At 03:17 PM 2/3/03 -0800, Chris Low wrote:
[...]
and checked the things Ray asked about:
the masq rule reads:

0  0  MASQ  all ------ 0xFF 0x00  eth0      10.10.10.0/24      0.0.0.0/0  n/a
[...]
Three more questions before I go though:

1) Since the ISP's router is set to route incoming mail to our exchange server at its current address (192.168.1.2) all I should have to do is assign that server a new static IP (something along the lines of 10.10.10.200) and let the ISP know about this change, right?
Wrong. Since the LEAF router MASQs (NATs) the 10.10.10.0/24 network (that's the import of the MASQ line I asked about), it appears to the ISP's router that all the traffic is coming from 192.168.1.whatever_DHCP_assigns_to_the_external_interface. If you want to MASQ the LAN this way, you will need to

(a) port forward traffic to port 25 on the LEAF router to the 10.10.10.x mail server
(b) have the ISP router port forward port 25 to the LEAF router's "external" address.

(I'm assuming here that the ISP router NATs 192.168.1.0/24, something you haven't actually said. It is possible that the ISP actually routes to 192.168.1.0/24 rather than NATs it, and that some address translation takes place upstream of you. In that case, everything is different, and you haven't told us enough details to get good advice.)

While this approach should work, it is clumsy. A much better approach might be, if you can arrange this, to put the 192.168.1.0/24 network behind your LEAF firewall, use some other address pair to set up a static route between the ISP's router and the LEAF router, and tell the ISP's router that the LEAF router is its route to 192.168.1.0/24. Then let the ISP's router do the NAT'ing, and use the LEAF router just for firewall rules.

Although I say "much better", a real assessment of the best approach (there are other ways to do it too, such as proxy arp'ing on the LEAF router) requires an evaluation of your actual setup, including what options your ISP will provide, what you need firewalled and why, and probably more. We can talk about possibilities, not really tell you what is best for your particular circumstances.

2) It looks like our ISP's router is set to renew non-static IP addresses every 27000 seconds (7.5 hours). I know this affects the IP address for eth0; will that affect anything else behind the firewall?
No. Anything behind the firewall gets its address either via static assignment or from the *LEAF* router's DHCP server. Unless you make special arrangements to forward them, DHCP requests/assignments do not cross routers.

Basically I'm wondering if this is okay to leave as-is or should I try to assign eth0 a static IP.
It depends on how you decide to solve the routing and mail-server problems. But a static address would simplify about every solution to them I can think of.

3) How do I enable the weblet application? I changed the settings in the weblet package: SERVER_NAME and SERVER_ADDR to both be 10.10.10.254 to match the eth1 address. I also changed the CLIENT_ADDR to 10.10.10. but so far I've been unable to access it from the internal NT box.
Someone else will have to help with this one, since I don't use the weblet. If nothing is forthcoming, though, consider reporting with a more complete description of the changes, of what the "unable to access" failure looks like (what error does the browser report, or does it just try forever?), and of the NT host's network settings.


--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
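Step (a) of the port-forward answer, on the LEAF side, as an added example that is not from this thread or from the LEAF project: ipchains/ipmasqadm commands for a Dachstein-era 2.2 kernel (an assumption drawn from the ipchains-style MASQ line quoted above), with constructed addresses and the hypothetical 10.10.10.200 mail-server address from the question. It also shows why the DHCP lease in question 2 matters here: the portfw rule embeds the current eth0 address, so it has to be reloaded whenever that address changes.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a Dachstein-era LEAF router
# with a 2.2 kernel, ipchains and ipmasqadm. Addresses are constructed.
EXT_IF=eth0                 # interface that holds the ISP's DHCP lease
LAN_NET=10.10.10.0/24       # network the LEAF router MASQs
MAIL_SERVER=10.10.10.200    # hypothetical new static address for the Exchange box
DRY_RUN=${DRY_RUN:-1}       # 1: print the commands; 0: execute them (root, on the router)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Current eth0 address. The ISP renews the lease every 27000 s, so this can change,
# and the portfw rule below embeds it: a static eth0 address removes that problem.
ext_ip() {
    ifconfig "$EXT_IF" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# The MASQ rule already on the router (the line Ray asked about), for completeness.
masq_rule() {
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
}

# Step (a): accept inbound SMTP on the external address and hand it to the mail
# server. Only TCP/25 is redirected; everything else keeps the existing policy.
smtp_forward_rules() {
    ip=$1
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$ip" 25 -j ACCEPT
    run ipmasqadm portfw -a -P tcp -L "$ip" 25 -R "$MAIL_SERVER" 25
}

# Flush stale forwards before re-adding; call this from the DHCP lease-change hook.
reload_forwards() {
    run ipmasqadm portfw -f
    smtp_forward_rules "$1"
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    masq_rule
    reload_forwards "$(ext_ip)"
fi
```

Without the `apply` argument the script only prints the commands it would run, which is a convenient way to review the rules before touching the router.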



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html