First, your original problem was (probably) that your external connection
uses a private-range (10.b.c.d) address. Since you say the LEAF router
itself works with this address (after you disable ipchains, that is), I
assume the address is legit and not a symptom of, say, a
MAC-address-authentication problem with your ISP. Dachstein by default DENYs
input from and output to all private-range addresses on the external
connection. 

Second, your "solution" of turning off all firewalling was a good *test* but
a bad *solution*. (Your interpretation of the ping response was right on
target.) The reason is that you removed the forward-chain rules that NAT
your LAN addresses. Without NAT, you can't use an unroutable private address
range on the LAN. So in this instance, we'd expect to see the router itself
able to connect to the Internet, but not the hosts behind it on the LAN ...
exactly what you report.

The better *test* is to restore the line you commented out. Then, after the
router finishes the boot/init process, enter these commands:

ipchains -F input
ipchains -F output
ipchains -P input ACCEPT
ipchains -P output ACCEPT

This clears the input and output chains while leaving the forward chain
alone. Now see if you can ping from the LAN through the router to the
Internet. If you can, we've found the problem. If you can't, then the
problem is somewhere else.

Having found it, we still have to fix it. I don't use the Dach default
firewall, but someone else can tell you the edit for it ... or you can try
scanning the list archives (the external-private-address problem comes up
regularly on the list). [Mike, is this problem common enough to deserve a
FAQ answer?] Or you can use a different drop-in firewall; I know
echowall.lrp, for example, handles private-range external addresses OK.



At 04:20 PM 1/19/02 -0600, [EMAIL PROTECTED] wrote:
[...]
>This is my situation:
>
>I am getting my DHCPACK from my ISP.  DHCP on the external side is working
>and sets up.
>
>DHCP on the internal side seems to be working, as my XP box is pulling the
>IP, etc. from the LRP box.
>
>Under pretty much default settings, I can ping from both boxes to each
>other - but not to the outside world.  When I attempt to ping from the
>client box out - I get request time outs.  When I attempt to ping from the
>LRP out I get type 3 ping failure ("sendto():operation not permitted.)
>The documentation I could find indicated that this was a firewall issue
>possibly related to ipchains.
>
>I looked at ipchains, and really didn't have any idea where to start.
>
>So instead I just went into ipfilter.conf and commented the following line
>as so:
># IPCH="sbin/ipchains --no-warnings"
>
>I figured this would just cut out all ip packet filtering, and at least
>narrow down the problem.  After doing this, backing up, and rebooting - I
>can now ping out from the LRP box and can even resolve domain names.  From
>the client box I can ping to the external node of the LRP box, but no
>further.  I still get "request time out" on all outside pings.
>
>LRP Box Stats:
>
>p166 w/ 64mb
>internal IP 192.168.1.254
>external IP 10.120.92.142
>
>XP Box
>p550 w/256mb
>internal ip 192.168.1.1
>gateway 192.168.1.254
>dhcp server 192.168.1.254
>dns1 24.116.0.81
>dns2 24.116.0.201
[...]


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    [EMAIL PROTECTED]        
----------------------------------------------------------------


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
