Re: [Vyatta-users] Starting to get really frustrated... GRRR :D
Can someone please help me get this worked out? Nate

Ok these are my NAT rules now, I didn't see a command to change the rule numbers so I just redid them all by hand. It still doesn't work.

rule 1 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 71.62.193.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105
    }
}
rule 2 {
    type: masquerade
    outbound-interface: eth0
    protocols: all
    source {
        network: 192.168.0.0/24
    }
    destination {
        network: 0.0.0.0/0
    }
}
rule 3 {
    type: masquerade
    outbound-interface: eth0
    protocols: all
    source {
        network: 192.168.1.0/24
    }
    destination {
        network: 0.0.0.0/0
    }
}

Nate

On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
Hi Nate, The inside-address is the internal (private) IP address of your Web server, which in your case is 192.168.0.105. The destination address should actually be the public IP address that outside clients will use to access your server, so usually this is the public IP address of your router. An-Cheng

Nathan McBride wrote:
I went and looked at the old docs. I thought I set them up correctly but apparently I didn't. All I'm trying to do is to get people on the internet to view the website on my comp (192.168.0.105). The only difference that I noticed when I tried to commit the example in the old docs was that vc3 requires an 'inside-address'. Could someone please help me correct this to get it working?

rule 3 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 192.168.0.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105 -- didn't know what to put here exactly...
    }
}

___ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] glendale problems my 1st view
5. any help on the CLI regardless of level shows bash options vs the Vyatta engine options. (confusing to say the least)

If you're logged in as root, you'll get Unix commands listed as well as Vyatta commands during tab completion/help. However, if you're an admin level user, you'll just see the Vyatta command set. You can still issue Unix commands; you'll just need to enter them directly. Justin
Re: [Vyatta-users] Starting to get really frustrated... GRRR :D
Here's what I use to port-forward ssh; just adjust for address (where destination address is the public IP) and change it to http.

rule 2 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 1.2.3.4
        port-name ssh
    }
    inside-address {
        address: 10.0.0.30
    }
}

Best, Justin

On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote:
Can someone please help me get this worked out? Nate

Ok these are my NAT rules now, I didn't see a command to change the rule numbers so I just redid them all by hand. It still doesn't work.

rule 1 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 71.62.193.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105
    }
}
rule 2 {
    type: masquerade
    outbound-interface: eth0
    protocols: all
    source {
        network: 192.168.0.0/24
    }
    destination {
        network: 0.0.0.0/0
    }
}
rule 3 {
    type: masquerade
    outbound-interface: eth0
    protocols: all
    source {
        network: 192.168.1.0/24
    }
    destination {
        network: 0.0.0.0/0
    }
}

Nate

On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
Hi Nate, The inside-address is the internal (private) IP address of your Web server, which in your case is 192.168.0.105. The destination address should actually be the public IP address that outside clients will use to access your server, so usually this is the public IP address of your router. An-Cheng

Nathan McBride wrote:
I went and looked at the old docs. I thought I set them up correctly but apparently I didn't. All I'm trying to do is to get people on the internet to view the website on my comp (192.168.0.105). The only difference that I noticed when I tried to commit the example in the old docs was that vc3 requires an 'inside-address'. Could someone please help me correct this to get it working?

rule 3 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 192.168.0.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105 -- didn't know what to put here exactly...
    }
}
Re: [Vyatta-users] glendale problems my 1st view
#3 - I agree, please bring back my beloved ?! It's an automatic reflex to hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I realize that it's echoing the char to the screen rather than activating help. That and the new CLI being mildly confusing (I'm adjusting to it) are my only two complaints so far.

-- Aubrey Wells, Senior Engineer, Shelton | Johns Technology Group, A Vyatta Ready Partner, www.sheltonjohns.com

On Jan 28, 2008, at 10:03 PM, Ken Felix (C) wrote:
1. Still to date, OSPF md authentication is not enabled or even configurable
2. System uptime is now shown via show version / show system uptime
3. system help now requires a tab vs the previous question mark on the CLI, I thought this was confusing at first
4. system configuration like for protocols ospf is slightly different vs vc3
5. any help on the CLI regardless of level shows bash options vs the Vyatta engine options. (confusing to say the least)
Re: [Vyatta-users] glendale problems my 1st view
Frankly I miss the ? and space auto-completion too, but am slowly getting used to the tab-tab. Given that the new CLI is integrated with bash and ? has special meaning to bash, then it probably limits our usage of ? for help. stig

From: [EMAIL PROTECTED] On Behalf Of Aubrey Wells
Sent: Tuesday, January 29, 2008 7:48 AM
To: Ken Felix (C)
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] glendale problems my 1st view

#3 - I agree, please bring back my beloved ?! It's an automatic reflex to hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I realize that it's echoing the char to the screen rather than activating help. That and the new CLI being mildly confusing (I'm adjusting to it) are my only two complaints so far.

-- Aubrey Wells, Senior Engineer, Shelton | Johns Technology Group, A Vyatta Ready Partner, www.sheltonjohns.com

On Jan 28, 2008, at 10:03 PM, Ken Felix (C) wrote:
1. Still to date, OSPF md authentication is not enabled or even configurable
2. System uptime is now shown via show version / show system uptime
3. system help now requires a tab vs the previous question mark on the CLI, I thought this was confusing at first
4. system configuration like for protocols ospf is slightly different vs vc3
5. any help on the CLI regardless of level shows bash options vs the Vyatta engine options. (confusing to say the least)
Re: [Vyatta-users] glendale problems my 1st view
Aubrey, when you say it's mildly confusing, what are you referring to? -- Dave

From: [EMAIL PROTECTED] On Behalf Of Aubrey Wells
Sent: Tuesday, January 29, 2008 7:48 AM
To: Ken Felix (C)
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] glendale problems my 1st view

#3 - I agree, please bring back my beloved ?! It's an automatic reflex to hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I realize that it's echoing the char to the screen rather than activating help. That and the new CLI being mildly confusing (I'm adjusting to it) are my only two complaints so far.

-- Aubrey Wells, Senior Engineer, Shelton | Johns Technology Group, A Vyatta Ready Partner, www.sheltonjohns.com

On Jan 28, 2008, at 10:03 PM, Ken Felix (C) wrote:
1. Still to date, OSPF md authentication is not enabled or even configurable
2. System uptime is now shown via show version / show system uptime
3. system help now requires a tab vs the previous question mark on the CLI, I thought this was confusing at first
4. system configuration like for protocols ospf is slightly different vs vc3
5. any help on the CLI regardless of level shows bash options vs the Vyatta engine options. (confusing to say the least)
[Vyatta-users] Problem with vyatta installation
Do you recall if grub was installed and set up during the install? Sounds like it wasn't. Since this was a fresh install, you could go back in and re-install or use the grub update/install tools and that might get you going, e.g. the Unix commands update-grub or grub-install.

So boot the livecd, fsck the disk partition (i.e. /dev/sda1) and then mount this partition to /mnt and see if update-grub will allow you to update /dev/sda1 or whatever you have. Worst case, use grub-install off the livecd and that should get you going.

Good luck and post on what you find out.
[Vyatta-users] Problem with vyatta installation
Hi, I have just installed vyatta from livecd using the command install-system and everything went fine; I got the message Done. But now when I removed my livecd and boot from HDD it doesn't read the partition table. It's a brand new computer with Intel Dual Core, 1 GB RAM, 80 GB SATA and Intel motherboard. Can someone tell what I may be doing wrong or what's the problem?
Re: [Vyatta-users] glendale problems my 1st view
I guess it's just so wildly different than any other router I've ever been on that it threw me for a loop with the bash integration. After reading the docs, it just talks about the new CLI's benefits; it never actually says "hey dummy, you just need to type your commands at the shell". I had to look at an example section and realize that that was a bash prompt. There was also something in the docs about it being called the vshell, so I was searching for a vshell command to dump me in to the CLI. I guess it's mostly the initial fumbling of how to get to the thing, and now it's just adjusting to not having a distinct router CLI. It's probably just culture shock and I'll get over it.

-- Aubrey Wells, Senior Engineer, Shelton | Johns Technology Group, A Vyatta Ready Partner, www.sheltonjohns.com

On Jan 29, 2008, at 12:11 PM, Dave Roberts wrote:
Aubrey, when you say it's mildly confusing, what are you referring to? -- Dave

From: [EMAIL PROTECTED] On Behalf Of Aubrey Wells
Sent: Tuesday, January 29, 2008 7:48 AM
To: Ken Felix (C)
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] glendale problems my 1st view

#3 - I agree, please bring back my beloved ?! It's an automatic reflex to hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I realize that it's echoing the char to the screen rather than activating help. That and the new CLI being mildly confusing (I'm adjusting to it) are my only two complaints so far.

-- Aubrey Wells, Senior Engineer, Shelton | Johns Technology Group, A Vyatta Ready Partner, www.sheltonjohns.com

On Jan 28, 2008, at 10:03 PM, Ken Felix (C) wrote:
1. Still to date, OSPF md authentication is not enabled or even configurable
2. System uptime is now shown via show version / show system uptime
3. system help now requires a tab vs the previous question mark on the CLI, I thought this was confusing at first
4. system configuration like for protocols ospf is slightly different vs vc3
5. any help on the CLI regardless of level shows bash options vs the Vyatta engine options. (confusing to say the least)
[Vyatta-users] glendale problems my 1st view
I'm going to retry the md5 auth this afternoon when I get some more vyatta console time ;) Other than these immediate issues, it's been holding stable. I have to recheck BGP4 and ipsec, and then know for sure all is good. I'm assuming at some later date a new vyatta user guide will be posted? Now that there are some small differences in the new vs previous release command syntax, will people be able to upload their previous configs into, let's say, glendale and onwards, and will it work? Or what problems could creep up during an upgrade?
Re: [Vyatta-users] Weird Routing problem on VC2
Personally, I'd try Alpha 1. It'll need more polishing and features to add (which is why it's an alpha) but there are major improvements with the routing protocols. Check the Glendale bug list, and see if you'd be affected by any of these first (like no GUI yet). Also note that your existing configuration won't be preserved on ISO install, which means you'll have to re-enter it, and there have been major changes to CLI syntax - even to how you configure an interface (from address prefix-length CML to address/CML). However, VPN, firewall, NAT, clustering, and serial commands should be the same, so you CAN copy an old configuration back and edit it - it's just that there will be a lot of iterations of loading the configuration to identify and adjust configuration changes. Justin

On Jan 28, 2008 7:08 PM, Daren Tay [EMAIL PROTECTED] wrote:
Hi Justin, embarrassingly so man... haha. So there are issues with routing after link failures huh.. yep.. we are looking to upgrade to VC3 once the new box is in... but to use Alpha 1? Is it advisable? It will be for production use. I need to use the router to handle 2 different WAN connections for 2 separate NAT networks. Daren

-----Original Message-----
From: Justin Fletcher [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 12:18 AM
To: Daren Tay
Cc: Robert Bays; Vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Weird Routing problem on VC2

Glad you got that figured out - many pieces in play! Yes, there have been issues with the routing protocols with link failure; a search in the bug database will turn up a number of issues. I'd strongly suggest that you look into upgrading to VC3 and check out Glendale Alpha 1. Best, Justin

On Jan 27, 2008 7:03 PM, Daren Tay [EMAIL PROTECTED] wrote:
Hi all, finally resolved the 1st problem (cannot detect newly inserted web machine): end up it was a change in config in the firewall that caused the situation... my guys changed it without informing me but still, many apologies for the false alarm. My bad.

Secondly though, the problem still stands. When I plug out the network cables from the router, and insert back in, everything fails.. the router will fail to route. I will need to reset the server for it to work again. For now, we are waiting for a new box to arrive before using VC2.2 and hopefully that resolves the issues, but wonder if it is a bug.. or a badly configured option somewhere? Is this the arp cache you are talking about?

router:~# arp
Address        HWtype  HWaddress           Flags Mask  Iface
gateway ip     ether   00:0C:DB:2B:AB:68   C           eth0
192.168.3.1    ether   00:1B:0C:30:B4:80   C           eth1

Thanks for your patience guys :) Daren

-----Original Message-----
From: Robert Bays [mailto:[EMAIL PROTECTED]
Sent: Monday, January 28, 2008 9:32 AM
To: Daren Tay
Cc: Justin Fletcher; Vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Weird Routing problem on VC2

Daren, Sounds like the router still can't find the new host. What does your arp cache say for 192.168.1.13 after you try to ping it? What does your routing table look like? cheers, robert.

Daren Tay wrote:
Nope, it was 'pingable' before. I can still ping the other web servers connected to it... but the newly added one I can't. Yet I am able to route out to the public network from the new box...

-----Original Message-----
From: Justin Fletcher [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 3:16 PM
To: Daren Tay
Cc: Vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Weird Routing problem on VC2

Does the load balancer have ICMP disabled? That'd certainly explain that, unless you were able to ping it before -- Since you have the load balancer between the router, I suspect it's a load balancer issue. You can see what's going on by running tshark/tcpdump on the interface, and see what's on the wire. If you can examine the traffic between the load balancer and the servers, you'll learn more :-) Justin

On Jan 24, 2008 10:40 PM, Daren Tay [EMAIL PROTECTED] wrote:
Hi guys, anyone? Thanks, Daren

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Daren Tay
Sent: Wednesday, January 23, 2008 6:29 PM
To: Vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] Weird Routing problem on VC2

Hi guys, I have this queer problem. My setup with Vyatta is like this:

Internet --- Firewall --- Vyatta Router --- Load Balancer --- 03 x Web Servers
                                                |
                                          staging server

As you can see, the router sits in front of the load balancer. First... generally whenever
Re: [Vyatta-users] Firewall: block internal telnet
Okay, thanks for replies. People help with this please: how can I block ssh on router i.e. 192.168.10.45 using firewall? I want to give access of ssh to say only ip xxx.xxx.xxx.xxx

On 30/01/2008, Beau Walker [EMAIL PROTECTED] wrote:
You'll want to ask the List that. I could only answer your last question because the answer wasn't specific to Vyatta. Beau Walker - CCNA, Linux+

From: Go Wow [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 3:10 PM
To: Beau Walker
Subject: Re: [Vyatta-users] Firewall: block internal telnet

Okay, how can I block ssh on router i.e. 192.168.10.45 using firewall? I want to give access of ssh to say only ip xxx.xxx.xxx.xxx -- Those that make the rule don't play the game!!
[Vyatta-users] NAT:Almost Done
Yeah, I can view my inside internal webserver through my router using NAT; what I can't do is view the same webserver from the internal LAN. If I want to view it I have to issue its internal IP and I can't go through the router.

My eth0 192.168.10.45 (acting as WAN)
My eth1 192.168.1.1 (My Internal Network)
My Webserver 192.168.1.244

From any system which is not a part of my vyatta router, if I put in the address 192.168.10.45:81 I'm getting redirected to 192.168.1.244:80 which is my webserver, so far so good. But when I type in the address 192.168.10.45:81 from one of my internal LAN systems it throws back the "unable to connect" error. How do I get it fixed?
Re: [Vyatta-users] NAT:Almost Done
GW, If you're trying to access the web server from the 192.168.1.x network, your client's browser should simply point to http://192.168.1.244. It should not point to the 192.168.10.45:81 location because the traffic never reaches the router. John

Go Wow wrote:
Yeah, I can view my inside internal webserver through my router using NAT; what I can't do is view the same webserver from the internal LAN. If I want to view it I have to issue its internal IP and I can't go through the router.

My eth0 192.168.10.45 (acting as WAN)
My eth1 192.168.1.1 (My Internal Network)
My Webserver 192.168.1.244

From any system which is not a part of my vyatta router, if I put in the address 192.168.10.45:81 I'm getting redirected to 192.168.1.244:80 which is my webserver, so far so good. But when I type in the address 192.168.10.45:81 from one of my internal LAN systems it throws back the "unable to connect" error. How do I get it fixed?
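The two NAT threads above (Nate's port-forward rules and the 192.168.10.45:81 forward in this one) hinge on how a vc3 `type: destination` rule is matched: on the interface the packet enters, the protocol, and the destination address and port as they appear on the wire, with `inside-address` only naming the rewrite target. The following is an added example, not Vyatta code and not posted by anyone on the list; it is a small Python model of that matching logic. The rule sets and addresses are constructed from the thread, port translation on `inside-address` is an assumption of this model, and the masquerade step rewrites the source to whatever address is given for the egress interface.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple, Union

# Port names used in the thread; a bare integer is accepted as a literal port.
PORT_NAMES = {"http": 80, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet enters (checked by destination rules)
    proto: str    # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


def _port(p: Union[str, int]) -> int:
    return PORT_NAMES[p] if isinstance(p, str) else int(p)


def destination_rule(inbound_interface: str, address: str, port: Union[str, int],
                     inside_address: str, inside_port: Optional[int] = None,
                     protocols: str = "tcp") -> dict:
    """A 'type: destination' rule as posted in the thread. inside_port is an
    assumption of this model (rewrite the port as well as the address)."""
    return {"type": "destination", "inbound-interface": inbound_interface,
            "protocols": protocols,
            "destination": {"address": ip_address(address), "port": _port(port)},
            "inside-address": {"address": inside_address, "port": inside_port}}


def masquerade_rule(outbound_interface: str, source_network: str,
                    protocols: str = "all") -> dict:
    return {"type": "masquerade", "outbound-interface": outbound_interface,
            "protocols": protocols, "source": ip_network(source_network)}


def _proto_ok(rule: dict, pkt: Packet) -> bool:
    return rule["protocols"] in ("all", pkt.proto)


def apply_destination_nat(pkt: Packet, rules: Dict[int, dict]) -> Tuple[Packet, Optional[int]]:
    """Pre-routing: the lowest-numbered matching destination rule rewrites the
    destination. Returns (packet, matching rule number or None)."""
    for number in sorted(rules):
        rule = rules[number]
        if rule["type"] != "destination" or rule["inbound-interface"] != pkt.iface:
            continue
        if not _proto_ok(rule, pkt):
            continue
        if ip_address(pkt.dst) != rule["destination"]["address"]:
            continue  # the packet carries the public address, not the inside one
        if pkt.dport != rule["destination"]["port"]:
            continue
        inside = rule["inside-address"]
        new_port = pkt.dport if inside["port"] is None else inside["port"]
        return replace(pkt, dst=inside["address"], dport=new_port), number
    return pkt, None


def apply_masquerade(pkt: Packet, rules: Dict[int, dict], egress_iface: str,
                     iface_addresses: Dict[str, str]) -> Tuple[Packet, Optional[int]]:
    """Post-routing: a matching masquerade rule rewrites the source to the
    address of the interface the packet leaves on."""
    for number in sorted(rules):
        rule = rules[number]
        if rule["type"] != "masquerade" or rule["outbound-interface"] != egress_iface:
            continue
        if not _proto_ok(rule, pkt) or ip_address(pkt.src) not in rule["source"]:
            continue
        return replace(pkt, src=iface_addresses[egress_iface]), number
    return pkt, None


# Constructed rule set mirroring Nate's corrected rules (public IP 71.62.193.105 on eth0).
NATE_RULES = {
    1: destination_rule("eth0", "71.62.193.105", "http", "192.168.0.105"),
    2: masquerade_rule("eth0", "192.168.0.0/24"),
    3: masquerade_rule("eth0", "192.168.1.0/24"),
}
# Nate's first attempt: destination address set to the server's private address.
WRONG_RULES = {3: destination_rule("eth0", "192.168.0.105", "http", "192.168.0.105")}
# Go Wow's setup: 192.168.10.45:81 on eth0 forwarded to 192.168.1.244:80.
GOWOW_RULES = {1: destination_rule("eth0", "192.168.10.45", 81, "192.168.1.244", inside_port=80)}


def scenarios() -> dict:
    """Run the cases discussed in both threads; client addresses are constructed."""
    from_internet = Packet("eth0", "tcp", "203.0.113.9", "71.62.193.105", 80)
    ok, n_ok = apply_destination_nat(from_internet, NATE_RULES)
    bad, n_bad = apply_destination_nat(from_internet, WRONG_RULES)
    lan_out = Packet("eth1", "tcp", "192.168.1.20", "198.51.100.5", 443)
    masq, n_masq = apply_masquerade(lan_out, NATE_RULES, "eth0", {"eth0": "71.62.193.105"})
    from_wan_side = Packet("eth0", "tcp", "192.168.10.7", "192.168.10.45", 81)
    from_lan_side = Packet("eth1", "tcp", "192.168.1.50", "192.168.10.45", 81)
    wan, n_wan = apply_destination_nat(from_wan_side, GOWOW_RULES)
    lan, n_lan = apply_destination_nat(from_lan_side, GOWOW_RULES)
    return {
        "public_ip_rule": (ok.dst, ok.dport, n_ok),      # translated by rule 1
        "private_ip_rule": (bad.dst, bad.dport, n_bad),  # never matches
        "masquerade": (masq.src, n_masq),                # source rewritten by rule 3
        "wan_side_81": (wan.dst, wan.dport, n_wan),      # forwarded to :80
        "lan_side_81": (lan.dst, lan.dport, n_lan),      # enters on eth1, rule skipped
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The `private_ip_rule` case is Nate's original rule 3: a packet from the internet still carries the router's public address when it is checked, so a rule keyed on 192.168.0.105 can never fire. The `lan_side_81` case shows the other thread's symptom from the rule's point of view: with `inbound-interface: eth0`, a request that enters on eth1 is left untranslated, whatever else happens to it.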
[Vyatta-users] Firewall: block internal telnet
Hi, I want to configure my firewall so that it blocks the internal systems from telnet'ing each other. My config is:

eth0 192.168.10.45 (acting as WAN)
eth1 192.168.1.1 (Internal LAN)
Re: [Vyatta-users] Firewall: block internal telnet
I believe you'd have to set up a firewall on each PC to block telnet access from the local subnet, or start using VLANs. The telnet traffic will connect to your internal systems just by going through your switches with the current configuration. The router will never even see the traffic. Beau Walker - CCNA, Linux+

From: [EMAIL PROTECTED] On Behalf Of Go Wow
Sent: Tuesday, January 29, 2008 2:51 PM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] Firewall: block internal telnet

Hi, I want to configure my firewall so that it blocks the internal systems from telnet'ing each other. My config is:

eth0 192.168.10.45 (acting as WAN)
eth1 192.168.1.1 (Internal LAN)
Re: [Vyatta-users] Firewall: block internal telnet
See the Vyatta docs at http://www.vyatta.com/documentation/index.php; there are examples in the firewall chapters. Best, Justin

On Jan 29, 2008 12:17 PM, Go Wow [EMAIL PROTECTED] wrote:
Okay, thanks for replies. People help with this please: how can I block ssh on router i.e. 192.168.10.45 using firewall? I want to give access of ssh to say only ip xxx.xxx.xxx.xxx

On 30/01/2008, Beau Walker [EMAIL PROTECTED] wrote:
You'll want to ask the List that. I could only answer your last question because the answer wasn't specific to Vyatta. Beau Walker - CCNA, Linux+

From: Go Wow [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 3:10 PM
To: Beau Walker
Subject: Re: [Vyatta-users] Firewall: block internal telnet

Okay, how can I block ssh on router i.e. 192.168.10.45 using firewall? I want to give access of ssh to say only ip xxx.xxx.xxx.xxx -- Those that make the rule don't play the game!!
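This thread raises two separate questions: which traffic a router firewall can filter at all (Beau's point that host-to-host telnet on one subnet is switched and never reaches the router), and how a first-match rule set restricts SSH to the router itself to a single source address. The following is an added example, not Vyatta code and not from anyone on the list; it models both in Python using the addressing from the thread. The admin host 192.168.1.77, the rule numbers and the default-drop policy for unmatched traffic are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional, Tuple

# Router addressing from the thread (eth0 "acting as WAN", eth1 the internal LAN).
ROUTER_IFACES = {
    "eth0": ip_interface("192.168.10.45/24"),
    "eth1": ip_interface("192.168.1.1/24"),
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "accept" or "drop"
    protocol: str = "all"
    source: Optional[str] = None  # address or CIDR; None matches any source
    dport: Optional[int] = None   # None matches any port


def router_sees(flow: Flow) -> bool:
    """False when both ends sit on one directly connected subnet and the
    destination is not the router itself: the switch forwards that frame and
    no rule set on the router can filter it."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for iface in ROUTER_IFACES.values():
        if src in iface.network and dst in iface.network and dst != iface.ip:
            return False
    return True


def is_local(flow: Flow) -> bool:
    """Destined to one of the router's own addresses (e.g. its SSH daemon)."""
    return ip_address(flow.dst) in {iface.ip for iface in ROUTER_IFACES.values()}


def evaluate(flow: Flow, rules: List[Rule], default: str = "drop") -> Tuple[str, Optional[int]]:
    """First match wins, in rule-number order; unmatched traffic gets the
    default action (drop here: the safe choice for a management service)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", flow.proto):
            continue
        if rule.source is not None and ip_address(flow.src) not in ip_network(rule.source, strict=False):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action, rule.number
    return default, None


# Constructed rule set for traffic addressed to the router: SSH from one admin host only.
ADMIN_HOST = "192.168.1.77"
LOCAL_RULES = [
    Rule(10, "accept", "tcp", ADMIN_HOST, 22),
    Rule(20, "drop", "tcp", None, 22),
]


def decide(flow: Flow) -> str:
    """Answer the three questions in order: does the router see it, is it for
    the router itself, and what does the local rule set say."""
    if not router_sees(flow):
        return "switched (router never sees it)"
    if is_local(flow):
        action, number = evaluate(flow, LOCAL_RULES)
        return f"local: {action} by rule {number}" if number is not None else f"local: {action} by default"
    return "transit (not covered by the local rule set)"


def scenarios() -> dict:
    return {
        "ssh_from_admin": decide(Flow("tcp", ADMIN_HOST, "192.168.1.1", 22)),
        "ssh_from_other_lan_host": decide(Flow("tcp", "192.168.1.50", "192.168.1.1", 22)),
        "ssh_from_wan_side": decide(Flow("tcp", "192.168.10.200", "192.168.10.45", 22)),
        "telnet_lan_to_lan": decide(Flow("tcp", "192.168.1.50", "192.168.1.60", 23)),
        "telnet_lan_to_wan_side": decide(Flow("tcp", "192.168.1.50", "192.168.10.20", 23)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

Rule 20 is what makes the restriction hold: without it, SSH from any other source would fall through to the default, so the default must be a drop or the explicit drop must be present. The `telnet_lan_to_lan` case returns before any rule is consulted, which is the situation Beau describes.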
Re: [Vyatta-users] glendale problems my 1st view
Frankly I miss the ? and space auto-completion too, but am slowly getting used to the tab-tab. Given that the new CLI is integrated with bash and ? has special meaning to bash, then it probably limits our usage of ? for help. stig

From: [EMAIL PROTECTED] On Behalf Of Aubrey Wells
Sent: Tuesday, January 29, 2008 7:48 AM
To: Ken Felix (C)
Cc: vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] glendale problems my 1st view

#3 - I agree, please bring back my beloved ?! It's an automatic reflex to hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I realize that it's echoing the char to the screen rather than activating help. That and the new CLI being mildly confusing (I'm adjusting to it) are my only two complaints so far.

Has anyone explored using ~/.inputrc to rebind the ? character to something for auto-completion? It might be possible to do:

$if Bash
?: C-IC-I
$endif

Good call Stephen. I just tried:

$if Bash
?: \C-i
$endif

And now I get the following:

[EMAIL PROTECTED] set 1st ?
cluster  firewall  interfaces  policy  protocols  service  system  vpn
[edit]
[EMAIL PROTECTED] set 2nd ?
Possible completions:
  cluster      Configure clustering
  firewall     Configure firewall
  interfaces   Network interface configuration
  policy       Configure routing policy
  protocols    Routing protocol configuration
  service      Service configuration
  system       System configuration
  vpn          Configure VPN

Maybe we won't have to give up the ?. stig
[Vyatta-users] vlan trunking?
Out of curiosity, does Vyatta (I'm currently using community edition 3) support vlan trunking? I have yet to see in any documentation or tutorials any sort of the word trunk. I have seen tutorials that have 2-3 vlan (vif interfaces) on a single physical interface-- so I guess it's just implied trunking on the dot1q protocol? Thanks in advance, Aaron
Re: [Vyatta-users] glendale problems my 1st view
Note also that if the '?' key is bound to auto-completion, the user can still input the '?' character using the readline escape sequence (i.e., in this case Ctrl-v ?). So basically it came down to a choice between these:

(1) Keep '?' key as help. To input a '?' character, prefix it with Ctrl-v.
(2) Use some other key sequence for help. A '?' character can be entered directly.

At that time, (2) was deemed more acceptable than (1), so we currently have (2). An-Cheng

An-Cheng Huang wrote:
That was the first thing I tried when we started implementing the help system. The problem is when the user actually wants to input a '?' character, how do we rebind the '?' key back to the actual character? I also tried to rebind the key after seeing a quote (assuming '?' characters can only appear in quotes), etc., etc. In the end, this is a limitation in the readline library (which is used by bash for command line input). We _could_ change readline, I suppose, somewhere down the road. An-Cheng
Re: [Vyatta-users] vlan trunking?
You are correct, a vif is a dot1q tagged vlan interface where the vif number is the vlan id. So to tag vlan 27 and 29 on interface eth0:

set interfaces ethernet eth0 vif 27
set interfaces ethernet eth0 vif 29
set interfaces ethernet eth0 vif 27 address 10.1.1.1 prefix-length 24
set interfaces ethernet eth0 vif 29 address 10.2.2.1 prefix-length 24
commit

Make sense?

-- Aubrey Wells, Senior Engineer, Shelton | Johns Technology Group, A Vyatta Ready Partner, www.sheltonjohns.com

On Jan 29, 2008, at 5:28 PM, [EMAIL PROTECTED] wrote:
Out of curiosity, does Vyatta (I'm currently using community edition 3) support vlan trunking? I have yet to see in any documentation or tutorials any sort of the word trunk. I have seen tutorials that have 2-3 vlan (vif interfaces) on a single physical interface-- so I guess it's just implied trunking on the dot1q protocol? Thanks in advance, Aaron
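The answer above says the vif number is the 802.1Q VLAN id carried in each tagged frame. The following is an added example, not Vyatta code and not posted on the list: a Python builder and parser for the 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN id), plus a small delivery function that mimics how frames arriving on a trunk are sorted by vif. The MAC addresses and payload are constructed, and the `eth0.27` style naming for `vif 27` on `eth0` is an assumption of the example.

```python
import struct
from typing import Optional, Set

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0,
                ethertype: int = ETH_P_IP) -> bytes:
    """Ethernet II frame, optionally with one 802.1Q tag inserted after the MACs."""
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | vlan_id        # DEI bit left clear
    return dst_mac + src_mac + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN id (None if untagged), priority, inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": None, "pcp": None}
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(vlan_id=tci & 0x0FFF, pcp=tci >> 13)   # VID is the low 12 bits
        payload = frame[18:]
    else:
        payload = frame[14:]
    info.update(ethertype=ethertype, payload=payload)
    return info


def deliver_to(frame: bytes, parent: str, vifs: Set[int]) -> Optional[str]:
    """Which logical interface receives the frame. Assumed naming: 'eth0 vif 27'
    is eth0.27. Untagged frames stay on the parent; a tag for a VLAN with no
    configured vif is dropped (returned as None)."""
    vid = parse_frame(frame)["vlan_id"]
    if vid is None:
        return parent
    return f"{parent}.{vid}" if vid in vifs else None


# Constructed sample data: the two vifs from the thread plus one stray VLAN.
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")
PAYLOAD = b"\x45" + b"\x00" * 19          # placeholder IPv4 header bytes
VIFS = {27, 29}


def scenarios() -> dict:
    tagged27 = build_frame(DST, SRC, PAYLOAD, vlan_id=27, pcp=5)
    tagged31 = build_frame(DST, SRC, PAYLOAD, vlan_id=31)
    untagged = build_frame(DST, SRC, PAYLOAD)
    parsed27 = parse_frame(tagged27)
    return {
        "vid27": parsed27["vlan_id"],
        "pcp27": parsed27["pcp"],
        "inner_ethertype": parsed27["ethertype"],
        "to27": deliver_to(tagged27, "eth0", VIFS),
        "to31": deliver_to(tagged31, "eth0", VIFS),
        "untagged": deliver_to(untagged, "eth0", VIFS),
        "tag_overhead": len(tagged27) - len(untagged),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

Two points the parser makes visible: the tag adds exactly four bytes, and an untagged frame on a trunk port lands on the parent interface rather than on any vif, so the parent's own address and firewall treatment matter even when all the intended traffic is tagged.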
Re: [Vyatta-users] glendale problems my 1st view
In case people don't know about this: instead of '?', a user can get the help text using either of the following two key sequences: Alt = or Alt ?. (These are the default key bindings for possible-completions in readline/bash.)

An-Cheng Huang wrote:
That was the first thing I tried when we started implementing the help system. The problem is when the user actually wants to input a '?' character, how do we rebind the '?' key back to the actual character? I also tried to rebind the key after seeing a quote (assuming '?' characters can only appear in quotes), etc., etc. In the end, this is a limitation in the readline library (which is used by bash for command line input). We _could_ change readline, I suppose, somewhere down the road. An-Cheng
Re: [Vyatta-users] glendale problems my 1st view
Stig Thormodsrud wrote:
#3 - I agree, please bring back my beloved ?! It's an automatic reflex to hit ? whenever I'm in a router. I end up hitting it 3 or 4 times before I realize that it's echoing the char to the screen rather than activating help.

Has anyone explored using ~/.inputrc to rebind the ? character to something for auto-completion? It might be possible to do:

$if Bash
?: C-IC-I
$endif

Good call Stephen. I just tried:

$if Bash
?: \C-i
$endif

Maybe we won't have to give up the ?. stig

That was the first thing I tried when we started implementing the help system. The problem is when the user actually wants to input a '?' character, how do we rebind the '?' key back to the actual character? I also tried to rebind the key after seeing a quote (assuming '?' characters can only appear in quotes), etc., etc. In the end, this is a limitation in the readline library (which is used by bash for command line input). We _could_ change readline, I suppose, somewhere down the road. An-Cheng
Re: [Vyatta-users] Unable to login, solved by reboot
Give show log | match ERROR a try. Justin

On Jan 29, 2008 2:00 PM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote:
I have this problem again. Now I was able to login to a user account I created, but unable to view logfiles since I'm in xorpsh.

2008/1/28, Justin Fletcher [EMAIL PROTECTED]:
Anything untoward in the log files? Justin

On Jan 28, 2008 7:29 AM, Jostein Martinsen-Jones [EMAIL PROTECTED] wrote:
Today I had a weird experience with Vyatta. I was unable to login on any account. Did a reboot, then everything was normal. What is going on?
Re: [Vyatta-users] glendale problems my 1st view
I vote for #1. Maybe it's just because I've been doing this for quite a while, but I would think that most people who would be annoyed about not being able to put a ? in a description or something know how to use the ctrl-v escape like with a cisco. Maybe it can be a config option? set system online-help key-rebindings true

-- Aubrey Wells, Senior Engineer, Shelton | Johns Technology Group, A Vyatta Ready Partner, www.sheltonjohns.com

On Jan 29, 2008, at 5:27 PM, An-Cheng Huang wrote:
Note also that if the '?' key is bound to auto-completion, the user can still input the '?' character using the readline escape sequence (i.e., in this case Ctrl-v ?). So basically it came down to a choice between these:

(1) Keep '?' key as help. To input a '?' character, prefix it with Ctrl-v.
(2) Use some other key sequence for help. A '?' character can be entered directly.

At that time, (2) was deemed more acceptable than (1), so we currently have (2). An-Cheng

An-Cheng Huang wrote:
That was the first thing I tried when we started implementing the help system. The problem is when the user actually wants to input a '?' character, how do we rebind the '?' key back to the actual character? I also tried to rebind the key after seeing a quote (assuming '?' characters can only appear in quotes), etc., etc. In the end, this is a limitation in the readline library (which is used by bash for command line input). We _could_ change readline, I suppose, somewhere down the road. An-Cheng
Re: [Vyatta-users] Unable to login, solved by reboot
Log result attached. I managed to log in if I changed the passwords for my troubled users. Sometimes the encrypted-password didn't get encrypted.

2008/1/29, Justin Fletcher [EMAIL PROTECTED]:
Give show log | match ERROR a try.

show log | match ERROR
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41 ERROR xorp_rtrmgr:3758 LIBXORP +741 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libxorp/run_command.cc done ] Command /opt/vyatta/sbin/xorp_tmpl_tool: exited with exit status 1.
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41 ERROR xorp_rtrmgr:3758 RTRMGR +1647 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/task.cc execute_done ] Error found on program stderr!
Jan 27 14:20:41 localhost xorp_rtrmgr: [ 2008/01/27 15:20:41 ERROR xorp_rtrmgr:3758 RTRMGR +701 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: VPN configuration error. The IKE group IKE-1W specified for peer 0.0.0.0 has not been configured. VPN configuration error. The ESP group ESP-1W specified for peer 0.0.0.0 tunnel 1 has not been configured.
VPN configuration commit aborted due to error(s).
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41 ERROR xorp_rtrmgr:3758 LIBXORP +741 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/libxorp/run_command.cc done ] Command /opt/vyatta/sbin/xorp_tmpl_tool: exited with exit status 1.
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41 ERROR xorp_rtrmgr:3758 RTRMGR +1647 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/task.cc execute_done ] Error found on program stderr!
Jan 27 14:22:41 localhost xorp_rtrmgr: [ 2008/01/27 15:22:41 ERROR xorp_rtrmgr:3758 RTRMGR +701 /home/autobuild/builds/master/2007-10-24-0001/ofr/xorp/xorp/rtrmgr/master_conf_tree.cc commit_pass2_done ] Commit failed: VPN configuration error. The IKE group IKE-1W specified for peer 0.0.0.0 has not been configured. VPN configuration error. The ESP group ESP-1W specified for peer 0.0.0.0 tunnel 1 has not been configured.
VPN configuration commit aborted due to error(s).
Jan 28 14:33:36 localhost pluto[4670]: ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #1: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in main_outI1. Errno 101: Network is unreachable
Jan 28 14:33:36 localhost ipsec__plutorun: 003 ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #1: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in main_outI1. Errno 101: Network is unreachable
Jan 28 14:33:40 localhost pluto[4670]: ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #2: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable
Jan 28 14:33:46 localhost pluto[4670]: ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #1: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in EVENT_RETRANSMIT. Errno 101: Network is unreachable
Jan 28 14:33:50 localhost pluto[4670]: ERROR: peer-yyy.xxx.zzz.qqq-tunnel-1 #3: sendto on eth0 to yyy.xxx.zzz.qqq:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable
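The poster's finding above (an encrypted-password field that was stored unencrypted, so the login failed until the password was reset) is cheap to check for before it locks anyone out. The following is an added example, not code from the thread or from Vyatta: it walks a configuration dump in Vyatta's brace syntax, collects each user's encrypted-password value, and flags values that do not look like a crypt(3) hash. The config text is constructed for the example; the user names and hash strings are made up.

```python
import re

# Constructed Vyatta-style login section (example data, not from the thread).
# alice and carol carry crypt(3) hashes; bob's value is a plaintext string.
SAMPLE_CONFIG = """\
system {
    login {
        user alice {
            authentication {
                encrypted-password: "$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0"
            }
        }
        user bob {
            authentication {
                encrypted-password: "hunter2"
            }
        }
        user carol {
            authentication {
                encrypted-password: "$5$Zx9qLm2P$7kQ1pR9sT3uV5wX7yZ0aB2cD4eF6gH8iJ0kL2mN4oP6q"
            }
        }
    }
}
"""

# Modular crypt format: $id$salt$hash with id 1 (MD5), 2a/2b/2y (bcrypt), 5 (SHA-256),
# 6 (SHA-512) or y (yescrypt). Traditional DES crypt is exactly 13 chars of [./0-9A-Za-z].
CRYPT_MODULAR = re.compile(r"^\$(1|2a|2b|2y|5|6|y)\$[./A-Za-z0-9$=,]+$")
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
LOCKED = {"*", "!", "!!"}   # conventional "no password login" markers

USER_RE = re.compile(r"^\s*user\s+(\S+)\s*\{")
PW_RE = re.compile(r'^\s*encrypted-password:\s*"?([^"\s]+)"?')


def looks_like_crypt_hash(value):
    """True if value has the shape of a crypt(3) hash (or a locked marker).
    Caveat: a 13-character plaintext made of [./0-9A-Za-z] is indistinguishable
    from a DES hash by shape alone."""
    return value in LOCKED or bool(CRYPT_MODULAR.match(value)) or bool(CRYPT_DES.match(value))


def extract_passwords(config_text):
    """Return {user: encrypted-password value} from a brace-style config dump."""
    result = {}
    current = None
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = m.group(1)   # entering a 'user NAME {' block
            continue
        m = PW_RE.match(line)
        if m and current:
            result[current] = m.group(1)
    return result


def find_unhashed_passwords(config_text):
    """Sorted list of users whose stored value is not a crypt(3) hash."""
    return sorted(user for user, value in extract_passwords(config_text).items()
                  if not looks_like_crypt_hash(value))


if __name__ == "__main__":
    for user in find_unhashed_passwords(SAMPLE_CONFIG):
        print("encrypted-password for %s is not a crypt(3) hash; reset it" % user)
```

Feed it the output of the configuration dump instead of the constructed text and any user it lists is a candidate for the password reset the poster ended up doing.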
Re: [Vyatta-users] glendale problems my 1st view
I'd vote for #1 also (but my thinking may be warped by over a decade of IOS development using the ? key ;-). The other thing to consider is the principle of least astonishment for the over 100,000 downloads of Vyatta before Glendale.

stig
Re: [Vyatta-users] Firewall: block internal telnet
This is my firewall config, look in rule 2. 192.168.10.2 is my gateway; I added it thinking that my internal LAN users would still have access to the internet, but they aren't having it. Can someone tell me why? Or give me some pointers please.

firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name Rule-1 {
        rule 1 {
            protocol: tcp
            action: accept
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                port-name ssh
            }
        }
        rule 2 {
            protocol: all
            action: accept
            log: disable
            source {
                address: 192.168.10.2
            }
        }
        rule 3 {
            protocol: tcp
            action: accept
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                port-number 81
                port-name http
                port-name https
            }
        }
    }
}

On 30/01/2008, Go Wow [EMAIL PROTECTED] wrote:
How do I do this? My eth0 is WAN and eth1 is the internal LAN. I want to unblock the Internet for internal users and also I should have the ssh and webgui interfaces; everything else should be blocked. How do I do this?

--
Those that make the rule don't play the game!!
Re: [Vyatta-users] Firewall: block internal telnet
And I have added it to eth0 for in and local traffic only.

On 30/01/2008, Go Wow [EMAIL PROTECTED] wrote:
This is my firewall config, look in rule 2. 192.168.10.2 is my gateway; I added it thinking that my internal LAN users would still have access to the internet, but they aren't having it. Can someone tell me why? Or give me some pointers please.

--
Those that make the rule don't play the game!!
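An added example, not from the thread or from Vyatta, that replays the Rule-1 set above against a few constructed packets the way a rule set applied to eth0 "in" and "local" would see them. Vyatta evaluates rules in ascending number order and drops anything no rule accepts, so the interesting case is the reply traffic of a LAN user's web session: it arrives on eth0 with a high destination port that none of rules 1 to 3 name, and rule 2 only matches on source address. The variant STATEFUL_RULES adds a rule that accepts established and related flows first; the Vyatta syntax for that rule (state { established: enable related: enable }) is an assumption in this example, as are the packet addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    state: str   # connection tracking's view of the flow: "new", "established" or "related"


@dataclass
class Rule:
    number: int
    action: str
    protocol: str = "all"
    src_net: Optional[str] = None          # source { network/address }
    dst_ports: Tuple[int, ...] = ()        # destination { port-name/port-number }
    states: Tuple[str, ...] = ()           # state { established/related ... } (assumed syntax)


def rule_matches(rule, pkt):
    if rule.protocol != "all" and rule.protocol != pkt.proto:
        return False
    if rule.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.dst_ports and pkt.dport not in rule.dst_ports:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule (by number) decides; nothing matched means the implicit drop."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "drop", None


# The poster's Rule-1 set with port names resolved (ssh 22, http 80, https 443).
THREAD_RULES = [
    Rule(1, "accept", protocol="tcp", src_net="0.0.0.0/0", dst_ports=(22,)),
    Rule(2, "accept", protocol="all", src_net="192.168.10.2/32"),
    Rule(3, "accept", protocol="tcp", src_net="0.0.0.0/0", dst_ports=(81, 80, 443)),
]

# Same set plus a state-match rule evaluated first (number 0 only to order it first here;
# a real config would renumber). It lets replies to LAN-initiated sessions back in.
STATEFUL_RULES = [Rule(0, "accept", states=("established", "related"))] + THREAD_RULES

# Constructed packets arriving on eth0 (WAN). Addresses are documentation ranges.
NEW_SSH = Packet("tcp", "198.51.100.7", "203.0.113.2", 22, "new")            # admin ssh to the router
RETURN_HTTP = Packet("tcp", "198.51.100.80", "192.168.10.50", 51234, "established")  # web server replying to a LAN browser
NEW_RDP = Packet("tcp", "198.51.100.7", "192.168.10.50", 3389, "new")          # unsolicited inbound
SPOOFED_GW = Packet("tcp", "192.168.10.2", "192.168.10.50", 3389, "new")       # WAN packet claiming the gateway's source


if __name__ == "__main__":
    for name, pkt in [("ssh", NEW_SSH), ("http reply", RETURN_HTTP), ("rdp", NEW_RDP), ("spoofed", SPOOFED_GW)]:
        print("%-10s thread rules: %-14s stateful rules: %s" % (
            name, evaluate(THREAD_RULES, pkt), evaluate(STATEFUL_RULES, pkt)))
```

Two things the run makes visible: the http reply is dropped by the thread's rules and accepted only by the state rule, which is the "LAN users have no internet" symptom; and rule 2, matching on source address alone, accepts a WAN-side packet that merely claims the gateway's address, so it is broader than a rule meant to let replies through.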
[Vyatta-users] Squid Vyatta
I was searching the internet and found this script which can be used to get a complete URL log using squid.

http://www.benking.me.uk/2007/10/24/vyatta-forwarding-traffic-to-squid/

#!/bin/sh -e
#
# rc.local
#
# Modified to forward to squid cache
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
IPTABLES=/sbin/iptables
IP=/sbin/ip
SQUID="10.1.1.1"   # Internal address of our squid box

# Webcache jump to cache
echo "Setting up jump to webcache"

# clear any existing entries
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Don't mark webcache traffic
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $SQUID

# Internal subnets to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8   # Don't cache internal

# External sites to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 1.2.3.4   # IP address of site you want to exclude from going to the cache

# Now mark our traffic; we have a number of subnets on virtual interfaces we want to grab.
# If you aren't using vifs simply use eth1 or whatever you are using.
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.103 -p tcp --dport 80

# Send the marked traffic to table 2 (you can actually use whatever table you want;
# I used 2 because we are using eth2 for the subnet squid is on).
$IP rule add fwmark 3 table 2

# set the default route for table 2, change eth2 for the interface you are on
$IP route add default via $SQUID dev eth2 table 2

# Make sure we exit
exit 0

I just wanted someone to explain this to me a little more. Ben did explain it on his site but still I would like someone to explain this please.
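Since the poster asks for an explanation of the script: the part that decides which packets go to squid is the order of the mangle PREROUTING chain. ACCEPT is a terminating target, so a packet that hits one of the three exclusion rules stops there and is never marked; MARK is non-terminating, so the chain keeps going after it, which is harmless here because the MARK rules are last. Only packets that leave the chain with fwmark 3 match the "ip rule add fwmark 3 table 2" policy rule and get the table 2 default route towards the cache. The following is an added example that is not from the post or from Ben's site: it rebuilds that chain in Python and traces constructed packets through it. Interface names, the squid address and the excluded site come from the script; the client and destination addresses are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int
    mark: int = 0


@dataclass
class MangleRule:
    target: str                      # "ACCEPT" (terminating) or "MARK" (non-terminating)
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    src: Optional[str] = None        # -s
    dst: Optional[str] = None        # -d, single address or CIDR
    in_iface: Optional[str] = None   # -i
    set_mark: int = 0                # --set-mark


SQUID = "10.1.1.1"

# The script's PREROUTING chain in the order the -A commands append the rules.
PREROUTING = [
    MangleRule("ACCEPT", proto="tcp", dport=80, src=SQUID),          # squid's own fetches must not loop back
    MangleRule("ACCEPT", proto="tcp", dport=80, dst="10.0.0.0/8"),   # internal destinations bypass the cache
    MangleRule("ACCEPT", proto="tcp", dport=80, dst="1.2.3.4"),      # the one excluded external site
    MangleRule("MARK", proto="tcp", dport=80, in_iface="eth3.102", set_mark=3),
    MangleRule("MARK", proto="tcp", dport=80, in_iface="eth3.103", set_mark=3),
]


def matches(rule, pkt):
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src and rule.src != pkt.src:
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.in_iface and rule.in_iface != pkt.in_iface:
        return False
    return True


def run_chain(chain, pkt):
    """Traverse the mangle chain; return the fwmark the packet leaves with."""
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.target == "ACCEPT":
            break                      # terminating: later MARK rules never see this packet
        if rule.target == "MARK":
            pkt.mark = rule.set_mark   # non-terminating: set the mark and keep going
    return pkt.mark


def route_table(pkt, fwmark=3):
    """'ip rule add fwmark 3 table 2': marked packets use table 2, whose default route is squid."""
    return "table2-via-squid" if run_chain(PREROUTING, pkt) == fwmark else "main"


if __name__ == "__main__":
    samples = [
        Packet("eth3.102", "tcp", "10.2.0.5", "198.51.100.10", 80),   # LAN client to external site
        Packet("eth3.102", "tcp", "10.2.0.5", "10.1.1.1", 80),        # LAN client to internal host
        Packet("eth2", "tcp", SQUID, "198.51.100.10", 80),            # squid fetching the page itself
        Packet("eth3.102", "tcp", "10.2.0.5", "1.2.3.4", 80),         # excluded site
        Packet("eth3.105", "tcp", "10.2.0.5", "198.51.100.10", 80),   # vif the script does not list
        Packet("eth3.102", "tcp", "10.2.0.5", "198.51.100.10", 443),  # https: never port 80
    ]
    for pkt in samples:
        print(pkt.in_iface, pkt.src, "->", "%s:%d" % (pkt.dst, pkt.dport), route_table(pkt))
```

The first exclusion is the one that matters for safety of the setup: without it, squid's own outbound port-80 connections would be marked on their way through the router and routed back to squid, creating a loop. Note also that a vif not listed in a MARK rule, and anything other than TCP port 80, never reaches the cache, so the "complete URL log" covers plain HTTP from the listed interfaces only.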
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Hmm, gotcha. I guess that makes sense actually. I'll see if I can't figure it out.

Nate

On Wed, 2008-01-30 at 08:49 +0530, Go Wow wrote:
Nathan, I can even view it; from inside the LAN you cannot view it.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Nathan, I can even view it; from inside the LAN you cannot view it. If I remember correctly someone said that when you try to reach a NAT'ted IP from inside the network, the router doesn't know the address where it needs to forward your request. Now look, I'm not a networking guru and not even an iptables guru, so I don't know why it happens, but if you would like to visit it from inside the LAN too then you need to add a couple more NAT rules I guess. Someone may help you with additional rules.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
*shrug* same here. Are you trying to hit the NATted address from inside the LAN that is being NATted to? Hairpin NAT doesn't work in iptables...

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
I just connected and see the Apache 2 test page running on CentOS

John
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
I just connected and see the Apache 2 test page running on CentOS

John

Nathan McBride wrote:
First off I appreciate help from everyone, this is a nice change to some mailing lists I'm used to. Unfortunately, I am still having the same problem.
[Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
First off I appreciate help from everyone, this is a nice change to some mailing lists I'm used to. Unfortunately, I am still having the same problem. I'm giving out real information, probably shouldn't, but that's how frustrated I am. I just get an unable to connect error. The firewalls are fine I promise. I can see the page on 192.168.0.105 from inside the LAN, and I can see and use the webgui of the router just fine. Although I did disable it of course since I want the port forwarded. In the ssh example sent to me which is below, I notice that the addresses are just numbers where mine have around them. Does this matter? Can anyone please give any suggestions?

Thanks a lot,
Nate

My domain is: www.nombyte.com
The IP is: 71.62.193.105

Full NAT is:

nat {
    rule 1 {
        type: destination
        inbound-interface: eth0
        protocols: tcp
        source {
            network: 0.0.0.0/0
        }
        destination {
            address: 71.62.193.105
            port-name http
        }
        inside-address {
            address: 192.168.0.105
        }
    }
    rule 2 {
        type: masquerade
        outbound-interface: eth0
        protocols: all
        source {
            network: 192.168.0.0/24
        }
        destination {
            network: 0.0.0.0/0
        }
    }
    rule 3 {
        type: masquerade
        outbound-interface: eth0
        protocols: all
        source {
            network: 192.168.1.0/24
        }
        destination {
            network: 0.0.0.0/0
        }
    }
}

On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
Here's what I use to port-forward ssh; just adjust for address (where destination address is the public IP) and change it to http.

rule 2 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 1.2.3.4
        port-name ssh
    }
    inside-address {
        address: 10.0.0.30
    }
}

Best,
Justin

On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote:
Can someone please help me get this worked out?

Nate

Ok, these are my NAT rules now. I didn't see a command to change the rule numbers so I just redid them all by hand. It still doesn't work.

On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
Hi Nate,

The inside-address is the internal (private) IP address of your Web server, which in your case is 192.168.0.105. The destination address should actually be the public IP address that outside clients will use to access your server, so usually this is the public IP address of your router.

An-Cheng

Nathan McBride wrote:
I went and looked at the old docs. I thought I set them up correctly but apparently I didn't. All I'm trying to do is to get people on the internet to view the website on my comp (192.168.0.105). The only difference that I noticed when I tried to commit the example in the old docs was that vc3 requires an 'inside-address'. Could someone please help me correct this to get it working?

rule 3 {
    type: destination
    inbound-interface: eth0
    protocols: tcp
    destination {
        address: 192.168.0.105
        port-name http
    }
    inside-address {
        address: 192.168.0.105   -- didn't know what to put here exactly...
    }
}
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Yeah, I was about to say the same thing as Aubrey said. I had the same issue when I was trying to access the NATted IP from inside the LAN; try to access it from outside, from any IP.
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
John just told me he can get to the page too. From inside the LAN I am going to a browser and typing www.nombyte.com. And it doesn't work?

Nate

On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
*shrug* same here. Are you trying to hit the NATted address from inside the LAN that is being NATted to? Hairpin NAT doesn't work in iptables...
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
It sounds like you're a victim of hairpin NATting. Very frustrating. Iptables doesn't do it (that I know of.) I first encountered this on a PIX firewall years ago and thought it was an absurd limitation (then I found out my beloved Linux couldn't do it either and was crushed). Cisco fixed it in v7 of the PIX software IIRC but iptables still can't do it.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
John just told me he can get to the page too. From inside the LAN I am going to a browser and typing www.nombyte.com. And it doesn't work?
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
It's been a while since I researched it, but I think there was something about the way netfilter_conntrack tracks the NAT sessions that prevents the hairpin NAT from working. I never figured out a way around it and no one on Google was helpful either. The usual solution is to put a DNS entry in your internal DNS server to point the domain name to the internal IP of the web site.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
A Vyatta Ready Partner
www.sheltonjohns.com

On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:
Can't I do another NAT rule?

On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
It sounds like you're a victim of hairpin NATting. Very frustrating. Iptables doesn't do it (that I know of.)
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Another way would be to have these kinds of servers (which need to be accessed from the LAN) on another subnet. Looks feasible to me.

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Can't I do another nat rule?

On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:

> It sounds like you're a victim of hairpin natting. Very frustrating. Iptables doesn't do it (that I know of). I first encountered this on a PIX firewall years ago and thought it was an absurd limitation (then I found out my beloved Linux couldn't do it either and was crushed). Cisco fixed it in v7 of the PIX software IIRC but iptables still can't do it.
>
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
>
> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>
>> John just told me he can get to the page too. From inside the LAN I am going to a browser and typing www.nombyte.com. And it doesn't work?
>>
>> Nate
>>
>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>
>>> *shrug* same here
>>>
>>> Are you trying to hit the natted address from inside the LAN that is being natted to? Hairpin NAT doesn't work in iptables...
>>>
>>> --
>>> Aubrey Wells
>>> Senior Engineer
>>> Shelton | Johns Technology Group
>>> A Vyatta Ready Partner
>>> www.sheltonjohns.com
>>>
>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>
>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>
>>>> John
>>>>
>>>> Nathan McBride wrote:
>>>>
>>>>> First off, I appreciate help from everyone; this is a nice change from some mailing lists I'm used to. Unfortunately, I am still having the same problem. I'm giving out real information, probably shouldn't, but that's how frustrated I am.
>>>>>
>>>>> I just get an unable to connect error. The firewalls are fine, I promise. I can see the page on 192.168.0.105 from inside the LAN, and I can see and use the webgui of the router just fine. Although I did disable it of course since I want the port forwarded. In the ssh example sent to me which is below, I notice that the addresses are just numbers where mine have around them. Does this matter? Can anyone please give any suggestions?
>>>>>
>>>>> Thanks a lot,
>>>>> Nate
>>>>>
>>>>> My domain is: www.nombyte.com
>>>>> The IP is: 71.62.193.105
>>>>>
>>>>> Full NAT is:
>>>>>
>>>>> nat {
>>>>>   rule 1 {
>>>>>     type: destination
>>>>>     inbound-interface: eth0
>>>>>     protocols: tcp
>>>>>     source {
>>>>>       network: 0.0.0.0/0
>>>>>     }
>>>>>     destination {
>>>>>       address: 71.62.193.105
>>>>>       port-name http
>>>>>     }
>>>>>     inside-address {
>>>>>       address: 192.168.0.105
>>>>>     }
>>>>>   }
>>>>>   rule 2 {
>>>>>     type: masquerade
>>>>>     outbound-interface: eth0
>>>>>     protocols: all
>>>>>     source {
>>>>>       network: 192.168.0.0/24
>>>>>     }
>>>>>     destination {
>>>>>       network: 0.0.0.0/0
>>>>>     }
>>>>>   }
>>>>>   rule 3 {
>>>>>     type: masquerade
>>>>>     outbound-interface: eth0
>>>>>     protocols: all
>>>>>     source {
>>>>>       network: 192.168.1.0/24
>>>>>     }
>>>>>     destination {
>>>>>       network: 0.0.0.0/0
>>>>>     }
>>>>>   }
>>>>>
>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>>
>>>>>> Here's what I use to port-forward ssh; just adjust for address (where destination address is the public IP) and change it to http.
>>>>>>
>>>>>> rule 2 {
>>>>>>   type: destination
>>>>>>   inbound-interface: eth0
>>>>>>   protocols: tcp
>>>>>>   source {
>>>>>>     network: 0.0.0.0/0
>>>>>>   }
>>>>>>   destination {
>>>>>>     address: 1.2.3.4
>>>>>>     port-name ssh
>>>>>>   }
>>>>>>   inside-address {
>>>>>>     address: 10.0.0.30
>>>>>>   }
>>>>>> }
>>>>>>
>>>>>> Best,
>>>>>> Justin
>>>>>>
>>>>>> On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote:
>>>>>>
>>>>>>> Can someone please help me get this worked out?
>>>>>>>
>>>>>>> Nate
>>>>>>>
>>>>>>> Ok, these are my nat rules now. I didn't see a command to change the rule numbers so I just redid them all by hand. It still doesn't work.
>>>>>>>
>>>>>>> rule 1 {
>>>>>>>   type: destination
>>>>>>>   inbound-interface: eth0
>>>>>>>   protocols: tcp
>>>>>>>   destination {
>>>>>>>     address: 71.62.193.105
>>>>>>>     port-name http
>>>>>>>   }
>>>>>>>   inside-address {
>>>>>>>     address: 192.168.0.105
>>>>>>>   }
>>>>>>> }
>>>>>>> rule 2 {
>>>>>>>   type: masquerade
>>>>>>>   outbound-interface: eth0
>>>>>>>   protocols: all
>>>>>>>   source {
>>>>>>>     network: 192.168.0.0/24
>>>>>>>   }
>>>>>>>   destination {
>>>>>>>     network: 0.0.0.0/0
>>>>>>>   }
>>>>>>> }
>>>>>>> rule 3 {
>>>>>>>   type: masquerade
>>>>>>>   outbound-interface: eth0
>>>>>>>   protocols: all
>>>>>>>   source {
>>>>>>>     network: 192.168.1.0/24
>>>>>>>   }
>>>>>>>   destination {
>>>>>>>     network: 0.0.0.0/0
>>>>>>>   }
>>>>>>> }
>>>>>>>
>>>>>>> Nate
>>>>>>>
>>>>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>>>>>>>
>>>>>>>> Hi Nate,
>>>>>>>>
>>>>>>>> The inside-address is the internal (private) IP address of your Web server, which in
[Vyatta-users] help me with firewall
This is my complete configuration. I want to add a firewall such that all the internal LAN hosts can still access the internet as they do now without a firewall; I want only ports 80 and 443 to be open to all (yes, it should be accessible from anywhere); and lastly I have a webserver NAT'ted on port 81 of eth0 which I want to access too. Everything else should be blocked. Can someone please define the rules for this?

protocols {
  rip {
    interface eth0 {
      address 192.168.10.45 {
        metric: 1
        horizon: split-horizon-poison-reverse
        disable: false
        passive: false
        accept-non-rip-requests: true
        accept-default-route: true
        advertise-default-route: true
        route-timeout: 180
        deletion-delay: 120
        triggered-delay: 3
        triggered-jitter: 66
        update-interval: 30
        update-jitter: 16
        request-interval: 30
        interpacket-delay: 50
      }
    }
    interface eth1 {
      address 192.168.1.1 {
        metric: 1
        horizon: split-horizon-poison-reverse
        disable: false
        passive: false
        accept-non-rip-requests: true
        accept-default-route: true
        advertise-default-route: true
        route-timeout: 180
        deletion-delay: 120
        triggered-delay: 3
        triggered-jitter: 66
        update-interval: 30
        update-jitter: 16
        request-interval: 30
        interpacket-delay: 50
      }
    }
  }
}
policy {
}
interfaces {
  restore: false
  loopback lo {
    description:
    address 192.168.2.1 {
      prefix-length: 32
      disable: false
    }
  }
  ethernet eth0 {
    disable: false
    discard: false
    description:
    hw-id: 00:1c:c0:0d:0c:85
    duplex: auto
    speed: auto
    address 192.168.10.45 {
      prefix-length: 24
      disable: false
    }
  }
  ethernet eth1 {
    disable: false
    discard: false
    description:
    hw-id: 00:08:a1:83:b7:1e
    duplex: auto
    speed: auto
    address 192.168.1.1 {
      prefix-length: 24
      disable: false
    }
  }
}
service {
  nat {
    rule 10 {
      type: destination
      inbound-interface: eth0
      protocols: tcp
      source {
        network: 0.0.0.0/0
      }
      destination {
        address: 192.168.10.45
        port-number 81
      }
      inside-address {
        address: 192.168.1.244
        port-number: 80
      }
    }
    rule 1000 {
      type: masquerade
      outbound-interface: eth0
      source {
        network: 192.168.1.0/24
      }
      destination {
        network: 0.0.0.0/0
      }
    }
  }
  ssh {
    port: 22
    protocol-version: v2
  }
  webgui {
    http-port: 80
    https-port: 443
  }
}
system {
  host-name: vyatta
  domain-name:
  name-server 202.56.250.6
  time-zone: GMT
  ntp-server 69.59.150.135
  gateway-address: 192.168.10.2
  login {
    user root {
      full-name:
      authentication {
        encrypted-password: $1$$Ht7gBYnxI1xCdO/JOnodh.
      }
    }
    user vyatta {
      full-name:
      authentication {
        encrypted-password: $1$$Ht7gBYnxI1xCdO/JOnodh.
      }
    }
  }
  package {
    auto-sync: 1
    repository community {
      component: main
      url: http://archive.vyatta.com/vyatta;
    }
  }
}
[Vyatta-users] vyatta in a fully-virtualized (hvm) domU; console issues
hi,

i've installed vyatta community edition, from vyatta-livecd-vc3.iso, as a fully-virtualized (HVM) Xen DomU on a Fedora8 Dom0. install went without a noticeable hitch.

on domain shutdown/restart,

    xm create -c vyatta_run.cfg

@ console, i see,

    Using config file /etc/xen/vyatta_run.cfg.
    Started domain vyatta
    xenconsole: Could not read tty from store: No such file or directory

searching, i find

    http://readlist.com/lists/lists.xensource.com/xen-users/3/16722.html

which suggests adding to the vyatta domain's /etc/inittab,

    co:2345:respawn:/sbin/mingetty console

mounting the domain's LV from Dom0 with,

    kpartx -av /dev/VG00/vyatta
    mount -t ext2 /dev/mapper/vyatta1 /mnt

i note in /sbin only 'getty' -- no 'mingetty'. so, instead, i add a similar

    co:2345:respawn:/sbin/getty console

to /mnt/etc/inittab

but on domain restart i see the same,

    Using config file /etc/xen/vyatta_run.cfg.
    Started domain vyatta
    xenconsole: Could not read tty from store: No such file or directory

@ Dom0, the vyatta DomU's console displays,

    Press F10 to select boot device.
    Booting from Hard Disk ...
    GRUB Loading stage 2..
    Press any key to continue.

and there it sits. doing nothing.

other DomU's, e.g. Fedora8, have no probs so far ...

anyone here have any hints as to how to get past this?

thanks!
Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]
Hi Nate,

If the problem you're seeing is caused by an external vs. internal DNS problem (external access is fine, but internal hosts resolve the server to the external address and therefore cannot access it), you might be able to work around it using NAT. See the following message from the list archive for more details.

http://mailman.vyatta.com/pipermail/vyatta-users/2007-August/001741.html

An-Cheng

Nathan McBride wrote:

> hmmm, guess I should make an internal DNS server then... :D
>
> nate
>
> On Tue, 2008-01-29 at 22:34 -0500, Aubrey Wells wrote:
>
>> It's been a while since I researched it, but I think there was something about the way netfilter_conntrack tracks the NAT sessions that prevents the hairpin NAT from working. I never figured out a way around it and no one on Google was helpful either. The usual solution is to put a DNS entry in your internal DNS server to point the domain name to the internal IP of the web site.
>>
>> --
>> Aubrey Wells
>> Senior Engineer
>> Shelton | Johns Technology Group
>> A Vyatta Ready Partner
>> www.sheltonjohns.com
>>
>> On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:
>>
>>> Can't I do another nat rule?
>>>
>>> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>>>
>>>> It sounds like you're a victim of hairpin natting. Very frustrating. Iptables doesn't do it (that I know of). I first encountered this on a PIX firewall years ago and thought it was an absurd limitation (then I found out my beloved Linux couldn't do it either and was crushed). Cisco fixed it in v7 of the PIX software IIRC but iptables still can't do it.
>>>>
>>>> --
>>>> Aubrey Wells
>>>> Senior Engineer
>>>> Shelton | Johns Technology Group
>>>> A Vyatta Ready Partner
>>>> www.sheltonjohns.com
>>>>
>>>> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>>>>
>>>>> John just told me he can get to the page too. From inside the LAN I am going to a browser and typing www.nombyte.com. And it doesn't work?
>>>>>
>>>>> Nate
>>>>>
>>>>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>>>>
>>>>>> *shrug* same here
>>>>>>
>>>>>> Are you trying to hit the natted address from inside the LAN that is being natted to? Hairpin NAT doesn't work in iptables...
>>>>>>
>>>>>> --
>>>>>> Aubrey Wells
>>>>>> Senior Engineer
>>>>>> Shelton | Johns Technology Group
>>>>>> A Vyatta Ready Partner
>>>>>> www.sheltonjohns.com
>>>>>>
>>>>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>>>>
>>>>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>> Nathan McBride wrote:
>>>>>>>
>>>>>>>> First off, I appreciate help from everyone; this is a nice change from some mailing lists I'm used to. Unfortunately, I am still having the same problem. I'm giving out real information, probably shouldn't, but that's how frustrated I am.
>>>>>>>>
>>>>>>>> I just get an unable to connect error. The firewalls are fine, I promise. I can see the page on 192.168.0.105 from inside the LAN, and I can see and use the webgui of the router just fine. Although I did disable it of course since I want the port forwarded. In the ssh example sent to me which is below, I notice that the addresses are just numbers where mine have around them. Does this matter? Can anyone please give any suggestions?
>>>>>>>>
>>>>>>>> Thanks a lot,
>>>>>>>> Nate
>>>>>>>>
>>>>>>>> My domain is: www.nombyte.com
>>>>>>>> The IP is: 71.62.193.105
>>>>>>>>
>>>>>>>> Full NAT is:
>>>>>>>>
>>>>>>>> nat {
>>>>>>>>   rule 1 {
>>>>>>>>     type: destination
>>>>>>>>     inbound-interface: eth0
>>>>>>>>     protocols: tcp
>>>>>>>>     source {
>>>>>>>>       network: 0.0.0.0/0
>>>>>>>>     }
>>>>>>>>     destination {
>>>>>>>>       address: 71.62.193.105
>>>>>>>>       port-name http
>>>>>>>>     }
>>>>>>>>     inside-address {
>>>>>>>>       address: 192.168.0.105
>>>>>>>>     }
>>>>>>>>   }
>>>>>>>>   rule 2 {
>>>>>>>>     type: masquerade
>>>>>>>>     outbound-interface: eth0
>>>>>>>>     protocols: all
>>>>>>>>     source {
>>>>>>>>       network: 192.168.0.0/24
>>>>>>>>     }
>>>>>>>>     destination {
>>>>>>>>       network: 0.0.0.0/0
>>>>>>>>     }
>>>>>>>>   }
>>>>>>>>   rule 3 {
>>>>>>>>     type: masquerade
>>>>>>>>     outbound-interface: eth0
>>>>>>>>     protocols: all
>>>>>>>>     source {
>>>>>>>>       network: 192.168.1.0/24
>>>>>>>>     }
>>>>>>>>     destination {
>>>>>>>>       network: 0.0.0.0/0
>>>>>>>>     }
>>>>>>>>   }
>>>>>>>>
>>>>>>>> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>>>>>>>>
>>>>>>>>> Here's what I use to port-forward ssh; just adjust for address (where destination address is the public IP) and change it to http.
>>>>>>>>>
>>>>>>>>> rule 2 {
>>>>>>>>>   type: destination
>>>>>>>>>   inbound-interface: eth0
>>>>>>>>>   protocols: tcp
>>>>>>>>>   source {
>>>>>>>>>     network: 0.0.0.0/0
>>>>>>>>>   }
>>>>>>>>>   destination {
>>>>>>>>>     address: 1.2.3.4
>>>>>>>>>     port-name ssh
>>>>>>>>>   }
>>>>>>>>>   inside-address {
>>>>>>>>>     address: 10.0.0.30
>>>>>>>>>   }
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Justin
>>>>>>>>>
>>>>>>>>> On Jan 29, 2008 7:46 AM, Nathan McBride [EMAIL PROTECTED] wrote:
>>>>>>>>>
>>>>>>>>>> Can someone please help me get this worked out?
>>>>>>>>>>
>>>>>>>>>> Nate
>>>>>>>>>>
>>>>>>>>>> Ok, these are my nat rules now. I didn't see a command to change the rule numbers
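As an added illustration (not code from the thread, from Vyatta or from iptables), here is a small Python model of the packet path through Nate's rule 1 and his masquerade rules. It shows why a LAN client dialling the public address ends up at the router itself, why a LAN-side destination rule alone still breaks the reply path, and why either a LAN-side source rule as well (the NAT workaround An-Cheng points to) or putting the server on a different subnet (the suggestion earlier in the thread) gives a consistent path. The interface names eth1/eth2, the router's LAN address 192.168.0.1 and the client addresses are assumptions.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "71.62.193.105"                                # from the thread
WEB_SERVER = "192.168.0.105"                               # from the thread
ROUTER_LAN_IP = "192.168.0.1"                              # assumed
LAN_IFACES = {"eth1": "192.168.0.", "eth2": "192.168.1."}  # assumed interface/subnet map

@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the TCP SYN arrives on
    src: str
    dst: str
    dport: int

def egress_iface(dst):
    """Routing decision: the interface the router forwards dst out of."""
    for iface, prefix in LAN_IFACES.items():
        if dst.startswith(prefix):
            return iface
    return "eth0"

def apply_dnat(pkt, lan_dnat):
    """Nate's rule 1 matches inbound-interface eth0 only; lan_dnat repeats it on each LAN interface."""
    ifaces = ["eth0"] + (list(LAN_IFACES) if lan_dnat else [])
    if pkt.in_iface in ifaces and pkt.dst == PUBLIC_IP and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER)
    return pkt

def apply_snat(pkt, out_iface, lan_snat):
    """Rules 2 and 3 masquerade on eth0; lan_snat also masquerades LAN-to-server traffic as the router."""
    if out_iface == "eth0":
        return replace(pkt, src=PUBLIC_IP)
    if lan_snat and pkt.dst == WEB_SERVER and egress_iface(pkt.src) == out_iface:
        return replace(pkt, src=ROUTER_LAN_IP)
    return pkt

def outcome(pkt, lan_dnat=False, lan_snat=False):
    """Fate of one SYN to port 80: 'ok', 'router-self' or 'reply-mismatch'."""
    after_dnat = apply_dnat(pkt, lan_dnat)
    if after_dnat.dst == PUBLIC_IP:
        # No DNAT matched: the router delivers to itself, and with the webgui
        # disabled nothing listens on 80, so the client gets "unable to connect".
        return "router-self"
    out_iface = egress_iface(after_dnat.dst)
    forwarded = apply_snat(after_dnat, out_iface, lan_snat)
    if forwarded.in_iface == out_iface and forwarded.src == pkt.src:
        # Client and server share a LAN and the source was left alone: the server
        # answers the client directly from WEB_SERVER, not PUBLIC_IP, so the client resets.
        return "reply-mismatch"
    return "ok"
```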