NAT'd subnet routing question
I've got a host which has a static IP but it's really on a NAT'd subnet. It just gets the same IP through MAC-based auth (read: I must use DHCP). It has an internal network. Essentially it's your standard DSL-type setup. Problem is the ISP doesn't have an internal route for getting to my static IP from the internal LAN. This is breaking some apps I have no control over.
Static IP for the whole internet:
My internal IP:
Problem occurs when Y.Y.Y.Y tries to connect to X.X.X.X
I think the ISP didn't set a route for this. I have other hosts on DSL with a different ISP that work fine in the exact same config.
Normally I'd play around with routing/iptables till I got something to work. Problem is this particular machine is 30 miles away and I'd have to drive to get to the console in case I screw up.
That said, does anyone have any recommendations? Seems simple, I just don't want to screw up.
I'm having problems understanding the setup here:
You have a computer on the net with static IP X.X.X.X.
When you say that Y.Y.Y.Y is internal, what is its gateway? The X.X.X.X machine? What is the physical setup?
X.X.X.X is the static IP to which my ISP NATs outbound traffic from Y.Y.Y.Y, whose gateway is Y.Y.0.1. Incoming connections to X.X.X.X are port-forwarded to Y.Y.Y.Y through Y.Y.0.1.
If Y.Y.Y.Y tries to connect to X.X.X.X it is not properly routed. Some beta version file sharing software I'm using needs all peers to connect through a static IP, X.X.X.X. Peers external to my LAN have no problems but peers internal cannot reach the X.X.X.X address.
On my home machine (different host) this routing is set up fine. I use a DSL modem that does the same NATting/forwarding, with the one difference that my connections from my internal LAN to my external IP are routed properly.
Do you own or have root privileges on all these machines (the X's and Y's)? And which ones are Linux machines? Is Y.Y.0.1 a router, or a PC acting as a router?
So you have a computer with IP X.X.X.X and a LAN behind this computer with IPs Y.Y.Y.Y, with gateway Y.Y.0.1. In order for traffic to correctly go from Y.Y.Y.Y to X.X.X.X, Y.Y.0.1 has to have its routing table configured correctly to forward the packets accordingly. If Y.Y.0.1 is a Linux box, you have to turn on forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward
and also set up some iptables stuff:
if you trust all the traffic:
iptables -P FORWARD ACCEPT - this says forward anything that needs to be forwarded.
If Y.Y.0.1 is a DSL/cable router, you might be able to add static routes (I had to do this with my Linksys router).
In my case I have a 10.0.1.1/24 coming off my Linux box that is connected to the Linksys as 192.168.1.101, so in my Linksys router I added this:
10.0.0.0 as the ip
255.0.0.0 as the mask (this means anything that begins with 10. will be sent out)
and the default gateway is 192.168.1.101
Together all this says: if a packet comes into my Linksys router bound for an IP that begins with 10., send it to the computer with IP 192.168.1.101.
Next, I had to make sure that all packets that come in to my Linux box on 192.168.1.101 that are bound for IPs in 10.0.1.1/24 get forwarded to eth1, and as soon as I get another network card, anything bound for 10.0.2.1/24 will be sent out through eth2.
Basically, you have to make sure each gateway (router) has its routing tables configured correctly and is set up to forward packets.
A little more info on your network setup is still needed for me to help you further, but I'm getting sort of a mental picture of what is going on.
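The forwarding, FORWARD-rule and static-route setup described in the reply above, together with the lockout worry from the opening post, as an added example that is not code from anyone in this thread. It assumes the poster's own machine Y.Y.Y.Y is a Linux box with root and iptables, that the ISP maps the static address X.X.X.X to it, and that its LAN hangs off a second interface; the interface names and the addresses passed in are hypothetical placeholders. It also adds one thing the thread does not mention: a local hairpin DNAT on Y.Y.Y.Y that rewrites the destination X.X.X.X to the host's own address, which is the only part of the problem the poster can fix without touching the ISP's gateway Y.Y.0.1. Every command is only printed until DRY_RUN=0 is set, and the apply step arms a timer that restores the saved ruleset unless it is confirmed, so a mistake on a box 30 miles away undoes itself.

```shell
#!/bin/sh
# Added example, not code from this thread. Assumes the poster's own machine
# Y.Y.Y.Y is a Linux box with root and iptables, that the ISP maps the static
# address X.X.X.X to it, and that its LAN hangs off a second interface.
# Interface names and the addresses passed in are hypothetical placeholders.
# Every command is only printed until DRY_RUN=0 is set in the environment.
set -eu

DRY_RUN="${DRY_RUN:-1}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
SAVED=/tmp/iptables.rollback

run() {                      # print the command, or execute it when DRY_RUN=0
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi
}

# Accept only a dotted quad whose octets are 0-255; anything else returns 1.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
}

# The ip_forward / FORWARD setup from the thread, as rules for a box that
# routes a LAN (LAN_IF) out through WAN_IF. A stateful pair of FORWARD rules
# is used instead of setting the FORWARD policy to ACCEPT.
forward_rules() {            # forward_rules LAN_IF WAN_IF
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $1 -o $2 -j ACCEPT
iptables -A FORWARD -i $2 -o $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
EOF
}

# Static route for a subnet behind another router, like the Linksys entry
# in the thread (10.0.0.0/8 via 192.168.1.101), written for the box itself.
static_route() {             # static_route NETWORK/PREFIX GATEWAY
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# Hairpin workaround for the problem in the thread: the ISP gateway will not
# send traffic for X.X.X.X back inside, so rewrite that destination locally
# to the host's own internal address. The OUTPUT rule covers processes on
# this box, the PREROUTING rule covers peers on the LAN behind it.
hairpin_rules() {            # hairpin_rules EXT_IP INT_IP LAN_IF
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    cat <<EOF
iptables -t nat -A OUTPUT -d $1 -j DNAT --to-destination $2
iptables -t nat -A PREROUTING -i $3 -d $1 -j DNAT --to-destination $2
EOF
}

# Apply commands read from stdin on a box you cannot reach physically:
# save the live ruleset first and arm a timer that restores it unless
# confirm_rules is run within ROLLBACK_SECS (a lockout then undoes itself).
apply_with_rollback() {
    run "iptables-save > $SAVED"
    while IFS= read -r cmd; do
        run "$cmd"
    done
    run "(sleep $ROLLBACK_SECS && iptables-restore < $SAVED) & echo \$! > $SAVED.pid"
}

confirm_rules() {            # run this once you have checked you can still log in
    run "kill \$(cat $SAVED.pid) && rm -f $SAVED.pid"
}

# Usage on the poster's box, with placeholder addresses in place of X.X.X.X
# and Y.Y.Y.Y (203.0.113.5 and 192.168.1.2 are documentation ranges):
#   { forward_rules eth1 eth0; hairpin_rules 203.0.113.5 192.168.1.2 eth1; } | apply_with_rollback
#   confirm_rules
```

Run it once with the default dry run to read the exact commands, then with DRY_RUN=0 over the remote session; if the session dies before confirm_rules is called, the saved ruleset comes back on its own after ROLLBACK_SECS. The hairpin rules only help traffic that originates on Y.Y.Y.Y or on the LAN behind it; nothing on this box can make the ISP's Y.Y.0.1 route X.X.X.X inward.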
Damn. That's what I thought but I was hoping I could do something. Y.Y.0.1 is the ISP's machine I have no control over it.
I don't know how much more explaining I can do. I tried twice.
I ordered a static IP from my ISP. Rather than give it to my host, the ISP gives me an internal IP and forwards/NATs traffic to/from my host.
INTERNET <------> X.X.X.X <----> Y.Y.0.1 <----->Y.Y.Y.Y
I have zero control over Y.Y.0.1 or X.X.X.X for that matter. My machine is Y.Y.Y.Y.
I don't know how else to explain it. This is NOT DSL. I have no DSL modem for this host.
If X.X.X.X can send requests to Y.Y.0.1, Y.Y.0.1 should know about Y.Y.Y.Y... unless it's set up to block stuff at that gateway purposely.
Oh, another question: can you even ping Y.Y.Y.Y from X.X.X.X and vice versa? If so, then all the routing stuff is set up correctly and there is another problem, like firewalling.
In my previous posts I said I don't have any control over X.X.X.X and Y.Y.0.1. They are ON THE ISP SIDE.
Yeah, I know, I saw that. I was just wondering if ping worked.
Ping X.X.X.X from Y.Y.Y.Y does not work; that's why I posted.
That's the only ping I can try.
This is kind of frustrating to me because if an ISP owns a router, they don't normally do static routes (not that I know of) but instead use routing protocols (RIP, OSPF, BGP) to update the routing tables automatically. It's all part of how the net works. So, for you not to be able to ping SHOULDN'T be a problem with routing. I think the Y.Y.0.1 ISP has some kind of firewall set up. Now, if everything behind Y.Y.0.1 is private (192.168.x.x or 10.x.x.x) then you won't be able to ping those, obviously, and you say you have a private address also (I'm guessing it's 192.168.x.x or 10.x.x.x, as those are the only private address ranges I know about), so sure, if they try to connect to you, it won't work that way either unless your gateway to the internet forwards the requests to your internal IP (DNATing).
To sum it up, I'll make some assumptions:
x.x.x.x is private and not seen on the internet
y.y.y.y is public and is seen on the internet (not a 192.168 or a 10.x.x.x)
If you ping y.y.y.y from x.x.x.x, it will work unless one of the following conditions holds:
1. y.y.0.1 is dropping ping requests to prevent DoS attacks (AOL does this)
2. y.y.y.y is dropping ping requests for some reason (like reason 1)
3. y.y.0.1 has no route to host y.y.y.y (i.e. y.y.y.y doesn't exist)
4. X.X.0.1 (your gateway) doesn't forward ping requests (highly unlikely, and I'm sure this isn't the case as I'm sure you can ping, say... yahoo.com)
5. Some other reason I'll think of later.
If you ping y.y.y.y, the reply message usually contains the reason it couldn't be pinged:
I'm probably beating a dead horse, but I hope I helped shed some light or extra understanding.