LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 08-31-2004, 03:54 PM   #1
Jedyte
LQ Newbie
 
Registered: Aug 2004
Posts: 10

Rep: Reputation: 0
Unhappy Can not reach server from LAN after adding router


I have some trouble in my network setup, but I have very limited knowledge of networking.

I recently purchased an ADSL modem (Thomson SpeedTouch 510), which also has a built-in router, DHCP and other stuff (as I discovered later). I already had a server/firewall/router that took care of IP masquerading, but I managed to put everything together ok except for one thing: I can not access my server with the external IP from inside my LAN (no problems from outside).

This is my setup:

Internet
|
|
98.81.118.53 (ppp)
(Modem which forwards every connection to the server)
10.0.0.138 (eth0)
|
|
10.0.0.39 (eth0)
(Server provides IP Masq for LAN)
192.168.0.1 (eth1)
|
|
192.168.0.2
(Internal Masq'ed PC)

So if I try to surf from an internal PC or the server itself to 98.81.118.53 I get nothing, but access from outside works perfectly. If I try 10.0.0.39 it works fine.

I figured it had something to do with my firewall, so I checked the server logs, where every attempt brings up this:
Aug 31 21:11:48 localhost kernel: martian source 10.0.0.39 from 10.0.0.39, on dev eth0
Aug 31 21:11:48 localhost kernel: ll header: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

I know nothing about routing, but could it be something is wrong there?
Thank you!
 
Old 08-31-2004, 04:10 PM   #2
piratebiter
Member
 
Registered: Aug 2003
Location: desert
Distribution: RH 8, Debian
Posts: 61

Rep: Reputation: 15
I messed about with this for quite awhile... and I'd sure like to be able to do it too. The glitch is somewhere in the thought that the LAN becomes vulnerable IF you can go thru the firewall directly from your DMZ to the LAN. It not an "error" so much as the way life is... I have asked this ? several times here and have not received a good way to go yet. Meanwhile, everytime I change my site I gotta go use my wifes dial-up to "see" if it is ok? RATS!

Take heart someone will eventually take pity on us and share this little tidbit of knoweldge on HOW to do it.

piratebiter
 
Old 08-31-2004, 04:25 PM   #3
nukkel
Member
 
Registered: Mar 2003
Location: Belgium
Distribution: Hardened gentoo
Posts: 323

Rep: Reputation: 30
My guess... Apparently this ADSL modem+router box bounces your connection to 98.81.118.53 back to your server's (10.0.0.39) but it doesn't change the source IP to 98.81.118.53 as it does with other connections to the internet.
Now since your connection originates from 10.0.0.39 (because of the NAT your server does) your server sees an incoming connection on eth0 from 10.0.0.39 which is impossible because that's its own IP address
That's what in linux lingo is called "martian source" -- an impossible source IP address which indicates some problem, so it gets logged (usually).

So I guess it's the ADSL router that is a bit sloppy when it sees an outgoing connection to its own outside address...

To be sure, you'd have to do some analysis with e.g. ethereal

regards,
nukkel
 
Old 08-31-2004, 05:11 PM   #4
Jedyte
LQ Newbie
 
Registered: Aug 2004
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by nukkel
My guess... Apparently this ADSL modem+router box bounces your connection to 98.81.118.53 back to your server's (10.0.0.39) but it doesn't change the source IP to 98.81.118.53 as it does with other connections to the internet.
If I understand your explanation, shouldn't the ADSL modem change the source IP to 192.168.0.2 (internal pc) then? Isn't there a simple way to configure this in it's NAT or routing?
 
Old 09-01-2004, 10:21 AM   #5
nukkel
Member
 
Registered: Mar 2003
Location: Belgium
Distribution: Hardened gentoo
Posts: 323

Rep: Reputation: 30
It can't: the ADSL modem doesn't even know about the existance of 192.168.0.2, because the server NATs this to 10.0.0.39. The modem only "sees" one computer with IP 10.0.0.39...

But -- if the ADSL modem forwards every connection from 98.81.118.53 to 10.0.0.39, then what's the point in trying to connect to 98.81.118.53 from the inside LAN, when you can just connect to 10.0.0.39 instead?

If the ADSL modem can be configured, there may be a way to make it work after all... By telling it to change the source IP of anything coming from 10.0.0.39 going to 98.81.118.53, into some other address, like 10.0.0.111.

Anyway it should be possible to "see" your own server from the inside by using 10.0.0.39 as destination address. Piratebiter: have you ever tried it this way?
 
Old 09-01-2004, 10:35 AM   #6
Jedyte
LQ Newbie
 
Registered: Aug 2004
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by nukkel
It can't: the ADSL modem doesn't even know about the existance of 192.168.0.2, because the server NATs this to 10.0.0.39. The modem only "sees" one computer with IP 10.0.0.39...

But -- if the ADSL modem forwards every connection from 98.81.118.53 to 10.0.0.39, then what's the point in trying to connect to 98.81.118.53 from the inside LAN, when you can just connect to 10.0.0.39 instead?

If the ADSL modem can be configured, there may be a way to make it work after all... By telling it to change the source IP of anything coming from 10.0.0.39 going to 98.81.118.53, into some other address, like 10.0.0.111.

Anyway it should be possible to "see" your own server from the inside by using 10.0.0.39 as destination address. Piratebiter: have you ever tried it this way?
Yes indeed that works. I already mentioned it, but maybe I wasn't clear.

Still, if i'm on the server itself, I want to access my different virtual websites (that resolve to the same IP in DNS) so I have to use the external IP. Is that impossible too (let's leave the problem for internal PC's for later)? If the modem can NAT it back to 10.0.0.39, wouldn't it solve the problem?

Last edited by Jedyte; 09-01-2004 at 10:36 AM.
 
Old 09-01-2004, 11:09 AM   #7
nukkel
Member
 
Registered: Mar 2003
Location: Belgium
Distribution: Hardened gentoo
Posts: 323

Rep: Reputation: 30
I have a suggestion that may not solve the problem as such but may work to view your virtual sites anyway: if you tell your browser to use a proxy, which is somewhere on the internet, the site will in effect be retrieved by that proxy -- in other words, from the outside, just as a visitor to your sites would view it.

A google (or other) search for "public proxy list" should give plenty of proxies that can be used -- some may be quite slow though

To really solve the problem, might be worth trying to get the adsl box to really nat it back to 10.0.0.39, however I don't know if it can be configured that specifically...
 
Old 09-01-2004, 11:40 AM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Your packets should not be traveling from the inside of the firewall to the outside and come back in. If that was allowed, then spoofing attacks could allow outside traffic to pretend to be from your internal network.

The solution to your problem is not to break the firewall and make it insecure. The solution is to use "split horizen" DNS zones. You need to tell your internal hosts to use a set of DNS that reflects your internal IPs, while the external world needs to see your external IP addresses.
 
Old 09-01-2004, 11:48 AM   #9
Jedyte
LQ Newbie
 
Registered: Aug 2004
Posts: 10

Original Poster
Rep: Reputation: 0
Hm, seems there is no easy way out then...

Okay, thank you for your answers!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
cannot reach internet from private LAN toodr Linux - Networking 12 10-23-2005 08:44 PM
cisco router messing my lan server around nephish Linux - Networking 4 08-02-2005 11:56 AM
Proftpd: Can reach withing LAN but not outside LAN Harlin Linux - Networking 4 07-18-2005 01:57 AM
LAN Gaming, with router doesn't work, but can reach the internet GT_Onizuka Linux - Networking 4 02-26-2004 10:08 PM
adding linux to a windows lan, using a linksys router lucky_1811 Linux - Networking 12 12-19-2003 05:13 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration