I spent the entire day trying what you wrote, but it still doesn't work.
Even so, the situation is kind of different from before.
Here is my lab:
       
              PC(210.17.1.2/24)
                |
                |
              eth1(210.17.1.1/24)
             [EFW]
               br0(192.168.3.89/24)
                |
                |
              e0/0(192.168.3.100/24)
          [cisco router]
              loop0(192.168.4.100/24)
configuration:
[EFW]
 1.allow all traffic from Green interface to RED interface
 2.disable proxy
 3. iptables -I FORWARD 1 -s 192.168.4.0/24 -d 0.0.0.0/0 -j ACCEPT
     iptables -I FORWARD 1 -d 192.168.4.0/24 -s 0.0.0.0/0 -j ACCEPT

 4. Kernel IP routing table
       Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
       192.168.3.0     *               255.255.255.0   U     0      0        0 br0
       210.17.1.0      *               255.255.255.0   U     0      0        0 eth1
       192.168.4.0     192.168.3.100   255.255.255.0   UG    0      0        0 br0
       default         210.17.1.254    0.0.0.0         UG    0      0        0 eth1

symptom
 1.cisco router source 192.168.3.100 -->ping-->pc   ok
 2.EFW source 192.168.3.89--> ping --> 192.168.4.100 ok
 3.cisco router source 192.168.4.100 -->ping->pc failed
 tcpdump -n -p icmp -i br0
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280
  IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280

 tcpdump -n -p icmp -i eth1
  IP 210.17.1.1> 210.17.1.2: icmp 80: echo request  seq 1280
  IP 210.17.1.2> 210.17.1.1: icmp 80: echo reply seq 1280
  IP 210.17.1.1> 210.17.1.2: icmp 180: host 192.168.4.100 unreachable
  
  ...

  Thanks for the help



Patricio Bruna V.-2 wrote:
> 
> I think you have to add a "routeback" rules for ping from IP_B(PC1) to
> IP_A. I had a similar setup, but with 17 subnets. 
> What I did was: 
> iptables -I FORWARD 1 -s IP_NETWORK_B/NETMASK -d IP_NETWORK_A/NETMASK -i
> br0 -o br0 -j ACCEPT 
> iptables -I FORWARD 1 -d IP_NETWORK_B/NETMASK -s IP_NETWORK_A/NETMASK -i
> br0 -o br0 -j ACCEPT 
> 
> i had to put those lines in /etc/init.d/rc.local 
> 
> ----- Original Message ----- 
> From: Josephw <[EMAIL PROTECTED]> 
> To: [email protected] 
> Sent: martes 26 de septiembre de 2006 23H35 GMT-0400 
> Subject: Re: [Efw-user] static routing 
> 
> 
> 
> 
> Patricio Bruna V.-2 wrote: 
>> 
>> What problems do you have with statict routing? 
>> 
> 
> ok Here is the network diagram 
> 
> Internet 
> | 
> | 
> IP_A 
> [EFW] 
> ip_a 
> | 
> | 
> LAN_A 
> | 
> | 
> [cisco router] 
> | 
> | 
> LAN_B 
> | 
> | 
> ip_b[PC1] 
> 
> 
> 1. I want to make PC1 able to connect to the internet via EFW 
> 
> 2.I added the route for reaching LAN_B on EFW 
> 
> 3. I added the default route for accessing the internet on cisco router. 
> 
> 4. I added a firewall policy which allows nodes on LAN_B to access the
> internet 
> 
> 5. The nodes on LAN_A could reach the internet. 
> 
> 6.I could ping EFW/ip_a from PC1 
> 
> 7. I also could ping PC1 with source ip EFW/ip_a 
> 
> 8. But I could not ping IP_A and other ip addresses in the internet from 
> PC1 
> 
> 9. I used the command tcpdump to observe ICMP packets while pinging from PC1 to 
> an internet IP. There are always two related packets like below: 
> ICMP reply Destination -> IP_A 
> ICMP reply Destination -> ip_b 
> Compared with a ping from nodes on LAN_A, there's no 2nd ICMP reply packet. 
> 
> Thanks for the help 
> -- 
> View this message in context:
> http://www.nabble.com/static-routing-tf2115612.html#a6519965 
> Sent from the efw-user mailing list archive at Nabble.com. 
> 
> 
> ------------------------------------------------------------------------- 
> Take Surveys. Earn Cash. Influence the Future of IT 
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your 
> opinions on IT & business topics through brief surveys -- and earn cash 
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV 
> _______________________________________________ 
> Efw-user mailing list 
> [email protected] 
> https://lists.sourceforge.net/lists/listinfo/efw-user 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/static-routing-tf2115612.html#a6544688
Sent from the efw-user mailing list archive at Nabble.com.
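An added example, written for this thread and not code from the poster or from the EFW project: it parses the two tcpdump captures quoted above (embedded below as constructed sample input, copied from the post) and correlates echo requests across interfaces by ICMP sequence number. The function names are my own. It reports what the captures already contain: the request that arrives on br0 from 192.168.4.100 leaves eth1 with source 210.17.1.1, so the firewall rewrote the source address on the way out (the effect outbound NAT has; whether EFW applies it to this path is not shown on the page), the PC's reply is therefore addressed to 210.17.1.1, and an ICMP host-unreachable naming 192.168.4.100 follows.

```python
import re
from typing import Optional

# Constructed sample: the two tcpdump captures quoted in the post, keyed by the
# interface each was taken on (tcpdump -n -p icmp -i <iface>).
CAPTURES = {
    "br0": [
        "IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280",
        "IP 192.168.4.100 > 210.17.1.2: icmp 80: echo request seq 1280",
    ],
    "eth1": [
        "IP 210.17.1.1> 210.17.1.2: icmp 80: echo request  seq 1280",
        "IP 210.17.1.2> 210.17.1.1: icmp 80: echo reply seq 1280",
        "IP 210.17.1.1> 210.17.1.2: icmp 180: host 192.168.4.100 unreachable",
    ],
}

# Matches tcpdump's ICMP summary line; tolerant of the missing space before '>'
# and of the doubled spaces that appear in the pasted output.
LINE_RE = re.compile(
    r"^IP\s+(?P<src>\S+?)\s*>\s*(?P<dst>\S+?):\s+icmp\s+\d+:\s+"
    r"(?:(?P<kind>echo request|echo reply)\s+seq\s+(?P<seq>\d+)"
    r"|host\s+(?P<unreach>\S+)\s+unreachable)"
)


def parse_line(iface: str, line: str) -> Optional[dict]:
    """Turn one tcpdump ICMP summary line into a record; None if unrecognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"iface": iface, "src": m["src"], "dst": m["dst"]}
    if m["kind"]:
        rec["kind"] = m["kind"]
        rec["seq"] = int(m["seq"])
    else:
        rec["kind"] = "unreachable"
        rec["unreach"] = m["unreach"]
    return rec


def parse_captures(captures: dict) -> list:
    """Parse every line of every interface capture, dropping unparseable ones."""
    return [r for iface, lines in captures.items()
            for r in (parse_line(iface, l) for l in lines) if r]


def find_rewritten_sources(captures: dict) -> list:
    """Echo requests with the same (seq, dst) seen on two interfaces with
    different source addresses: something between the two interfaces rewrote
    the source, which is what SNAT/MASQUERADE does. Each finding is
    (seq, dst, first_iface, first_src, other_iface, other_src)."""
    first = {}       # (seq, dst) -> (iface, src) where the request was first seen
    findings = set()
    for rec in parse_captures(captures):
        if rec["kind"] != "echo request":
            continue
        key = (rec["seq"], rec["dst"])
        here = (rec["iface"], rec["src"])
        if key not in first:
            first[key] = here
        elif first[key][0] != here[0] and first[key][1] != here[1]:
            findings.add(key + first[key] + here)
    return sorted(findings)


def find_unreachables(captures: dict) -> list:
    """ICMP host-unreachable messages as (iface, sender, receiver, unreachable_host)."""
    return [(r["iface"], r["src"], r["dst"], r["unreach"])
            for r in parse_captures(captures) if r["kind"] == "unreachable"]


def summarize(captures: dict) -> list:
    """Plain-language findings a reader can check against the two captures."""
    out = []
    for seq, dst, if_a, src_a, if_b, src_b in find_rewritten_sources(captures):
        out.append(f"echo request seq {seq} to {dst}: source {src_a} on {if_a} "
                   f"became {src_b} on {if_b} (source address rewritten)")
    for iface, sender, receiver, host in find_unreachables(captures):
        out.append(f"{iface}: {sender} told {receiver} that {host} is unreachable")
    return out


if __name__ == "__main__":
    for line in summarize(CAPTURES):
        print(line)
```

Run as-is it prints one rewritten-source finding and one host-unreachable line. The same correlation by sequence number works on longer captures taken on br0 and eth1 at the same time, and is a quick way to confirm whether the address a reply is sent to is the one the router actually used.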

