On Sep 26, 2016, at 10:42 PM, Armin Tüting <armin.tuet...@tueting-online.com> wrote:
>>>>>>> ip route
>>>>>>> default via 192.168.60.1 dev eth0 metric 2
>>>>>>> 192.168.10.0/24 via 192.168.40.1 dev eth1 metric 1
>>>>>>> 192.168.40.0/24 dev eth1 proto kernel scope link src 192.168.40.6
>>>>>>> 192.168.50.0/24 via 192.168.40.1 dev eth1 metric 1
>>>>>>> 192.168.60.0/24 dev eth0 proto kernel scope link src 192.168.60.6
>>>>>>>
>>>>>>> Armin.
>>>>>>
>>>>>> Your network CIDRs look fine.
>>>>>>
>>>>>> Where are the "metric 1" routes coming from ?:
>>>>>> --
>>>>>> 192.168.10.0/24 via 192.168.40.1 dev eth1 metric 1
>>>>>> 192.168.50.0/24 via 192.168.40.1 dev eth1 metric 1
>>>>>> --
>>>>>> are you adding those manually ?
>>>>> Yes! I've added them through /mnt/kd/rc.elocal! They're static routes off eth1!
>>>>>
>>>>>>
>>>>>>
>>>>>> Where are the 192.168.10.0/24 and 192.168.50.0/24 networks in your configuration ?
>>>>> I've added them through /mnt/kd/rc.elocal
>>>>
>>>> OK, we are at the point where we need to draw a picture, I'll start, edit anything I got wrong:
>>>>
>>>> 192.168.60.6/24 - eth0 External - APU1 - LAN eth1 - 192.168.40.6/24
>>>>
>>>> How do the 192.168.10.0/24 and 192.168.50.0/24 networks fit in ?
>>> 192.168.40.1/24 - switch - 192.168.10.0/24
>>> 192.168.40.1/24 - switch - 192.168.50.0/24
>>> Clearly the subnets are "behind" AstLinux on a different device...
>>
>> Ahhh, so I presume that is a fancy layer-3 switch which is routing the 192.168.10.0/24 and 192.168.50.0/24 networks via 192.168.40.1 ?
> Right :)
>
>> We recently added (AstLinux 1.2.7) a user.conf variable NAT_FOREIGN_NETWORK to allow these downstream networks to reach eth0 and beyond.
>> -- user.conf snippet ---
>> NAT_FOREIGN_NETWORK="192.168.10.0/24 192.168.50.0/24"
>> --
>> More Info: http://doc.astlinux.org/userdoc:tt-internal-downstream-router
>>
>> Of course your 192.168.10.0/24 and 192.168.50.0/24 networks can SSH 192.168.40.6 and get to the AstLinux box without NAT_FOREIGN_NETWORK defined, but if these networks want to reach outside eth0 and get to the internet, then NAT_FOREIGN_NETWORK must be defined to NAT with eth0.
> OK - I'll add the above setting and confirm back!
...
> I've made the suggested changes, but still no joy!
> I'm seeing the traffic arriving with tcpdump, but the chain 'EXT_INPUT_CHAIN' doesn't show the packet.

Please be more precise, from what source IP are you trying to reach which destination IP using which service (SSH, SIP, etc.). Precisely what Firewall rule is defined to allow that on the external interface ?

From a 192.168.10.0/24 or 192.168.50.0/24 network does "ssh root@192.168.40.6" work ?

Without NAT_FOREIGN_NETWORK your 192.168.10.0/24 and 192.168.50.0/24 networks could not ping www.google.com (upstream from eth0), does that work now ?

Also, it would seem your layer-3 switch is providing DHCP to the 192.168.10.0/24 and 192.168.50.0/24 networks, is the switch's gateway (default route) set to 192.168.40.6 ?

>
> BTW - Does 'IP_FORWARDING=0' disable the whole FORWARD chain?

That would disable all interface routing, we set that automatically, leave IP_FORWARDING alone.

Lonnie

------------------------------------------------------------------------------
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
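The exchange above turns on two routing facts: the APU's kernel table picks the eth1 static routes for the downstream subnets by longest-prefix match, and a packet from 192.168.10.0/24 that leaves eth0 with its original source address has no return path at the upstream router unless it is masqueraded. The following Python script is an added illustration of that reasoning and is not code from the thread or from AstLinux. It parses the `ip route` output Armin posted, performs the lookup the kernel would, and models NAT_FOREIGN_NETWORK the way Lonnie describes it (sources on the LAN prefix or in a listed foreign prefix are rewritten to eth0's address). The masquerade model, the external address `EXT_ADDR`, the upstream router's assumed routing knowledge `UPSTREAM_KNOWN`, and the documentation-range destination 203.0.113.10 are all assumptions of the example, not AstLinux behaviour:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The `ip route` output posted in the thread, embedded verbatim.
IP_ROUTE_OUTPUT = """\
default via 192.168.60.1 dev eth0 metric 2
192.168.10.0/24 via 192.168.40.1 dev eth1 metric 1
192.168.40.0/24 dev eth1 proto kernel scope link src 192.168.40.6
192.168.50.0/24 via 192.168.40.1 dev eth1 metric 1
192.168.60.0/24 dev eth0 proto kernel scope link src 192.168.60.6
"""

# Assumption: a masqueraded packet leaves eth0 with eth0's own address as its source.
EXT_ADDR = ipaddress.ip_address("192.168.60.6")

# Assumption: the upstream router (192.168.60.1) only knows a route back to its own link,
# so a private source outside that prefix is undeliverable from its point of view.
UPSTREAM_KNOWN = [ipaddress.ip_network("192.168.60.0/24")]

# Stand-in public destination from the RFC 5737 documentation range (constructed).
PUBLIC_DST = "203.0.113.10"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None for a directly connected prefix
    dev: str
    metric: int
    src: Optional[ipaddress.IPv4Address]  # preferred source from the "src" keyword


def parse_ip_route(text: str) -> list:
    """Parse Linux `ip route` lines into Route records; unknown keywords are ignored."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        fields = {"via": None, "dev": None, "metric": "0", "src": None}
        for i, t in enumerate(tok[1:], start=1):
            if t in fields and i + 1 < len(tok):
                fields[t] = tok[i + 1]
        routes.append(Route(
            prefix,
            ipaddress.ip_address(fields["via"]) if fields["via"] else None,
            fields["dev"],
            int(fields["metric"]),
            ipaddress.ip_address(fields["src"]) if fields["src"] else None,
        ))
    return routes


def lookup(routes: list, dst: str) -> Route:
    """Longest-prefix match; the lowest metric breaks ties, as the kernel does."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in routes if d in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress(routes: list, src: str, dst: str, nat_foreign: str) -> tuple:
    """Return (outgoing dev, source address the next hop sees) for a forwarded packet.

    Model of the thread's description: traffic leaving eth0 is masqueraded when its
    source is on eth1's directly connected prefix or inside a NAT_FOREIGN_NETWORK
    prefix; any other source leaves eth0 unchanged.
    """
    s = ipaddress.ip_address(src)
    route = lookup(routes, dst)
    if route.dev != "eth0":
        return route.dev, str(s)
    lan_prefixes = [r.prefix for r in routes if r.dev == "eth1" and r.via is None]
    foreign = [ipaddress.ip_network(n) for n in nat_foreign.split()]
    if any(s in p for p in lan_prefixes + foreign):
        return route.dev, str(EXT_ADDR)
    return route.dev, str(s)


def upstream_can_reply(seen_src: str) -> bool:
    """Can the assumed upstream router deliver a reply to this source address?"""
    s = ipaddress.ip_address(seen_src)
    return any(s in n for n in UPSTREAM_KNOWN) or not s.is_private


def internet_works(src: str, nat_foreign: str = "") -> bool:
    """End-to-end check: does a reply to a public destination make it back past eth0?"""
    routes = parse_ip_route(IP_ROUTE_OUTPUT)
    _, seen = egress(routes, src, PUBLIC_DST, nat_foreign)
    return upstream_can_reply(seen)


if __name__ == "__main__":
    table = parse_ip_route(IP_ROUTE_OUTPUT)
    r = lookup(table, "192.168.50.7")
    print(f"192.168.50.7 -> dev {r.dev} via {r.via}")
    for setting in ("", "192.168.10.0/24 192.168.50.0/24"):
        verdict = "ok" if internet_works("192.168.10.5", setting) else "reply undeliverable"
        print(f'NAT_FOREIGN_NETWORK="{setting}": {verdict}')
```

Running it shows why SSH to 192.168.40.6 from a downstream host works regardless (the lookup never leaves eth1), while a packet to a public address from 192.168.10.5 leaves eth0 unmasqueraded until NAT_FOREIGN_NETWORK lists its prefix. The script models only the outbound leg; the return leg through the switch still depends on the switch's default route pointing at 192.168.40.6, which is the question Lonnie raises at the end.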