Ken Marshall wrote:
The reason I am trying to configure these additional IP's is so that our
clients can connect to our internal workstations using pcAnywhere.  I've got
6 people here who use pcAnywhere to support clients.  We need to take
control of the client workstations, so we configure our PCA Remote to "Wait
for a Connection".  Then we have the client right-click on their PCA host
and select "Call Remote".  This brings up a dialog asking for the IP of the
remote to which they want to connect.  I would like the client to be able to
type in 206.127.77.50 which would then get port forwarded in to my machine
(192.168.10.50).

The only traffic I want to let through on those additional IP's is PCA
traffic (TCP 5631 and UDP 5632).

I don't think this qualifies as a DMZ setup because the machines I want to
access are the same machines as my internal network.  However, if it would
work, I wouldn't mind putting another NIC in the Dach box and just connect
it to my main switch.  Do you think this is the best approach, or is there
another solution?

Thanks very much for your help Charles.

OK, so you want port-forwarding on the router, rather than any sort of DMZ setup.


You can probably get this to work, but the configuration details may require some experimentation.

I know Dachstein can run with multiple networks on the same interface, as I have done that several times. I don't think you actually have two networks on your upstream link, but instead have one network with a block of IP's routed to you. This has the potential to confuse the equipment upstream if you assign the extra IP's directly to the external interface.

The "normal" way to do this would be to assign public IP's to the desired desktop systems, but this is not necessarily ideal from either a network topology (I'm assuming you have additional machines you do *NOT* wish to connect to, and limited IP space), or a security standpoint.

You're probably going to have to dig around some with tcpdump to make sure whatever you configure is working properly, but the "cleanest" quick solution I can think of is to create a "virtual" DMZ. If you assign your extra public IP's to a third interface, the upstream equipment will not be confused, your internal boxes will not have public IP's, and you should be able to setup port-forwarding from the public IP's to your internal systems.

You could probably also get everything to work with the IP's assigned to the external interface, but you'll likely have to do some sniffing to figure out how to configure everything, and make sure nothing strange is happening behind the scenes (like ICMP redirect messages being sent to the upstream host).

As previously mentioned, there are some tricks the 2.4 series kernels can play with iptables that are not possible with the 2.2 series. I think you can probably make this go with 2.2 if you want, but there might be an easier solution with 2.4/iptables (bering). I don't know enough about the changes for 2.4 to say for sure, however, and it probably depends a lot on exactly how the current traffic is showing up at your router, and why simply adding extra IP addresses didn't work.

Grab a tcpdump package (typically requires libpcap as well), and take a look at your traffic...

--
Charles Steinkuehler
[EMAIL PROTECTED]
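The port-forwarding Charles describes, as an added example that is not part of the original thread or of the LEAF/Bering distribution. It assumes a 2.4/iptables (Bering) router on which the spare public IP 206.127.77.50 already reaches the external interface (assumed name eth0), whether that IP is aliased there or sits on the third "virtual DMZ" interface; it forwards only the two pcAnywhere ports Ken listed to 192.168.10.50 and drops everything else from outside to that host. The DRY_RUN switch is an assumption added so the rules can be printed and reviewed before loading, and the tcpdump filter includes icmp so that any redirect or unreachable from the upstream host shows up in the capture.

```shell
#!/bin/sh
# Added example for this thread, not code from the original message or from
# the LEAF/Bering project: iptables (2.4 kernel) rules that forward only
# pcAnywhere traffic (TCP 5631, UDP 5632) arriving for a spare public IP to
# one internal workstation, plus a tcpdump command to verify it on the router.
# EXT_IF and the DRY_RUN switch are assumptions for illustration.

EXT_IF=eth0                 # upstream interface (assumed name)
DRY_RUN=${DRY_RUN:-1}       # 1 = print the commands, 0 = really run them

# Print or execute a command depending on DRY_RUN, so the rule set can be
# reviewed before it is loaded on the router.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Base FORWARD policy: drop by default, but let replies to connections the
# rules below admitted (and LAN-originated connections) pass.
forward_base() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Rules for one public IP -> one internal host mapping.
# Usage: pca_forward <public_ip> <internal_ip>
pca_forward() {
    pub=$1; int=$2

    # Rewrite the destination before routing, for the two PCA ports only.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" \
        -p tcp --dport 5631 -j DNAT --to-destination "$int"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" \
        -p udp --dport 5632 -j DNAT --to-destination "$int"

    # Let the translated packets through FORWARD; anything else arriving
    # from outside for this host is dropped explicitly.
    run iptables -A FORWARD -i "$EXT_IF" -d "$int" -p tcp --dport 5631 -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -d "$int" -p udp --dport 5632 -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -d "$int" -j DROP
}

# tcpdump command for checking on the router that packets for the public IP
# actually arrive for the right ports; icmp is included so redirects or
# unreachables from the upstream host are visible too.
# Usage: pca_capture <public_ip>
pca_capture() {
    pub=$1
    echo "tcpdump -ni $EXT_IF 'host $pub and (tcp port 5631 or udp port 5632 or icmp)'"
}

# Ken's case: one spare public IP mapped to his workstation.
forward_base
pca_forward 206.127.77.50 192.168.10.50
pca_capture 206.127.77.50
```

Run it as-is to print the rules; run it with DRY_RUN=0 on the router to load them. A second mapping for each of the other five support machines is one more pca_forward call with its own public IP and LAN address.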




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
