LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 05-18-2003, 04:46 PM   #1
ealpert1
LQ Newbie
 
Registered: May 2003
Location: Colorado
Posts: 24

Rep: Reputation: 15
NAT'd subnet routing question


I've got a host who which has a static IP but it's really on a NAT'd subnet. It just gets the same IP through MAC based auth (read I must use DHCP). It has an internal network. Essentially it's your standard DSL type set up. Problem is the ISP doesn't have an internal route for getting to my static IP from the internal LAN. This is breaking some apps I have no control over.

EXAMPLE

Static IP for the whole internet:

X.X.X.X

My internal IP:

Y.Y.Y.Y

Problem occurs when Y.Y.Y.Y tries to connect to X.X.X.X

I think the ISP didn't set a route for this. I have other hosts on DSL with different ISP that work fine in the exact same config.

Normally I'd play around with routing/iptables till I got something to work. Problem is this particular machine is 30 miles away and I'd have to drive to get to the console in case I screw up.

That said. anyone have any recommendations? Seems simple just don't want to screw up.

Thanks,

-ethan
 
Old 05-18-2003, 06:57 PM   #2
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
im having problems understanding the setup here:

you have a computer on the net with static ip X.X.X.X

when u say that Y.Y.Y.Y is internal, what is its gateway??? the X.X.X.X machine? What is the physical setup.
 
Old 05-18-2003, 07:25 PM   #3
ealpert1
LQ Newbie
 
Registered: May 2003
Location: Colorado
Posts: 24

Original Poster
Rep: Reputation: 15
X.X.X.X is the static IP which my ISP NAT's outbound traffic from Y.Y.Y.Y whose gateway is Y.Y.0.1. Incoming to X.X.X.X are portforwarded to Y.Y.Y.Y through Y.Y.0.1.

If Y.Y.Y.Y tries to connect to X.X.X.X it is not properly routed. Some beta version file sharing software I'm using needs all peers to connect through a static IP, X.X.X.X. Peers external to my LAN have no problems but peers internal can not reach the X.X.X.X address.

On my home machine (different host) this routing is set up find. I use a DSL modem that does the same NATing/forwarding with the one difference that my connections from my internal lan to my external IP are routed properly.

-ethan
 
Old 05-18-2003, 07:43 PM   #4
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
do you own or have root privilidges on all these machines (the X's and Y's). and which ones are Linux machines? Is Y.Y.0.1 a router? or a PC acting as a router?

So you have a computer with IP X.X.X.X and a LAN behind this computer with IPs Y.Y.Y.Y. with gateway Y.Y.0.1. In order for traffic to correctly go from Y.Y.Y.Y to X.X.X.X then Y.Y.0.1 has to have its routing table configured correctly to forward the packets accordingly. If Y.Y.0.1 is a Linux box, you have to turn on forwarding:

# echo 1 > /proc/sys/net/ipv4/ip_foward

and also setup some iptables stuff:

if you trust all the traffic:

iptables -P FORWARD ACCEPT - this says forward anything that needs to be forwarded.

if the Y.Y.0.1 is a dsl/cable router, you might be able to add static routes (i had to do this with my Linksys router)

in my case i have a 10.0.1.1/24 comming off my linux both that is connected to the Linksys as 192.168.1.101, so in my linksys router i added this:

10.0.0.0 as the ip
255.0.0.0 as the mask (this means anything that begins with 10. will be sent out)
and the default gateway is 192.168.1.101

together all this says , if a packet comes into my linksys router, bound for an ip that begins with 10. , send it to the computer with ip 192.168.1.101.

Next, I had to make sure that all packets that come in my Linux box on 192.168.1.101 that are bound for ip's with 10.0.1.1/24 get forwarded to eth1, and as soon as i get another network card, anything bound for 10.0.2.1/24 will be sent out through eth2.

Bascially, you have to make sure each gateway(router) has its routing tables configured correctly and are setup to forward packets.

A little more info on your network setup is still needed for me to help you further, but im getting sort of a mental picture of what is going on.
 
Old 05-18-2003, 07:57 PM   #5
ealpert1
LQ Newbie
 
Registered: May 2003
Location: Colorado
Posts: 24

Original Poster
Rep: Reputation: 15
Damn. That's what I thought but I was hoping I could do something. Y.Y.0.1 is the ISP's machine I have no control over it.

I don't know how much more explaining I can do. I tried twice.

I ordered a static IP from my ISP. Rather than give it to my host they ISP give me an internal IP and forward/ NAT traffic from to/from my host.

INTERNET <------> X.X.X.X <----> Y.Y.0.1 <----->Y.Y.Y.Y

I have zero control over Y.Y.01 or X.X.X.X for that matter. My machine is Y.Y.Y.Y.

I don't know how else to explain it. This is NOT DSL. I have no DSL modem for this host.

-e
Thanks
 
Old 05-18-2003, 08:12 PM   #6
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
if X.X.X.X can send requests to Y.Y.0.1, Y.Y.0.1 should know about Y.Y.Y.Y......unless its setup to block stuff at that gateway purposely.
 
Old 05-18-2003, 08:20 PM   #7
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
oh, another question, can you even ping YYYY from XXXX and visa versa? if so then all the routing stuff is setup correctly and there is another problem like firewalling.
 
Old 05-18-2003, 09:30 PM   #8
ealpert1
LQ Newbie
 
Registered: May 2003
Location: Colorado
Posts: 24

Original Poster
Rep: Reputation: 15
In my previous posts I said I don't have any control over X.X.X.X and Y.Y.0.1. They are ON THE ISP SIDE.
 
Old 05-18-2003, 09:49 PM   #9
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
yea i know, i saw that. i was just wondering if ping worked.
 
Old 05-19-2003, 07:51 AM   #10
ealpert1
LQ Newbie
 
Registered: May 2003
Location: Colorado
Posts: 24

Original Poster
Rep: Reputation: 15
ping X.X.X.X from Y.Y.Y.Y does not work that's why I posted.

THat's the only ping I can try.
 
Old 05-19-2003, 02:07 PM   #11
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
this is kind of frustrating to me because if an ISP owns a router, they dont normally do static routes (not that i know of) but instead use routing protocols (RIP, OSPF, BGP) to update the routing tables automatically. It's all part of how the net works. So, for you not to be able to ping SHOULDN't be a problem with routing. I think the Y.Y.0.1 ISP has some kind of firewall setup. Now, if everything behind Y.Y.0.1 is private (192.168.x.x or 10.x.x.x) then you wont be able to ping those obviously, and you say you have a private address also (im guessing its 192.168. or 10.x.x.x as those are the only private address ranges in know about) so sure, if they try to connect to you, it wont work that way either unless your gateway to the internet forwards the requests to you internal IP (DNATing).

To sum it up i'll make some assumptions:

x.x.x.x is private and not seen on the internet
y.y.y.y is public and is seen on the internet (not a 192.168 or a 10.x.x.x)

if you ping y.y.y.y from x.x.x.x, it will work unless you have the following conditions.

1. y.y.0.1 is dropping ping request to prevent DoS attacks (aol does this)

2. y.y.y.y is dropping ping requests for some reason (like reason 1)

3. y.y.0.1 has no route to host y.y.y.y (i.e. y.y.y.y doesnt exsist)

4. X.X.0.1 (your gateway) doesnt forward ping request (highly unlikely and im sure this isnt the case as im sure you can ping say...yahoo.com)

5. Some other reason i'll think of later.

if you ping y.y.y.y, the reply message usually contains the reason it couldnt be pinged:

echo
dest_unreachable
quench
redirect
time_exceeded
param_prob
timestamp
info
address_mask


im probably beating a dead horse, but i hope i help shed some light or extra understanding.

Last edited by Robert0380; 05-19-2003 at 02:08 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
routing http traffic to the correct box on subnet nodine Linux - Security 1 07-15-2004 09:51 AM
routing from one subnet to another NetAX Linux - Networking 2 06-16-2004 08:10 AM
Help with Subnet Routing xatmes Linux - Networking 6 04-26-2004 11:52 PM
Aargh!!! Not routing to local subnet sancho5 Linux - Networking 5 02-10-2004 02:11 AM
routing problem with the same subnet nobody Linux - Newbie 1 10-03-2003 02:23 PM


All times are GMT -5. The time now is 05:34 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration