot opt source destination
Chain WIRELESSINPUT (1 references)
target prot opt source destination
Chain XTACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere host-72-51-161-35.newwavecomm.net tcp dpt:ident
ACCEPT tcp -- anywhere host-72-51-161-35.newwavecomm.net tcp dpt:5445
ACCEPT tcp -- anywhere host-72-51-161-35.newwavecomm.net tcp dpt:rsh-spx
ACCEPT tcp -- anywhere host-72-51-161-35.newwavecomm.net tcp dpt:http
ACCEPT tcp -- anywhere host-72-51-161-35.newwavecomm.net tcp dpt:ssh
ACCEPT tcp -- anywhere host-72-51-161-35.newwavecomm.net tcp dpt:mdbs_daemon
Chain ipac~fi (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~fo (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~i (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
Chain ipac~o (1 references)
target prot opt source destination
all -- anywhere anywhere
all -- anywhere anywhere
I don't want to do iptables --flush because that would leave my firewall wide open, and I don't know if I need to recreate the chains, which is something I need to learn, but I would do that on a Slackware box rather than an ipcop box just to learn the process from scratch.
Last edited by waelaltaqi; 12-05-2006 at 09:27 AM.
The link I sent you for adding routes wasn't really that good now I look at it again. Read over the man page as well. I think this is the command you want to use.
Code:
route add -net 10.0.0.0 netmask 255.255.255.0 dev ethX
ethX = the interface that that network is off of. The wireless one in this case.
Quote:
would you please explain for me the difference between usual routing and Natting?
I'll try to explain.
Code:
(Internet)
|
|
[NAT Router]
|
|
{Clients}
With NAT the clients will have private address space assigned to them. When the clients behind the NAT router send a packet to the internet, the src IP address of the packet gets stripped off by the NAT router and is replaced with its public IP so that it can be routed properly. When the response comes back to the NAT router it has the IP of the NAT router's public interface, not the private IP on the client network. It will look in its NAT translation table to see if the packet is destined to one of the clients behind it, and if so send the packet to the correct client where the initial packet came from.
If a device on the "internet" side sends a packet to the NAT router without there first being a connection request, the NAT router should just drop the packet. If the NAT router gets a packet on its interface facing the internet with a destination IP of one of the client IPs, it will, or at least should, drop the packet and not allow it inside the internal net.
This is what I am wondering is happening in your setup. If the wireless clients coming through your ipcop router hit a NAT interface, it could be dropping the packets and not allowing anything into the 192.168.0.0/24 network.
That's why I was wondering whether the clients on the 192.168.0.0/24 net can reach the wireless ones.
With "normal" routing on a Unix box where there are no routing protocols like RIP, BGP, etc. that are sharing routing info between hosts, they will just use their own routing table. So basically once a packet reaches the host (as long as it's configured to forward or route packets), if the packet is not for the host itself it will look in its routing table to see if it knows where the destination net is, and what interface it needs to send out of to reach the network that the packet is destined to.
Can you make a better diagram or explain what interfaces connect to that device, and where exactly the VPN comes into play? Also posting the output of ifconfig could help.
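An added illustration of the two mechanisms this reply describes, using the thread's own addresses (my own example code, not from the thread or from IPCop): ipcop's routing table only cares about the destination, so 10.0.0.1 goes out eth0, while the wireless router's NAT only lets through replies to flows it has already seen. The access point's WAN address 192.168.0.50, the port numbers and the sample flows are constructed values.

```python
import ipaddress

# ipcop's routing table as posted in the thread (after the static route).
IPCOP_ROUTES = [
    ("10.10.10.2/32", None, "tun0"),
    ("10.0.0.0/24", None, "eth0"),
    ("192.168.0.0/24", None, "eth0"),
    ("10.10.10.0/24", "10.10.10.2", "tun0"),
    ("72.51.160.0/21", None, "eth1"),
    ("0.0.0.0/0", "72.51.160.1", "eth1"),
]

def route_lookup(routes, dst):
    """Plain routing: longest-prefix match on the destination only;
    the packet's source address plays no part. Returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return (best[1], best[2])

class NatAccessPoint:
    """The wireless router NATing between 10.0.0.0/24 and its WAN port on
    192.168.0.0/24. The WAN address 192.168.0.50 is a constructed value."""
    def __init__(self, lan="10.0.0.0/24", wan_ip="192.168.0.50"):
        self.lan = ipaddress.ip_network(lan)
        self.wan_ip = wan_ip
        self.xlate = {}  # (remote_ip, wan_port) -> (inside_ip, inside_port)

    def lan_to_wan(self, src, sport, dst, dport):
        """Outbound: rewrite the source to the WAN address, remember the flow."""
        assert ipaddress.ip_address(src) in self.lan
        wan_port = 40000 + len(self.xlate)
        self.xlate[(dst, wan_port)] = (src, sport)
        return (self.wan_ip, wan_port, dst, dport)

    def wan_to_lan(self, src, sport, dst, dport):
        """Inbound: forward only a reply to a remembered flow; anything else,
        including a packet addressed straight to a 10.0.0.x host, is dropped."""
        inside = self.xlate.get((src, dport))
        if dst == self.wan_ip and inside:
            return ("forward", src, sport, inside[0], inside[1])
        return ("drop", src, dst)

def demo():
    ap = NatAccessPoint()
    hop = route_lookup(IPCOP_ROUTES, "10.0.0.1")                    # ipcop: out eth0, fine
    blocked = ap.wan_to_lan("10.10.10.6", 1234, "10.0.0.1", 22)      # AP: no state, dropped
    out = ap.lan_to_wan("10.0.0.1", 5000, "192.168.0.1", 22)         # wifi host -> green side
    reply = ap.wan_to_lan("192.168.0.1", 22, out[0], out[1])         # reply matches state
    return hop, blocked[0], reply[0]
```

Running demo() shows ipcop forwarding the VPN client's packet correctly while the NATing access point drops it, and the wireless host's own outbound flow succeeding because its reply matches a translation entry.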
Alright, I think that you figured out how dumb my setup is. I'm doing VPN from my office to the ipcop box, so I wouldn't think that the NAT on the ipcop box is the issue. On the access point, NAT will not allow routing packets to 10.0.0.0/24 unless they are originated from 10.0.0.0/24. I can ping 192.168.0.1 from 10.0.0.1 but I can't ping 10.0.0.1 from 192.168.0.1. The VPN client 10.10.10.6 will not be able to see 10.0.0.x because the NAT on the wireless access point will block connections on 192.168.0.1 if they haven't been initially originated from 10.0.0.x. Well .... THANK YOU FOR FIGURING THAT OUT
There is no problem with my ipcop box. The problem is that I have two NAT routers running on the same local network for no reason. So I either need to turn off NAT on the wireless access point or switch my network to this diagram:
Code:
switch) --------> wireless access point
For both wireless
an wired) |
|
|
10.0.0.1
| OpenVPN Client
------------------------------ 10.10.10.0/24
| | |
Wireless Clients 10.0.0.2 |
10.0.0.X | |
Gateway 10.0.0.2 ipcop----- realIP---------
Assigned trough DHCP |
|
|
(Doing NAT and OpenVPN
On the ipcop box, I did the following hoping that it would work, which it didn't. But anyway, here you go.
Anyway, I tried to do:
Code:
route add -net 10.0.0.0 netmask 255.255.255.0 dev eth0
Here is my routing table on ipcop now:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.10.10.0 10.10.10.2 255.255.255.0 UG 0 0 0 tun0
72.51.160.0 0.0.0.0 255.255.248.0 U 0 0 0 eth1
0.0.0.0 72.51.160.1 0.0.0.0 UG 0 0 0 eth1
tun0 is the virtual interface that the OpenVPN server creates for the VPN tunnel. I don't know if my second diagram is better practically. NAT is assuming that whatever I have on the wireless access point WAN interface is going to be a real IP address, and traffic from outside shouldn't be routable unless the inside clients ask for it.
Last edited by waelaltaqi; 12-05-2006 at 03:37 PM.
Quote:
there is no problem with my ipcop box. the problem is that i have two NAT routers running on the same local network for no reason. so i either need to turn off NAT on the wireless access point or switch my network to this diagram:
OK, I think you have it figured out then, and I agree the ipcop box is not the problem. It's the double NAT.
A very easy and quick solution would be if you can turn your wireless router into an access point. An access point just relays traffic from one interface to the other, not really caring about the src and dst of the packets. In the end the access point is just like plugging a hub into your switch, and the wireless clients get IPs from the same DHCP pool as the wired ones.
Having both the wired and wireless clients on the same subnet will be the simplest. I think for the most part from a security standpoint they should, however, be separate, and then firewalled to only allow specific traffic from the wireless side into the wired.
I didn't have the option of turning my wireless router (as I should have called it from the beginning of the post) into a wireless access point because it doesn't support it. I switched the whole thing around: I ran my wireless device like a switch and I let ipcop do DHCP, DNS, web proxy and VPN. Thanks a lot for your help, and I'm sorry for the double post.