At 02:55 AM 10/3/02 -0700, Liu Mei wrote:
>First of all, thank all of you very much indeed.
>
>I am sorry I still have not given very clear
>information to you.

This is correct. So, for the THIRD time, please read the SR FAQ, then 
follow its instructions about what information to include. Don't pick and 
choose; quote the diagnostics we ask for.


>Now the problem seems more interesting.
>
>The eth0 (the external port) is 192.168.1.113,
>which is given by ISP's DHCP server.
>
>The eth1 (the internal port) is 192.168.2.1, which
>is assigned by myself.
>
>
>I have re-set up a pc in the LAN.
>Its ip is 192.168.2.100.
>Its gateway now is 192.168.2.1, which used to be
>192.168.1.254.
>The subnet mask is 255.255.255.0
>The DNS IP has also been set up to be the ISP's DNS
>server.
>
>I have flushed all rules and restarted the route. The
>output of ipchains -nvL is
>
>Chain input (policy ACCEPT: 0 packets, 0 bytes):
>Chain forward (policy ACCEPT: 0 packets, 0 bytes):
>Chain output (policy ACCEPT: 0 packets, 0 bytes):
>
>Route itself works fine. It can ping the internet,

You mean "router", not "route". (I don't usually correct typos, but this 
one can lead to misunderstandings, since a "route" is something different 
from but relevant to a "router" ... and you call your router a "route" 
several times, which makes me think you don't know the correct terminology.)

>itself(eth0 and eth1) and the pc in the LAN.
>
>I could also ping from the pc in the LAN to the route(
>both 2.1 and 1.113). But got "Request timed out."
>error when I tried to ping the 1.254 and the ISP's DNS
>server.

Is "1.254" the router's gateway address at the ISP?

>the new output of ipchains -nvL is
>
>Chain input (policy ACCEPT: 294 packets, 40399 bytes):
>Chain forward (policy ACCEPT: 47 packets, 3965 bytes):
>Chain output (policy ACCEPT: 81 packets, 6533 bytes):

Your problem comes from not using the 192.168.2.0/24 LAN subnet correctly.

There are only two ways you can get IP addresses to use on your LAN. Only 
two; no others. They are:

1. Use addresses that you have been assigned by your ISP. If your ISP 
assigns you an address range, then it will, at its end, know to route 
traffic for those addresses to your LAN. You and the ISP may still need to 
work out some specifics about using the addresses successfully, but that's 
just a detail. In this case, you will not NAT (MASQ) the addresses, but you 
may need to proxy-arp them (see below).

2. Use private-range addresses and NAT (MASQ) them at your router.

You are not following either of these procedures. Now your setup is a bit 
confusing, in that your ISP uses private-range addresses (the 
192.168.1.0/24 network, it appears, in your case) for the external 
connection. But that does not change the limitations on you.

So ... the simplest quick way to get your LAN communicating with the 
Internet is to add (or restore) to the router's forward chain a rule that 
MASQs traffic from 192.168.2.0/24 to eth0. Since this message does not 
mention which LEAF variant you are using, and I don't remember your earlier 
messages well enough to recall, I can't tell you specifically how to add 
this rule during boot/init ... consult the docs for your LEAF variant.


>I suppose that I may not be able to add a new private
>subnet under the private 192.168.1.xxx. However, I do
>need to separate the whole 1.xxx subnet into two or
>more subnet.

Why? As I read your postings, it's not your network (it is the ISP's 
network), so you shouldn't be able to subnet it. Presumably other clients 
of the ISP use other addresses on it to connect to the ISP ... if this is 
wrong, then to get help here, you simply MUST give us a coherent 
explanation of your rights to addresses in the 192.168.1.0/24 network.


>Maybe I should try to use 192.168.1.192
>to be my new subnet mask to separate the private subnet
>but I don't know whether it will work under this
>situation.

192.168.1.192 is not a "subnet mask". You probably mean netmask 
255.255.255.192 (also written as /26), associated with network address 
192.168.1.192 . But that will not work unless:

         1. the ISP has assigned to you the entire 192.168.1.0/24 network
            (or at least the 192.168.1.192/26 portion of it).
         2. -EITHER- the ISP knows that your router's external address is
            its route to the rest of that network,
            -OR- you use proxy-arp on the router to make the LAN's IP
            addresses in this network "visible" to the ISP's router.

>Oh, dear. I don't know what I can do next even though
>I just want to make the LAN see the internet.
>
>I may not be to worry about the attack from the
>internet anymore since it seems that my ADSL modem is
>connecting to a managed route on ISP side.
>
>Any suggestion, please?

I'll close by repeating once again the advice you seem to ignore: read the 
SR FAQ and be guided by it in your presentation of information next time.


--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski                                   -- Han Solo
Palo Alto, California, USA                        [EMAIL PROTECTED]
-------------------------------------------------------------------------------
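
Added example, not part of the original message and not LEAF project code: the two address options from the reply, worked through with the thread's own addresses. The names plan_lan and mask_to_cidr and the result labels are hypothetical; the 192.168.1.0/24 ISP-side network is the one the reply infers, and the ipchains line is one way to write the MASQ rule it describes.

```python
import ipaddress

# From the thread: eth0 is the external port; 192.168.1.0/24 is the ISP-side
# network the reply infers from the DHCP-assigned address 192.168.1.113.
ISP_NET = ipaddress.ip_network("192.168.1.0/24")
EXT_IF = "eth0"


def mask_to_cidr(address, netmask):
    """Turn a network address plus dotted netmask into CIDR form."""
    # strict parsing (the default) rejects an address with host bits set
    return str(ipaddress.ip_network(f"{address}/{netmask}"))


def plan_lan(lan_cidr, assigned_by_isp=False, isp_net=ISP_NET, ext_if=EXT_IF):
    """Classify a proposed LAN range into the two options from the reply.

    Returns (method, detail); the method labels are made up for this example.
    """
    lan = ipaddress.ip_network(lan_cidr)
    if assigned_by_isp:
        if lan.subnet_of(isp_net):
            # The ISP's router treats these hosts as on-link, so the LAN
            # router must answer ARP for them unless the ISP adds a route.
            return ("proxy-arp", f"answer ARP for {lan} on {ext_if}, no MASQ")
        return ("isp-routes", f"ISP routes {lan} to the router, no MASQ")
    if lan.overlaps(isp_net) or not lan.is_private:
        # Nobody upstream will send replies for these addresses back to you.
        return ("not-yours",
                f"{lan} is not assigned to you; use a private range "
                f"that does not overlap {isp_net}")
    # Private range of your own: hide it behind the router's external address.
    return ("masq", f"ipchains -A forward -s {lan} -i {ext_if} -j MASQ")


if __name__ == "__main__":
    print(mask_to_cidr("192.168.1.192", "255.255.255.192"))
    for cidr, assigned in [("192.168.2.0/24", False),
                           ("192.168.1.192/26", False),
                           ("192.168.1.192/26", True)]:
        print(cidr, assigned, plan_lan(cidr, assigned))
```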

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html