<sigh> We need a FAQ answer for this one too (or do we have one?).
LEAF basic firewalls by default block ALL private-address traffic on the
external interface. (At least Dachstein and Eigerstein do, and I think
Oxygen is the same in that regard.) So traffic on eth0 to private address
192.168.68.1 gets firewalled.
Solutions:
1. Add a suitable rule to ALLOW traffic to 192.168.68.0/24 on eth0.
2. Run a different drop-in firewall package that checks the gateway address
and allows traffic to it. (EchoWall does this, for example.)
Having said all of that, this is really just a guess. Other things could be
going on as well. To see all the possibilities, look at the sections of the
LEAF FAQ that discuss interpretation of ping failures. (Examples: does the
workstation have the right gateway address? Is ip_forwarding turned on on
the Oxygen firewall?)
At 11:13 PM 2/6/02 -0800, Greg R wrote:
> This is my specific setup:
>
> ~~~~~~~~~~~~~~~~~~~~~~
> { Internet }
> ~~~~~~~~~~~~~~~~~~~~~~
> |
> ---------------
> | ISP |
> ---------------
> |
> DSL
> |
> ---------------
> | 64.96.78.45 |
> | |
> | DSL |
> | Router |
> | |
> | 192.168.68.1|
> ---------------
> |
> |
> Ethernet
> |
> |
> -----------------------
> | 192.168.68.254 |
> | eth0 |
> | |
> | LEAF ROUTER |
> | |
> | eth1 |
> | 192.168.1.1 |
> -----------------------
> |
> |
> Ethernet
> |
> |
> ----------------
> | Workstation |
> | 192.168.1.50 |
> ----------------
>
>The LEAF Router is running Oxygen 1.8.
>
>The DSL router has a static external IP and
>is performing masquerading NAT on the internal
>interface on the 192.168.68.0 network. Both
>interfaces of the LEAF router are static as is
>the IP of the workstation. The LEAF is also
>performing masquerading NAT.
>
>The default gw of the LEAF router is set to
>192.168.68.1 - the internal interface of the DSL
>router. The default gw of the workstation is set to
>192.168.1.1 - the internal interface of the LEAF
>router.
>
>My symptoms are these: from the LEAF router I
>can ping all of the devices on the local network
>as well as the greater Internet. However from the
>workstation I can only ping as far as the external
>(eth0 - 192.168.68.254) interface of the LEAF
>router. I can not hit the internal interface of the
>DSL router.
>
>I have disabled checking for martians on the external
>interface of the LEAF router. I can not see anything
>wrong with this setup but I must be missing something
>basic. Any pointers are greatly appreciated.
>
>Thanks in advance
>
>
>#ip addr show
>1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:e0:29:6b:0f:0b brd ff:ff:ff:ff:ff:ff
> inet 192.168.68.254/24 brd 192.168.68.255 scope global eth0
>3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:e0:29:6b:0f:0f brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
>
>
>#ip route sh
>192.168.1.1 dev eth1 scope link
>192.168.1.0 dev eth1 scope link
>192.168.68.254 dev eth0 scope link
>192.168.68.0 dev eth0 scope link
>192.168.68.0/24 dev eth0 proto kernel scope link src 192.168.68.254
>192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
>127.0.0.0/8 dev lo scope link
>default via 192.168.68.1 dev eth0
>
>
>#ip neighbour sh
>192.168.68.1 dev eth0 lladdr 00:20:6f:10:d8:cb nud reachable
>192.168.1.50 dev eth1 lladdr 00:80:c8:8b:9e:01 nud reachable
--
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
----------------------------------------------------------------
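As an added example (not part of the original thread), here is a small Python script that runs the checks Ray describes against the "ip route sh" output Greg posted: it finds the default gateway and the interface it sits on, confirms the gateway lies in a subnet directly connected to that interface, flags that the gateway is an RFC 1918 private address (the class of traffic the default LEAF rules drop on the external interface), and emits the raw allow rules for solution 1. The rule syntax is plain ipchains or iptables, not LEAF configuration-file syntax; which tool the router's kernel uses and how the rules get into a particular firewall package are assumptions left to the reader. The rules are inserted at position 1 so they are evaluated before any existing private-address deny rule.

```python
"""Check a LEAF router's routing table for the symptom discussed above:
a private-address default gateway reached through the external interface."""
import ipaddress
import re

# Copied from the "ip route sh" output quoted in the post.
IP_ROUTE_OUTPUT = """\
192.168.1.1 dev eth1 scope link
192.168.1.0 dev eth1 scope link
192.168.68.254 dev eth0 scope link
192.168.68.0 dev eth0 scope link
192.168.68.0/24 dev eth0 proto kernel scope link src 192.168.68.254
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 192.168.68.1 dev eth0
"""


def default_gateway(route_text):
    """Return (gateway, interface) from the 'default via' line, or None."""
    for line in route_text.splitlines():
        m = re.match(r"default via (\S+) dev (\S+)", line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def connected_network(route_text, gateway, iface):
    """Return the kernel-added prefix on `iface` that contains `gateway`.
    Only the 'proto kernel' routes carry a prefix length, so they are the
    ones that tell us which subnet the interface is actually on."""
    gw = ipaddress.ip_address(gateway)
    for line in route_text.splitlines():
        m = re.match(r"(\S+/\d+) dev (\S+) proto kernel", line.strip())
        if m and m.group(2) == iface:
            net = ipaddress.ip_network(m.group(1), strict=False)
            if gw in net:
                return net
    return None


def allow_rules(net, iface, tool):
    """Raw commands letting the router, and the hosts it masquerades, talk to
    the gateway's subnet on the external interface.  Assumption: these are the
    bare tool commands; the LEAF config file they belong in is package-specific."""
    n = str(net)
    if tool == "ipchains":   # 2.2 kernels: forwarded packets cross input and output
        return [
            f"ipchains -I input 1 -i {iface} -s {n} -j ACCEPT",
            f"ipchains -I output 1 -i {iface} -d {n} -j ACCEPT",
        ]
    if tool == "iptables":   # 2.4 kernels: forwarded packets cross FORWARD only
        return [
            f"iptables -I INPUT 1 -i {iface} -s {n} -j ACCEPT",
            f"iptables -I OUTPUT 1 -o {iface} -d {n} -j ACCEPT",
            f"iptables -I FORWARD 1 -o {iface} -d {n} -j ACCEPT",
            f"iptables -I FORWARD 1 -i {iface} -s {n} -j ACCEPT",
        ]
    raise ValueError(f"unknown tool {tool!r}")


def diagnose(route_text, tool="ipchains"):
    """Summarise what the routing table says about the default gateway and
    propose allow rules when the gateway is a private address."""
    gw = default_gateway(route_text)
    if gw is None:
        return {"problem": "no default route"}
    gateway, iface = gw
    net = connected_network(route_text, gateway, iface)
    report = {
        "gateway": gateway,
        "iface": iface,
        "gateway_reachable": net is not None,   # on a directly connected subnet?
        "gateway_is_private": ipaddress.ip_address(gateway).is_private,
        "rules": [],
    }
    if net is not None and report["gateway_is_private"]:
        report["rules"] = allow_rules(net, iface, tool)
    return report


if __name__ == "__main__":
    for key, value in diagnose(IP_ROUTE_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it on the posted table and it reports gateway 192.168.68.1 on eth0, reachable, private, and two ipchains rules for 192.168.68.0/24. Note that a gateway that is private but not on a connected subnet is a different problem (a routing error, not a firewall one), which is why the rules are only emitted when both checks pass.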
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user