Linux Nat Router with vista users

edong23 · 05-03-2008, 12:44 PM

i have a linux nat router setup for my office... it is to be the office lan router, and provide vpn with openvpn, and also route public ips to my servers. the problem is, every system in the office works fine except the vista systems. they all get the ip they need... and i can ping the gateway (which is eth2 on my router) but i cant ping the next hop. but the windows xp machines, and my linux machine works fine. here are my interfaces.

Code:

eth0      Link encap:Ethernet  HWaddr 00:18:F3:A6:DC:8C  
          inet addr:64.193.127.2  Bcast:64.193.127.63  Mask:255.255.255.192
          inet6 addr: fe80::218:f3ff:fea6:dc8c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101371 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58072 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:36347095 (34.6 MiB)  TX bytes:17147914 (16.3 MiB)
          Interrupt:16 

eth1      Link encap:Ethernet  HWaddr 00:18:F3:A6:DC:8D  
          inet addr:64.193.127.65  Bcast:64.193.127.127  Mask:255.255.255.192
          inet6 addr: fe80::218:f3ff:fea6:dc8d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1391613 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45728 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:100082875 (95.4 MiB)  TX bytes:4087158 (3.8 MiB)
          Interrupt:17 

eth2      Link encap:Ethernet  HWaddr 00:1B:21:17:9C:82  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:fe17:9c82/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:18352 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23293 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9765983 (9.3 MiB)  TX bytes:27562784 (26.2 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0 is my wan interface connected to the world. eth1 is my server interface connected to a switch where my servers connect. eth2 is connected to another switch where the office lan is. here is my routing table:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.0   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
64.193.127.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
64.193.127.64   64.193.127.65   255.255.255.192 UG    0      0        0 eth1
64.193.127.64   0.0.0.0         255.255.255.192 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         64.193.127.1    0.0.0.0         UG    1      0        0 eth0

as you can see my eth0 interface is 64.193.127.2 and routed to me is 64.193.127.64/26, which i point at my servers. and that is working fine. 192.168.0.0/24 is on eth2. (ignore the first 255.255.255.0 cause it is so dhcpd doesnt give me problems broadcasting.)

here is my iptables -L -t nat:

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.0.0/24       anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

i have tried multiple ways other than masquerade, like snat, they all have the same problem. vista users wont connect. they get an ip, and can browse the network, but keeps saying local for ipv4 connectivity. i have read that this my be a ipv6 problem, but if that is the case, why does a little linksys or netgear router work fine? any help is greatly appreciated.

i can give any information you need... just ask.

acid_kewpie · 05-03-2008, 01:37 PM

I'm not familiar with how Vista does it's "local" and "internet" tests, and what they really mean, maybe it just means if it's got a default gateway or not... do you have a default gateway listed on the vista machines?

Most problems seem to come back to Vista's IPv6 implementation, with disabling it being a common suggestion so give that a whirl...

1. Run regedit.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents. If you don't see DisabledComponents, create it by adding the following registry value (DWORD type).
3. Change one or some values:
1 = Disable tunnel interfaces
2 = Disable 6to4
3 = Disable ISATAP
8 = Disable Teredo
16 = Disable LAN and PPP interfaces
32 = Set preference of IPv4 over IPv6
255 = Disable IPv6 completely

(apparently.. cut and paste job there i admit)

Worth saying that this does wholly appear to be a M$ problem start to finish...

edong23 · 05-03-2008, 01:50 PM

thanks for the quick post. yeah, my dhcp server is assigning address, mask, and gateway as well as dns server. i have tried using dhcp to assign public ip of dns server first, then i tried assigning a private with dnsmasq running. neither work in vista. all other machines work fine. i was thinking about trying the ipv6 disabling,but again, i have to ask, why do the linksys netgear and d-link routers work fine? it has to be something i have wierd. maybe just the fact that i have support for ipv6 in my router. maybe i should remove it?

also, for any future readers. the current MASQUERADE is just that, current configuration. i have tried natting to the ip of my outbound and everything already. IT IS JUST VISTA AND IT IS PISSING ME MAD!

anyway, i just dont see how the little routers, work but mine doesnt.

acid_kewpie · 05-03-2008, 02:25 PM

well let's do my personal favourite and run a tcpdump on the linux box. run "tcpdump -n host ip.of.vista.client" and while that's running, use the vista machine. I'd be tempted to think that you'll see nothing, as if it's reporting "Local only" or whatever it does these days, then i'd not expect it to try to hit the box at all.

edong23 · 05-03-2008, 05:41 PM

Quote:

Originally Posted by acid_kewpie

well let's do my personal favourite and run a tcpdump on the linux box. run "tcpdump -n host ip.of.vista.client" and while that's running, use the vista machine. I'd be tempted to think that you'll see nothing, as if it's reporting "Local only" or whatever it does these days, then i'd not expect it to try to hit the box at all.

well i can ping the gateway of the router... so it is leaving the vista box, but i will try tcpdump. i just figure it has something to do with this dns ipv6 thing. and i didnt know if anyone else has run into this. illt ry that and post back.

edong23 · 05-03-2008, 08:19 PM

Quote:

Originally Posted by acid_kewpie

well let's do my personal favourite and run a tcpdump on the linux box. run "tcpdump -n host ip.of.vista.client" and while that's running, use the vista machine. I'd be tempted to think that you'll see nothing, as if it's reporting "Local only" or whatever it does these days, then i'd not expect it to try to hit the box at all.

after reading your post again, that is a good idea. i was thinking that we were... nevermind. but i see what you mean now. at any rate, at least i can actually see what vista is doing, and why it is not working. then i know if i need to do something weird for it. why cant microsoft just get it right? ill try that and post back.

edong23 · 05-03-2008, 08:55 PM

HA!!!!!! acid you are a freaking genius!!! it isnt vista, and i almost apologize to microshaft. but, here is the problem. i ran tcpdump like you suggested. i had my friend ping the router while i ran tcpdump, as you suggested. i never saw the ICMP requests. so then while he was seeing replys, i unplugged the cable, and lo and behold, it still replyed. someone is using the same address as that system. now i have to crack some skulls in the office. thanks for your idea.

acid_kewpie · 05-04-2008, 01:20 AM

very strange... I was wondering if Vista was even going to be correctly using DHCP here, and maybe just seeing other arps and things on the network to guess the local details. That sort of behaviour seems useful at a really simplistic level but often breaks down into a nasty mess when you have anything vaguely larger... I'm still blaming vista myself!

edong23 · 05-11-2008, 07:46 PM

ha, nope. not in this case. i hate vista too, but it wasnt the problem here.