Old 12-01-2005, 07:58 AM   #1
just1n
Thinks it's an IP_ROUTING problem - any help would be appreciated


Hi all - looking for some network assistance on Mandriva 2006 - currently I'm stumped.

I have installed 2006 on a P4 Celeron with dual NICs. The setup is as follows:

eth0: external 192.168.10.1 subnet 255.255.255.0
eth2: internal 10.10.10.1 subnet 255.255.255.0

I disabled the onboard NIC (eth1), as it was mentioned in these forums that it may be faulty.

Now for some reason I can't ping from one subnet, 192.168.10.x (eth0), to the other, 10.10.10.x (eth2) ... and there is no connection to the 192.168.10.x network from clients on 10.10.10.x.

[root@linux_FW etc]# ping 192.168.10.1 -I eth2
PING 192.168.10.1 (192.168.10.1) from 10.10.10.1 eth2: 56(84) bytes of data.
From 10.10.10.1 icmp_seq=2 Destination Host Unreachable
From 10.10.10.1 icmp_seq=3 Destination Host Unreachable
From 10.10.10.1 icmp_seq=4 Destination Host Unreachable

I can ping the default GW 192.168.10.254 from eth0 (192.168.10.1). Below is my route output:

[root@linux_FW /]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.10.0 * 255.255.255.0 U 10 0 0 eth2
192.168.10.0 * 255.255.255.0 U 10 0 0 eth0
default default 0.0.0.0 UG 10 0 0 eth0

I have enabled ip_forward=1 in /etc/sysctl.conf ...

# Packet Forwarding
net.ipv4.ip_forward=1

and I have added the IP_FORWARD setting to /etc/sysconfig/network:

[root@linux_FW /]# cat /etc/sysconfig/network
HOSTNAME=linux_FW
NETWORKING=yes
GATEWAY=192.168.10.254
FORWARD_IPV4=TRUE

Here is the kernel routing output:

[root@linux_FW etc]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.10.254 0.0.0.0 UG 0 0 0 eth0

Both DNS and DHCP are currently disabled, and the FW is turned off (accept all). Below is the ifconfig output for the NICs:

[root@linux_FW etc]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0E:0C:65:4D:8D
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20e:cff:fe65:4d8d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1184 errors:0 dropped:0 overruns:0 frame:0
TX packets:886 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:462574 (451.7 KiB) TX bytes:137505 (134.2 KiB)
Interrupt:21

eth0:0 Link encap:Ethernet HWaddr 00:0E:0C:65:4D:8D
inet addr:192.168.10.2 Bcast:192.168.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:21

eth2 Link encap:Ethernet HWaddr 00:08:A1:28:2A:D0
inet addr:10.10.10.1 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::208:a1ff:fe28:2ad0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:580 errors:0 dropped:0 overruns:0 frame:0
TX packets:219 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:58303 (56.9 KiB) TX bytes:22182 (21.6 KiB)
Interrupt:18 Base address:0xa000

eth2:2 Link encap:Ethernet HWaddr 00:08:A1:28:2A:D0
inet addr:10.10.10.2 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:18 Base address:0xa000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:73 errors:0 dropped:0 overruns:0 frame:0
TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3974 (3.8 KiB) TX bytes:3974 (3.8 KiB)

And when I issue /etc/rc.d/init.d/network restart:

[root@linux_FW etc]# /etc/rc.d/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down interface eth2: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: [ OK ]
Setting network parameters: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth2: [ OK ]
Bringing up interface sit0: [ OK ]

So it looks like IP packet forwarding is running?? Any ideas?

thanks - Justin
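The ping -I result in the post above can be checked against a model of the kernel's route lookup. This is an added Python example (editor's, not from the thread): it transcribes the posted routing table and interface addresses, applies longest-prefix matching with the bound output device that ping -I imposes (Linux treats the destination as on-link on that device when no route matches there, so it ARPs on the wrong segment), and separately asks whether a packet from a client on one subnet to a host on the other would be forwarded. The client addresses used are constructed.

```python
import ipaddress

# Routing table and local addresses transcribed from the netstat -rn and
# ifconfig output posted above (a constructed model, not a live lookup).
ROUTES = [  # (network, gateway or None when on-link, interface)
    ("10.10.10.0/24", None, "eth2"),
    ("192.168.10.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.10.254", "eth0"),
]
LOCAL = {"192.168.10.1": "eth0", "192.168.10.2": "eth0",
         "10.10.10.1": "eth2", "10.10.10.2": "eth2", "127.0.0.1": "lo"}

def route_lookup(dst, oif=None):
    """Longest-prefix match over ROUTES, honouring a bound output device
    (what ping -I does). Returns (kind, iface, next_hop)."""
    d = ipaddress.ip_address(dst)
    if dst in LOCAL and oif in (None, LOCAL[dst]):
        return ("local", "lo", None)  # the box's own address: delivered internally
    best = None
    for net, gw, iface in ROUTES:
        n = ipaddress.ip_network(net)
        if d in n and oif in (None, iface) and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface, gw or dst)
    if best:
        return ("route", best[1], best[2])
    if oif:  # Linux: no route on the bound device -> assume dst is on-link there,
        return ("onlink-fallback", oif, dst)  # so it ARPs on the wrong segment
    return ("unreachable", None, None)

def forward_path(src, dst, ip_forward):
    """Ingress/egress interfaces for a packet from a client at src to dst
    transiting this box, or None when the box will not forward it."""
    ingress = route_lookup(src)[1]
    kind, egress, _ = route_lookup(dst)
    if kind == "local":
        return (ingress, "lo")  # addressed to the box itself: no forwarding involved
    if not ip_forward or kind == "unreachable":
        return None
    return (ingress, egress)
```

Pinging the box's own interfaces, from clients or with -I, never exercises forwarding; the meaningful test is a client on 10.10.10.x reaching 192.168.10.254 with ip_forward on and the box set as that client's gateway.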
 
Old 12-02-2005, 07:07 AM   #2
amitsharma_26
Re: Thinks it's an IP_ROUTING problem - any help would be appreciated

Please update a few more details for me...

First --> what are the gateways on both the 192.168.*.* & 10.10.*.* series?
Like you have mentioned, you have 192.168.10.254 as the GW on eth0.
But AFAIK... if you want your Linux box to act as a router, you should mention it as the gateway in your respective clients' configurations.

Second, as you said.. you have two local LANs & you are actually using your Linux box to act as a router so that it can forward the packets for cross-LAN communication.

Also do one thing.. do a traceroute for one subnet IP from the other & post the results in your reply.
Let's see where it is actually getting stuck.
 
Old 12-02-2005, 08:12 AM   #3
just1n
Hi, well basically this Linux box is going to act as a firewall, so
on the external (eth0) interface I have configured the NIC as 192.168.10.1 255.255.255.0, and
on the internal (eth2) interface I have configured the NIC as 10.10.10.1 255.255.255.0.

We have 1 ADSL router, which is our GW 192.168.10.254, which I can get to from eth0 BUT NOT from eth2.

I imagine the default GW from the 10.10.10.x network should be eth2, which passes traffic through to eth0.

I only have 1 local LAN which all my clients sit on, and my clients are configured to use (eth2) 10.10.10.1 as their default GW ... but I can't get to the 192.168.10.0 network.

Traceroute from eth2 to eth0 seems to be fine:

[root@linux_FW djbdns-1.05]# traceroute 10.10.10.2 -s 192.168.10.2
traceroute to 10.10.10.2 (10.10.10.2) from 192.168.10.2, 30 hops max, 38 byte packets
1 eth2 (10.10.10.2) 0.118 ms 0.077 ms 0.029 ms
[root@linux_FW djbdns-1.05]# traceroute 192.168.10.2 -s 10.10.10.2
traceroute to 192.168.10.2 (192.168.10.2) from 10.10.10.2, 30 hops max, 38 byte packets
1 eth0 (192.168.10.2) 0.123 ms 0.074 ms 0.030 ms


Basically my goal is for the Linux box to sit between my ADSL router and my internal LAN. 192.168.10.x will be my DMZ (which will include the 192.168.10.254 router and eth0) -> all traffic will pass from 192.168.10.x via the IPTABLES firewall to the 10.10.10.x LAN.

thanks for the help
 
Old 12-02-2005, 08:38 AM   #4
amitsharma_26
Quote: Originally posted by just1n (post #3 above)
Now I got you.. earlier I was confused, thinking you have two local LANs.

Eth0 -ip - 192.168.10.1
Eth1 -ip - 10.10.10.1
ADSL router - ip - 192.168.10.254

Install SQUID on your Linux box... for providing internet through a Squid proxy server. If you want I can provide you more help in setting it up. It will do the needful & you do not have to do anything other than specifying your proxy server IP & proxy server port in your clients' browser configurations.

You can run this route add command.. if you want to ping both your external net & local LAN net from your proposed SQUID box. But it's not a necessity either.
route add -net 10.10.10.0 netmask 255.255.255.0 dev eth1

You actually do not have to set any gateway IP for your client boxes. Leave it blank, because it's not necessary.

I also have the very same setup.
I have ADSL connected @ eth1 & local LAN 192.168.55.x @ eth0.
I run Squid on this box to provide internet for all my LAN users.
But as I have around 20 odd other offices for my company, I do use a router to connect to the other LANs & that's why I specify this router's IP as the GW for my clients.

cheers
..amit..
 
Old 12-09-2005, 04:16 AM   #5
just1n
Does not seem to be working still.

The server has 2 NICs installed, but they are on different subnets, thus acting as a DMZ between the WAN and my LAN.

eth0: DMZ: 192.168.10.2
eth2: LAN: 10.10.10.2

Now I cannot get traffic to pass from 1 NIC to the other.

I have enabled /proc/sys/net/ipv4/ip_forwarding
I have made changes to /etc/sysctl.conf to enable ip_forwarding
I have made changes to /etc/sysctl.conf to enable ping (for testing purposes)

When I add a client to the respective subnet, I can ping the server NIC on that subnet.

But I cannot ping from 1 NIC on the server to the other NIC,
i.e. ping eth0 -I eth1 or ping eth1 -I eth0


Now it would seem to me that it might have something to do with the kernel perhaps ... here is my uname info:

2.6.12-12mdksmp #1 SMP Fri Sep 9 17:43:23 CEST 2005 i686 Intel(R) Celeron(R) CPU 3.06GHz unknown GNU/Linux

I have installed SQUID, but that doesn't help, as the client traffic does not pass through to the GATEWAY.

How does my kernel know to pass traffic from the 1 NIC to the other NIC, thus acting as a firewall?? Does it use the info from /proc/sys/net/ipv4?
 
Old 12-09-2005, 05:07 AM   #6
amitsharma_26
Use this squid.conf:
Quote:
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
maximum_object_size 8192 KB
cache_dir ufs /var/spool/squid 200 16 256
cache_store_log /var/log/squid/store.log
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl mylan src 192.168.10.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mylan
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname just1n.net-proxy.com
unique_hostname just1n.net-proxy.com
coredump_dir /var/spool/squid
I've configured this to fit your network.

Second thing.. on your SQUID box, put the appropriate GW on the 10.10.10.2 ethernet & make it the default route.

Restart the SQUID service.

& do nothing else; go to your client box, put the proxy address as 192.168.10.2 & the port no. as 8080. Now surf the net.

-----------
You actually do not need any packet forwarding in your scenario; SQUID is doing all that for you.
As you put the default gateway on your 10.10.10.2 ethernet card, SQUID will route all the traffic to go out from this card.

Yup, also put nameserver addresses in /etc/resolv.conf.

..AMIT..

Last edited by amitsharma_26; 12-09-2005 at 05:21 AM.
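To check what the posted http_access rules actually permit before putting the proxy in front of a LAN, here is an added Python example (editor's, not from the thread and not Squid's own code). It parses the acl and http_access lines transcribed from the squid.conf above and evaluates them with Squid's first-match semantics; the Safe_ports lines are collapsed onto one line, which is equivalent because Squid accumulates same-named acl lines. The request values are constructed. Note that as written the only allow rule for clients is mylan (192.168.10.0/24), so a request from the 10.10.10.0/24 LAN falls through to deny all.

```python
import ipaddress
# acl/http_access lines transcribed from the squid.conf posted above; the Safe_ports
# lines are collapsed onto one line (Squid accumulates same-named acl lines).
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl mylan src 192.168.10.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow mylan
http_access deny all
"""

def parse(conf):
    """Collect acl definitions by name and http_access rules in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#")[0].split()
        if words[:1] == ["acl"]:
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # single ports and lo-hi ranges
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values)
    if kind in ("method", "proto"):
        return req[kind] in values
    raise ValueError("unsupported acl type " + kind)

def http_access(acls, rules, req):
    """First matching rule wins ('!' negates a term); no match -> opposite of the last rule."""
    for allow, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return allow
    return not rules[-1][0]

def decide(src, port, method="GET", proto="http"):
    acls, rules = parse(SQUID_CONF)
    return http_access(acls, rules, {"src": src, "port": port, "method": method, "proto": proto})
```

The deny !Safe_ports and deny CONNECT !SSL_ports rules are what stop the proxy being used as an open relay to arbitrary ports (for example CONNECT to port 25), so keep them ahead of any allow rule when adding a LAN subnet.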
 
Old 12-12-2005, 06:46 AM   #7
just1n
Thanks

That worked like a charm Amit, thanks.

I have got Internet access with all clients on the 10.10.10.x network, using the proxy on port 8080.

The only problem is that remote POP mail downloads to Outlook Express clients now do not work and will need some tweaking. I have enabled the relevant ports for POP access in SQUID and on SHOREWALL (ports: 110; 143; 995) - to no avail.

I will investigate further - but since POP uses name resolution, I can only assume that it is a DNS misconfig on my Linux server.


thanks

Justin
 
Old 12-21-2005, 03:09 AM   #8
just1n
POP mail retrieval problems with SQUID

Since we have a small network, all mail is currently downloaded from external POP mail servers to all XP client apps (Outlook & Outlook Express). Since installing Squid on the f/w, we can no longer download POP mail to clients, and from what I have read, this is due to the fact that Squid does not support external POP mail downloading. We have 4 or 5 different POP servers being hosted on external mail servers which our clients will need to download from.

Do you know of a work-around for this, so that we can download POP mail to the XP clients and bypass the Squid server?

The firewall has 2 network cards on different subnets:
eth0 - 192.168.10.x/24 DMZ
eth2 - 10.10.10.x/24 LAN

I have tried adding POP/SMTP ports in the squid.conf file - it did not help. I have also enabled the ports on the f/w, but the problem seems to be with Squid itself.

Thanks
Justin
 
Old 12-26-2006, 12:24 AM   #9
fodio
Justin:

Did you solve your Squid-POP issue?

Best regards,


FODIO
 
  

