> I have my game servers in the DMZ, and they can "see" the internet, browse
the web, etc. I have tested an http server running on one of them, and it
is accessible from the outside. My external testers still can't see the
game servers --- but I'll park that concern for now, since the http server
works. So in short, 64.81.226.173 appears to be working with proper proxy
arp configuration and filters for one service at least --- hooray for small
progress :)
I think you're getting close...I'll try to help you get everything working
properly.
> What is NOT happening -- I can't access or ping DMZ servers from the
internal network or from the LRP command line on the router itself. I
assume this is caused by eth0 and eth1 not knowing how to get to eth2 ---
but I don't know what might make this happen. Is that accurate?
I assume your reports of ping failures are accurate, but the cause is not.
Your routing tables are set up properly (assuming your server machines are on
the DMZ and not plugged directly into the cable-modem network).
I'm going to need more info to figure out what's broken, as your
network.conf and routing tables look OK to me. Please provide your current
firewall rules (svi network ipfilter list), and details regarding:
Accessing the DMZ servers from the internal net...what services on which
machines...does accessing the same service & machine work from the internet?
Pinging from the LRP box and from client machines...it looks like you've got
ICMP forwarding enabled for the DMZ, so this *should* be working...please
provide details on exactly what you tried, and the exact error message ping
returned (if any).
> When I park a server outside the DMZ, in the public space via one of my
DSL bridge ports, I can't see it from inside --- but the whole world can.
That's my Linux server --- when plugged directly into one of the Flowpoint's
external hub ports it hums along --- for everyone but me.
This is because your LRP box still thinks these IPs are on eth2. If you
move one of your servers from the DMZ to the 'outside', you'll need to
remove its IP from eth2_ROUTES, and add its IP to DMZ_EXT_ADDRS for
everything to work properly.
NOTE: Swapping an IP between DMZ_EXT_ADDRS and eth2_ROUTES *should* be all
that's required to migrate a server from your DMZ net to the outside
world...this might be handy for testing...you can leave the other DMZ rules
in place for the server, as any in-bound packets for that machine will be
ignored by the LRP box when the IP is listed in DMZ_EXT_ADDRS.
> I have read several threads from last year discussing where to put the
route statements in Eiger configs. Most of the explanations were a bit over
my head, since I lack any clue when it comes to scripts. If you could give
me some baby-step instructions on how these <ip route add xxxx> statements
are constructed, and exactly how and where they are implemented in the
configuration files, that would be helpful.
This is handled by the <iface>_ROUTES variable in my proxy-arp scripts, so
you don't need to do any hacking on the scripts...
> Also, are there local settings on each of the 3 DMZ machines that need to
be changed? Do they need persistent special routes configured?
The DMZ machines should be configured just like they were tied directly to
your cable-modem. They should be configured with the full /24 subnet, and
can use either your LRP box (.172 IIRC) or the cable gateway (.1) IP for
their default gateway. If you use the cable-gateway (.1) as the gateway,
you won't have to do any re-configuration to move your servers from a direct
connection to being firewalled behind the LRP system (hence why proxy-arp
systems are called transparent firewalls).
> An updated network diagram is here http://64.81.226.171/netdiagram2.txt
> Current network.conf is here: http://64.81.226.171/net.txt
Could you also provide the current firewall rules?
> Current routing table:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 64.81.226.174   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.81.226.172   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 64.81.226.173   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 64.81.226.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         64.81.226.1     0.0.0.0         UG    0      0        0 eth0
Your routing table looks fine. I don't think you need any changes...
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Leaf-user mailing list
http://lists.sourceforge.net/lists/listinfo/leaf-user
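An added example, not the LEAF/Eiger proxy-arp scripts themselves, that applies the eth2_ROUTES / DMZ_EXT_ADDRS swap described in the reply above: it checks the two lists for an address listed in both, prints (dry-run, nothing is applied) the iproute2 commands a DMZ host needs on the LRP box, and moves one host from the DMZ list to the outside list. It assumes the lists are whitespace-separated and uses the addresses quoted in this thread.

```shell
#!/bin/sh
# Added example: per-host routing and proxy-ARP for a DMZ behind an LRP box.
# Assumption: eth2_ROUTES / DMZ_EXT_ADDRS are whitespace-separated IP lists.
# Addresses below are the ones quoted in the thread (constructed sample data).

# Hosts on the DMZ (eth2) that the LRP box answers ARP for on the outside (eth0).
ETH2_ROUTES="64.81.226.172 64.81.226.173 64.81.226.174"
# Hosts that really sit on the outside net; the LRP box must not claim these.
DMZ_EXT_ADDRS=""

# Return 0 when no IP appears in both lists; otherwise print the offenders
# to stderr and return 1 (a host left in both lists is the "outside server
# unreachable from inside" symptom the reply explains).
check_dmz_config() {
    routes=$1; ext=$2; rc=0
    for ip in $routes; do
        for x in $ext; do
            if [ "$ip" = "$x" ]; then
                echo "CONFLICT: $ip is in both eth2_ROUTES and DMZ_EXT_ADDRS" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Print the commands for each DMZ host: a /32 host route out eth2 plus a
# proxy-ARP entry on eth0 so the cable-modem side can reach it transparently.
gen_proxyarp_cmds() {
    routes=$1
    for ip in $routes; do
        echo "ip route add $ip/32 dev eth2"
        echo "ip neigh add proxy $ip dev eth0"
    done
}

# Move one host from the DMZ to the outside: remove it from the routes list
# and append it to the external list. Prints the two updated lists, one per line.
migrate_to_outside() {
    host=$1; routes=$2; ext=$3; new=""
    for ip in $routes; do
        [ "$ip" = "$host" ] || new="$new${new:+ }$ip"
    done
    echo "$new"
    echo "${ext:+$ext }$host"
}

check_dmz_config "$ETH2_ROUTES" "$DMZ_EXT_ADDRS" && gen_proxyarp_cmds "$ETH2_ROUTES"
```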