Ok, I'm hoping this is a fairly trivial issue, and I'm missing something.

I'm trying to use Solaris zones (Nevada Build 117) to act as a DMZ and a 
router, using exclusive IPs, VNICs (from Crossbow), and connecting to the 
internet (static IP from my ISP).

I've got the DMZ working - that zone sees the internet, can do name lookups, 
ftp, telnet, ssh, etc. The router zone ("router01") can talk to the DMZ 
zone ("dmz01"), but it can't do lookups or connect to the internet.

I'm trying to get the following configuration working:
1. dmz01 connects to the internet (static IP, PPP connection). This part works. 
I've enabled routing (routeadm -e ipv4-routing, routeadm -e ipv4-forwarding, 
routeadm -u, etc., with reboots between tests to check everything). Exclusive IP, 
physical NIC e1000g0 connected to the DSL modem, device sppp0 picks up the 
static IP (I can see the entry "<static IP> ---> <ISP gateway or IP>" in 
ifconfig -a, and I can see the route to the ISP's gateway or IP as well with 
netstat -nr).

2. Using dladm, I've created "etherstub0" and attached two VNICs to it 
(10.10.10.10, 10.10.10.20). VNIC 10.10.10.10 is attached to zone dmz01, 
10.10.10.20 is attached to zone router01.

3. Zone "router01" has physical NIC e1000g1 and connects to my old router 
(haven't tested this part out yet). VNIC 10.10.10.20 connects to etherstub0, 
and I'm able to ssh to dmz01 using 10.10.10.10. Works fine.

The idea is that my original home network would pass packets through the 
original router, but it's connected to zone router01 now, which I'll eventually 
set up to do the work of a content switch and firewall (and pass packets to 
other zones connected to various etherstubs - Crossbow rocks !). Haven't gotten 
that far yet, though.

Here's what I'm stuck on: zone "router01" can't do name lookups (service 
dns/client is enabled, resolv.conf has the nameservers, ipv4-routing and 
ipv4-forwarding are enabled, and ipv6 routing and forwarding are also enabled 
on router01 and dmz01). I can set up a route to the static IP that's assigned 
to sppp0 on dmz01, and it's pingable, but the packets go no further: I can't 
ping the IP/gateway of the ISP or the nameservers (the nameservers are pingable 
from dmz01, so they aren't blocking ICMP).

I'm pretty sure that it's getting "stuck" at the sppp0 device. It's almost like 
the device defaults to "accept packets with a hop count of 1 only" (allowing 
packets from dmz01, but nothing further along the chain). 

Oh, both zones were created with a "create -b". I didn't use "zone clones" 
either; each is an independent build.

Anyone have any solutions, or suggestions on where I can look next for answers?


Thanks in advance.
-- 
This message posted from opensolaris.org
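The topology above (etherstub0 with one VNIC per zone, dmz01 holding the PPP uplink, router01 behind it) scripted end to end, as an added example that is not part of the original post or of any OpenSolaris project code. It uses the zone names, addresses, NIC names and routeadm settings from the post, and adds one thing the post does not mention: an IP Filter NAT rule in dmz01. Traffic forwarded from 10.10.10.20 out of sppp0 leaves with a private source address that the ISP cannot route replies back to, which is one plausible reading of "pingable up to sppp0, nothing beyond" and of dmz01 itself working; whether that is the poster's actual fault is an assumption, not something the thread confirms. The VNIC names vnic0/vnic1, the netmask, and the presence of IP Filter in dmz01 are also assumptions. With DRY_RUN=1 (the default) the script only prints the commands it would run; DRY_RUN=0 executes them, in the global zone for the dladm/zonecfg steps and inside each zone for the rest.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripts the Crossbow topology
# described in the thread and adds an IP Filter NAT rule on dmz01 so that packets
# forwarded from the 10.10.10.0/24 etherstub leave sppp0 with the static address
# as source. Assumptions (not in the post): VNIC names vnic0/vnic1, a /24 mask,
# IP Filter available in dmz01, and NAT being the missing piece at all.
# DRY_RUN=1 (default) prints commands; DRY_RUN=0 executes them.
set -eu

ETHERSTUB=etherstub0
DMZ_VNIC=vnic0;  DMZ_ZONE=dmz01;    DMZ_IP=10.10.10.10
RTR_VNIC=vnic1;  RTR_ZONE=router01; RTR_IP=10.10.10.20
INNER_NET=10.10.10.0/24
UPLINK=sppp0
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Global zone: the Crossbow fabric. One etherstub, one VNIC per zone.
crossbow_setup() {
    run dladm create-etherstub "$ETHERSTUB"
    run dladm create-vnic -l "$ETHERSTUB" "$DMZ_VNIC"
    run dladm create-vnic -l "$ETHERSTUB" "$RTR_VNIC"
}

# Global zone: hand a datalink to an already-created ("create -b") exclusive-IP
# zone. The physical NICs (e1000g0 for dmz01, e1000g1 for router01) are added
# with the same call.
zone_add_net() {   # $1=zone  $2=datalink
    run zonecfg -z "$1" "set ip-type=exclusive; add net; set physical=$2; end"
}

# Inside a zone: plumb the VNIC (non-persistent; /etc/hostname.<vnic> makes it
# survive reboot) and turn on forwarding, as the post does with routeadm.
zone_ip_and_forwarding() {   # $1=datalink  $2=address
    run ifconfig "$1" plumb "$2" netmask 255.255.255.0 up
    run routeadm -u -e ipv4-forwarding -e ipv4-routing
}

# The ipnat rules dmz01 needs. "0/32" tells ipnat to use the uplink's current
# address, which is what you want on a PPP interface whose address may change.
nat_rules() {   # $1=uplink  $2=inner network
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$1" "$2"
    printf 'map %s %s -> 0/32\n' "$1" "$2"
}

# dmz01 only: write the rules, start IP Filter, (re)load the NAT table.
dmz_enable_nat() {
    if [ "$DRY_RUN" = 1 ]; then
        nat_rules "$UPLINK" "$INNER_NET" | sed 's|^|# /etc/ipf/ipnat.conf: |'
    else
        nat_rules "$UPLINK" "$INNER_NET" > /etc/ipf/ipnat.conf
    fi
    run svcadm enable network/ipfilter
    run ipnat -CF -f /etc/ipf/ipnat.conf
}

# router01 only: everything it cannot route itself goes to dmz01's VNIC.
router_default_route() {
    run route -p add default "$DMZ_IP"
}

setup_all() {
    echo "# --- global zone ---"
    crossbow_setup
    zone_add_net "$DMZ_ZONE" "$DMZ_VNIC"
    zone_add_net "$RTR_ZONE" "$RTR_VNIC"
    echo "# --- inside $DMZ_ZONE ---"
    zone_ip_and_forwarding "$DMZ_VNIC" "$DMZ_IP"
    dmz_enable_nat
    echo "# --- inside $RTR_ZONE ---"
    zone_ip_and_forwarding "$RTR_VNIC" "$RTR_IP"
    router_default_route
}

setup_all
```

A quick way to confirm or rule out the NAT theory before changing anything: inside dmz01, run `snoop -d sppp0 icmp` while pinging the ISP gateway from router01. If echo requests appear on sppp0 with source 10.10.10.20 and no replies come back, the private source address is the problem and the map rules above address it; if nothing appears on sppp0 at all, the packets are being dropped before forwarding and the answer lies elsewhere.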
