[Vyatta-users] vyatta in a fully-virtualized (hvm) domU; console issues

2008-01-29 Thread snowcrash+vyatta
hi,

i've installed vyatta community edition, from vyatta-livecd-vc3.iso,
as a fully-virtualized (HVM) Xen DomU on a Fedora8 Dom0.

install went without a noticeable hitch.

on domain shutdown/restart,

xm create -c vyatta_run.cfg

@ console, i see,

Using config file "/etc/xen/vyatta_run.cfg".
Started domain vyatta
xenconsole: Could not read tty from store: No such file or directory

searching, i find

http://readlist.com/lists/lists.xensource.com/xen-users/3/16722.html

which suggests adding to vyatta domain's /etc/inittab,

co:2345:respawn:/sbin/mingetty console

mounting the domain's LV from Dom0 with,

kpartx -av /dev/VG00/vyatta
mount -t ext2 /dev/mapper/vyatta1 /mnt

i note in /sbin only 'getty' -- no 'mingetty'. so, instead, i add a similar

co:2345:respawn:/sbin/getty console

to

/mnt/etc/inittab


but on domain restart i see the same,

Using config file "/etc/xen/vyatta_run.cfg".
Started domain vyatta
xenconsole: Could not read tty from store: No such file or directory

@ Dom0, the vyatta DomU's console displays,

Press F10 to select boot device.
Booting from Hard Disk ...
GRUB Loading stage 2..
Press any key to continue.

and there it sits. doing nothing.

other DomU's, e.g. Fedora8, have no probs so far ...

anyone here have any hints as to how to get past this?

thanks!
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
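An added example, not part of the original post, for the Dom0 side of this problem. The message `xenconsole: Could not read tty from store` means xenstore holds no console tty for the domain. For an HVM guest `xm console` attaches to the emulated serial port, not to /dev/console, so the mingetty-on-console line from the xen-users thread (aimed at PV guests) does not apply; what an HVM domain needs is `serial='pty'` in its config, which makes qemu-dm redirect the serial port to a pty and publish it for xenconsole. Inside the guest something then has to answer on ttyS0, which with Debian-style `/sbin/getty` (Vyatta is Debian-based, and the poster found getty rather than mingetty) is the stock `T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100` line. The `Press any key to continue.` prompt is GRUB legacy's `terminal` command waiting for a keypress on either the serial line or the VGA console; if the guest's menu.lst has that directive without a `--timeout`, GRUB waits indefinitely, and a keypress in the graphical (VNC) console moves it on. Assumptions in the code: the domain config path and mount point are the ones from the post, and the helpers run as root on Dom0 with the guest's root filesystem mounted.

```shell
#!/bin/sh
# Added example for the HVM console thread; not the poster's own steps.
# Assumptions (not stated on the page): the HVM domain config is
# /etc/xen/vyatta_run.cfg on Dom0, the guest's root FS is mounted at
# /mnt as in the post, and the guest's getty is Debian's /sbin/getty.

# 1. An HVM guest only gets a console for `xm console` when the domain
#    config redirects the emulated serial port to a pty. Return 0 if
#    the config already has serial='pty' (or "pty"), 1 otherwise.
xen_hvm_has_serial_pty() {
    grep -Eq "^[[:space:]]*serial[[:space:]]*=[[:space:]]*['\"]pty['\"]" "$1"
}

# Append serial='pty' to a domain config that lacks it (idempotent).
xen_hvm_enable_serial_pty() {
    xen_hvm_has_serial_pty "$1" && return 0
    printf "serial='pty'\n" >> "$1"
}

# 2. Inside the guest, something must answer on the serial port that
#    `xm console` is attached to. This is the stock Debian inittab line
#    for ttyS0, using /sbin/getty as found in the Vyatta image.
SERIAL_GETTY_LINE='T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100'

# Add the getty line to an inittab exactly once (idempotent), keyed on
# the "T0:" entry id so re-running after a reboot does not duplicate it.
inittab_enable_serial_getty() {
    grep -q '^T0:' "$1" && return 0
    printf '%s\n' "$SERIAL_GETTY_LINE" >> "$1"
}

# Count the inittab entries that start a getty on ttyS0 (for verification).
inittab_serial_getty_count() {
    grep -c 'getty.*ttyS0' "$1" || true
}

# Typical Dom0 run, mirroring the thread's paths (needs root):
#   kpartx -av /dev/VG00/vyatta
#   mount -t ext2 /dev/mapper/vyatta1 /mnt
#   xen_hvm_enable_serial_pty /etc/xen/vyatta_run.cfg
#   inittab_enable_serial_getty /mnt/etc/inittab
#   umount /mnt && kpartx -dv /dev/VG00/vyatta
#   xm create -c vyatta_run.cfg
```

Both helpers are safe to re-run; the inittab one matches on the `T0:` entry id rather than the full line so a hand-edited baud rate is not duplicated. The guest kernel line in menu.lst still needs `console=ttyS0,9600` if boot messages are wanted on the same console, which the helpers do not touch.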


Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread An-Cheng Huang
Hi Nate,

If the problem you're seeing is caused by external vs. internal DNS problem 
(external access is fine, but internal hosts resolve the server to the external 
address and therefore cannot access it), you might be able to work around it 
using NAT. See the following message from the list archive for more details.

http://mailman.vyatta.com/pipermail/vyatta-users/2007-August/001741.html

An-Cheng

Nathan McBride wrote:
> hmmm, guess i should make an internal dns server then... :D
> 
> nate
> 
> On Tue, 2008-01-29 at 22:34 -0500, Aubrey Wells wrote:
>> It's been a while since I researched it, but I think there was
>> something about the way netfilter_conntrack tracks the NAT sessions
>> that prevents the hairpin NAT from working. I never figured out a way
>> around it and no one on google was helpful either.
>>
>> The usual solution is to put a dns entry in your internal dns server  
>> to point the domain name to the internal ip of the web site.
>>
>> --
>> Aubrey Wells
>> Senior Engineer
>> Shelton | Johns Technology Group
>> A Vyatta Ready Partner
>> www.sheltonjohns.com

[Vyatta-users] help me with firewall

2008-01-29 Thread Go Wow
This is my complete configuration. I want to add a firewall such that the whole
internal LAN can still access the internet (as it can now, without a firewall);
I want only ports 80 and 443 to be open to all (yes, they should be accessible
from anywhere); and lastly I have a web server NAT'ted on port 81 of eth0 that I
want to be able to reach too. Everything else should be blocked. Can someone
please define the rules for this?


  protocols {
rip {
interface eth0 {
address 192.168.10.45 {
metric: 1
horizon: "split-horizon-poison-reverse"
disable: false
passive: false
accept-non-rip-requests: true
accept-default-route: true
advertise-default-route: true
route-timeout: 180
deletion-delay: 120
triggered-delay: 3
triggered-jitter: 66
update-interval: 30
update-jitter: 16
request-interval: 30
interpacket-delay: 50
}
}
interface eth1 {
address 192.168.1.1 {
metric: 1
horizon: "split-horizon-poison-reverse"
disable: false
passive: false
accept-non-rip-requests: true
accept-default-route: true
advertise-default-route: true
route-timeout: 180
deletion-delay: 120
triggered-delay: 3
triggered-jitter: 66
update-interval: 30
update-jitter: 16
request-interval: 30
interpacket-delay: 50
}
}
}
}
policy {
}
interfaces {
restore: false
loopback lo {
description: ""
address 192.168.2.1 {
prefix-length: 32
disable: false
}
}
ethernet eth0 {
disable: false
discard: false
description: ""
hw-id: 00:1c:c0:0d:0c:85
duplex: "auto"
speed: "auto"
address 192.168.10.45 {
prefix-length: 24
disable: false
}
}
ethernet eth1 {
disable: false
discard: false
description: ""
hw-id: 00:08:a1:83:b7:1e
duplex: "auto"
speed: "auto"
address 192.168.1.1 {
prefix-length: 24
disable: false
}
}
}
service {
nat {
rule 10 {
type: "destination"
inbound-interface: "eth0"
protocols: "tcp"
source {
network: "0.0.0.0/0"
}
destination {
address: "192.168.10.45"
port-number 81
}
inside-address {
address: 192.168.1.244
port-number: 80
}
}
rule 1000 {
type: "masquerade"
outbound-interface: "eth0"
source {
network: "192.168.1.0/24"
}
destination {
network: "0.0.0.0/0"
}
}
}
ssh {
port: 22
protocol-version: "v2"
}
webgui {
http-port: 80
https-port: 443
}
}
system {
host-name: "vyatta"
domain-name: ""
name-server 202.56.250.6
time-zone: "GMT"
ntp-server "69.59.150.135"
gateway-address: 192.168.10.2
login {
user root {
full-name: ""
authentication {
encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
}
}
user vyatta {
full-name: ""
authentication {
encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
}
}
}
package {
auto-sync: 1
repository community {
component: "main"
url: "http://archive.vyatta.com/vyatta"
}
}
}
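An added example, not the poster's configuration and not Vyatta's own firewall syntax (the VC3 `firewall` stanza is not shown anywhere on this page, so nothing here claims its exact form). The script below renders the requested policy as a plain iptables ruleset, which is what a Vyatta firewall definition ultimately compiles to, using the interfaces and addresses from the posted config: eth0 outside (192.168.10.45), eth1 LAN (192.168.1.0/24), web server 192.168.1.244:80 published on eth0:81. Three things in the posted config deserve a look before any of this goes live. First, ports 80 and 443 on this box are the router's own webgui (`http-port: 80`, `https-port: 443`), so "open to all" means exposing the management interface to the internet; the rule is included as asked but marked, and restricting it to the LAN is the safer choice. Second, the config as posted includes the `encrypted-password` hashes for root and vyatta, identical for both accounts; MD5-crypt hashes posted to a public list invite offline cracking, so those passwords should be changed regardless. Third, RIP is enabled on eth0, the outside interface, with `accept-default-route: true` and no authentication, so any host on 192.168.10.0/24 can advertise itself as this router's default gateway; RIP should be disabled or made passive on eth0. The ruleset is printed by default and only loaded with `APPLY=1` as root, from the console rather than over ssh, since it flushes the tables first.

```shell
#!/bin/sh
# Added example for the "help me with firewall" post; not the poster's
# configuration and not Vyatta config syntax. Emits a plain iptables
# ruleset for the requested policy. Print only by default; APPLY=1 (as
# root, from the console) pipes the rules into sh.

WAN_IF=eth0                 # outside interface from the posted config
LAN_IF=eth1                 # inside interface from the posted config
LAN_NET=192.168.1.0/24
WEB_SERVER=192.168.1.244    # inside-address of NAT rule 10
WEB_PORT=80
PUBLIC_WEB_PORT=81          # port-number 81 on eth0 in NAT rule 10

firewall_rules() {
    cat <<EOF
# --- start from empty tables (run from the console, not over ssh) ---
iptables -F
iptables -t nat -F
iptables -X

# --- NAT (the same two rules the posted config already has) ---
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUBLIC_WEB_PORT -j DNAT --to-destination $WEB_SERVER:$WEB_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE

# --- default deny for traffic to and through the router ---
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# --- traffic to the router itself ---
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Requested: 80 and 443 open to everyone. On this box those ports are the
# webgui (http-port 80 / https-port 443), i.e. the management interface.
# Add "-i $LAN_IF -s $LAN_NET" here to keep it LAN-only.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# ssh to the router from the LAN only.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# LAN hosts may ping the router; everything else to the router is dropped
# (including RIP from the outside segment).
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT

# --- traffic through the router ---
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> internet, unrestricted (as requested).
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Internet -> web server. FORWARD sees the packet after DNAT, so it is
# matched on the inside address and port, not on the public port 81.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SERVER --dport $WEB_PORT -m state --state NEW -j ACCEPT
EOF
}

# Count the ACCEPT rules appended to chain $1 in the ruleset read from stdin.
accept_rules_in() {
    grep -c "^iptables -A $1 .*-j ACCEPT" || true
}

# Policy check on a ruleset read from stdin: the only traffic forwarded in
# from the outside must be to the web server's port. Returns 0 if so.
inbound_forward_limited_to_web() {
    others=$(grep "^iptables -A FORWARD -i $WAN_IF " | grep -vc -- "-d $WEB_SERVER --dport $WEB_PORT" || true)
    [ "$others" -eq 0 ]
}

main() {
    firewall_rules
    if [ "${APPLY:-0}" = 1 ]; then
        firewall_rules | sh -e
    fi
}
main
```

The `inbound_forward_limited_to_web` check is the kind of invariant worth keeping next to any port-forward ruleset: it fails as soon as someone appends a second inbound FORWARD rule, which is how "just one more forward" quietly turns a single published service into several.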


Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Go Wow
> Another way would be to have these kinds of servers (which need to be
> accessed from the LAN) on another subnet. Looks feasible to me.
>


Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread John Mason Jr
Or if the network is very small or doesn't have internal DNS, the hosts file
works as well.

I found a link that is interesting but don't have time to experiment



John

Aubrey Wells wrote:
> It's been a while since I researched it, but I think there was
> something about the way netfilter_conntrack tracks the NAT sessions
> that prevents the hairpin NAT from working. I never figured out a way
> around it and no one on google was helpful either.
> 
> The usual solution is to put a DNS entry in your internal DNS server
> to point the domain name to the internal IP of the web site.
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
hmmm, guess i should make an internal dns server then... :D

nate

On Tue, 2008-01-29 at 22:34 -0500, Aubrey Wells wrote:
> It's been a while since I researched it, but I think there was
> something about the way netfilter_conntrack tracks the NAT sessions
> that prevents the hairpin NAT from working. I never figured out a way
> around it and no one on google was helpful either.
> 
> The usual solution is to put a DNS entry in your internal DNS server
> to point the domain name to the internal IP of the web site.
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Aubrey Wells
It's been a while since I researched it, but I think there was
something about the way netfilter_conntrack tracks the NAT sessions
that prevents the hairpin NAT from working. I never figured out a way
around it and no one on google was helpful either.

The usual solution is to put a DNS entry in your internal DNS server
to point the domain name to the internal IP of the web site.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:

> Can't I do another nat rule?

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
Can't I do another nat rule?

On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
> It sounds like you're a victim of hairpin NATting. Very frustrating.
> iptables doesn't do it (that I know of). I first encountered this on a
> PIX firewall years ago and thought it was an absurd limitation (then I
> found out my beloved Linux couldn't do it either and was crushed).
> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
> do it.
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Aubrey Wells
It sounds like you're a victim of hairpin NATting. Very frustrating.
iptables doesn't do it (that I know of). I first encountered this on a
PIX firewall years ago and thought it was an absurd limitation (then I
found out my beloved Linux couldn't do it either and was crushed).
Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
do it.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:

> John just told me he can get to the page too.
> From inside the LAN I am going to a browser and typing
> www.nombyte.com.  And it doesn't work?
>
> Nate

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
Hmm, gotcha.  I guess that makes sense actually.
I'll see if I can't figure it out.

Nate

On Wed, 2008-01-30 at 08:49 +0530, Go Wow wrote:
> Nathan, I can even view it; from inside the LAN you cannot view it. If I
> remember correctly, someone said that when you try to reach the NAT'ted IP
> from inside the network, the router doesn't know the address where it needs
> to forward your request. Now look, I'm not a networking guru and not
> even an iptables guru, so I don't know why it happens, but if you would like to
> visit it from inside the LAN as well, then you need to add a couple more NAT
> rules, I guess. Someone may help you with additional rules.



Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Go Wow
Nathan, I can even view it; from inside the LAN you cannot view it. If I remember
correctly, someone said that when you try to reach the NAT'ted IP from inside the
network, the router doesn't know the address where it needs to forward your
request. Now look, I'm not a networking guru and not even an iptables guru, so I
don't know why it happens, but if you would like to visit it from inside the LAN
as well, then you need to add a couple more NAT rules, I guess. Someone may help
you with additional rules.
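An added example, not any poster's configuration, showing the "couple more NAT rules" the thread keeps circling. netfilter can do hairpin NAT; what every ruleset posted in this thread lacks is not a second DNAT by itself but a source NAT for the hairpinned flow. With only a DNAT on the LAN interface, the web server (192.168.0.105) sees the LAN client's real address and answers it directly across the LAN, so the client receives a reply from 192.168.0.105 for a connection it opened to 71.62.193.105 and discards it. Masquerading the redirected LAN-to-server packets to the router's LAN address forces the reply back through the router, where conntrack reverses both translations. The price is that the server's logs show the router's address for every LAN client, which is why the split-DNS and hosts-file approaches suggested above are usually cleaner. The script emits plain iptables rules (what a Vyatta NAT config compiles to) using the thread's addresses; it assumes the LAN side of the box is eth1, which the page does not state. In the VC3 config syntax shown on this page the same thing would be a second `destination` rule with `inbound-interface: "eth1"` plus a `masquerade` rule with `outbound-interface: "eth1"` whose destination is the server's address, but whether VC3 accepts that exact combination is not verified here.

```shell
#!/bin/sh
# Added example for the hairpin-NAT discussion above; not any poster's
# configuration. Defaults are the thread's addresses. Assumption (not on
# the page): the Vyatta box's LAN interface is eth1. Run with APPLY=1 as
# root to load the rules; otherwise the script only prints them.

# Emit the three nat-table rules needed for a working hairpin:
#   1. the usual WAN-side port forward (what the thread already has);
#   2. the same DNAT on the LAN interface, so a LAN client that connects
#      to the public address is also redirected to the inside server;
#   3. masquerade of those redirected LAN->server packets, so the server
#      answers the router instead of the client directly. Without rule 3
#      the reply reaches the client from 192.168.0.105 while the client
#      expects 71.62.193.105, and the connection is dropped.
# The FORWARD chain must also permit eth1 -> eth1 traffic to the server
# port; with Vyatta's default (no firewall) policy that is already so.
hairpin_nat_rules() {
    wan_if=$1; lan_if=$2; lan_net=$3; public_ip=$4; server_ip=$5; port=$6
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$public_ip" "$port" "$server_ip" "$port"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$lan_if" "$lan_net" "$public_ip" "$port" "$server_ip" "$port"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
        "$lan_if" "$lan_net" "$server_ip" "$port"
}

# Sanity check for a ruleset read from stdin: every DNAT on the LAN
# interface ($1) must be paired with a POSTROUTING MASQUERADE/SNAT on that
# interface. This is exactly the rule the thread's configs are missing.
# Returns 0 if the ruleset is consistent, 1 otherwise.
hairpin_rules_consistent() {
    lan_if=$1
    rules=$(cat)
    lan_dnats=$(printf '%s\n' "$rules" | grep -c -- "PREROUTING -i $lan_if .*-j DNAT" || true)
    snats=$(printf '%s\n' "$rules" | grep -Ec -- "POSTROUTING -o $lan_if .*-j (MASQUERADE|SNAT)" || true)
    [ "$lan_dnats" -gt 0 ] && [ "$snats" -ge "$lan_dnats" ]
}

main() {
    rules=$(hairpin_nat_rules eth0 eth1 192.168.0.0/24 71.62.193.105 192.168.0.105 80)
    printf '%s\n' "$rules"
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    fi
}
main
```

The masquerade in rule 3 is deliberately narrow (LAN source, server destination, one port) so that ordinary LAN-to-LAN traffic keeps its real source addresses; only the hairpinned flows lose them.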


Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
John just told me he can get to the page too.
From inside the lan I am going to a browser and typing 
www.nombyte.com.  And it doesn't work?

Nate

On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
> *shrug* same here
> 
> Are you trying to hit the NATted address from inside the LAN that is
> being NATted to? Hairpin NAT doesn't work in iptables...
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> 
> 
> 
> 
> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
> 
> > I just connected and see the Apache 2 test page running on CentOS
> >
> > John
> >
> >
> >
> > Nathan McBride wrote:
> >> First off I appreciate help from everyone, this is a nice change to  
> >> some
> >> mailing lists I'm used to.  Unfortunately, I am still having the same
> >> problem.  I'm giving out real information, probably shouldn't, but
> >> that's how frustrated I am.  I just get an unable to connect  
> >> error.  The
> >> firewalls are fine I promise.  I can see the page on 192.168.0.105  
> >> from
> >> inside the lan, and I can see and use the webgui of the router just
> >> fine.  Although I did disable it of course since I want the port  
> >> forwarded.
> >> In the ssh example sent to me which is below, I notice that the  
> >> address
> >> are just numbers where mine have "" around them.  Does this  
> >> matter?  Can
> >> anyone please give any suggestions?
> >>
> >> Thanks a lot,
> >> Nate
> >>
> >> My domain is:
> >> www.nombyte.com
> >>
> >> The IP is:
> >> 71.62.193.105
> >>
> >> Full Nat is:
> >>
> >> nat {
> >>rule 1 {
> >>type: "destination"
> >>inbound-interface: "eth0"
> >>protocols: "tcp"
> >>source {
> >>network: "0.0.0.0/0"
> >>}
> >>destination {
> >>address: "71.62.193.105"
> >>port-name http
> >>}
> >>inside-address {
> >>address: 192.168.0.105
> >>}
> >>}
> >>rule 2 {
> >>type: "masquerade"
> >>outbound-interface: "eth0"
> >>protocols: "all"
> >>source {
> >>network: "192.168.0.0/24"
> >>}
> >>destination {
> >>network: "0.0.0.0/0"
> >>}
> >>}
> >>rule 3 {
> >>type: "masquerade"
> >>outbound-interface: "eth0"
> >>protocols: "all"
> >>source {
> >>network: "192.168.1.0/24"
> >>}
> >>destination {
> >>network: "0.0.0.0/0"
> >>}
> >>}
> >>
> >>
> >>
> >>
> >> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> >>> Here's what I use to port-forward ssh; just adjust for address (where
> >>> destination address is the public IP) and change it to http.
> >>>
> >>>rule 2 {
> >>>type: "destination"
> >>>inbound-interface: "eth0"
> >>>protocols: "tcp"
> >>>source {
> >>>network: 0.0.0.0/0
> >>>}
> >>>destination {
> >>>address: 1.2.3.4
> >>>port-name ssh
> >>>}
> >>>inside-address {
> >>>address: 10.0.0.30
> >>>}
> >>>}
> >>>
> >>> Best,
> >>> Justin
> >>>
> >>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
>  Can someone please help me get this worked out?
>  Nate
> 
> 
> > Ok these are my nat rules now, I didn't see a command to change the rule
> > numbers so I just redid them all by hand.  It still doesn't work.
> >
> > rule 1 {
> >type: "destination"
> >inbound-interface: "eth0"
> >protocols: "tcp"
> >destination {
> >address: "71.62.193.105"
> >port-name http
> >}
> >inside-address {
> >address: 192.168.0.105
> >}
> >}
> >rule 2 {
> >type: "masquerade"
> >outbound-interface: "eth0"
> >protocols: "all"
> >source {
> >network: "192.168.0.0/24"
> >}
> >destination {
> >network: "0.0.0.0/0"
> >}
> >}
> >rule 3 {
> >type: "masquerade"
> >outbound-interface: "eth0"
> >protocols: "all"
> >source {
> >network: "192.168.1.0/24"
> >}
> >destination {
> >network: "0.0.0.0/0"
> >}
> >}
> >
> > Nate
> >
> > On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> >> Hi

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Go Wow
Yeah I was about to say the same thing as Aubrey said; I had the same issue
when I was trying to access the NATted IP from inside the LAN. Try to
access it from outside, from any IP.


Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Aubrey Wells
*shrug* same here

Are you trying to hit the NATted address from inside the LAN that is
being NATted to? Hairpin NAT doesn't work in iptables...

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:

> I just connected and see the Apache 2 test page running on CentOS
>
> John
>
>
>
> Nathan McBride wrote:
>> First off I appreciate help from everyone, this is a nice change to some
>> mailing lists I'm used to.  Unfortunately, I am still having the same
>> problem.  I'm giving out real information, probably shouldn't, but
>> that's how frustrated I am.  I just get an unable to connect error.  The
>> firewalls are fine I promise.  I can see the page on 192.168.0.105 from
>> inside the lan, and I can see and use the webgui of the router just
>> fine.  Although I did disable it of course since I want the port forwarded.
>> In the ssh example sent to me which is below, I notice that the addresses
>> are just numbers where mine have "" around them.  Does this matter?  Can
>> anyone please give any suggestions?
>>
>> Thanks a lot,
>> Nate
>>
>> My domain is:
>> www.nombyte.com
>>
>> The IP is:
>> 71.62.193.105
>>
>> Full Nat is:
>>
>> nat {
>>rule 1 {
>>type: "destination"
>>inbound-interface: "eth0"
>>protocols: "tcp"
>>source {
>>network: "0.0.0.0/0"
>>}
>>destination {
>>address: "71.62.193.105"
>>port-name http
>>}
>>inside-address {
>>address: 192.168.0.105
>>}
>>}
>>rule 2 {
>>type: "masquerade"
>>outbound-interface: "eth0"
>>protocols: "all"
>>source {
>>network: "192.168.0.0/24"
>>}
>>destination {
>>network: "0.0.0.0/0"
>>}
>>}
>>rule 3 {
>>type: "masquerade"
>>outbound-interface: "eth0"
>>protocols: "all"
>>source {
>>network: "192.168.1.0/24"
>>}
>>destination {
>>network: "0.0.0.0/0"
>>}
>>}
>>
>>
>>
>>
>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>> Here's what I use to port-forward ssh; just adjust for address (where
>>> destination address is the public IP) and change it to http.
>>>
>>>rule 2 {
>>>type: "destination"
>>>inbound-interface: "eth0"
>>>protocols: "tcp"
>>>source {
>>>network: 0.0.0.0/0
>>>}
>>>destination {
>>>address: 1.2.3.4
>>>port-name ssh
>>>}
>>>inside-address {
>>>address: 10.0.0.30
>>>}
>>>}
>>>
>>> Best,
>>> Justin
>>>
>>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
 Can someone please help me get this worked out?
 Nate


> Ok these are my nat rules now, I didn't see a command to change the rule
> numbers so I just redid them all by hand.  It still doesn't work.
>
> rule 1 {
>type: "destination"
>inbound-interface: "eth0"
>protocols: "tcp"
>destination {
>address: "71.62.193.105"
>port-name http
>}
>inside-address {
>address: 192.168.0.105
>}
>}
>rule 2 {
>type: "masquerade"
>outbound-interface: "eth0"
>protocols: "all"
>source {
>network: "192.168.0.0/24"
>}
>destination {
>network: "0.0.0.0/0"
>}
>}
>rule 3 {
>type: "masquerade"
>outbound-interface: "eth0"
>protocols: "all"
>source {
>network: "192.168.1.0/24"
>}
>destination {
>network: "0.0.0.0/0"
>}
>}
>
> Nate
>
> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>> Hi Nate,
>>
>> The "inside-address" is the internal (private) IP address of
>> your Web server, which in your case is 192.168.0.105. The "destination
>> address" should actually be the public IP address that outside clients
>> will use to access your server, so usually this is the public IP address
>> of your router.
>> An-Cheng
>>
>> Nathan McBride wrote:
>>> I went and looked at the old docs.  I thought I set them up correctly
>>> but apparently I didn't.  All I'm trying to do is to get p

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread John Mason Jr
I just connected and see the Apache 2 test page running on CentOS

John



Nathan McBride wrote:
> First off I appreciate help from everyone, this is a nice change to some
> mailing lists I'm used to.  Unfortunately, I am still having the same
> problem.  I'm giving out real information, probably shouldn't, but
> that's how frustrated I am.  I just get an unable to connect error.  The
> firewalls are fine I promise.  I can see the page on 192.168.0.105 from
> inside the lan, and I can see and use the webgui of the router just
> fine.  Although I did disable it of course since I want the port forwarded.
> In the ssh example sent to me which is below, I notice that the addresses
> are just numbers where mine have "" around them.  Does this matter?  Can
> anyone please give any suggestions?
> 
> Thanks a lot,
> Nate
> 
> My domain is: 
> www.nombyte.com
> 
> The IP is: 
> 71.62.193.105
> 
> Full Nat is:
> 
> nat {
> rule 1 {
> type: "destination"
> inbound-interface: "eth0"
> protocols: "tcp"
> source {
> network: "0.0.0.0/0"
> }
> destination {
> address: "71.62.193.105"
> port-name http
> }
> inside-address {
> address: 192.168.0.105
> }
> }
> rule 2 {
> type: "masquerade"
> outbound-interface: "eth0"
> protocols: "all"
> source {
> network: "192.168.0.0/24"
> }
> destination {
> network: "0.0.0.0/0"
> }
> }
> rule 3 {
> type: "masquerade"
> outbound-interface: "eth0"
> protocols: "all"
> source {
> network: "192.168.1.0/24"
> }
> destination {
> network: "0.0.0.0/0"
> }
> }
> 
> 
> 
> 
> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>> Here's what I use to port-forward ssh; just adjust for address (where
>> destination address is the public IP) and change it to http.
>>
>> rule 2 {
>> type: "destination"
>> inbound-interface: "eth0"
>> protocols: "tcp"
>> source {
>> network: 0.0.0.0/0
>> }
>> destination {
>> address: 1.2.3.4
>> port-name ssh
>> }
>> inside-address {
>> address: 10.0.0.30
>> }
>> }
>>
>> Best,
>> Justin
>>
>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
>>> Can someone please help me get this worked out?
>>> Nate
>>>
>>>
>>>> Ok these are my nat rules now, I didn't see a command to change the rule
>>>> numbers so I just redid them all by hand.  It still doesn't work.

  rule 1 {
 type: "destination"
 inbound-interface: "eth0"
 protocols: "tcp"
 destination {
 address: "71.62.193.105"
 port-name http
 }
 inside-address {
 address: 192.168.0.105
 }
 }
 rule 2 {
 type: "masquerade"
 outbound-interface: "eth0"
 protocols: "all"
 source {
 network: "192.168.0.0/24"
 }
 destination {
 network: "0.0.0.0/0"
 }
 }
 rule 3 {
 type: "masquerade"
 outbound-interface: "eth0"
 protocols: "all"
 source {
 network: "192.168.1.0/24"
 }
 destination {
 network: "0.0.0.0/0"
 }
 }

 Nate

 On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> Hi Nate,
>
> The "inside-address" is the internal (private) IP address of
> your Web server, which in your case is 192.168.0.105. The "destination
> address" should actually be the public IP address that outside clients
> will use to access your server, so usually this is the public IP address
> of your router.
> An-Cheng
>
> Nathan McBride wrote:
>> I went and looked at the old docs.  I thought I set them up correctly
>> but apparently I didn't.  All I'm trying to do is to get people on the
>> internet to view the website on my comp (192.168.0.105).  The only
>> difference that I noticed when I tried to commit the example in the old
>> docs was that vc3 requires an 'inside-address'.  Could someone please
>> help me correct this to get it working?
>>
>> rule 3 {
>> type: "destination"
>> inbound-interface: "eth0"
>> protocols: "tcp"
>> 

[Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread Nathan McBride
First off I appreciate help from everyone, this is a nice change to some
mailing lists I'm used to.  Unfortunately, I am still having the same
problem.  I'm giving out real information, probably shouldn't, but
that's how frustrated I am.  I just get an unable to connect error.  The
firewalls are fine I promise.  I can see the page on 192.168.0.105 from
inside the lan, and I can see and use the webgui of the router just
fine.  Although I did disable it of course since I want the port forwarded.
In the ssh example sent to me which is below, I notice that the addresses
are just numbers where mine have "" around them.  Does this matter?  Can
anyone please give any suggestions?

Thanks a lot,
Nate

My domain is: 
www.nombyte.com

The IP is: 
71.62.193.105

Full Nat is:

nat {
rule 1 {
type: "destination"
inbound-interface: "eth0"
protocols: "tcp"
source {
network: "0.0.0.0/0"
}
destination {
address: "71.62.193.105"
port-name http
}
inside-address {
address: 192.168.0.105
}
}
rule 2 {
type: "masquerade"
outbound-interface: "eth0"
protocols: "all"
source {
network: "192.168.0.0/24"
}
destination {
network: "0.0.0.0/0"
}
}
rule 3 {
type: "masquerade"
outbound-interface: "eth0"
protocols: "all"
source {
network: "192.168.1.0/24"
}
destination {
network: "0.0.0.0/0"
}
}




On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
> Here's what I use to port-forward ssh; just adjust for address (where
> destination address is the public IP) and change it to http.
> 
> rule 2 {
> type: "destination"
> inbound-interface: "eth0"
> protocols: "tcp"
> source {
> network: 0.0.0.0/0
> }
> destination {
> address: 1.2.3.4
> port-name ssh
> }
> inside-address {
> address: 10.0.0.30
> }
> }
> 
> Best,
> Justin
> 
> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> > Can someone please help me get this worked out?
> > Nate
> >
> >
> > > Ok these are my nat rules now, I didn't see a command to change the rule
> > > numbers so I just redid them all by hand.  It still doesn't work.
> > >
> > >  rule 1 {
> > > type: "destination"
> > > inbound-interface: "eth0"
> > > protocols: "tcp"
> > > destination {
> > > address: "71.62.193.105"
> > > port-name http
> > > }
> > > inside-address {
> > > address: 192.168.0.105
> > > }
> > > }
> > > rule 2 {
> > > type: "masquerade"
> > > outbound-interface: "eth0"
> > > protocols: "all"
> > > source {
> > > network: "192.168.0.0/24"
> > > }
> > > destination {
> > > network: "0.0.0.0/0"
> > > }
> > > }
> > > rule 3 {
> > > type: "masquerade"
> > > outbound-interface: "eth0"
> > > protocols: "all"
> > > source {
> > > network: "192.168.1.0/24"
> > > }
> > > destination {
> > > network: "0.0.0.0/0"
> > > }
> > > }
> > >
> > > Nate
> > >
> > > On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> > > > Hi Nate,
> > > >
> > > > The "inside-address" is the internal (private) IP address of
> > > > your Web server, which in your case is 192.168.0.105. The "destination
> > > > address" should actually be the public IP address that outside clients
> > > > will use to access your server, so usually this is the public IP address
> > > > of your router.
> > > >
> > > > An-Cheng
> > > >
> > > > Nathan McBride wrote:
> > > > > I went and looked at the old docs.  I thought I set them up correctly
> > > > > but apparently I didn't.  All I'm trying to do is to get people on the
> > > > > internet to view the website on my comp (192.168.0.105).  The only
> > > > > difference that I noticed when I tried to commit the example in the old
> > > > > docs was that vc3 requires an 'inside-address'.  Could someone please
> > > > > help me correct this to get it working?
> > > > >
> > > > > rule 3 {
> > > > > type: "destination"
> > > > > inbound-interface: "eth0"
> > > > > protocols: "tcp"
> > > > > destination {
> > > > > address: "192.168.0.105"
> > > > > port-name http
> > > > > }
> > > > > inside-address {
> > > > >

[Vyatta-users] Munin and Vyatta

2008-01-29 Thread Alain Kelder
Is Munin (http://munin.projects.linpro.no) known to be incompatible with 
Vyatta? I have it working great on Debian Etch, but not Vyatta VC3. It 
installs and starts fine, runs like a champ for a day and then descends 
into a coma (no display, no networking). After a hard reset it comes 
back fine (no errors in the logs) only to go comatose again after a while.

How different is Vyatta from a stock Debian? Is it just the xorp daemons 
or is there more?

Wonder if my problem has nothing to do with Vyatta and is related to my 
hardware instead.. I'm using a mini-itx system from LogicSupply 
(http://www.logicsupply.com/products/system3677) with the following config:

SolidLogic 3677 Mini-ITX System (System3677)
A/C Adapter (brick): A/C Power Adapter 60W (PW-AC 60W)
Mainboard: Jetway J7F2WE-1G2 1.2GHz fanless
CD/DVD Drive: TEAC Slimline CD-ROM (CD-224E)
Hard Disk/Flash: Transcend IDE Flash Module (40 pin) 2GB
Memory: DDR2 533 RAM 512MB
Daughterboards: 3 x 10/100/1000 LAN Module
Case: Morex 3677 Mini-ITX Case - Silver





[Vyatta-users] Squid & Vyatta

2008-01-29 Thread Go Wow
I was searching the internet and found this script which can be used to get
a complete url log using squid.

http://www.benking.me.uk/2007/10/24/vyatta-forwarding-traffic-to-squid/

#!/bin/sh -e
#
# rc.local
#
# Modified to forward to squid cache
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#

IPTABLES="/sbin/iptables"
IP="/sbin/ip"
SQUID="10.1.1.1"  # Internal address of our squid box

# Webcache jump to cache
echo Setting up jump to webcache

# clear any existing entries
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Don't mark webcache traffic (the squid box's own outbound port-80 requests)
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $SQUID

# Internal subnets to exclude (don't cache internal)
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8

# External sites to exclude
# (1.2.3.4 stands for the IP address of a site you want to keep out of the cache)
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 1.2.3.4

# Now mark our traffic; we have a number of subnets on virtual interfaces we
# want to grab. If you aren't using vifs, simply use eth1 or whatever you are
# using.
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.103 -p tcp --dport 80

# Send the marked traffic to table 2 (you can actually use whatever table
# you want; 2 was used because eth2 is the interface for the subnet squid is on).
$IP rule add fwmark 3 table 2

# Set the default route for table 2; change eth2 to the interface you are on.
$IP route add default via $SQUID dev eth2 table 2

# Make sure we exit
exit 0


I just wanted someone to explain this to me a little more. Ben did explain it on
his site, but still I would like someone to explain this, please.
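Added example (not code from the list thread or from Ben King's script): a toy model of ordered iptables-style chain matching. It shows why the DNAT rule bound to eth0 in the NAT thread above never sees a LAN client's request to the public IP (the "hairpin" case Aubrey describes), and which packets the rc.local script marks and policy-routes to the squid box. Client and external-server addresses are constructed, and the LAN side of Nate's router is assumed to be eth1.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80
    mark: int = 0


@dataclass(frozen=True)
class Rule:
    """One chain entry: 'accept' stops traversal, 'dnat' rewrites the
    destination and stops, 'mark' sets the fwmark and keeps going."""
    action: str
    in_iface: Optional[str] = None
    proto: Optional[str] = None        # None or "all" matches any protocol
    dport: Optional[int] = None
    src: Optional[str] = None          # host or CIDR
    dst: Optional[str] = None          # host or CIDR
    arg: Optional[str] = None          # DNAT target address or mark value

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface and pkt.in_iface != self.in_iface:
            return False
        if self.proto not in (None, "all") and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True


def run_chain(rules: List[Rule], pkt: Packet) -> Packet:
    """Walk the chain top to bottom, as iptables does for PREROUTING."""
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.action == "accept":
            return pkt
        if r.action == "dnat":
            return replace(pkt, dst=r.arg)
        if r.action == "mark":           # MARK is non-terminating
            pkt = replace(pkt, mark=int(r.arg))
    return pkt


# (a) Nate's NAT rule 1 from the thread: destination NAT for tcp/80 on eth0.
NAT_PREROUTING = [
    Rule("dnat", in_iface="eth0", proto="tcp", dport=80,
         src="0.0.0.0/0", dst="71.62.193.105", arg="192.168.0.105"),
]


def dnat_result(in_iface: str, src: str) -> str:
    """Destination a packet to 71.62.193.105:80 has after NAT PREROUTING."""
    pkt = Packet(in_iface=in_iface, src=src, dst="71.62.193.105")
    return run_chain(NAT_PREROUTING, pkt).dst


# (b) The mangle PREROUTING chain built by the rc.local script.
MANGLE_PREROUTING = [
    Rule("accept", proto="tcp", dport=80, src="10.1.1.1"),     # squid itself
    Rule("accept", proto="tcp", dport=80, dst="10.0.0.0/8"),   # internal nets
    Rule("accept", proto="tcp", dport=80, dst="1.2.3.4"),      # excluded site
    Rule("mark", in_iface="eth3.102", proto="tcp", dport=80, arg="3"),
    Rule("mark", in_iface="eth3.103", proto="tcp", dport=80, arg="3"),
]


def route_table(pkt: Packet) -> str:
    """'ip rule add fwmark 3 table 2': marked packets take table 2, whose only
    route is 'default via 10.1.1.1 dev eth2'; everything else uses main."""
    out = run_chain(MANGLE_PREROUTING, pkt)
    return "table2-via-10.1.1.1" if out.mark == 3 else "main"


if __name__ == "__main__":
    # Outside client (constructed) on eth0: the DNAT rule matches.
    print(dnat_result("eth0", "203.0.113.7"))          # 192.168.0.105
    # LAN client (constructed) enters on eth1: inbound-interface eth0 does not
    # match, so the packet keeps the router's own public address and never
    # reaches the web server. That is the hairpin case.
    print(dnat_result("eth1", "192.168.0.50"))         # 71.62.193.105
    # Browser on vif eth3.102 to a constructed external web server: marked.
    print(route_table(Packet("eth3.102", "192.168.102.10", "198.51.100.20")))
    # Same client to an internal 10/8 host (here the squid box): excluded.
    print(route_table(Packet("eth3.102", "192.168.102.10", "10.1.1.1")))
    # HTTPS is not port 80, so it bypasses the cache entirely.
    print(route_table(Packet("eth3.102", "192.168.102.10",
                             "198.51.100.20", dport=443)))
```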


Re: [Vyatta-users] Firewall: block internal telnet

2008-01-29 Thread Go Wow
And I have added it to eth0 for "in" and "local" traffic only.

On 30/01/2008, Go Wow <[EMAIL PROTECTED]> wrote:
>
> This is my firewall config; look at rule 2: 192.168.10.2 is my gateway. I
> added it thinking that my internal LAN users would still have access to the
> internet, but they aren't having it. Can someone tell me why, or give me some
> pointers please?
>
> firewall {
> log-martians: "enable"
> send-redirects: "disable"
> receive-redirects: "disable"
> ip-src-route: "disable"
> broadcast-ping: "disable"
> syn-cookies: "enable"
> name "Rule-1" {
> rule 1 {
> protocol: "tcp"
> action: "accept"
> log: "disable"
> source {
> network: "0.0.0.0/0"
> }
> destination {
> port-name ssh
> }
> }
> rule 2 {
> protocol: "all"
> action: "accept"
> log: "disable"
> source {
> address: "192.168.10.2"
> }
> }
> rule 3 {
> protocol: "tcp"
> action: "accept"
> log: "disable"
> source {
> network: "0.0.0.0/0"
> }
> destination {
> port-number 81
> port-name http
> port-name https
> }
> }
> }
> }
>
> On 30/01/2008, Go Wow <[EMAIL PROTECTED]> wrote:
> >
> > How do I do this? My eth0 is WAN and eth1 is internal LAN. I want to
> > unblock the Internet for internal users, and also I should have the ssh and
> > webgui interfaces; the rest should all be blocked. How do I do this?
> >
> >
>
>
> --
> Those that make the rule don't play the game!!
>



-- 
Those that make the rule don't play the game!!


Re: [Vyatta-users] Firewall: block internal telnet

2008-01-29 Thread Go Wow
This is my firewall config; look at rule 2: 192.168.10.2 is my gateway. I
added it thinking that my internal LAN users would still have access to the
internet, but they aren't having it. Can someone tell me why, or give me some
pointers please?

firewall {
log-martians: "enable"
send-redirects: "disable"
receive-redirects: "disable"
ip-src-route: "disable"
broadcast-ping: "disable"
syn-cookies: "enable"
name "Rule-1" {
rule 1 {
protocol: "tcp"
action: "accept"
log: "disable"
source {
network: "0.0.0.0/0"
}
destination {
port-name ssh
}
}
rule 2 {
protocol: "all"
action: "accept"
log: "disable"
source {
address: "192.168.10.2"
}
}
rule 3 {
protocol: "tcp"
action: "accept"
log: "disable"
source {
network: "0.0.0.0/0"
}
destination {
port-number 81
port-name http
port-name https
}
}
}
}

On 30/01/2008, Go Wow <[EMAIL PROTECTED]> wrote:
>
> How do I do this? My eth0 is WAN and eth1 is internal LAN. I want to
> unblock the Internet for internal users, and also I should have the ssh and
> webgui interfaces; the rest should all be blocked. How do I do this?
>
>


-- 
Those that make the rule don't play the game!!


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread An-Cheng Huang
Stephen Hemminger wrote:
> I vote for #1 as well, but:
> Sounds like a release note, no matter what is decided.
> 
> Is there way to enable/disable this?
> 

To use the '?' key for help, you can change the key binding using the following 
shell command:

  bind '"?": possible-completions'

To restore the original binding:

  bind '"?": self-insert'


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Stig Thormodsrud
I'd vote for #1 also (but my thinking may be warped by over a decade of
IOS development using the "?" key ;-).  

The other thing to consider is the principle of least astonishment for the
over 100,000 downloads of vyatta before glendale.

stig


> I vote for #1. Maybe it's just because I've been doing this for quite a
> while, but I would think that most people who would be annoyed about
> not being able to put a ? in a description or something know how to
> use the ctrl-v escape like with a cisco. Maybe it can be a config
> option?
> 
> set system online-help key-rebindings true
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> 
> 
> 
> 
> On Jan 29, 2008, at 5:27 PM, An-Cheng Huang wrote:
> 
> > Note also that if the '?' key is bound to auto-completion, the user
> > can still input the '?' character using the readline escape sequence
> > (i.e., in this case "Ctrl-v ?"). So basically it came down to a
> > choice between these:
> >
> > (1) Keep '?' key as help. To input a '?' character, prefix it with
> > "Ctrl-v".
> > (2) Use some other key sequence for help. A '?' character can be
> > entered directly.
> >
> > At that time, (2) was deemed more acceptable than (1), so we
> > currently have (2).
> >
> > An-Cheng
> >
> > An-Cheng Huang wrote:
> >> That was the first thing I tried when we started implementing the
> >> help system. The problem is when the user actually wants to input a
> >> '?' character, how do we rebind the '?' key back to the actual
> >> character? I also tried to rebind the key after seeing a quote
> >> (assuming '?' characters can only appear in quotes), etc., etc. In
> >> the end, this is a limitation in the readline library (which is
> >> used by bash for command line input). We _could_ change readline, I
> >> suppose, somewhere down the road.
> >>
> >> An-Cheng
> >




Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-29 Thread Jostein Martinsen-Jones
Log result attached.
I managed to log in if I changed the passwords for my "troubled users".
Sometimes the encrypted-password didn't get encrypted.


2008/1/29, Justin Fletcher <[EMAIL PROTECTED]>:
>
> Give "show log | match ERROR" a try.
>
> Justin
>
> On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > I have this problem again. Now I was able to log in to a user account I
> > created, but unable to view logfiles since I'm in xorpsh.
> >
> > 2008/1/28, Justin Fletcher <[EMAIL PROTECTED]>:
> >
> > > Anything untoward in the log files?
> > >
> > > Justin
> > >
> > > On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> > wrote:
> > > > Today I had a weird experience with Vyatta.
> > > > I was unable to login on any account. Did a reboot, then everything
> was
> > > > normal.
> > > > What is going on?
> > > >
> > > >
> > > >
> > >
> >
> >
>

 show log | match ERROR
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41  ERROR 
xorp_rtrmgr:3758 LIBXORP +741 
/home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libxorp/run_command.cc
 done ] Command "/opt/vyatta/sbin/xorp_tmpl_tool": exited with exit status 1.
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41  ERROR 
xorp_rtrmgr:3758 RTRMGR +1647 
/home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/task.cc 
execute_done ] Error found on program stderr!
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41  ERROR 
xorp_rtrmgr:3758 RTRMGR +701 
/home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
 commit_pass2_done ] Commit failed: VPN configuration error.  The IKE group 
"IKE-1W" specified for peer "0.0.0.0" has not been configured. VPN 
configuration error.  The ESP group "ESP-1W" specified for peer "0.0.0.0" 
tunnel 1 has not been configured. VPN configuration commit aborted due to 
error(s).
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41  ERROR 
xorp_rtrmgr:3758 LIBXORP +741 
/home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libxorp/run_command.cc
 done ] Command "/opt/vyatta/sbin/xorp_tmpl_tool": exited with exit status 1.
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41  ERROR 
xorp_rtrmgr:3758 RTRMGR +1647 
/home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/task.cc 
execute_done ] Error found on program stderr!
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41  ERROR 
xorp_rtrmgr:3758 RTRMGR +701 
/home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc
 commit_pass2_done ] Commit failed: VPN configuration error.  The IKE group 
"IKE-1W" specified for peer "0.0.0.0" has not been configured. VPN 
configuration error.  The ESP group "ESP-1W" specified for peer "0.0.0.0" 
tunnel 1 has not been configured. VPN configuration commit aborted due to 
error(s).
Jan 28 14:33:36 localhost pluto[4670]: ERROR: "peer-yyy.xxx.zzz.qqq-tunnel-1" 
#1: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in main_outI1. Errno 101: 
Network is unreachable
Jan 28 14:33:36 localhost ipsec__plutorun: 003 ERROR: 
"peer-yyy.xxx.zzz.qqq-tunnel-1" #1: sendto on eth0 to yyy.xxx.zzz.qqq:500 
failed in main_outI1. Errno 101: Network is unreachable
Jan 28 14:33:40 localhost pluto[4670]: ERROR: "peer-yyy.xxx.zzz.qqq-tunnel-1" 
#2: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in STATE_MAIN_R0. Errno 101: 
Network is unreachable
Jan 28 14:33:46 localhost pluto[4670]: ERROR: "peer-yyy.xxx.zzz.qqq-tunnel-1" 
#1: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in EVENT_RETRANSMIT. Errno 
101: Network is unreachable
Jan 28 14:33:50 localhost pluto[4670]: ERROR: "peer-yyy.xxx.zzz.qqq-tunnel-1" 
#3: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in STATE_MAIN_R0. Errno 101: 
Network is unreachable


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Aubrey Wells
I vote for #1. Maybe it's just because I've been doing this for quite a
while, but I would think that most people who would be annoyed about
not being able to put a ? in a description or something know how to
use the ctrl-v escape like with a cisco. Maybe it can be a config
option?

set system online-help key-rebindings true

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Jan 29, 2008, at 5:27 PM, An-Cheng Huang wrote:

> Note also that if the '?' key is bound to auto-completion, the user  
> can still input the '?' character using the readline escape sequence  
> (i.e., in this case "Ctrl-v ?"). So basically it came down to a  
> choice between these:
>
> (1) Keep '?' key as help. To input a '?' character, prefix it with  
> "Ctrl-v".
> (2) Use some other key sequence for help. A '?' character can be  
> entered directly.
>
> At that time, (2) was deemed more acceptable than (1), so we  
> currently have (2).
>
> An-Cheng
>
> An-Cheng Huang wrote:
>> That was the first thing I tried when we started implementing the  
>> help system. The problem is when the user actually wants to input a  
>> '?' character, how do we rebind the '?' key back to the actual  
>> character? I also tried to rebind the key after seeing a quote  
>> (assuming '?' characters can only appear in quotes), etc., etc. In  
>> the end, this is a limitation in the readline library (which is  
>> used by bash for command line input). We _could_ change readline, I  
>> suppose, somewhere down the road.
>>
>> An-Cheng
>



Re: [Vyatta-users] vlan trunking?

2008-01-29 Thread Aubrey Wells
You are correct, a vif is a dot1q tagged vlan interface where the vif  
number is the vlan id. so to tag vlan 27 and 29 on interface eth0:


set interfaces ethernet eth0 vif 27
set interfaces ethernet eth0 vif 29
set interfaces ethernet eth0 vif 27 address 10.1.1.1 prefix-length 24
set interfaces ethernet eth0 vif 29 address 10.2.2.1 prefix-length 24
commit

make sense?

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com





On Jan 29, 2008, at 5:28 PM, [EMAIL PROTECTED] wrote:

Out of curiosity, does Vyatta (I'm currently using community edition
3) support vlan trunking? I have yet to see in any documentation or
tutorials any sort of the word trunk. I have seen tutorials that
have 2-3 vlan (vif interfaces) on a single physical interface -- so I
guess it's just implied trunking on the dot1q protocol?


Thanks in advance,

Aaron


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread An-Cheng Huang
Note also that if the '?' key is bound to auto-completion, the user can still 
input the '?' character using the readline escape sequence (i.e., in this case 
"Ctrl-v ?"). So basically it came down to a choice between these:

(1) Keep '?' key as help. To input a '?' character, prefix it with "Ctrl-v".
(2) Use some other key sequence for help. A '?' character can be entered 
directly.

At that time, (2) was deemed more acceptable than (1), so we currently have (2).

An-Cheng

An-Cheng Huang wrote:
> That was the first thing I tried when we started implementing the help 
> system. The problem is when the user actually wants to input a '?' character, 
> how do we rebind the '?' key back to the actual character? I also tried to 
> rebind the key after seeing a quote (assuming '?' characters can only appear 
> in quotes), etc., etc. In the end, this is a limitation in the readline 
> library (which is used by bash for command line input). We _could_ change 
> readline, I suppose, somewhere down the road.
> 
> An-Cheng



[Vyatta-users] vlan trunking?

2008-01-29 Thread aaron-linuxuser
Out of curiosity, does Vyatta (I'm currently using community edition 3) support 
vlan trunking? I have yet to see in any documentation or tutorials any sort of 
the word trunk. I have seen tutorials that have 2-3 vlan (vif interfaces) on a 
single physical interface -- so I guess it's just implied trunking on the dot1q 
protocol? 

Thanks in advance,

Aaron
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread An-Cheng Huang
In case people don't know about this: instead of '?', a user can get the help 
text using either of the following two key sequences: "Alt =" or "Alt ?". 
(These are the default key bindings for "possible-completions" in 
readline/bash.)

An-Cheng Huang wrote:
> That was the first thing I tried when we started implementing the help 
> system. The problem is when the user actually wants to input a '?' character, 
> how do we rebind the '?' key back to the actual character? I also tried to 
> rebind the key after seeing a quote (assuming '?' characters can only appear 
> in quotes), etc., etc. In the end, this is a limitation in the readline 
> library (which is used by bash for command line input). We _could_ change 
> readline, I suppose, somewhere down the road.
> 
> An-Cheng
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-29 Thread Justin Fletcher
Give "show log | match ERROR" a try.

Justin

On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]> wrote:
> I have this problem again. Now I was able to login to a user account I
> created, but unable to view logfiles since I'm in xorpsh.
>
> 2008/1/28, Justin Fletcher <[EMAIL PROTECTED]>:
>
> > Anything untoward in the log files?
> >
> > Justin
> >
> > On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > > Today I had a weird experience with Vyatta.
> > > I was unable to login on any account. Did a reboot, then everything was
> > > normal.
> > > What is going on?
> > >
> > > ___
> > > Vyatta-users mailing list
> > > Vyatta-users@mailman.vyatta.com
> > > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> > >
> > >
> >
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread An-Cheng Huang
Stig Thormodsrud wrote:
>>> #3 - I agree, please bring back my beloved ?! It's an automatic reflex to
>>> hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I
>>> realize that it's echoing the char to the screen rather than activating
>>> help.
>>>
>> Has anyone explored using ~/.inputrc to rebind the ? character to something
>> for auto-completion?  It might be possible to do
>>
>> $if Bash
>> "?": "C-IC-I"
>> $endif
> 
> Good call Stephen.  I just tried:
> 
> $if Bash
> "?": "\C-i"
> $endif
> 
> Maybe we won't have to give up the "?".
> 
> stig

That was the first thing I tried when we started implementing the help system. 
The problem is when the user actually wants to input a '?' character, how do we 
rebind the '?' key back to the actual character? I also tried to rebind the key 
after seeing a quote (assuming '?' characters can only appear in quotes), etc., 
etc. In the end, this is a limitation in the readline library (which is used by 
bash for command line input). We _could_ change readline, I suppose, somewhere 
down the road.

An-Cheng
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Unable to login, solved by reboot

2008-01-29 Thread Jostein Martinsen-Jones
I have this problem again. Now I was able to login to a user account I
created, but unable to view logfiles since I'm in xorpsh.

2008/1/28, Justin Fletcher <[EMAIL PROTECTED]>:
>
> Anything untoward in the log files?
>
> Justin
>
> On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > Today I had a weird experience with Vyatta.
> > I was unable to login on any account. Did a reboot, then everything was
> > normal.
> > What is going on?
> >
> > ___
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> >
> >
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Stig Thormodsrud
> > Frankly I miss the "?" and space auto-completion too, but am slowly
> > getting used to the <tab>.  Given that the new cli is integrated with
> > bash and "?" has special meaning to bash, then it probably limits our
> > usage of "?" for help.
> >
> >
> >
> > stig
> >
> >
> >
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Aubrey
> Wells
> > Sent: Tuesday, January 29, 2008 7:48 AM
> > To: Ken Felix (C)
> > Cc: vyatta-users@mailman.vyatta.com
> > Subject: Re: [Vyatta-users] glendale problems my 1st view
> >
> >
> >
> > #3 - I agree, please bring back my beloved ?! It's an automatic reflex to
> > hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I
> > realize that it's echoing the char to the screen rather than activating
> > help.
> >
> >
> >
> > That and the new CLI being mildly confusing (I'm adjusting to it) are my
> > only two complaints so far.
> 
> Has anyone explored using ~/.inputrc to rebind the ? character to something
> for auto-completion?  It might be possible to do
> 
> $if Bash
> "?": "C-IC-I"
> $endif

Good call Stephen.  I just tried:

$if Bash
"?": "\C-i"
$endif

And now I get the following:

[EMAIL PROTECTED] set <1st ?>
cluster     firewall    interfaces  policy      protocols   service
system      vpn
[edit]
[EMAIL PROTECTED] set <2nd ?>
Possible completions:
  cluster       Configure clustering
  firewall      Configure firewall
  interfaces    Network interface configuration
  policy        Configure routing policy
  protocols     Routing protocol configuration
  service       Service configuration
  system        System configuration
  vpn           Configure VPN


Maybe we won't have to give up the "?".

stig

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Firewall: block internal telnet

2008-01-29 Thread Justin Fletcher
See the Vyatta docs at http://www.vyatta.com/documentation/index.php; there
are examples in the firewall chapters.

Best,
Justin

On Jan 29, 2008 12:17 PM, Go Wow <[EMAIL PROTECTED]> wrote:
> okay thanks for replies.
>
> People help with this please: how can I block SSH on the router (i.e.
> 192.168.10.45) using the firewall? I want to give SSH access to only one
> IP, say xxx.xxx.xxx.xxx
>
> On 30/01/2008, Beau Walker <[EMAIL PROTECTED]> wrote:
> >
> >
> > You'll want to ask the List that. I could only answer your last question
> because the answer wasn't specific to Vyatta.
> >
> >
> > Beau Walker - CCNA, Linux+
> >
> >
> >
> > 
>  From: Go Wow [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 29, 2008 3:10 PM
> > To: Beau Walker
> > Subject: Re: [Vyatta-users] Firewall: block internal telnet
> >
> >
> > Okay how can I block SSH on the router (i.e. 192.168.10.45) using the firewall? I
> > want to give SSH access to only one IP, say xxx.xxx.xxx.xxx
>
>
>
> --
> Those that make the rule don't play the game!!
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Firewall: block internal telnet

2008-01-29 Thread Go Wow
Okay, thanks for the replies.

People help with this please: how can I block SSH on the router (i.e.
192.168.10.45) using the firewall? I want to give SSH access to only one
IP, say xxx.xxx.xxx.xxx

On 30/01/2008, Beau Walker <[EMAIL PROTECTED]> wrote:
>
>  You'll want to ask the List that. I could only answer your last question
> because the answer wasn't specific to Vyatta.
>
>
> Beau Walker - CCNA, Linux+
>
>
>  --
> *From:* Go Wow [mailto:[EMAIL PROTECTED]
> *Sent:* Tuesday, January 29, 2008 3:10 PM
> *To:* Beau Walker
> *Subject:* Re: [Vyatta-users] Firewall: block internal telnet
>
> Okay how can I block SSH on the router (i.e. 192.168.10.45) using the firewall? I
> want to give SSH access to only one IP, say xxx.xxx.xxx.xxx
>



-- 
Those that make the rule don't play the game!!
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Firewall: block internal telnet

2008-01-29 Thread Beau Walker
I believe you'd have to set up a firewall on each PC to block telnet
access from the local subnet, or start using VLANs.
 
The telnet traffic will connect to your internal systems just by going
through your switches with the current configuration.  The router will
never even see the traffic.
 

Beau Walker - CCNA, Linux+



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Go Wow
Sent: Tuesday, January 29, 2008 2:51 PM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] Firewall: block internal telnet



Hi

 I want to configure my firewall so that it blocks the internal systems
from telnet'ing each other. 

My config is 

 eth0 >> 192.168.10.45 (acting as WAN)
 eth1 >> 192.168.1.1 (Internal LAN)
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


[Vyatta-users] Firewall: block internal telnet

2008-01-29 Thread Go Wow
Hi

 I want to configure my firewall so that it blocks the internal systems from
telnet'ing each other.

My config is

 eth0 >> 192.168.10.45 (acting as WAN)
 eth1 >> 192.168.1.1 (Internal LAN)
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] NAT:Almost Done

2008-01-29 Thread John Gong
GW,

If you're trying to access the web server from the 192.168.1.x network, 
your client's browser should simply point to http://192.168.1.244.  It 
should not point to the 192.168.10.45:81 location because the traffic 
never reaches the router.

John

Go Wow wrote:
> Yeah I can view my inside internal webserver through my router using 
> NAT; what I can't do is view the same webserver from the internal LAN. 
> If I want to view it I have to use its internal IP and I can't go 
> through the router.
>  
> My eth0 >> 192.168.10.45  (acting as WAN)
> My eth1 >> 192.168.1.1  (My Internal Network)
> My Webserver >> 192.168.1.244 
>  
> From any system which is not a part of my vyatta router, if I put in 
> the address 192.168.10.45:81 I'm getting redirected to 192.168.1.244:80 
> which is my webserver, so far so good. But when I type in the address 
> 192.168.10.45:81 from one of my internal LAN systems it throws back the 
> "unable to connect" error. How do I get it fixed?
> 
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>   

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
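Both answers above (Beau Walker's on same-subnet telnet, John Gong's on reaching the web server from the LAN) rest on the same point: a packet only meets the router's firewall and NAT rules if it is actually sent to or through the router. The following is an added example, not code from the thread or from Vyatta, that models the two-interface box in these posts in Python and traces where a connection goes. The /24 masks, the client addresses and the way the rule table is represented are assumptions built from the addresses the posters gave.

```python
"""Trace where a LAN connection goes relative to a two-interface Vyatta box.

Added example, not from the thread or from Vyatta. Interface addresses and
the destination-NAT rule come from the posts above; the /24 masks, the
client addresses and everything else are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DnatRule:
    """One 'type: destination' NAT rule, as in the thread's config dumps."""
    inbound_interface: str
    protocol: str
    dst_address: IPv4Address
    dst_port: int
    inside_address: IPv4Address
    inside_port: int


# Router from the posts: eth0 "acting as WAN", eth1 the internal LAN.
ROUTER: Dict[str, IPv4Interface] = {
    "eth0": ip_interface("192.168.10.45/24"),
    "eth1": ip_interface("192.168.1.1/24"),
}

# Public 192.168.10.45:81 -> web server 192.168.1.244:80, bound to eth0.
RULES: List[DnatRule] = [
    DnatRule("eth0", "tcp", ip_address("192.168.10.45"), 81,
             ip_address("192.168.1.244"), 80),
]


def ingress_interface(src: IPv4Address) -> Optional[str]:
    """Interface a packet from a directly connected `src` arrives on."""
    for name, iface in ROUTER.items():
        if src in iface.network:
            return name
    return None


def trace(src: str, dst: str, dport: int, proto: str = "tcp") -> dict:
    """Classify the path of a connection from src to dst:dport."""
    s, d = ip_address(src), ip_address(dst)
    in_if = ingress_interface(s)
    router_ips = {iface.ip for iface in ROUTER.values()}

    # Same subnet as the sender and not the router's own address: the
    # switch delivers it host to host and no router rule ever sees it.
    if in_if and d in ROUTER[in_if].network and d not in router_ips:
        return {"path": "direct", "via_router": False, "ingress": in_if}

    # Destination NAT only fires for packets entering on the rule's
    # inbound-interface; a LAN client arrives on eth1, not eth0.
    for rule in RULES:
        if (rule.inbound_interface == in_if and rule.protocol == proto
                and rule.dst_address == d and rule.dst_port == dport):
            return {"path": "dnat", "via_router": True, "ingress": in_if,
                    "translated_to": (str(rule.inside_address), rule.inside_port)}

    # Addressed to the router itself with no matching NAT rule: it is
    # handed to a local socket, and refused if nothing listens there.
    if d in router_ips:
        return {"path": "local", "via_router": True, "ingress": in_if}

    return {"path": "forward", "via_router": True, "ingress": in_if}


if __name__ == "__main__":
    for args in (("192.168.1.50", "192.168.1.244", 23),   # LAN telnet to LAN host
                 ("192.168.10.77", "192.168.10.45", 81),  # outside client, NAT works
                 ("192.168.1.50", "192.168.10.45", 81),   # LAN client via public IP
                 ("192.168.1.50", "8.8.8.8", 443)):       # ordinary outbound
        print(args, "->", trace(*args))
```

`trace("192.168.1.50", "192.168.1.244", 23)` comes back as a direct delivery: the switch hands the frame to the server and the router's firewall never sees it, which is why a per-host firewall or VLANs are the only places to block it. `trace("192.168.1.50", "192.168.10.45", 81)` lands on the router's own port 81, because the destination rule is bound to inbound-interface eth0 and this packet arrived on eth1. A hairpin rule on eth1 alone would not fix that either: the server would answer the client directly from 192.168.1.244 rather than from 192.168.10.45, so such a rule also needs source NAT to keep the return path through the router. Using the internal address from the LAN, as John suggests, avoids the problem.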


[Vyatta-users] NAT:Almost Done

2008-01-29 Thread Go Wow
Yeah I can view my inside internal webserver through my router using NAT;
what I can't do is view the same webserver from the internal LAN. If I want to
view it I have to use its internal IP and I can't go through the router.

My eth0 >> 192.168.10.45 (acting as WAN)
My eth1 >> 192.168.1.1 (My Internal Network)
My Webserver >> 192.168.1.244

From any system which is not a part of my vyatta router, if I put in the
address 192.168.10.45:81 I'm getting redirected to 192.168.1.244:80 which is
my webserver, so far so good. But when I type in the address
192.168.10.45:81 from one of my internal LAN systems it throws back the
"unable to connect" error. How do I get it fixed?
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Aubrey Wells
I guess it's just so wildly different than any other router I've ever  
been on that it threw me for a loop with the bash integration. After  
reading the docs, it just talks about the new CLI's benefits, it never  
actually says "hey dummy, you just need to type your commands at the  
shell". I had to look at an example section and realize that that was a  
bash prompt. There was also something in the docs about it being  
called "the vshell" so I was searching for a "vshell" command to dump  
me into the cli.


I guess it's mostly the initial fumbling of how to get to the thing,  
and now it's just adjusting to not having a distinct router CLI. It's  
probably just culture shock and I'll get over it.


--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 29, 2008, at 12:11 PM, Dave Roberts wrote:

Aubrey, when you say it's "mildly confusing," what are you referring  
to?


-- Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
] On Behalf Of Aubrey Wells

Sent: Tuesday, January 29, 2008 7:48 AM
To: Ken Felix (C)
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] glendale problems my 1st view

#3 - I agree, please bring back my beloved ?! It's an automatic  
reflex to hit ? whenever I'm in a router. I end up hitting it 3 or 4  
times before I realize that it's echoing the char to the screen  
rather than activating help.


That and the new CLI being mildly confusing (I'm adjusting to it)  
are my only two complaints so far.


--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com


On Jan 28, 2008, at 10:03 PM, Ken Felix (C) wrote:



1. Still to date, OSPF md authentication is not enabled or even  
configurable


2. System uptime is now shown via "show version" & "show system  
uptime"


3. System help now requires a tab vs. the previous question mark on  
the CLI; I thought this was confusing at first


4. System configuration like for protocols ospf is slightly  
different vs. vc3


5. Any help on the CLI regardless of level shows bash options vs.  
the Vyatta engine options.

(confusing to say the least)


___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Dave Roberts
> I'm assuming at some later date a new vyatta user guide 
> will be posted?

At some point, we'll have completely reworked documentation. That may be a
couple months out for all of it, however (around the beta timeframe).
Lindsay is working hard to get it converted and track all the changes. As
I said in the announcement, Glendale is a **BIG** step forward. One
consequence of that is that almost all the documentation has to be at
least looked at to see if it needs updating. Many parts won't have large
changes, but they'll have to be reviewed nonetheless.

> Now that there are some small differences in the new vs. previous 
> release command syntax, will people be able to upload their 
> previous configs into, let's say, glendale and onwards, and 
> will it work? Or what problems could creep up during an upgrade?

Unfortunately, the changes are so significant that we decided to break CLI
compatibility with old configurations. That's something we generally don't
want to do moving forward, however.

The reason for that is that the changes were so fundamental that semantic
remapping of past configs into the new structure was virtually impossible.
This was particularly the case around the routing and policy
configuration. In other parts of the configuration, the changes should be
very minimal and are easily converted by hand.

-- Dave

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


[Vyatta-users] glendale problems my 1st view

2008-01-29 Thread ken Felix
I'm going to retry the md5 auth this afternoon when I get some more 
vyatta console time ;) Other than these immediate issues, it's been 
holding stable. I have to recheck BGP4 and ipsec, and then know for 
sure all is good.

I'm assuming at some later date a new vyatta user guide will be posted?

Now that there are some small differences in the new vs. previous release 
command syntax, will people be able to upload their previous configs 
into, let's say, glendale and onwards, and will it work? Or what 
problems could creep up during an upgrade?



___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


[Vyatta-users] Problem with vyatta installation

2008-01-29 Thread ken Felix
Do you recall if grub was installed and set up during the install? 
Sounds like it wasn't. Since this was a fresh install, you could go 
back in and re-install or use the update-grub/grub-install tools and that 
might get you going.

e.g.

unix command "update-grub" or "grub-install"


So boot the livecd, fsck the disk partition (i.e. /dev/sda1) and then 
mount this partition to /mnt and see if update-grub will allow you 
to update /dev/sda1 or whatever you have. Worst case use 
grub-install off the livecd and that should get you going.

Good luck and post on what you find out.



___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Stig Thormodsrud
Frankly I miss the "?" and space auto-completion too, but am slowly
getting used to the <tab>.  Given that the new cli is integrated with
bash and "?" has special meaning to bash, then it probably limits our
usage of "?" for help.

stig

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aubrey Wells
Sent: Tuesday, January 29, 2008 7:48 AM
To: Ken Felix (C)
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] glendale problems my 1st view


#3 - I agree, please bring back my beloved ?! It's an automatic reflex to
hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I
realize that it's echoing the char to the screen rather than activating
help.

That and the new CLI being mildly confusing (I'm adjusting to it) are my
only two complaints so far.


--

Aubrey Wells

Senior Engineer

Shelton | Johns Technology Group

A Vyatta Ready Partner

www.sheltonjohns.com

 

 





 

On Jan 28, 2008, at 10:03 PM, Ken Felix (C) wrote:

1. Still to date, OSPF md authentication is not enabled or even configurable

2. System uptime is now shown via "show version" & "show system uptime"

3. System help now requires a tab vs. the previous question mark on the
CLI; I thought this was confusing at first

4. System configuration like for protocols ospf is slightly different vs.
vc3

5. Any help on the CLI regardless of level shows bash options vs. the
Vyatta engine options.
(confusing to say the least)

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Dave Roberts
Aubrey, when you say it's "mildly confusing," what are you referring to?
 
-- Dave


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aubrey Wells
Sent: Tuesday, January 29, 2008 7:48 AM
To: Ken Felix (C)
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] glendale problems my 1st view


#3 - I agree, please bring back my beloved ?! It's an automatic reflex to
hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I
realize that it's echoing the char to the screen rather than activating
help. 

That and the new CLI being mildly confusing (I'm adjusting to it) are my
only two complaints so far.



--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 28, 2008, at 10:03 PM, Ken Felix (C) wrote:



1. Still to date, OSPF md authentication is not enabled or even configurable

2. System uptime is now shown via "show version" & "show system uptime"

3. System help now requires a tab vs. the previous question mark on the
CLI; I thought this was confusing at first

4. System configuration like for protocols ospf is slightly different vs.
vc3

5. Any help on the CLI regardless of level shows bash options vs. the
Vyatta engine options.
(confusing to say the least)



___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users



___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


[Vyatta-users] Problem with vyatta installation

2008-01-29 Thread Go Wow
Hi

  I have just installed vyatta from the livecd using the command "install-system"
and everything went fine; I got the message "Done". But now when I remove my
livecd and boot from HDD it doesn't read the partition table. It's a brand new
computer with Intel Dual Core, 1 GB RAM, 80 GB SATA and Intel Motherboard.
Can someone tell what I may be doing wrong or what's the problem?
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Justin Fletcher
>  5. any help on the CLI regardless of level show  bash options vrs th vyatta
> engine options.
>  (confusing to say the least )

If you're logged in as root, you'll get Unix commands listed as well as Vyatta
commands during tab completion/help.  However, if you're an admin level user,
you'll just see the Vyatta command set.  You can still issue Unix commands;
you'll just need to enter them directly.

Justin
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] just two more questions for today... :D

2008-01-29 Thread Justin Fletcher
I think we covered port forwarding :-)

The Vyatta sides of the VPN will be the same; configuring the other
end of the VPN client will be up to you for a site-to-site tunnel.

Undocumented now, but actually in Glendale Alpha 1 is remote client
VPN which works with Windows l2tp.  It's under VPN configuration as well.
Give it a go if you're connecting with Windows.

For a list, see http://www.vyatta.com/twiki/bin/view/Community/TopEnhancements.
Find something you'd like to have yourself, make sure it's not already in
Glendale :-) and work from the Glendale source base.

Glendale is a VERY different CLI than previous releases; it makes adding new
features much simpler once you're used to the new CLI template structure.

Best,
Justin

On Jan 28, 2008 2:32 PM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> I just made a script to load a firewall with iptables.
> I know iptables so until the bug gets fixed I'll just
> do it that way.  I do have two more questions though.
>
> 1). How do I setup 'port-forwarding'.  So when you go
> through port 80 from the wan it sends it to some ip on
> the internal network at port 80?  Do I do this with NAT?
>
> 2). Are there any easy guides on setting up a vpn?  Not a vpn
> like a cisco router to the vyatta router because I found those
> guides, but just a vpn that I can access from work or on any
> computer providing they have an ipsec client?
>
> Is there a list of things you guys want made for Vyatta or a
> project site somewhere?  I'm always looking for things to do in
> my off time.
>
> Nate
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Starting to get really frustrated... GRRR :D

2008-01-29 Thread Justin Fletcher
Here's what I use to port-forward ssh; just adjust for address (where
destination address is the public IP) and change it to http.

rule 2 {
type: "destination"
inbound-interface: "eth0"
protocols: "tcp"
source {
network: 0.0.0.0/0
}
destination {
address: 1.2.3.4
port-name ssh
}
inside-address {
address: 10.0.0.30
}
}

Best,
Justin


On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> Can someone please help me get this worked out?
> Nate
>
>
> > Ok these are my nat rules now, I didn't see a command to change the rule
> > numbers so I just redid them all by hand.  It still doesn't work.
> >
> >  rule 1 {
> > type: "destination"
> > inbound-interface: "eth0"
> > protocols: "tcp"
> > destination {
> > address: "71.62.193.105"
> > port-name http
> > }
> > inside-address {
> > address: 192.168.0.105
> > }
> > }
> > rule 2 {
> > type: "masquerade"
> > outbound-interface: "eth0"
> > protocols: "all"
> > source {
> > network: "192.168.0.0/24"
> > }
> > destination {
> > network: "0.0.0.0/0"
> > }
> > }
> > rule 3 {
> > type: "masquerade"
> > outbound-interface: "eth0"
> > protocols: "all"
> > source {
> > network: "192.168.1.0/24"
> > }
> > destination {
> > network: "0.0.0.0/0"
> > }
> > }
> >
> > Nate
> >
> > On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> > > Hi Nate,
> > >
> > > The "inside-address" is the internal (private) IP address of your Web 
> > > server, which in your case is 192.168.0.105. The "destination address" 
> > > should actually be the public IP address that outside clients will use to 
> > > access your server, so usually this is the public IP address of your 
> > > router.
> > >
> > > An-Cheng
> > >
> > > Nathan McBride wrote:
> > > > I went and looked at the old docs.  I thought I set them up correctly
> > > > but apparently I didn't.  All I'm trying to do is to get people on the
> > > > internet to view the website on my comp (192.168.0.105).  The only
> > > > difference that I noticed when I tried to commit the example in the old
> > > > docs was that vc3 requires an 'inside-address'.  Could someone please
> > > > help me correct this to get it working?
> > > >
> > > > rule 3 {
> > > > type: "destination"
> > > > inbound-interface: "eth0"
> > > > protocols: "tcp"
> > > > destination {
> > > > address: "192.168.0.105"
> > > > port-name http
> > > > }
> > > > inside-address {
> > > > address: 192.168.0.105 <-- didn't know what to put here
> > > > exactly...
> > > > }
> > > > }
> > > >
> >
> > ___
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
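Nathan's first attempt and An-Cheng's correction show how easy it is to put the server's own address in the destination block of a destination-NAT rule. The following is an added example, not from the thread or from Vyatta: a small Python parser for the curly-brace rule text pasted in these messages, plus a lint that flags the two mistakes discussed (destination address equal to the inside address, and a destination rule with no inside-address). The sample rule text is constructed from the rules Nathan posted; the checks are my own and are not Vyatta's validation.

```python
"""Parse and lint VC3-style NAT rule text as pasted in this thread.
Added example, not from the thread or from Vyatta; the lint encodes the
mistakes discussed in these messages, not Vyatta's own validation."""
import re
from typing import Any, Dict, List


def _parse_block(text: str) -> Dict[str, Any]:
    # Nested 'name { ... }' blocks become nested dicts; leaf lines may be
    # 'key: value', 'key: "value"' or 'key value' (as in 'port-name http').
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' in NAT config")
            stack.pop()
        elif line.endswith("{"):
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            parts = re.split(r":\s*|\s+", line, maxsplit=1)
            value = parts[1].strip().strip('"') if len(parts) > 1 else True
            stack[-1][parts[0]] = value
    if len(stack) != 1:
        raise ValueError("unclosed '{' in NAT config")
    return root


def parse_nat_rules(text: str) -> Dict[int, Dict[str, Any]]:
    """Return {rule_number: rule_dict} for every 'rule N { ... }' block."""
    rules: Dict[int, Dict[str, Any]] = {}
    for key, node in _parse_block(text).items():
        m = re.fullmatch(r"rule\s+(\d+)", key)
        if m:
            rules[int(m.group(1))] = node
    return rules


def lint_nat_rules(rules: Dict[int, Dict[str, Any]]) -> List[str]:
    """Flag the destination-NAT mistakes discussed in the thread."""
    findings: List[str] = []
    for n in sorted(rules):
        r = rules[n]
        kind = r.get("type")
        dst = r.get("destination", {}).get("address")
        inside = r.get("inside-address", {}).get("address")
        if kind == "destination":
            if not r.get("inbound-interface"):
                findings.append(f"rule {n}: destination NAT has no inbound-interface")
            if inside is None:
                findings.append(f"rule {n}: destination NAT needs an inside-address")
            elif dst == inside:
                findings.append(f"rule {n}: destination address equals the inside "
                                "address; it must be the public address clients use")
        elif kind == "masquerade" and not r.get("outbound-interface"):
            findings.append(f"rule {n}: masquerade has no outbound-interface")
    return findings


# Constructed from the rules posted in this thread: Nathan's first attempt,
# with the server's own address as the destination, and the corrected set.
BROKEN = """
rule 3 {
type: "destination"
inbound-interface: "eth0"
protocols: "tcp"
destination {
address: "192.168.0.105"
port-name http
}
inside-address {
address: 192.168.0.105
}
}
"""
FIXED = """
rule 1 {
type: "destination"
inbound-interface: "eth0"
protocols: "tcp"
destination {
address: "71.62.193.105"
port-name http
}
inside-address {
address: 192.168.0.105
}
}
rule 2 {
type: "masquerade"
outbound-interface: "eth0"
source {
network: "192.168.0.0/24"
}
}
"""
```

`lint_nat_rules(parse_nat_rules(BROKEN))` reports the single problem An-Cheng pointed out, and the same call on `FIXED` returns an empty list. The parser keeps the rule numbers, so the same dictionaries can be compared before and after a renumbering by hand like the one Nathan describes.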


Re: [Vyatta-users] Weird Routing problem on VC2

2008-01-29 Thread Justin Fletcher
Personally, I'd try Alpha 1.  It'll need more polishing and features to add
(which is why it's an alpha) but there are major improvements with the
routing protocols.  Check the Glendale bug list, and see if you'd be affected
by any of these first (like no GUI yet).

Also note that your existing configuration won't be preserved on ISO install,
which means you'll have to re-enter it, and there have been major changes to
CLI syntax - even to how you configure an interface (from address prefix-length
CML to address/CML).  However, VPN, firewall, NAT, clustering, and serial
commands should be the same, so you CAN copy an old configuration back and
edit it - it's just that there will be a lot of iterations of loading the
configuration to identify and adjust configuration changes.

Justin

On Jan 28, 2008 7:08 PM, Daren Tay <[EMAIL PROTECTED]> wrote:
> Hi Justin,
>
> embarrassingly so man... haha.
>
> So there are issues with routing after link failures huh.. yep.. we are
> looking to upgrade to VC3 once the new box is in... but to use Alpha 1? Is
> it advisable? It will be for production use.
>
> I need to use the router to handle 2 different WAN connection for 2 separate
> NAT networks.
>
> Daren
>
> -Original Message-
> From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 12:18 AM
> To: Daren Tay
>
> Cc: Robert Bays; Vyatta-users@mailman.vyatta.com
> Subject: Re: [Vyatta-users] Weird Routing problem on VC2
>
>
> Glad you got that figured out - many pieces in play!
>
> Yes, there have been issues with the routing protocols with link failure; a
> search in the bug database will turn up a number of issues.  I'd strongly
> suggest that you look into upgrading to VC3 and check out Glendale Alpha 1.
>
> Best,
> Justin
>
> On Jan 27, 2008 7:03 PM, Daren Tay <[EMAIL PROTECTED]> wrote:
> > Hi all,
> >
> > finally resolved the 1st problem (cannot detect newly inserted web
> > machine):
> > end up it was a change in config in the firewall that caused the
> > situation... my guys changed it without informing me but still, many
> > apologies for the false alarm. My bad.
> >
> > secondly though, the problem still stands. when I plug out the network
> > cables from the router, and insert back in, everything fails.. the router
> > will fail to route. I will need to reset the server for it to work again.
> > For now, we are waiting for a new box to arrive before using VC2.2 and
> > hopefully that resolves the issues, but wonder if it is a bug.. or a badly
> > configured option somewhere?
> >
> > is this the arp cache you are talking about?
> > router:~# arp
> > Address  HWtype  HWaddress   Flags Mask
> > Iface
> >ether   00:0C:DB:2B:AB:68   C
> > eth0
> > 192.168.3.1  ether   00:1B:0C:30:B4:80   C
> > eth1
> >
> > Thanks for your patience guys :)
> > Daren
> >
> > -Original Message-
> > From: Robert Bays [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 28, 2008 9:32 AM
> > To: Daren Tay
> >
> > Cc: Justin Fletcher; Vyatta-users@mailman.vyatta.com
> > Subject: Re: [Vyatta-users] Weird Routing problem on VC2
> >
> >
> > Daren,
> >
> > Sounds like the router still can't find the new host.  What does your arp
> > cache say for 192.168.1.13 after you try to ping it?  What does your
> > routing table look like?
> >
> > cheers,
> > robert.
> >
> > Daren Tay wrote:
> > > Nope, it was 'pingable' before.
> > > I can still ping the other web servers connected to it... but the newly
> > > added one I can't.
> > > Yet I am able to route out to the public network from the new box...
> > >
> > > -Original Message-
> > > From: Justin Fletcher [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, January 25, 2008 3:16 PM
> > > To: Daren Tay
> > > Cc: Vyatta-users@mailman.vyatta.com
> > > Subject: Re: [Vyatta-users] Weird Routing problem on VC2
> > >
> > >
> > > Does the load balancer have ICMP disabled?  That'd certainly explain
> > > that, unless
> > > you were able to ping it before --
> > >
> > > Since you have the load balancer between the router, I suspect it's a
> > > load balancer issue.
> > >
> > > You can see what's going on by running tshark/tcpdump on the interface,
> > and
> > > see
> > > what's on the wire.  If you can examine the traffic between the load
> > > balancer and the
> > > servers, you'll learn more :-)
> > >
> > > Justin
> > >
> > > On Jan 24, 2008 10:40 PM, Daren Tay <[EMAIL PROTECTED]> wrote:
> > >> Hi guys,
> > >>
> > >> anyone?
> > >>
> > >> Thanks,
> > >> Daren
> > >>
> > >>
> > >> -Original Message-
> > >> From: [EMAIL PROTECTED]
> > >> [mailto:[EMAIL PROTECTED] Behalf Of Daren Tay
> > >> Sent: Wednesday, January 23, 2008 6:29 PM
> > >> To: Vyatta-users@mailman.vyatta.com
> > >> Subject: [Vyatta-users] Weird Routing problem on VC2
> > >>
> > >>
> > >> Hi guys
> > >>
> > >> I have this queer problem.
> > >>
> > >> My setup with Vyatta is like this
> > >>
> > >>
> > >> Internet --- Firewall --- Vyatta Router --- Load

Re: [Vyatta-users] Starting to get really frustrated... GRRR :D

2008-01-29 Thread Nathan McBride
Can someone please help me get this worked out?
Nate

> Ok these are my NAT rules now, I didn't see a command to change the rule
> numbers so I just redid them all by hand.  It still doesn't work.
> 
> rule 1 {
>     type: "destination"
>     inbound-interface: "eth0"
>     protocols: "tcp"
>     destination {
>         address: "71.62.193.105"
>         port-name http
>     }
>     inside-address {
>         address: 192.168.0.105
>     }
> }
> rule 2 {
>     type: "masquerade"
>     outbound-interface: "eth0"
>     protocols: "all"
>     source {
>         network: "192.168.0.0/24"
>     }
>     destination {
>         network: "0.0.0.0/0"
>     }
> }
> rule 3 {
>     type: "masquerade"
>     outbound-interface: "eth0"
>     protocols: "all"
>     source {
>         network: "192.168.1.0/24"
>     }
>     destination {
>         network: "0.0.0.0/0"
>     }
> }
> 
> Nate
> 
> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
> > Hi Nate,
> > 
> > The "inside-address" is the internal (private) IP address of your Web 
> > server, which in your case is 192.168.0.105. The "destination address" 
> > should actually be the public IP address that outside clients will use to 
> > access your server, so usually this is the public IP address of your router.
> > 
> > An-Cheng
> > 
> > Nathan McBride wrote:
> > > I went and looked at the old docs.  I thought I set them up correctly
> > > but apparently I didn't.  All I'm trying to do is to get people on the
> > > internet to view the website on my comp (192.168.0.105).  The only
> > > difference that I noticed when I tried to commit the example in the old
> > > docs was that vc3 requires an 'inside-address'.  Could someone please
> > > help me correct this to get it working?
> > > 
> > > rule 3 {
> > >     type: "destination"
> > >     inbound-interface: "eth0"
> > >     protocols: "tcp"
> > >     destination {
> > >         address: "192.168.0.105"
> > >         port-name http
> > >     }
> > >     inside-address {
> > >         address: 192.168.0.105 <-- didn't know what to put here
> > >         exactly...
> > >     }
> > > }
> > > 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users

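A worked check for the mistake An-Cheng points out, added here as an example that is not part of the thread or of Vyatta's own tooling: it parses the brace/`key: value` rule syntax exactly as quoted above (the sample rule text is constructed from Nate's post) and flags a destination NAT rule whose destination address is a private address rather than the router's public one.

```python
import ipaddress

# Constructed sample in the VC3 rule syntax quoted in the thread (not real config):
# the destination address is the private host itself, which is the reported bug.
BROKEN_RULE = """
rule 3 {
type: "destination"
inbound-interface: "eth0"
protocols: "tcp"
destination {
address: "192.168.0.105"
port-name http
}
inside-address {
address: 192.168.0.105
}
}
"""
FIXED_RULE = BROKEN_RULE.replace('address: "192.168.0.105"', 'address: "71.62.193.105"')

def parse(text):
    # `name {` opens a nested dict (name may contain spaces, e.g. "rule 3"), `}` closes it,
    # and any other line is a `key: value` or `key value` leaf with optional quotes.
    cur = root = {}
    stack = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, val = line.partition(" ")
            cur[key.rstrip(":")] = val.strip().strip('"')
    return root

def check_dnat(config):
    # A destination rule must publish the router's public IP and map it to a private host.
    findings = []
    for name, rule in config.items():
        if not isinstance(rule, dict) or rule.get("type") != "destination":
            continue
        public = rule.get("destination", {}).get("address", "")
        inside = rule.get("inside-address", {}).get("address", "")
        try:
            if ipaddress.ip_address(public).is_private:
                findings.append(f"{name}: destination address {public} is private")
            if not ipaddress.ip_address(inside).is_private:
                findings.append(f"{name}: inside-address {inside} is not a private host")
        except ValueError:
            findings.append(f"{name}: missing or invalid address")
    return findings
```

Running `check_dnat(parse(BROKEN_RULE))` reports the private destination address, while the same rule with the public address passes clean.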


Re: [Vyatta-users] glendale problems my 1st view

2008-01-29 Thread Aubrey Wells
#3 - I agree, please bring back my beloved ?! It's an automatic reflex
to hit ? whenever I'm in a router. I end up hitting it 3 or 4 times
before I realize that it's echoing the char to the screen rather than
activating help.

That and the new CLI being mildly confusing (I'm adjusting to it) are
my only two complaints so far.


--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 28, 2008, at 10:03 PM, Ken Felix (C) wrote:

1. Still to date, OSPF md authentication is not enabled or even
configurable

2. System uptime is now shown via "show version" & "show system uptime"

3. system help now requires a tab vs the previous question mark on
the CLI, I thought this was confusing at first

4. system configuration like for protocols ospf is slightly
different vs vc3

5. any help on the CLI regardless of level shows bash options vs the
vyatta engine options.

(confusing to say the least)



