Routing problems
Hi all.
EDIT: Every "/8" should be "/24", sorry! I have a problem with routing, I think. Let me tell you about my setup first: I have a Netgear WGR614v6 wired/wireless router between all my computers and the internet. This router (192.168.1.1) serves as a router, firewall and DHCP server for my first network (192.168.1.0/8). On IP address 192.168.1.5 I have a second router (Debian 3.1 Sarge) behind which is my second network, 192.168.2.0/8. 192.168.1.1 has a static route to 192.168.1.5 for all traffic to the 192.168.2.0/8 network. The Netgear router forwards port 80 to 192.168.1.5. The clients (including the debian-router) on the 192.168.1.0/8 network connect fine to the Internet. The clients on the 192.168.2.0/8 network can connect to all the computers on the network. Here are some console dumps from the debian router:
Code:
tfault@debian-router:~$ /sbin/ifconfig ath0; /sbin/ifconfig eth0
Code:
tfault@192.168.2-client:~$ /sbin/ifconfig eth0
Finally, the problems. The clients on the 192.168.1.0/8 network cannot connect to the 192.168.2.0/8 network and the clients on the 192.168.2.0/8 network cannot connect to computers outside the entire network (that would be the internet). As I mentioned previously, I have forwarded port 80 on the netgear-router to the 192.168.1.5 IP, but I cannot connect to this port from the internet. As far as I can see, the setup on the debian-router looks okay. Doesn't it? I think the netgear router is set up as it should be (btw, that interface royally sucks) but I am not completely sure. Anyone have some input as to what could be the solution? |
your subnet isn't a /8, it is actually a /24...that confused me for a second.
Also, is 192.168.1.5/24 an http server? Why are you forwarding port 80 to it? I am going to read your post a couple more times to see if I understand your setup better. |
First of all, 192.168.1.0/8 and 192.168.2.0/8 are the same network. You mean 192.168.1.0/24 and 192.168.2.0/24.
can you ping from your client to the first router? "ping 192.168.1.1" from the client in the 2.0 network? during the ping can you try a packet capture with tcpdump? also what do you see pinging the internet from the debian router sourced from the 2.1 interface? "ping -I 192.168.2.1 www.yahoo.com" |
Whoops, sorry. The netmask of the two subnets is 255.255.255.0, which I thought translated to /8. I'm so sorry!
I have a lot of servers on the debian-router (.1.5): Squid, DHCP for the .2.0 network and Apache2. I forward port 80 to .1.5 to serve web pages to the internet. I can ping the first router (both internal and external interfaces) from both networks. Also, I can ping computers on the .2.0 network from the .1.0 network. "ping -I 192.168.2.1 www.yahoo.com" gives a timeout, but isn't that expected as I tell 'ping' to use the .2.1 interface? I will create a tcpdump later (it is too late now, must sleep). How verbose would you like it? |
Well, by pinging from the 2.1 interface it's like telling it that you are coming from the 2.0 network.
So you can ping the first router (1.1) from the 2.0 computers? Your routing seems fine if this is the case. Maybe it just doesn't NAT for addresses not on the 1.0 network. Yes, a tcpdump will help as long as we see the src and dst packets. |
Could you check if you have the "ip_conntrack" module loaded on the debian-router?
I had once used my laptop to route desktop traffic to my wireless router. Even though the routes were correct and ip_forward was set, the traffic wasn't getting through until I loaded the ip_conntrack module, even though the laptop wasn't being used to NAT addresses. |
"ping 192.168.1.1" from the .2.0 network works fine! Here's the tcpdump from the 192.168.1.5 interface on the debian router:
Code:
14:49:55.524572 IP 192.168.2.100 > 192.168.1.1: icmp 64: echo request seq 1
Code:
15:02:04.117753 IP 83.XX.XXX.XXX > 192.168.2.100: icmp 64: echo request seq 55034
When I do "telnet 83.XX.XXX.XXX 80" from a client on the .2.0 network I get the following output from tcpdump (still on the same interface):
Code:
15:20:13.541009 IP 192.168.2.100.56285 > 83.XX.XXX.XXX.XX: S 3050318295:3050318295(0) win 5840 <mss 1460,sackOK,timestamp 62411280 0,nop,wscale 2>
EDIT: After messing around with the W3 online HTML validator I noticed I was able to make connections from outside the network (the internet) to the forwarded port 80. Alas, I still cannot get a connection through from inside the networks to the forwarded port. |
Did YOU load the module "ip_conntrack" yet? Did YOU enable "IP forwarding"? Have YOU set up a Firewall? Have YOU checked the Firewall rules, are they correct for YOUR needs? If YOU disable Port 80, can YOU still ping the same directions as before, or in only one direction? Hope this helps. Also, some great reading: http://tldp.org/HOWTO/HOWTO-INDEX/howtos.html
|
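The captures above already show the likely cause: the SYN from 192.168.2.100 leaves the Debian router towards the Netgear with its .2.0 source address unchanged, and the earlier reply suggests the Netgear only NATs its own .1.0/24. The script below is an added example, not posted in the thread; it parses copies of those tcpdump lines, flags flows whose source the upstream router is assumed not to NAT, and prints the masquerade rule the Debian router would need. The placeholder public address, the assumption about the Netgear's NAT, and the eth0 upstream interface name are all assumptions.

```python
# Added example: classify flows seen on the Debian router's 192.168.1.5 side.
import ipaddress
import re

UPSTREAM_LAN = ipaddress.ip_network("192.168.1.0/24")  # Netgear LAN (OP corrected /8 to /24)
INNER_LAN = ipaddress.ip_network("192.168.2.0/24")     # network behind the Debian router

# Constructed copy of the thread's capture; the masked 83.XX.XXX.XXX address is
# replaced by a documentation-range placeholder.
SAMPLE_CAPTURE = """\
14:49:55.524572 IP 192.168.2.100 > 192.168.1.1: icmp 64: echo request seq 1
15:20:13.541009 IP 192.168.2.100.56285 > 203.0.113.10.80: S 3050318295:3050318295(0) win 5840 <mss 1460,sackOK,timestamp 62411280 0,nop,wscale 2>
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+):")

def split_host(token):
    """tcpdump prints 'host.port' for TCP/UDP; a fifth dotted field is the port."""
    parts = token.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(token), None

def parse_capture(text):
    """Return (src, dst, dport) for every IP line in a tcpdump dump."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, _ = split_host(m.group(1))
            dst, dport = split_host(m.group(2))
            flows.append((src, dst, dport))
    return flows

def classify(src, dst):
    """What happens to a packet once the Debian router hands it to the Netgear."""
    if dst in UPSTREAM_LAN or dst in INNER_LAN:
        return "local"            # the static routes alone cover this
    if src in UPSTREAM_LAN:
        return "natted-upstream"  # the Netgear masquerades its own /24
    return "needs-snat"           # assumption: the Netgear does not NAT other sources

def masquerade_rule(upstream_iface):
    """Rule so .2.0 clients leave the Debian router as 192.168.1.5 (iface is an assumption)."""
    return f"iptables -t nat -A POSTROUTING -s {INNER_LAN} -o {upstream_iface} -j MASQUERADE"

if __name__ == "__main__":
    for src, dst, dport in parse_capture(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}:{dport}: {classify(src, dst)}")
    print(masquerade_rule("eth0"))
```

With the rule in place, the SYN in the capture would leave as 192.168.1.5 and the Netgear would forward it like any other .1.0 client; the separate inside-to-forwarded-port problem (NAT loopback) is not addressed by it.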