Graham,

Normally you would set:

INTIP="192.168.7.1"
INT2IP="192.168.207.1"

as the internal interface gateways, I see you have:

INTIP="192.168.7.250"
INT2IP="192.168.207.249"

I'm not sure if that is the problem, but I would try that first.

> iPBX rc.conf.d # grep TRUST *
> user.conf:TRUSTED_IF=""
> user.conf:IF_TRUSTS="eth1 eth2"

You probably added the user.conf entries, but forgot about them. I would delete both the TRUSTED_IF and IF_TRUSTS lines in user.conf ( Network tab -> {Edit User Variables} ). Save-Settings and restart the firewall. Though they shouldn't have caused the problem.

Lonnie

On Oct 9, 2010, at 2:57 PM, Graham S. Jarvis wrote:

> Hello Lonnie,
>
> Thanks for the quick reply.
>
> The reason I looked up the post from 2009 was because I _have_ ticked the box
> for the firewall options "LAN to LAN" on the webGUI and this is what's in the
> gui file:
> iPBX rc.conf.d # grep ALLOWLANS *
> gui.firewall.conf:ALLOWLANS="INTIF INT2IF"
> iPBX rc.conf.d #
>
> and just to show that the interfaces are configured:
> iPBX rc.conf.d # grep INT *
> gui.firewall.conf:ALLOWLANS="INTIF INT2IF"
> gui.network.conf:INTIF="eth1"
> gui.network.conf:INTIP="192.168.7.250"
> gui.network.conf:INTNM="255.255.255.0"
> gui.network.conf:INT2IF="eth2"
> gui.network.conf:INT2IP="192.168.207.249"
> gui.network.conf:INT2NM="255.255.255.0"
> gui.network.conf:INT3IF=""
> gui.network.conf:INT3IP=""
> gui.network.conf:INT3NM="255.255.255.0"
> iPBX rc.conf.d #
>
>
> I still don't get traffic from one lan to the other.
> I have a net4801 ie 3 Ethernet (eth0, eth1, eth2)
> From iPBX (192.168.7.250) I can ping hosts on both networks.
> From a host on 192.168.7.0 I can ping INTIF (192.168.7.250) and INT2IF
> (192.168.207.249)
> From a host on 192.168.207.0 I can _only_ ping INT2IF (192.168.207.249) and
> not even 192.168.7.250
>
> I'm not so worried about traffic passing 207->7 in fact I'd like to block it.
> But I need to access resources on the "207" network from the "7" network
> (printers etc.)
>
> Any ideas?
> I seem to be overlooking something . . .
>
> -Graham-
>
>
> PS: What's the difference between TRUSTED_IF and IF_TRUSTS
> and how do these get set up and used?
> I have:
> iPBX rc.conf.d # grep TRUST *
> user.conf:TRUSTED_IF=""
> user.conf:IF_TRUSTS="eth1 eth2"
> iPBX rc.conf.d #
> and I didn't set (any of) them by hand.
>
> PPS/FYI:
> iPBX rc.conf.d # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.207.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 224.0.0.0       0.0.0.0         240.0.0.0       U     0      0        0 eth2
> 224.0.0.0       0.0.0.0         240.0.0.0       U     0      0        0 eth1
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
> iPBX rc.conf.d #
>
> on my Windows PC (in french)
> Itinéraires actifs :
> Destination réseau    Masque réseau     Adr. passerelle   Adr. interface   Métrique
> 0.0.0.0               0.0.0.0           192.168.7.250     192.168.7.207    20
> 127.0.0.0             255.0.0.0         127.0.0.1         127.0.0.1        1
> 169.254.2.0           255.255.255.0     169.254.2.2       169.254.2.2      30
> 169.254.2.2           255.255.255.255   127.0.0.1         127.0.0.1        30
> 169.254.255.255       255.255.255.255   169.254.2.2       169.254.2.2      30
> 192.168.7.0           255.255.255.0     192.168.7.207     192.168.7.207    20
> 192.168.7.207         255.255.255.255   127.0.0.1         127.0.0.1        20
> 192.168.7.255         255.255.255.255   192.168.7.207     192.168.7.207    20
> 224.0.0.0             240.0.0.0         169.254.2.2       169.254.2.2      30
> 224.0.0.0             240.0.0.0         192.168.7.207     192.168.7.207    20
> 255.255.255.255       255.255.255.255   169.254.2.2       3                1
> 255.255.255.255       255.255.255.255   169.254.2.2       169.254.2.2      1
> 255.255.255.255       255.255.255.255   192.168.7.207     192.168.7.207    1
> Passerelle par défaut : 192.168.7.250
> ===========================================================================
> Itinéraires persistants :
> Aucun
>
>
> Lonnie Abelbeck wrote on 07/10/2010 00:22:
>> Hi Graham,
>>
>> You have several options...
>>
>> 1) The web interface allows you to specify which LAN interfaces can talk to
>> each other
>>
>> 2) There is an ALLOWLANS AstLinux variable...
>>
>> ## Allow LAN to LAN traffic for internal interfaces, defaults to disallow
>> ## Space separate "INTIF" for 1st, "INT2IF" for 2nd, and "INT3IF" for 3rd Internal Interface
>> ## Separate groups using a ~ (tilde)
>>
>> #ALLOWLANS="INTIF INT2IF"
>> #ALLOWLANS="INTIF INT2IF~INTIF INT3IF"  # (INTIF <=> INT2IF talk and INTIF <=> INT3IF talk, but *not* INT2IF <=> INT3IF)
>> #ALLOWLANS="INTIF INT2IF INT3IF"
>>
>> 3) Use the IF_TRUSTS variable directly (which both above use)
>>
>> Lonnie
>>
>> PS: The INT_IF_TRUST variable went away in the AIF firewall some time ago,
>> replaced by the more powerful IF_TRUSTS.
>>

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
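
Added example, not part of the original thread and not AstLinux's own code: a shell check of which interface pairs an ALLOWLANS value covers, following the quoted comment block (space-separated names within a group, groups separated by ~, each group two-way). The function names are hypothetical and the sample values are copied from the grep output above; it reads only the variable syntax and does not inspect the firewall rules actually loaded.

```shell
#!/bin/sh
# Sample values taken from the gui.network.conf / gui.firewall.conf lines in the thread.
INTIF="eth1"
INT2IF="eth2"
INT3IF=""
ALLOWLANS="INTIF INT2IF"

# resolve_group "INTIF INT2IF" -> "eth1 eth2"
# Interfaces that are not configured (empty) are dropped from the group.
resolve_group() {
  out=""
  for name in $1; do
    case "$name" in
      # eval is safe here: $name is restricted to these three literals
      INTIF|INT2IF|INT3IF) eval "dev=\${$name}" ;;
      *) echo "unknown interface name: $name" >&2; return 2 ;;
    esac
    if [ -n "$dev" ]; then out="${out:+$out }$dev"; fi
  done
  echo "$out"
}

# lans_allowed ALLOWLANS_VALUE DEV_A DEV_B
# Returns 0 if some ~-separated group lists both devices, 1 if none does,
# 2 if the value contains a name other than INTIF/INT2IF/INT3IF.
lans_allowed() {
  a=$2; b=$3; rest=$1
  while [ -n "$rest" ]; do
    group=${rest%%"~"*}                      # text before the first tilde
    case "$rest" in
      *"~"*) rest=${rest#*"~"} ;;            # keep the remaining groups
      *)     rest="" ;;
    esac
    devs=$(resolve_group "$group") || return 2
    case " $devs " in *" $a "*) ;; *) continue ;; esac
    case " $devs " in *" $b "*) return 0 ;; esac
  done
  return 1
}

if lans_allowed "$ALLOWLANS" "$INTIF" "$INT2IF"; then
  echo "$INTIF <=> $INT2IF: listed together in ALLOWLANS"
else
  echo "$INTIF <=> $INT2IF: not listed together in ALLOWLANS"
fi
```

Because each group is two-way, the result for eth1/eth2 is the same as for eth2/eth1; with INT3IF empty, a group that names INT3IF pairs nothing.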