Hi there, I am not sure whether this is the right ml to ask, as it is a generic routing issue and not directly related to Debian (our router runs woody, if that counts). If anyone flames me away as off-topic, please supply me with a more apt ml :)
We were given a subnet with a 255.255.255.224 subnet mask, thus 5Byte for the hostmask. In the prior setup all the hosts in that subnet were behind a switch, so the gateway at the "computer center" (the place where all the networking is done) would send all packets for that subnet down the line. We liked the idea of having a router/firewall at our end of the cable too, to further separate the network to fit our needs and enforce security policies.

At first only the router was reachable from the internet, because the gateway at the computer center expected all these computers on the same line, but only the router would respond. For some reason they weren't able to declare something like:

    route add -host pub.ip.of.router ethX
    route add -net our.net.ip -netmask 255.255.255.224 gw pub.ip.of.router

As far as I understood, they are using some old Solaris and it would be confused by the routing of a net which is behind a gateway in exactly that net. We had a meeting and they offered to establish a "transport net" with private IP addresses. Our topology now looks like this:

    Internet
       |
    router/firewall (computer center)
    192.168.96.2
       |
    192.168.96.1
    our router/firewall ----- WLAN with priv. IPs
    one public ip
       |
    rest of our /27 net

But that leads to a subtle problem: the external IP of the router itself is now a private one, so no locally generated packets are able to reach the internet, and MASQ for the WLAN clients does not work (in the sense that they have internet access). Furthermore, our router is reachable _from_ the internet, because an internal NIC is configured with its external IP. The other hosts with public IPs behind our router/firewall have no problems reaching / being reached from the internet.

I suspect that we could do something ugly like SNAT on our router/firewall for all locally generated packets to have the public IP address as source, but as I feel this is a common routing scenario and there has to be an elegant solution, I dislike the idea.
Could anyone tell us what options we have to get this setup working? Not being able to access the internet because of some strange routing problem the computer center raises is kind of unsatisfying. What would be the obvious solution anyone with more experience in routing issues than we have would come up with?

tia
Stefan
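The following is an added example of how the transport-net topology from the post can be configured on a Linux router with iproute2 and iptables; it is not Stefan's configuration and not something the computer center supplied. Interface names (eth0, eth1, wlan0), the /30 mask on the transport net, the public addresses 192.0.2.0/27 and 192.0.2.1, and the WLAN range 10.0.0.0/24 are placeholders, since the post names none of them. Two things are shown: the `src` attribute on the default route, which makes the kernel pick the public address for locally generated packets instead of 192.168.96.1, and an explicit SNAT for the WLAN clients, because MASQUERADE would otherwise rewrite them to the (unroutable) transport-net address. Forwarded packets from the public /27 hosts need no NAT at all, which matches what the post reports.

```shell
#!/bin/sh
# Added example, not the poster's setup. All names below are assumptions.
EXT=eth0            # interface on the transport net towards the computer center
INT=eth1            # interface towards the rest of the public /27
WLAN=wlan0          # interface for the WLAN clients with private addresses
TRANSPORT_IP=192.168.96.1      # from the post
TRANSPORT_GW=192.168.96.2      # from the post
TRANSPORT_MASK=30              # assumed: only .1 and .2 are in use
PUB_NET=192.0.2.0/27           # placeholder for "our /27 net"
PUB_IP=192.0.2.1               # placeholder for the router's own public address
WLAN_NET=10.0.0.0/24           # placeholder for the WLAN range

# run executes a command, or only prints it when DRY_RUN is set,
# so the resulting configuration can be reviewed before it is applied.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Addresses: the private transport address on the uplink, the public
    # address on the inside interface (the post already does the latter).
    run ip addr add "$TRANSPORT_IP/$TRANSPORT_MASK" dev "$EXT"
    run ip addr add "$PUB_IP/27" dev "$INT"

    # The 'src' attribute is the preferred source address for packets the
    # router generates itself. Without it the kernel uses the address of the
    # outgoing interface, 192.168.96.1, and replies from the internet can
    # never come back to that address.
    run ip route replace default via "$TRANSPORT_GW" dev "$EXT" src "$PUB_IP"

    run sysctl -w net.ipv4.ip_forward=1

    # WLAN clients have private addresses and must be translated. MASQUERADE
    # would pick the address of $EXT (again 192.168.96.1), so use SNAT with
    # the public address explicitly. Hosts in $PUB_NET are forwarded
    # untouched: their addresses are routable and the computer center already
    # routes the /27 back to 192.168.96.1.
    run iptables -t nat -A POSTROUTING -o "$EXT" -s "$WLAN_NET" \
        -j SNAT --to-source "$PUB_IP"

    # Catch-all for daemons that explicitly bind to the transport address and
    # talk to the internet; traffic to the transport net itself is left alone.
    run iptables -t nat -A POSTROUTING -o "$EXT" -s "$TRANSPORT_IP" \
        ! -d "192.168.96.0/$TRANSPORT_MASK" -j SNAT --to-source "$PUB_IP"
}

# Only apply when invoked as: sh router.sh apply   (DRY_RUN=1 to print instead)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `DRY_RUN=1 sh router.sh apply` first to see the exact commands, then `sh router.sh apply` as root on the router. The `src` hint covers programs that let the kernel choose their source address; a daemon that binds to 192.168.96.1 on purpose still needs the last SNAT rule. Inbound reachability of the router at its public address works as in the post: the computer center routes the whole /27 to 192.168.96.1, and the router accepts the packet because the public address is configured locally.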

