Tom,

Thanks so much for your response.


[snip]

>> The wireless router has a DHCP server (uses dnsmasq) and hands out
>> addresses in the 192.168.12.x range.  The wireless router is in Gateway
>> mode, which according to the DD-WRT docs, means it does NAT/MASQ and all
>> the devices on the 192.168.12.x range appear as the static WAN of the
>> wireless router.  Everyone has internet access and all is well.


[snip]

>> By putting ath0.1 in unbridged mode you can assign it an ip address in a
>> different subnet.  I gave it 192.168.13.1.  You can also set up dnsmasq
>> to do dhcp on that subnet.
>>
>> Here is what I have.  Connect wirelessly to ath0 or ath1 you get an
>> address in the 192.168.12.x range and you can connect to the internet
>> just fine.
>>
>> Connect wirelessly to ath0.1 and you get an address in the 192.168.13.x
>> range and you cannot connect to the internet.  I can ping the WAN of the
>> wireless router but not the DMZ NIC of the shorewall box.  I can ping
>> the DMZ NIC of the shorewall box from the other subnet just fine.

>> I suspect that the virtual interface does not get NATed and retains its
>> IP address in the 192.168.13.x range, and the wireless router and/or
>> shorewall don't know what to do with the packets.  I have read a lot
>> today about adding routes.  That is actually a good result, because then
>> I can use Squid on the Shorewall box to treat that subnet differently.  I
>> have several questions.

[snip]

>
> Try 'tcpdump -ni ethX net 192.168.13.0/24' where ethX is the DMZ
> interface on the Shorewall box. What do you see when you try to connect
> from that net?

Two things.  The firewall in the router was blocking the 192.168.13.0 
subnet from internet access.  That subnet was still being MASQed as the 
address of the WAN once the wireless router firewall was turned off.  The 
tcpdump command gave no info with the wireless router in Gateway mode.

I switched the wireless router to "router" mode.  At this point internet 
access stopped.  At that point the tcpdump command gave the following 
results:

10:51:31.544404 IP 192.168.13.121.45570 > 173.194.43.51.443: Flags [P.], 
seq 2892120423:2892121250, ack 3799399888, win 1109, options [nop,nop,TS 
val 1284574 ecr 2029482935], length 827

0:51:31.544437 IP 192.168.13.121.45570 > 173.194.43.51.443: Flags [P.], 
seq 827:868, ack 1, win 1109, options [nop,nop,TS val 1284575 ecr 
2029482935], length 41

10:51:31.950359 IP 192.168.13.121.45570 > 173.194.43.51.443: Flags [P.], 
seq 0:868, ack 1, win 1109, options [nop,nop,TS val 1284980 ecr 
2029482935], length 868

10:51:47.705759 IP 192.168.13.121.54309 > 74.125.226.11.443: Flags [.], 
ack 1888573337, win 331, options [nop,nop,TS val 1300736 ecr 
1965050180], length 0

The tcpdump lines are too long for one line here, so I separated each by 
a blank line.  There were many other lines as well, but they were all similar 
to the above.

192.168.13.121 was the address assigned to the laptop via the dhcp of 
the wireless router.

I don't know what 173.194.43.51 or 74.125.226.11 are.

There were 13 lines of 192.168.13.121 > 173.194.43.51.443 before it 
switched to 192.168.13.121 > 74.125.226.11.443

Two lines of that and then back to 192.168.13.121 > 173.194.43.51.443

I hope this helps.  I know I have to add some routes, but not sure where.

Mike



-- 
Michael A. Coan
Woodlawn Foundation
56 Harrison Street, Suite 401
New Rochelle, NY 10801-6560
Tel: 914-632-3778
Fax: 914-632-5502

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

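An added example, not part of Mike's or Tom's messages and not Shorewall or DD-WRT code: a small Python script that parses tcpdump summary lines like the ones posted above and tallies whether the source addresses seen on the DMZ interface still sit in the unbridged 192.168.13.0/24 range (arriving un-NATted, as the capture above shows in "router" mode) or have been rewritten to the wireless router's WAN address (as happens in "gateway" mode, where the 192.168.13.x filter shows nothing). The sample input is the four lines posted above joined back onto single lines, plus one constructed NATted line; the WAN address 192.168.1.2 in it is a placeholder and does not come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Matches the IPv4/TCP summary lines tcpdump -n prints:
#   HH:MM:SS.usec IP src.sport > dst.dport: Flags [..], ..., length N
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)

# The four lines from the post, re-joined onto one line each, plus one
# constructed line (source = placeholder WAN address 192.168.1.2) showing
# what the same flow would look like after MASQ in gateway mode.
SAMPLE_CAPTURE = [
    "10:51:31.544404 IP 192.168.13.121.45570 > 173.194.43.51.443: Flags [P.], "
    "seq 2892120423:2892121250, ack 3799399888, win 1109, options [nop,nop,TS "
    "val 1284574 ecr 2029482935], length 827",
    "10:51:31.544437 IP 192.168.13.121.45570 > 173.194.43.51.443: Flags [P.], "
    "seq 827:868, ack 1, win 1109, options [nop,nop,TS val 1284575 ecr "
    "2029482935], length 41",
    "10:51:31.950359 IP 192.168.13.121.45570 > 173.194.43.51.443: Flags [P.], "
    "seq 0:868, ack 1, win 1109, options [nop,nop,TS val 1284980 ecr "
    "2029482935], length 868",
    "10:51:47.705759 IP 192.168.13.121.54309 > 74.125.226.11.443: Flags [.], "
    "ack 1888573337, win 331, options [nop,nop,TS val 1300736 ecr "
    "1965050180], length 0",
    # constructed: the same client after MASQ to a placeholder WAN address
    "10:52:01.000000 IP 192.168.1.2.40001 > 173.194.43.51.443: Flags [S], "
    "seq 1, win 29200, options [mss 1460], length 0",
    # constructed: a banner line tcpdump prints that is not a packet
    "listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes",
]


def parse_tcpdump_line(line):
    """Return a dict (ts, src, sport, dst, dport, flags, length) or None."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt


def classify_capture(lines, unbridged_net, router_wan):
    """Tally flows and decide, per packet, whether the wireless router
    forwarded it un-NATted (source still inside unbridged_net) or
    masqueraded it (source == router_wan).  Anything else is 'other'."""
    net = ipaddress.ip_network(unbridged_net)
    wan = ipaddress.ip_address(router_wan)
    flows = Counter()     # (src, dst, dport) -> packet count
    verdicts = Counter()  # 'unnatted' / 'natted' / 'other' -> packet count
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None:
            continue
        src = ipaddress.ip_address(pkt["src"])
        flows[(pkt["src"], pkt["dst"], pkt["dport"])] += 1
        if src in net:
            verdicts["unnatted"] += 1
        elif src == wan:
            verdicts["natted"] += 1
        else:
            verdicts["other"] += 1
    return {"flows": flows, "verdicts": verdicts}


if __name__ == "__main__":
    result = classify_capture(SAMPLE_CAPTURE, "192.168.13.0/24", "192.168.1.2")
    for (src, dst, dport), n in result["flows"].most_common():
        print(f"{n:3d}  {src} -> {dst}:{dport}")
    print("verdicts:", dict(result["verdicts"]))
```

Run it against the real capture with something like `tcpdump -nl -i ethX net 192.168.13.0/24 | python3 thisscript.py` adapted to read stdin; a non-zero "unnatted" count means the Shorewall box is seeing 192.168.13.x sources directly, so its replies need a route back to that subnet via the wireless router's WAN address, while a capture that is empty under that filter but shows traffic from the WAN address means the router is still masquerading.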