First, your original problem was (probably) that your external connection uses a private-range (10.b.c.d) address. Since you say the LEAF router itself works with this address (after you disable ipchains, that is), I assume the address is legit and not a symptom of, say, a MAC-address-authentication problem with your ISP. Dachstein by default DENYs input from and output to all private-range addresses on the external connection.

Second, your "solution" of turning off all firewalling was a good *test* but a bad *solution*. (Your interpretation of the ping response was right on target.) The reason is that you removed the forward-chain rules that NAT your LAN addresses. Without NAT, you can't use an unroutable private address range on the LAN. So in this instance, we'd expect to see the router itself able to connect to the Internet, but not the hosts behind it on the LAN ... exactly what you report.

The better *test* is to restore the line you commented out. Then, after the router finishes the boot/init process, enter these commands:

    ipchains -F input
    ipchains -F output
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT

This clears the input and output chains while leaving the forward chain alone. Now see if you can ping from the LAN through the router to the Internet. If you can, we've found the problem. If you can't, then the problem is somewhere else.

Having found it, we still have to fix it. I don't use the Dach default firewall, but someone else can tell you the edit for it ... or you can try scanning the list archives (the external-private-address problem comes up regularly on the list). [Mike, is this problem common enough to deserve a FAQ answer?] Or you can use a different drop-in firewall; I know echowall.lrp, for example, handles private-range external addresses OK.

At 04:20 PM 1/19/02 -0600, [EMAIL PROTECTED] wrote:
[...]
>This is my situation:
>
>I am getting my DHCPACK from my ISP. DHCP on the external side is working and sets
>up.
>
>DHCP on the internal side seems to be working, as my XP box is pulling the IP, etc. from
>the LRP box.
>
>Under pretty much default settings, I can ping from both boxes to each other - but not to
>the outside world. When I attempt to ping from the client box out - I get request time
>outs. When I attempt to ping from the LRP out I get type 3 ping failure
>("sendto():operation not permitted.) The documentation I could find indicated that this
>was a firewall issue possibly related to ipchains.
>
>I looked at ipchains, and really didn't have any idea where to start.
>
>So instead I just went into ipfilter.conf and commented the following line as so:
># IPCH="sbin/ipchains --no-warnings"
>
>I figured this would just cut out all ip packet filtering, and at least narrow down the
>problem. After doing this, backing up, and rebooting - I can now ping out from the LRP
>box and can even resolve domain names. From the client box I can ping to the external
>node of the LRP box, but no further. It still gets "request time out" on all outside pings.
>
>LRP Box Stats:
>
>p166 w/ 64mb
>internal IP 192.168.1.254
>external IP 10.120.92.142
>
>XP Box
>p550 w/256mb
>internal ip 192.168.1.1
>gateway 192.168.1.254
>dhcp server 192.168.1.254
>dns1 24.116.0.81
>dns2 24.116.0.201
[...]

--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                  [EMAIL PROTECTED]
----------------------------------------------------------------
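
The three firewall states discussed in this message, as an added example that is not part of the original post and is not Dachstein's actual ruleset. It is a simplified model: the two switches (`private_filter`, `masq`), the sample target `PUBLIC_HOST`, and the assumption that upstream only returns traffic for the ISP-assigned address are all constructed for illustration.

```python
import ipaddress

# Addresses from the quoted message; PUBLIC_HOST is a constructed sample target.
EXT_IP, LAN_HOST, PUBLIC_HOST = "10.120.92.142", "192.168.1.1", "198.51.100.7"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def ping(origin, private_filter, masq):
    """Model one echo request to PUBLIC_HOST and return what the sender sees.

    origin:         "router" or "lan"
    private_filter: input/output chains DENY private addresses on the external side
    masq:           forward chain rewrites LAN sources to the external address
    """
    if origin == "router":
        src = EXT_IP
    else:
        src = EXT_IP if masq else LAN_HOST  # forward chain: NAT or pass unchanged
    # Output chain on the external interface.
    if private_filter and (is_private(src) or is_private(PUBLIC_HOST)):
        # A locally generated packet fails at sendto(); a forwarded one just vanishes.
        return "operation not permitted" if origin == "router" else "request timed out"
    # Assumption: upstream can only return traffic sent from the ISP-assigned address.
    if src != EXT_IP:
        return "request timed out"
    # Input chain on the external interface: the reply is addressed to EXT_IP.
    if private_filter and is_private(EXT_IP):
        return "request timed out"
    return "reply"

def scenario(private_filter, masq):
    return {origin: ping(origin, private_filter, masq) for origin in ("router", "lan")}

if __name__ == "__main__":
    for name, args in [("default firewall", (True, True)),
                       ("all ipchains disabled", (False, False)),
                       ("input/output flushed, forward kept", (False, True))]:
        print(f"{name:36} {scenario(*args)}")
```
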