LinuxQuestions.org
Old 03-18-2005, 01:50 AM   #1
bLaDe
Member
 
Registered: May 2003
Location: Adelaide, Australia
Distribution: Fedora Core 3
Posts: 52

Rep: Reputation: 15
VPN Traffic on Windows


Hi Guys,
I have a strange problem which thus far I haven't managed to resolve despite many attempts.

At work we have a VPN setup which uses vtund. The fedora core 3 box connects to the VPN and I am able to ping any machine as if I were there in the office, but from the windows machine it simply won't ping anything (request timed out). The bad part is I need the windows machines to be able to access the VPN, as the applications I need to run only work with windows.

The work VPN is setup to run on 172.17.10.0/255.255.255.0 and my home network is setup on 172.17.12.0/255.255.255.0. I have an ADSL router/modem which I have allowed all traffic from 172.17.10.0/255.255.255.0 and IP address is 172.17.12.254.

My iptables which is located here I am thinking is OK but by all means make any suggestions as appropriate.

Any suggestions would be great.

Thanks

Cheers
 
Old 03-18-2005, 11:50 PM   #2
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
How many NICs do you have? What does your routing table look like?

While you are testing, take your firewall out of the equation. Run this:
#!/bin/bash
# This will clear your firewall and enable forwarding
# DON'T LEAVE THIS RUNNING!!
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
for table in filter nat mangle
do
    /sbin/iptables -t $table -F    # flush all rules in the table
    /sbin/iptables -t $table -X    # delete user-defined chains
    /sbin/iptables -t $table -Z    # zero the packet/byte counters
done
# End of Script
 
Old 03-19-2005, 02:13 AM   #3
bLaDe
Member
 
Registered: May 2003
Location: Adelaide, Australia
Distribution: Fedora Core 3
Posts: 52

Original Poster
Rep: Reputation: 15
I am happy to say this would appear to be a routing issue; still, I am a little uncertain how I solve this one.

The reason I say this is that when I move the windows machines to the default gateway of 172.17.12.1 (linux box) instead of 172.17.12.254 (router / modem), the VPN side of things works without any firewall changes.

The output from my routing table is as follows:
Destination     Gateway         Genmask          Flags  Metric  Ref  Use  Iface
172.25.254.8    *               255.255.255.255  UH     0       0    0    tun1
172.17.12.0     *               255.255.255.0    U      0       0    0    eth1
172.17.10.0     172.25.254.8    255.255.255.0    UG     0       0    0    tun1
169.254.0.0     *               255.255.0.0      U      0       0    0    eth1
default         home.gateway    0.0.0.0          UG     0       0    0    eth1


I have 2 nics but only 1 is being used since I moved to ADSL.
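The following is an added example, not code from this thread: it models the Linux box's routing table above with longest-prefix matching, alongside constructed tables for a Windows PC (assumed address 172.17.12.10) that uses the ADSL router as its default gateway and for the router itself. It shows why a ping to the work subnet never reaches the tunnel in that layout, and that pointing the work subnet at the Linux box (here via an assumed static route on the PC) does reach tun1.

```python
import ipaddress

# Constructed copy of the Linux box's table from this post ("home.gateway" is the
# ADSL router 172.17.12.254 by name; "*" means the destination is on-link).
LINUX_BOX = """\
Destination  Gateway       Genmask          Flags Metric Ref Use Iface
172.25.254.8 *             255.255.255.255  UH    0      0   0   tun1
172.17.12.0  *             255.255.255.0    U     0      0   0   eth1
172.17.10.0  172.25.254.8  255.255.255.0    UG    0      0   0   tun1
169.254.0.0  *             255.255.0.0      U     0      0   0   eth1
0.0.0.0      172.17.12.254 0.0.0.0          UG    0      0   0   eth1
"""
# Constructed (assumed) tables for a Windows PC whose gateway is the router,
# and for the router, which knows nothing about 172.17.10.0/24.
WINDOWS_PC = """\
Destination  Gateway       Genmask          Flags Metric Ref Use Iface
172.17.12.0  *             255.255.255.0    U     0      0   0   lan
0.0.0.0      172.17.12.254 0.0.0.0          UG    0      0   0   lan
"""
ROUTER = """\
Destination  Gateway       Genmask          Flags Metric Ref Use Iface
172.17.12.0  *             255.255.255.0    U     0      0   0   lan
0.0.0.0      isp           0.0.0.0          UG    0      0   0   adsl
"""
# Assumed fix: a static route on the PC sending the work subnet via the Linux box.
WINDOWS_FIXED = WINDOWS_PC + "172.17.10.0  172.17.12.1   255.255.255.0    UG    0      0   0   lan\n"
HOSTS = {"172.17.12.1": LINUX_BOX, "172.17.12.10": WINDOWS_PC, "172.17.12.254": ROUTER}

def parse_routes(text):  # route-style output -> [(network, gateway|None, iface)]
    rows = [line.split() for line in text.splitlines()[1:]]
    return [(ipaddress.ip_network(f"{r[0]}/{r[2]}", strict=False),
             None if r[1] == "*" else r[1], r[7]) for r in rows]

def lookup(routes, dst):  # longest-prefix match, as the kernel does
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def trace(hosts, start, dst):  # follow next hops until the tunnel or a dead end
    hop, path = start, []
    while hop in hosts and len(path) < 8:
        route = lookup(parse_routes(hosts[hop]), dst)
        if route is None:
            return path + [(hop, "no route")]
        _net, gw, iface = route
        path.append((hop, iface))
        if iface.startswith("tun") or gw is None:
            return path                 # tunnel entry, or delivered on-link
        hop = gw
    return path + [(hop, "outside model")]  # e.g. the ISP, which drops 172.17.x
```

Running trace(HOSTS, "172.17.12.10", "172.17.10.5") ends at the ISP, which is the "request timed out" the original post describes, while the same trace with WINDOWS_FIXED ends at the Linux box's tun1.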
 
Old 03-19-2005, 06:43 PM   #4
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Let me get this straight: your original config had you connecting your linux box directly to the adsl modem (through a hub/switch?), and you also connected directly to your adsl modem through your windows box. If this is correct, that means your windows machine was never passing through your linux machine and hence never being routed through your tunnel.

As for your 2 NICs, I have a similar setup at home: ADSL, Linux router and several machines internally. I suggest you review how you have yours configured because it should look like this:
ADSL --- Linux --- Switch/Hub --- Internal LAN machines
Where you have it configured
ADSL --- Switch/Hub ------- Linux Machine
.................................... ^--Windows machine

[edit: *arg* my text diagram didn't work out. ]

Last edited by JordanH; 03-19-2005 at 06:44 PM.
 
Old 03-24-2005, 03:21 AM   #5
bLaDe
Member
 
Registered: May 2003
Location: Adelaide, Australia
Distribution: Fedora Core 3
Posts: 52

Original Poster
Rep: Reputation: 15
Sorry about the delay, I've been fairly busy and haven't had a chance to reply until now.

I originally had cable which was a simple cable modem which went into eth0 using dhcp from the cable provider and then eth1 went into a hub off to all my other computers connected via it including an access point which worked flawlessly.

Now I have an adsl router/modem and all the machines hanging off of it as you demonstrated in your text picture which seems to be causing problems.

I agree, I am going to rethink how I'm going to do this, I'm thinking simply using DMZ on the router to forward all ports to the linux box, from there control iptables to decide on which way the traffic goes from there.
 
Old 03-24-2005, 04:32 PM   #6
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Quote:
Originally posted by bLaDe
Sorry about the delay, I've been fairly busy and haven't had a chance to reply until now.
Not to worry, I'm swamped too.

Quote:
Originally posted by bLaDe
I originally had cable which was a simple cable modem which went into eth0 using dhcp from the cable provider and then eth1 went into a hub off to all my other computers connected via it including an access point which worked flawlessly.
If you plan on using your linux machine as a firewall, router and vpn (good plan) then this is the way to go.

Quote:
Originally posted by bLaDe
Now I have an adsl router/modem and all the machines hanging off of it as you demonstrated in your text picture which seems to be causing problems.
This makes sense because instead of routing through the linux box to the adsl modem, you were going directly out through the modem and missing the VPN tunnel altogether.

Quote:
Originally posted by bLaDe
I agree, I am going to rethink how I'm going to do this, I'm thinking simply using DMZ on the router to forward all ports to the linux box, from there control iptables to decide on which way the traffic goes from there.
If I read this correctly, you want to forward all ports on the DMZ into your internal LAN? This seems to defeat the purpose of a DMZ... Will the router let you do that? Secondly, do you want to do that? If I recall, your firewall forwarded all forwarding requests (good, bad or ugly) directly into your VPN tunnel... this would effectively route any attacker through the tunnel. I could be wrong here and it may not be possible, but that was my initial gut feeling. I'd use the KISS principle and go with your option #1 above which seems to be much safer and easier to configure.

edit: removed the unintentional BOLD tags

Last edited by JordanH; 03-24-2005 at 04:40 PM.
 
All times are GMT -5. The time now is 08:15 AM.